
New Features

Support receiving the NAS-Filter-Rule during Wi-Fi authentication 7.4.4

Note

This information is also available in the FortiWiFi and FortiAP 7.4 Configuration Guide.

This release adds support for receiving the RADIUS NAS-Filter-Rule attribute (RFC 4849) after a wireless client successfully completes 802.1X authentication.

When a wireless client connects to a WPA2/WPA3 Enterprise SSID and is authenticated by a RADIUS server, the server returns its reply attributes, including any NAS-Filter-Rule attributes, in the Access-Accept message to the FortiGate. The FortiGate forwards these rules to the FortiAP serving the client, and the FortiAP installs them as a per-client dynamic Access Control List (dACL) that filters that client's traffic. Because enforcement happens on the FortiAP, the rules take effect as soon as the client is online, independently of the firewall policies on the FortiGate.

Note

The NAS-Filter-Rule attribute is only supported on Tunnel and Local Bridging mode SSIDs. It is not supported in Local Standalone mode.

The NAS-Filter-Rule attribute is only supported when the SSID security mode is WPA2/WPA3 Enterprise and the authentication method is a RADIUS server (set auth radius).

The following CLI command has been added:

config wireless-controller vap
  edit <name>
    set nas-filter-rule {enable | disable}
  next
end

set nas-filter-rule

Enable/disable NAS filter rule support (default = disable).
To enable NAS-Filter-Rule on a VAP - CLI:
  1. Create a VAP with nas-filter-rule enabled.

    config wireless-controller vap
      edit "wifi3"
        set ssid "FOS_81F"
        set security wpa2-only-enterprise
        set fast-bss-transition enable
        set auth radius
        set radius-server "peap"
        set nas-filter-rule enable
        set schedule "always"
      next
    end
  2. On the RADIUS server, create a test user whose reply attributes carry the NAS-Filter-Rules. The entry below is in FreeRADIUS users-file syntax; the trailing \000 on the first rule is the NUL separator that RFC 4849 specifies between rules carried in the same attribute.

    test3           Cleartext-Password := "123456"
                    Tunnel-Type = "VLAN",
                    Tunnel-Medium-Type = "IEEE-802",
                    Fortinet-Group-Name = "group1",
                    Session-Timeout=300,
                    Tunnel-Private-Group-Id = 100,
                    Termination-Action=1,
                    NAS-Filter-Rule = "permit in icmp from assigned to 172.16.200.44/32\000",
                    NAS-Filter-Rule += "deny in tcp from assigned to 172.16.200.44/32"
  3. Connect a wireless client to the SSID as the example user "test3" and verify that the NAS-Filter-Rules have been delivered to the FortiAP.

    • From the FortiGate:

      FortiWiFi-81F-2R-3G4~POE (Interim)# dia wireless-controller wlac -d sta online
         vf=0 mpId=0 wtp=1 rId=2 wlan=wifi3 vlan_id=0 ip=10.30.80.2 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user=test3 group=group1 signal=-28 noise=-95 idle=15 bw=0 use=5 chan=100 radio_type=11AX_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
    • From the FortiAP:

      FortiAP-231F # usta
      WTP daemon STA info:
        1/1   f8:e4:e3:d8:5e:af 00:00:00:00:00:00 vId=0    type=wl----sta,  vap=wlan12,FOS_81F(0) mpsk=  ip=10.30.80.2/1  mimo=2 host=WiFi-Client-2 vci= os=Linux
                                replycount=0000000000000002
                                pmksa info: size 302 ver 1 TAG-1 0,6,f8:e4:e3:d8:5e:af
                                nas filter rules:
                                    permit in icmp from assigned to 172.16.200.44/32
                                    deny in tcp from assigned to 172.16.200.44/32
      Total STAs: 1
      WTP daemon mhost info:
      Total MHOSTs: 0
      
      FortiAP-231F # cw_diag -c nasflt f8:e4:e3:d8:5e:af
      STA f8:e4:e3:d8:5e:af IP filter rules from kernel:
      =========================================================================================================
       ##  Hit Count  Action Dir Prot Source Address  Destination Address Options                       
      ---- ---------- ------ --- ---- --------------- ------------------- -------
       00           0 permit in  icmp assigned        172.16.200.44
       01           0 deny   in  tcp  assigned        172.16.200.44
      ---- ---------- ------ --- ---- --------------- ------------------- -------
       df           4 permit
  4. Verify that the client's traffic is filtered as the NAS-Filter-Rules specify. In the cw_diag output above, the df row is the default entry that handles traffic matching none of the explicit rules; on this FortiAP it is permit, so anything the rules do not explicitly deny is allowed (and its hit count shows that traffic has already taken that path). If the dACL must fail closed, end the rule list with an explicit deny rule.

    1. The wireless client can ping the server 172.16.200.44.

      root@WiFi-Client-2:/home/wpa-test# ping 172.16.200.44
      PING 172.16.200.44 (172.16.200.44) 56(84) bytes of data.
      64 bytes from 172.16.200.44: icmp_seq=1 ttl=63 time=57.0 ms
      --- 172.16.200.44 ping statistics ---
      1 packets transmitted, 1 received, 0% packet loss, time 0ms
      rtt min/avg/max/mdev = 57.013/57.013/57.013/0.000 ms
    2. The wireless client cannot reach the server 172.16.200.44 over HTTP: the TCP connection is dropped by the deny rule, so curl returns nothing.

      root@WiFi-Client-2:/home/wpa-test# curl http://172.16.200.44
      root@WiFi-Client-2:/home/wpa-test#
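The following script is an added example and is not Fortinet's code or part of this release; it lets you check a NAS-Filter-Rule set offline before putting it in the RADIUS server, covering the whole procedure above (the users-file rules in step 2 and the client-side checks in step 4). It performs the server-side encoding (NUL-joining the rules into type-92 RADIUS attributes of at most 253 bytes of data), the NAS-side decoding (concatenating attribute values before splitting on NUL, so a rule that straddles two attributes is reassembled), and a first-match evaluation of sample traffic. Assumptions are marked in the comments: only the `action dir proto from src to dst` subset of the rule grammar shown on this page is parsed, `in` means traffic sent by the client, and the default action for unmatched traffic is a parameter that defaults to permit because that is what the FortiAP's `df` row shows; the client IP and sample packets are constructed for the example.

```python
"""Offline checker for RFC 4849 NAS-Filter-Rule dACLs (added example, not Fortinet code)."""
import ipaddress
from dataclasses import dataclass

NAS_FILTER_RULE = 92   # RADIUS attribute type for NAS-Filter-Rule (RFC 4849)
MAX_ATTR_DATA = 253    # RADIUS attribute data limit: 255-byte attribute minus 2-byte header

# Constructed sample: the two rules the "test3" users-file entry above sends.
PAGE_RULES = [
    "permit in icmp from assigned to 172.16.200.44/32",
    "deny in tcp from assigned to 172.16.200.44/32",
]
# Same policy with a catch-all deny appended, so it does not rely on the AP's default action.
FAIL_CLOSED_RULES = PAGE_RULES + ["deny in ip from assigned to any"]


def encode_attributes(rules):
    """Server side: NUL-join the rules (the RFC 4849 separator) and emit as many
    type-92 TLVs as needed to keep each attribute's data within 253 bytes."""
    data = "\x00".join(rules).encode("ascii")
    chunks = [data[i:i + MAX_ATTR_DATA] for i in range(0, len(data), MAX_ATTR_DATA)]
    return [bytes([NAS_FILTER_RULE, len(c) + 2]) + c for c in chunks]


def decode_attributes(tlvs):
    """NAS side: concatenate the data of every type-92 attribute in order, THEN split
    on NUL. Splitting per attribute would break a rule that spans two attributes."""
    data = b"".join(t[2:] for t in tlvs if t[0] == NAS_FILTER_RULE)
    return [r for r in data.decode("ascii").split("\x00") if r]


@dataclass(frozen=True)
class Rule:
    action: str      # permit | deny
    direction: str   # in = sent by the client, out = sent to the client (assumption)
    proto: str       # ip | icmp | tcp | udp ...
    src: str         # assigned | any | address[/prefix]
    dst: str


def parse_rule(text):
    """Parse 'action dir proto from src to dst', the subset of the grammar used on the page."""
    tok = text.split()
    if len(tok) != 7 or tok[3] != "from" or tok[5] != "to":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action, direction, proto = tok[0].lower(), tok[1].lower(), tok[2].lower()
    if action not in ("permit", "deny") or direction not in ("in", "out"):
        raise ValueError(f"bad action or direction in {text!r}")
    return Rule(action, direction, proto, tok[4], tok[6])


def _addr_match(spec, ip, assigned):
    if spec == "any":
        return True
    if spec == "assigned":  # the address the client was given during authentication
        return ip == assigned
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, pkt, assigned, default="permit"):
    """First matching rule wins; 'default' applies when nothing matches (the FortiAP's
    'df' row on this page is permit, assumed here). Returns (action, rule index or None)."""
    for idx, r in enumerate(rules):
        if r.direction != pkt["dir"]:
            continue
        if r.proto != "ip" and r.proto != pkt["proto"]:
            continue
        if _addr_match(r.src, pkt["src"], assigned) and _addr_match(r.dst, pkt["dst"], assigned):
            return r.action, idx
    return default, None


# Constructed traffic from the client IP shown in the page's diagnostic output.
CLIENT_IP = "10.30.80.2"
TRAFFIC = {
    "ping_server": {"dir": "in", "proto": "icmp", "src": CLIENT_IP, "dst": "172.16.200.44"},
    "http_server": {"dir": "in", "proto": "tcp", "src": CLIENT_IP, "dst": "172.16.200.44"},
    "http_other": {"dir": "in", "proto": "tcp", "src": CLIENT_IP, "dst": "172.16.200.45"},
}


def verdicts(rule_texts, default="permit"):
    """Round-trip the rules through RADIUS encoding, then evaluate the sample traffic."""
    rules = [parse_rule(r) for r in decode_attributes(encode_attributes(rule_texts))]
    return {name: evaluate(rules, pkt, CLIENT_IP, default)[0] for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for label, rules in (("page rules", PAGE_RULES), ("fail-closed", FAIL_CLOSED_RULES)):
        print(f"{label}: {verdicts(rules)}")
```

With the page's two rules the script reproduces step 4 (ICMP to 172.16.200.44 permitted, TCP to it denied) and also shows that TCP to any other host is permitted only because of the default action; the fail-closed variant denies it regardless of what the AP's default is.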
