Allow the configuration of NAC LAN segments in the GUI

You can configure NAC LAN segments in three places in the GUI:

  • When you select a NAC VLAN in the WiFi & Switch Controller > NAC Policies page and click Edit, the Edit NAC Settings page allows you to enable or disable NAC VLAN segmentation and select the primary interface, onboarding VLAN, and segment VLANs.

  • The Network > Interfaces page shows each LAN segment VLAN as a child of the parent NAC segment.

  • The VLAN segment buttons allow you to enable or disable VLAN segments in the New Interface and Edit Interface pages.

Configuration example

In this configuration example, a FortiLink aggregate interface, flk_aggr, is created on the FortiGate device and connected to two downstream FortiSwitch units. A nac_segment VLAN is created on the FortiLink aggregate interface flk_aggr, and a DHCP server is created on this interface to assign addresses from 10.255.13.2-10.255.13.254. Under nac_segment there are three LAN segments: onboarding, video, and voice.

When a device connects to a FortiSwitch port that is configured with a NAC policy, the device is assigned first to the onboarding VLAN, and nac_segment issues an IP address to the device. After the NAC policy is processed and a match occurs, the device is moved to either the video or the voice VLAN.

The IP address is not changed in this process. All sessions continue to flow according to the firewall policies for that VLAN.
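The onboarding flow described above, written as a small Python model (added here to illustrate the page; this is not FortiOS or Fortinet code). The device categories, NAC policy matches, and per-VLAN firewall service lists are constructed assumptions; the DHCP pool is the page's 10.255.13.2-10.255.13.254 range.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the NAC LAN-segment flow (not FortiOS code).
# nac_segment owns a single DHCP pool that all three segment VLANs share.
POOL_START, POOL_END = "10.255.13.2", "10.255.13.254"
SEGMENTS = ("onboarding", "video", "voice")

# Hypothetical NAC policies: device category -> target segment VLAN.
NAC_POLICIES = {"ip-phone": "voice", "ip-camera": "video"}

# Hypothetical firewall policies keyed by segment VLAN (allowed services).
FIREWALL_POLICIES = {
    "onboarding": {"dhcp", "dns"},
    "video": {"dhcp", "dns", "rtsp"},
    "voice": {"dhcp", "dns", "sip", "rtp"},
}

@dataclass
class Device:
    mac: str
    category: str
    vlan: str = "onboarding"
    ip: str = ""

@dataclass
class NacSegment:
    next_ip: int = int(ipaddress.ip_address(POOL_START))
    leases: dict = field(default_factory=dict)

    def dhcp_lease(self, dev: Device) -> str:
        """One address per MAC, so a re-request after a VLAN move is a no-op."""
        if dev.mac not in self.leases:
            if self.next_ip > int(ipaddress.ip_address(POOL_END)):
                raise RuntimeError("nac_segment DHCP pool exhausted")
            self.leases[dev.mac] = str(ipaddress.ip_address(self.next_ip))
            self.next_ip += 1
        return self.leases[dev.mac]

def onboard(seg: NacSegment, dev: Device) -> Device:
    """Port connect: onboarding VLAN first, lease from nac_segment, then NAC match."""
    dev.vlan = "onboarding"
    dev.ip = seg.dhcp_lease(dev)
    target = NAC_POLICIES.get(dev.category)  # no match: device stays in onboarding
    if target in SEGMENTS:
        dev.vlan = target  # the move keeps dev.ip; the lease is not reissued
    return dev

def allowed(dev: Device, service: str) -> bool:
    """Sessions follow the firewall policy of the segment VLAN the device is in."""
    return service in FIREWALL_POLICIES[dev.vlan]
```

A device that matches no NAC policy keeps the onboarding VLAN's narrower policy set, which is the behaviour to verify when auditing what unclassified endpoints can reach.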