Network access control (NAC) helps administrators implement policies to control the devices and users that have access to their networks. A NAC policy can use user or detected device information, such as device type or OS, to put traffic into a specific VLAN or apply specific port settings.
The NAC function can be enabled on all FortiSwitches, or on specific FortiSwitch ports.
Initially, devices connected to ports with the NAC function enabled are placed in an onboarding VLAN. The onboarding VLAN usually has a restrictive security policy (only the traffic needed for identification and onboarding, such as DHCP, DNS, and the captive portal), device detection enabled, a DHCP server, and a captive portal. Device detection collects information about the device, such as its type and OS. When that information matches the patterns defined in a NAC policy, the policy's action is applied to the device, such as moving it to a specific VLAN or applying a security policy. Until a policy matches, the device stays in the onboarding VLAN.
The switch scope of a NAC policy (the list of managed FortiSwitches that the policy applies to) can reference a managed FortiSwitch. While an administrator-set reference exists, the managed switch cannot be deleted; remove the switch from the policy's scope first:
config user nac-policy
    edit <name>
        unselect switch-scope <switch>
    next
end
In this example, NAC settings are enabled and configured so that a Linux PC is automatically moved into a VLAN dedicated to Linux PCs after it comes online and gets identified.
- Use the wizard to enable the NAC feature and configure basic settings:
  - Go to WiFi & Switch Controller > FortiSwitch NAC Policies. If FortiSwitch options are not visible, see Feature visibility for instructions on making them visible.
  - Click Configure NAC Settings in the message box.
  - Specify the switch ports that NAC access mode will be enabled on, or enable it on all of them.
  - Select the onboarding VLAN. If no VLAN exists, click Create in the drop-down menu to create a new NAC VLAN interface.
  - Click Next.
  - Create or modify the NAC VLANs (also known as FortiSwitch VLANs) that can be used in NAC policies. See FortiLink setup for details.
  - Click Submit.
  The NAC settings can be edited later in WiFi & Switch Controller > FortiLink Interface, and the NAC VLANs in WiFi & Switch Controller > FortiSwitch VLANs.
  The access mode of the selected switch ports is changed to NAC and their native VLAN is set to the onboarding VLAN.
- Create a NAC VLAN for all Linux PCs:
  - Go to WiFi & Switch Controller > FortiSwitch VLANs and click Create New.
  - Set Name to vlan_Linux.
  - Configure the remaining settings as required.
  - Click OK.
- Create a NAC policy that matches all Linux PCs and assigns them to that VLAN:
  - Go to WiFi & Switch Controller > FortiSwitch NAC Policies and click Create New.
  - Enter a name for the policy, such as Linux_to_VLAN.
  - Enable Operating system and enter Linux* in the field. The asterisk is a wildcard, so any detected OS string beginning with Linux matches.
  - Select the Assign VLAN card and set VLAN to vlan_Linux.
  - Click OK.
- After the Linux PC connects, check that it is matched to the policy:
  - Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  - Select the Linux_to_VLAN policy and click View Matched Devices. The Matched Devices pane opens, showing the devices that matched the policy.
  - Go to WiFi & Switch Controller > FortiSwitch Ports. The port that the Linux PC is connected to will include vlan_Linux in the Allowed VLANs column.
The same configuration in the CLI:

- Configure the FortiLink interface and enable NAC on it:
  config system interface
      edit "fortilink"
          set vdom "root"
          set fortilink enable
          set ip 169.254.1.1 255.255.255.0
          set allowaccess ping fabric
          set type aggregate
          set member "internal11"
          set lldp-reception enable
          set lldp-transmission enable
          set snmp-index 8
          set auto-auth-extension-device enable
          set switch-controller-nac "fortilink"
      next
  end
- Configure the integrated NAC settings. Mode global applies NAC to all ports of the managed switches (the CLI equivalent of enabling it on all ports in the wizard), and the onboarding VLAN is where devices are placed until a NAC policy matches them:
  config switch-controller nac-settings
      edit "fortilink"
          set mode global
          set onboarding-vlan "onboarding"
      next
  end
- Configure the NAC policy. Its os pattern identifies the devices (any detected OS string beginning with Linux), and switch-mac-policy names the MAC policy that is applied to devices that match:
  config user nac-policy
      edit "Linux_to_VLAN"
          set os "Linux*"
          set switch-fortilink "fortilink"
          set switch-mac-policy "Linux_to_VLAN"
      next
  end
- Configure the MAC policy that the NAC policy applies on the managed FortiSwitches. The MAC policy carries the VLAN assignment, so the policy chain is NAC policy > MAC policy > VLAN:
  config switch-controller mac-policy
      edit "Linux_to_VLAN"
          set fortilink "fortilink"
          set vlan "vlan_Linux"
      next
  end
- View the NAC devices learned on the managed FortiSwitch ports. A device that has matched a policy shows matched-nac-policy and the mac-policy that was applied; a device still in the onboarding VLAN has no matched-nac-policy:
  show switch-controller nac-device
  config switch-controller nac-device
      edit 1
          set description "auto detected @ 2020-04-01 15:36:24"
          set mac 00:0c:29:a9:12:74
          set last-known-switch "S124EP5918000276"
          set last-known-port "port6"
          set matched-nac-policy "Linux_to_VLAN"
          set mac-policy "Linux_to_VLAN"
      next
  end
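When NAC is rolled out across many switches, checking View Matched Devices by hand does not scale. The following added example (not FortiGate code or part of this page) parses the config/edit/set/next/end text that the show commands above print, follows the NAC policy > MAC policy > VLAN chain, and reports for each learned device whether it has been assigned a VLAN, is still onboarding, or sits on a policy whose chain is broken. It also checks the Linux* wildcard used in the policy against a detected OS string. The CLI text is constructed to match the objects on this page; the second device (00:0c:29:ff:00:01) and the assumption that the os pattern is a case-sensitive glob are mine. On a real unit you would capture the output of show user nac-policy, show switch-controller mac-policy, and show switch-controller nac-device (for example over SSH) and feed it to parse_fortios().

```python
"""Audit FortiOS NAC objects from CLI 'show' output (added example, not FortiGate code)."""
import fnmatch

# Constructed sample reproducing the page's nac-policy, mac-policy and learned device,
# plus a second device (00:0c:29:ff:00:01, assumed) that has not matched any policy yet.
SAMPLE = """\
config user nac-policy
    edit "Linux_to_VLAN"
        set os "Linux*"
        set switch-fortilink "fortilink"
        set switch-mac-policy "Linux_to_VLAN"
    next
end
config switch-controller mac-policy
    edit "Linux_to_VLAN"
        set fortilink "fortilink"
        set vlan "vlan_Linux"
    next
end
config switch-controller nac-device
    edit 1
        set description "auto detected @ 2020-04-01 15:36:24"
        set mac 00:0c:29:a9:12:74
        set last-known-switch "S124EP5918000276"
        set last-known-port "port6"
        set matched-nac-policy "Linux_to_VLAN"
        set mac-policy "Linux_to_VLAN"
    next
    edit 2
        set description "auto detected @ 2020-04-01 15:40:02"
        set mac 00:0c:29:ff:00:01
        set last-known-switch "S124EP5918000276"
        set last-known-port "port7"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end text into {table: {entry: {attr: value}}}.

    One level of nesting covers these three tables; surrounding quotes are stripped.
    """
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[7:]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tables


def os_matches(pattern, os_name):
    """Case-sensitive glob match; assumed to mirror how FortiOS treats the '*' in 'Linux*'."""
    return fnmatch.fnmatchcase(os_name, pattern)


def vlan_for_policy(tables, policy_name):
    """Follow nac-policy -> switch-mac-policy -> vlan; None if any link is missing."""
    policy = tables.get("user nac-policy", {}).get(policy_name)
    if policy is None:
        return None
    mac_policies = tables.get("switch-controller mac-policy", {})
    mac_policy = mac_policies.get(policy.get("switch-mac-policy", ""))
    return None if mac_policy is None else mac_policy.get("vlan")


def audit_devices(tables):
    """Return (mac, switch, port, status, vlan) per learned device, in entry order.

    status: 'onboarding'   no policy matched yet, device is still in the onboarding VLAN
            'assigned'     NAC policy -> MAC policy -> VLAN chain is complete
            'broken-chain' matched policy references a missing MAC policy or VLAN
            'mismatch'     device's mac-policy differs from what the matched policy names
    """
    results = []
    devices = tables.get("switch-controller nac-device", {})
    for _, dev in sorted(devices.items(), key=lambda kv: int(kv[0])):
        policy_name = dev.get("matched-nac-policy")
        if policy_name is None:
            status, vlan = "onboarding", None
        else:
            vlan = vlan_for_policy(tables, policy_name)
            expected = tables.get("user nac-policy", {}).get(policy_name, {}).get("switch-mac-policy")
            if vlan is None:
                status = "broken-chain"
            elif dev.get("mac-policy") != expected:
                status = "mismatch"
            else:
                status = "assigned"
        results.append((dev["mac"], dev.get("last-known-switch"), dev.get("last-known-port"), status, vlan))
    return results


if __name__ == "__main__":
    for mac, switch, port, status, vlan in audit_devices(parse_fortios(SAMPLE)):
        print(f"{mac}  {switch}/{port}  {status}  {vlan or '-'}")
```

A device reported as onboarding for longer than device detection normally needs is the one to look at first: either no policy pattern covers it, or it is a device that should not be on the network at all. A broken-chain result means a NAC policy points at a MAC policy or VLAN that no longer exists, which leaves matched devices without the VLAN the policy promises.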