1.3.0

VLAN Mapping


FortiGuest provides secure network access by supporting both static and dynamic VLAN mapping when authenticating a guest. You can view the free and occupied VLANs at Accounts > Manage Accounts > VLAN Mapping. Select the RADIUS client, and all VLANs currently mapped to the PSK associated with that RADIUS client are displayed. If both static and dynamic VLANs are configured, the dynamic VLANs are assigned first; if no dynamic VLAN is available, FortiGuest assigns the configured static VLAN.

FortiGuest handles VLAN mapping differently for guest accounts that are tagged to a PSK and guest accounts that are not. The following applies if a guest account is NOT tagged to a PSK.

  • If a static VLAN is configured, it is used; if no static VLAN is configured, VLAN 0 is used.

  • Dynamic VLAN is NOT used in this scenario.

For PSKs with guest accounts tagged to them, the behaviour described in Dynamic VLAN Mapping is applied.

Dynamic VLAN Mapping

Dynamic VLAN mapping is used when a PSK authenticates via a RADIUS client. Each PSK is assigned one VLAN per RADIUS client, even if that PSK is used by multiple devices, as long as it authenticates via the same RADIUS client. Consider the following example, where the VLAN is assigned per RADIUS client.

VLAN pools pool1 and pool2 are configured on the RADIUS client.

  • If a device, Mobile1, with a PSK, PSK-auth, logs in through a RADIUS client, Client1, then VLAN ID xx is assigned to it.

  • If another device, Mobile2, with the same PSK, PSK-auth, logs in through the same RADIUS client, Client1, then it is also assigned VLAN ID xx.

  • But if a device, Mobile3, with the same PSK, PSK-auth, logs in through a different RADIUS client, Client2, then a different VLAN ID yy is assigned. Likewise, if Mobile3 with a different PSK, PSK-auth12, logs in through the same RADIUS client, Client1, then a different VLAN ID yy is also assigned.

The following behaviour applies while managing dynamic VLANs.

  • The admin can configure any number of VLANs/VLAN ranges, separated by commas.

  • If the admin adds an existing VLAN on a RADIUS client, then all existing mappings with those VLANs, including those currently assigned to PSKs, remain the same. But if the admin adds a new VLAN, then the existing mappings are deleted and reconfigured with the new VLANs.

  • If a RADIUS client is deleted then all VLAN mappings associated with it are also deleted.

  • If the VLAN pool is exhausted for a RADIUS client, then the static VLAN is assigned. If no static VLAN is configured, then VLAN 0 is assigned.

To enable dynamic VLAN mapping, see PSK Authentication.
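
The assignment rules above can be checked against a small model. The following Python sketch is an added example, not FortiGuest code: the class and function names, the lowest-free-VLAN-first selection order, the 1-4095 bound on pool entries, and resetting mappings lazily (re-assigned on the next login) are all assumptions made for illustration.

```python
# Added illustrative model of the assignment rules described above; not FortiGuest code.
def parse_vlans(spec):
    """Expand a comma-separated list of VLAN IDs and ranges, e.g. '100-102,200'."""
    vlans = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4095:        # assumed bound, same as static VLANs
            raise ValueError(f"bad VLAN entry: {part!r}")
        vlans.extend(v for v in range(lo, hi + 1) if v not in vlans)
    return vlans


class VlanMapper:
    def __init__(self):
        self.pools = {}     # RADIUS client -> list of dynamic VLAN IDs
        self.mappings = {}  # RADIUS client -> {PSK name: VLAN ID}

    def set_pool(self, client, spec):
        new = parse_vlans(spec)
        # Adding a VLAN the pool does not already hold resets the client's mappings.
        if set(new) - set(self.pools.get(client, [])):
            self.mappings[client] = {}
        self.pools[client] = new
        self.mappings.setdefault(client, {})

    def delete_client(self, client):
        # Deleting a RADIUS client deletes all of its VLAN mappings.
        self.pools.pop(client, None)
        self.mappings.pop(client, None)

    def assign(self, client, psk, static_vlan=None, tagged=True):
        fallback = static_vlan if static_vlan is not None else 0
        if not tagged or client not in self.pools:
            return fallback                  # dynamic VLANs are not used
        mapped = self.mappings[client]
        if psk in mapped:
            return mapped[psk]               # same PSK, same client: same VLAN
        free = [v for v in self.pools[client] if v not in mapped.values()]
        if not free:
            return fallback                  # pool exhausted: static VLAN, else 0
        mapped[psk] = free[0]                # assumed order: lowest free VLAN first
        return free[0]
```

Sizing each pool against the number of PSKs expected per RADIUS client, and setting a static VLAN on every PSK, keeps the model's VLAN 0 branch from being reached.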

Static VLAN Mapping

A static VLAN can be configured per PSK. The VLAN value can be from 1 to 4095. To configure a static VLAN, see Creating PSKs.
