7.2.0

FortiNAC “Isolation” VLANs

FortiNAC Isolation VLANs

In the switches to be controlled by FortiNAC, configure the appropriate “isolation” VLANs.

  • A single VLAN (Isolation) that restricts network access for the following host states

    (The following are possible options – not all may be used)

    • Unknown hosts (hosts not registered in FortiNAC)

    • Untrusted registered hosts (hosts marked "At-Risk")

    • Disabled registered hosts

    • Untrusted or unknown hosts connecting over VPN tunnel managed by FortiNAC

    • Registered hosts requiring the user to be authenticated by FortiNAC. Validates the user accessing the computer before allowing full network access

  • Alternatively, separate VLANs for each host state

    (The following are possible options – not all may be used)

    • Registration: Isolates unknown hosts (hosts not registered in FortiNAC)

    • Remediation: Isolates untrusted registered hosts (hosts marked "At-Risk")

    • Dead End: Isolates disabled registered hosts

    • Virtual Private Network (VPN): Isolates untrusted or unknown hosts connecting over VPN tunnel managed by FortiNAC

    • Authentication: Isolates registered hosts until the user is authenticated by FortiNAC. Validates the user accessing the computer before allowing full network access

    • Access Point Management (Hub): Manages clients connected to hubs or simple access points by using DHCP as a means to control or restrict host network access. FortiNAC acts as the DHCP server for both known/trusted and unknown/untrusted hosts. See section Access point management of the Administration Guide for additional configuration instructions.

Layer 3 deployments require a VLAN per state per location that is separated by an L3 device.

The FortiNAC Service Network Interface is configured on the port2 interface of the appliance. It serves DHCP, DNS and the Captive Portal to devices in the “isolation” VLANs.

Note: To prevent isolated devices from resolving DNS through any other server, block outbound DNS from the isolation VLANs except to the FortiNAC Service Network Interface (port2).
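The DNS restriction in the note above is easy to get wrong when an isolation VLAN inherits a permissive egress rule set. The following is an added example, not Fortinet's own code or configuration: a small first-match policy evaluator that models the egress rules of an isolation VLAN and checks which DNS resolvers other than the Service Network Interface would still be reachable. The addresses (10.250.0.2 for port2, the public and internal resolvers used as probes) are constructed for illustration and are not from the page.

```python
"""Egress policy check for a FortiNAC isolation VLAN (added example).

Assumptions (constructed, not from the page): the FortiNAC Service Network
Interface (port2) is reachable from the isolation VLAN at 10.250.0.2, and the
firewall/ACL in front of the VLAN evaluates rules first-match with an implicit
default deny.  Only unicast flows are modelled; DHCP broadcast is out of scope.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence

SERVICE_IF = ipaddress.ip_address("10.250.0.2")  # constructed port2 address


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"; the first matching rule wins
    proto: str             # "udp", "tcp" or "any"
    dst: str               # destination CIDR, or "any"
    dport: Optional[int]   # destination port, or None for any port

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.dst != "any":
            if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
                return False
        return True


def evaluate(rules: Sequence[Rule], proto: str, dst_ip: str, dport: int) -> str:
    """Return the action the policy takes for one unicast flow (default deny)."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule.action
    return "deny"


def isolation_egress_policy(service_if=SERVICE_IF) -> List[Rule]:
    """Egress rules for the isolation VLAN: DNS and the captive portal only
    to the Service Network Interface, everything else denied."""
    host = f"{service_if}/32"
    return [
        Rule("allow", "udp", host, 53),    # DNS served by FortiNAC (port2)
        Rule("allow", "tcp", host, 53),
        Rule("allow", "tcp", host, 80),    # captive portal
        Rule("allow", "tcp", host, 443),
        Rule("deny", "any", "any", None),  # explicit catch-all deny
    ]


def weak_policy_with_open_dns(service_if=SERVICE_IF) -> List[Rule]:
    """Misconfiguration shown for contrast: a blanket 'allow DNS anywhere'
    rule placed ahead of the isolation rules lets hosts bypass port2."""
    return [Rule("allow", "any", "any", 53)] + isolation_egress_policy(service_if)


def dns_leaks(rules: Sequence[Rule], service_if=SERVICE_IF,
              probes: Sequence[str] = ("8.8.8.8", "1.1.1.1", "10.0.0.53")) -> List[str]:
    """Return the probe resolvers (other than port2) the policy would let
    an isolated host reach on UDP or TCP 53.  An empty list is the goal."""
    leaks = []
    for resolver in probes:
        if ipaddress.ip_address(resolver) == service_if:
            continue
        if (evaluate(rules, "udp", resolver, 53) == "allow"
                or evaluate(rules, "tcp", resolver, 53) == "allow"):
            leaks.append(resolver)
    return leaks


if __name__ == "__main__":
    print("hardened policy leaks:", dns_leaks(isolation_egress_policy()))
    print("weak policy leaks:", dns_leaks(weak_policy_with_open_dns()))
```

Run the module directly to compare the two rule sets; the hardened policy reports no leaks, while the weak one lists every probed resolver. The same `dns_leaks` check can be pointed at a rule list exported from whatever device enforces the VLAN's egress, as long as it is translated into the first-match `Rule` form used here.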

See the following pages for logical network diagram examples.

[Diagram] Single FortiNAC “Isolation” Network Configuration: Shared VLAN for all States (L3 Network Type)

[Diagram] Single FortiNAC “Isolation” Network Configuration: Shared VLAN for all States (L3 Network Type, High Availability Configuration)

[Diagram] Multiple FortiNAC “Isolation” Network Configuration: Individual VLANs per State (L3 Network Type)

[Diagram] Multiple FortiNAC “Isolation” Network Configuration: Individual VLANs per State (L3 Network Type, High Availability Configuration)
