NAC policy added to policy package 7.2.1
The network access control (NAC) policy is added to manage policies for FortiSwitches in per-device or central management mode.
You can create a NAC policy that matches devices with the specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices that match the policy are assigned to a specific VLAN or have port-specific settings applied to them.
FortiSwitch Manager also supports dynamic port policy and FortiLink configuration.
This topic includes steps to create:
- a NAC policy
- a dynamic firewall address for the NAC policy
- a dynamic port policy
- a FortiLink Settings template
To create a NAC Policy:
To make the NAC Policy option available, you must enable it in the Display Options for Policy & Objects. Go to Policy & Objects > Tools > Display Options. In the Policy section, select the checkbox for NAC Policy and click OK. The NAC Policy option will now display in the tree menu.
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the FortiGate policy package, select NAC Policy.
- Click Create New.
- Enter the following information:
| Option | Description |
| --- | --- |
| Name | Enter a unique name for the policy. |
| Status | Set the policy to Enabled or Disabled. |
| FortiLink Interface | Use the search field to find and select the FortiLink interface. |
| FortiSwitch Groups | Select All or Specify the FortiSwitch groups. |
| Description | Optionally, add a description for the policy. |
| Device Patterns | |
| Category | Select Device, User, or EMS Tag. For Device pattern fields, you can use the wildcard * character when entering the value to be matched. |
| MAC Address | Enable or disable matching a MAC address, then enter a MAC address. Only available if Category is Device. |
| Hardware Vendor | Enable or disable matching a hardware vendor, then enter a hardware vendor name. Only available if Category is Device. |
| Device Family | Enable or disable matching a device family, then enter a device family name. Only available if Category is Device. |
| Type | Enable or disable matching a device type, then enter a device type. Only available if Category is Device. |
| Operating System | Enable or disable matching an operating system, then enter an operating system. Only available if Category is Device. |
| User group | Select a user group. Only available if Category is User. |
| FortiClient EMS Tag | Select a FortiClient EMS tag. Only available if Category is EMS Tag. |
| Switch Controller Action | |
| Assign VLAN | Enable to select a VLAN interface for the switch controller action. |
| Bounce Port | Enable or disable the bounce port. |
| Assign device to dynamic address | Enable to use a dynamic firewall address for matching a device, then select the address. See To create a dynamic firewall address for the NAC Policy: below. |
| Wireless Controller Action | |
| Assign VLAN | Enable to select a VLAN interface for the wireless controller action. |
| Revision | |
| Change Note | Add a description of the changes being made to the policy. This field is required. |
- Click OK to save the policy.
You can now deploy the NAC policy using the Install Wizard. For example, see the install preview below:
To create a dynamic firewall address for the NAC Policy:
- Go to Policy & Objects > Object Configurations > Firewall Objects > Addresses.
- Click Create New.
- From the Type dropdown, select Dynamic.
- For the Sub Type field, select Switch Controller NAC Policy Tag.
- From the Interface dropdown, select the FortiLink interface.
- Configure the other options, as needed.
- Click OK to save the dynamic firewall address.
You can now use the dynamic firewall address in a NAC policy through the Assign device to dynamic address option. For example, see the NAC policy configuration below:
The firewall address will be included when the NAC policy is deployed. For example, see the install preview below:
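The install previews referenced above are not reproduced on this page. As an added example (not from the original page and not Fortinet's own documentation), the following is the FortiOS CLI that a NAC policy of Category Device with the Assign VLAN, Bounce Port, and Assign device to dynamic address actions is expected to push to the managed FortiGate. The object names, the FortiSwitch group name, the VLAN interface name, and the vendor pattern are constructed sample values; the CLI keywords and the mapping of the Assign VLAN and Bounce Port options onto a switch-controller MAC policy are assumed from FortiOS 7.x syntax, so compare them with the install preview for your version. The wireless controller action is not shown.

```text
# Constructed sample: dynamic address created in the GUI with
# Type = Dynamic and Sub Type = Switch Controller NAC Policy Tag,
# bound to the FortiLink interface (keywords assumed from FortiOS 7.x)
config firewall address
    edit "nac-matched-devices"
        set type dynamic
        set sub-type swc-tag
        set interface "fortilink"
    next
end

# Assumed mapping: the Assign VLAN and Bounce Port switch controller
# actions are pushed as a MAC policy that the NAC policy references
config switch-controller mac-policy
    edit "nac-segment-vlan"
        set fortilink "fortilink"
        set vlan "nac_segment"
        set bounce-port-link enable
    next
end

# The NAC policy: Category = Device, Hardware Vendor matched with the
# wildcard * character, restricted to one FortiSwitch group
config user nac-policy
    edit "printers-to-segment"
        set status enable
        set category device
        set hw-vendor "HP*"
        set switch-fortilink "fortilink"
        config switch-group
            edit "floor-1-switches"
            next
        end
        set switch-mac-policy "nac-segment-vlan"
        set firewall-address "nac-matched-devices"
    next
end
```

Once installed, the FortiGate populates "nac-matched-devices" with the devices that match the NAC policy, which is what makes the address usable in firewall policies; the NAC policy itself only decides which VLAN a matched device lands on.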
To create a dynamic port policy:
- Go to FortiSwitch Manager > FortiSwitch Templates > Dynamic Port Policy.
- Click Create New, and enter a Name for the dynamic port policy.
- In the Policy Information section, click Create New.
- Enter the following information for the dynamic port policy rule:
| Option | Description |
| --- | --- |
| Name | Enter a unique name for the dynamic port policy rule. |
| Status | Set the rule to Enabled or Disabled. |
| Description | Optionally, enter a description for the rule. |
| Device Patterns | |
| MAC Address | Enable or disable matching a MAC address, then enter a MAC address. |
| Host | Enable or disable matching a host address, then enter a host address. |
| Hardware Vendor | Enable or disable matching a hardware vendor, then enter a hardware vendor name. |
| Device Family | Enable or disable matching a device family, then enter a device family name. |
| Type | Enable or disable matching a device type, then enter a device type. |
| Switch Controller Action | |
| LLDP Profile | Enable to select an LLDP profile for the switch controller action. |
| QoS Policy | Enable to select a QoS policy for the switch controller action. |
| 802.1X Policy | Enable to select an 802.1X policy for the switch controller action. |
| VLAN Policy | Enable to select a VLAN policy for the switch controller action. |
- Click OK to save the dynamic port policy.
- Go to FortiSwitch Manager > FortiSwitch Templates > FortiSwitch Template.
- Click Create New, and enter a Template Name and Platform.
- In the Switch VLAN Assignments table, select a port and click Edit.
The Edit VLAN Assignment dialog displays.
- For the Access Mode field, select dynamic.
- From the Port Policy dropdown, select the dynamic port policy.
- Click OK.
- Click OK to save the FortiSwitch Template.
The configuration will be deployed to the FortiGate device when the template is assigned to a FortiSwitch. For example, see the install preview below:
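As an added example (not from the original page and not Fortinet's own documentation), the following is the FortiOS CLI that the dynamic port policy and the FortiSwitch Template port assignment above are expected to push when the template is assigned to a FortiSwitch. The policy, rule, VLAN policy and VLAN names, the vendor and family patterns, and the port number are constructed sample values; the switch serial number is a placeholder; the CLI keywords, the default LLDP profile and QoS policy names, and the mapping of Access Mode = dynamic / Port Policy onto the managed-switch port settings are assumed from FortiOS 7.x syntax, so compare them with the install preview for your version.

```text
# Constructed sample VLAN policy that the rule's VLAN Policy action refers to
# (keywords assumed from FortiOS 7.x)
config switch-controller vlan-policy
    edit "voice-vlan-policy"
        set fortilink "fortilink"
        set vlan "voice"
    next
end

# The dynamic port policy with one rule: matches by hardware vendor
# (wildcard *) and device family, then applies LLDP, QoS and VLAN policies
config switch-controller dynamic-port-policy
    edit "ip-phones"
        set fortilink "fortilink"
        config policy
            edit "phones-by-vendor"
                set status enable
                set description "constructed sample rule"
                set hw-vendor "Cisco*"
                set family "IP Phone"
                set lldp-profile "default-auto-isl"
                set qos-policy "default"
                set vlan-policy "voice-vlan-policy"
            next
        end
    next
end

# Assumed mapping of the FortiSwitch Template port edit (Access Mode =
# dynamic, Port Policy = ip-phones) onto the managed switch port
config switch-controller managed-switch
    edit "SWITCH-SERIAL-PLACEHOLDER"
        config ports
            edit "port5"
                set access-mode dynamic
                set port-policy "ip-phones"
            next
        end
    next
end
```

A port in dynamic access mode keeps whatever it was given until a connected device matches a rule, so rules that match broadly (for example a bare "*" vendor pattern) should be reviewed before the template is assigned, because they will reassign every port that uses the policy.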
To create a FortiLink Settings template:
- Go to FortiSwitch Manager > FortiSwitch Templates > FortiLink Settings.
- Click Create New.
- Enter the following information:
| Option | Description |
| --- | --- |
| Name | Enter a name for the FortiLink Settings template. |
| NAC VLAN segmentation | Enable or disable NAC VLAN segmentation. |
| Primary Interface | Select the primary interface. |
| Onboarding VLAN | Select the onboarding VLAN interface. |
| Segment VLANs | Select the segment VLANs. |
- Click OK to save the FortiLink Settings template.
- Go to FortiSwitch Manager > FortiSwitch Templates > VDOM Settings, and edit a FortiGate's mapped FortiLink.
- From the NAC Settings dropdown, select the FortiLink settings template.
- Click OK.
The configuration can now be deployed to FortiGate devices, as needed. For example, see the install preview below:
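As an added example (not from the original page and not Fortinet's own documentation), the following is the FortiOS CLI that the FortiLink Settings template above is expected to push once it is selected as the NAC Settings of a FortiGate's mapped FortiLink. The template name and the interface and VLAN names are constructed sample values; the CLI keywords and the mapping of the GUI fields (NAC VLAN segmentation, Primary Interface, Onboarding VLAN, Segment VLANs) onto the nac-ports settings are assumed from FortiOS 7.x syntax, so compare them with the install preview for your version.

```text
# Constructed sample FortiLink settings template
# (keywords and field mapping assumed from FortiOS 7.x)
config switch-controller fortilink-settings
    edit "nac-segmentation"
        # the FortiLink interface this template is mapped to
        set fortilink "fortilink"
        config nac-ports
            # NAC VLAN segmentation = enabled
            set lan-segment enable
            # Primary Interface
            set nac-lan-interface "nac_primary"
            # Onboarding VLAN: where unmatched devices land first
            set onboarding-vlan "onboarding"
            # Segment VLANs available to NAC policies
            set nac-segment-vlans "nac_segment_1" "nac_segment_2"
        end
    next
end
```

The onboarding VLAN is the one every newly seen device is placed in before any NAC policy matches it, so its firewall policies should allow no more than the device profiling and onboarding traffic that the NAC policies need in order to classify the device.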