Use wildcards in a MAC address in a NAC policy

When configuring a NAC policy, you can use the wildcard * character when manually specifying a MAC address to match the device.

config user nac-policy
    edit <policy>
        set mac "xx:xx:xx:**:**:**"
    next
end

In this example, VM_PC1 and VM_PC2 both have MAC addresses that start with 00:0c:29. A NAC policy is created on the FortiGate 500E to match both PCs. After the PCs are connected to the FortiSwitch units, they are detected by the NAC policy and assigned to Lab_VLAN.

To configure a MAC address with wildcards in a NAC policy using the CLI:
  1. Configure a MAC policy to be applied on the managed FortiSwitch units through the NAC device:

    config switch-controller mac-policy
        edit "LAB_Linux"
            set fortilink "port11"
            set vlan "Lab_VLAN"
        next
    end
  2. Configure the NAC policy matching pattern to identify matching NAC devices:

    config user nac-policy
        edit "VM-Policy"
            set mac "00:0c:29:**:**:**"
            set switch-fortilink "port11"
            set switch-mac-policy "LAB_Linux"
        next
    end
  3. Check that the NAC devices are added:

    # show switch-controller nac-device
        config switch-controller nac-device
            edit 2
                set description "auto detected @ 2020-11-30 14:13:45"
                set mac 00:0c:29:d4:4f:3c
                set last-known-switch "S248EPTF18001384"
                set last-known-port "port6"
                set matched-nac-policy "VM-Policy"
                set mac-policy "LAB_Linux"
            next
            edit 3
                set description "auto detected @ 2020-11-30 14:16:07"
                set mac 00:0c:29:a8:0a:1c
                set last-known-switch "S524DN4K16000116"
                set last-known-port "port7"
                set matched-nac-policy "VM-Policy"
                set mac-policy "LAB_Linux"
            next
        end
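The wildcard pattern above and the device table returned by show switch-controller nac-device are easy to check offline. The following Python is an added example, not FortiOS code or anything from the Fortinet documentation: it compiles a "00:0c:29:**:**:**" style pattern into a regular expression, parses the nac-device output into records, and compares which entries the pattern ought to match against which entries the switch controller reports as matched by the policy. It assumes that each * stands for exactly one hexadecimal digit (so ** covers one octet); the page shows only the two-star-per-octet form, so that reading of a single * is an assumption. The sample device table reuses the page's own entries plus one constructed entry (edit 4) with a different OUI so that a non-match is exercised.

```python
import re

# Constructed sample input: the two entries from the page's
# "show switch-controller nac-device" output plus one constructed entry
# (edit 4) whose MAC does not start with 00:0c:29.
NAC_DEVICE_OUTPUT = """\
config switch-controller nac-device
    edit 2
        set description "auto detected @ 2020-11-30 14:13:45"
        set mac 00:0c:29:d4:4f:3c
        set last-known-switch "S248EPTF18001384"
        set last-known-port "port6"
        set matched-nac-policy "VM-Policy"
        set mac-policy "LAB_Linux"
    next
    edit 3
        set description "auto detected @ 2020-11-30 14:16:07"
        set mac 00:0c:29:a8:0a:1c
        set last-known-switch "S524DN4K16000116"
        set last-known-port "port7"
        set matched-nac-policy "VM-Policy"
        set mac-policy "LAB_Linux"
    next
    edit 4
        set description "constructed entry for this example"
        set mac 3c:2c:30:12:34:56
        set last-known-switch "S248EPTF18001384"
        set last-known-port "port8"
    next
end
"""


def wildcard_mac_to_regex(pattern: str) -> re.Pattern:
    """Compile a NAC-policy MAC pattern such as "00:0c:29:**:**:**".

    Assumption (not stated on the page): each '*' stands for exactly one
    hexadecimal digit, so "**" matches a whole octet. Matching is
    case-insensitive because MACs are printed in either case.
    """
    octets = pattern.strip().lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"pattern must be six 2-character octets: {pattern!r}")
    parts = []
    for octet in octets:
        for ch in octet:
            if ch == "*":
                parts.append("[0-9a-f]")
            elif ch in "0123456789abcdef":
                parts.append(ch)
            else:
                raise ValueError(f"invalid character {ch!r} in {pattern!r}")
        parts.append(":")
    regex = "".join(parts[:-1])  # drop the trailing colon
    return re.compile(rf"^{regex}$")


def mac_matches(pattern: str, mac: str) -> bool:
    """True if the concrete MAC falls under the wildcard pattern."""
    return wildcard_mac_to_regex(pattern).match(mac.strip().lower()) is not None


def parse_nac_devices(text: str) -> list:
    """Parse the 'edit N ... next' blocks of a nac-device table into dicts.

    Each 'set key value' line becomes a key/value pair; surrounding
    double quotes on values are removed.
    """
    devices, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = {"id": int(line.split()[1])}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
        elif line == "next" and current is not None:
            devices.append(current)
            current = None
    return devices


def devices_matching(pattern: str, text: str) -> list:
    """Entries of the device table whose MAC the pattern covers."""
    return [d for d in parse_nac_devices(text)
            if mac_matches(pattern, d.get("mac", ""))]


def audit_policy(pattern: str, policy_name: str, text: str) -> dict:
    """Compare the set of devices the pattern should match with the set
    the switch controller reports as matched by the named policy."""
    expected = {d["id"] for d in devices_matching(pattern, text)}
    reported = {d["id"] for d in parse_nac_devices(text)
                if d.get("matched-nac-policy") == policy_name}
    return {
        "expected": sorted(expected),
        "reported": sorted(reported),
        "missing": sorted(expected - reported),     # should match but did not
        "unexpected": sorted(reported - expected),  # reported but pattern disagrees
    }


if __name__ == "__main__":
    print(audit_policy("00:0c:29:**:**:**", "VM-Policy", NAC_DEVICE_OUTPUT))
```

Running the script against the sample table reports entries 2 and 3 as both expected and reported, with nothing missing or unexpected; a device whose MAC matches the pattern but is absent from the reported set is the first thing to look at when a PC is not landing in Lab_VLAN.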
To configure a MAC address with wildcards in a NAC policy using the GUI:
  1. Go to WiFi & Switch Controller > NAC Policies.

  2. Click Create New.

  3. In the Name field, enter a name for the NAC policy.

  4. Make certain that the status is set to Enabled.

  5. Click Specify to select which FortiSwitch units to apply the NAC policy to or click All to select all FortiSwitch units.

  6. Click Device.

  7. Enable MAC address and enter the MAC address with wildcards.

  8. If you want to assign a specific VLAN to a device assigned to the specified user group, click Assign VLAN and enter the VLAN identifier.

  9. If you want to assign port-level settings for devices assigned to the specific user group, click Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.

  10. Click OK.
