Control
FortiNAC Settings
Isolation Interfaces
Configure the eth1 VPN isolation interface using the Configuration Wizard.
High Availability: If High Availability is configured, access the Configuration Wizard on the Secondary Server and make the same modifications. This ensures the domain value and the additional scopes are added properly in the event of a failover.
-
Launch the Configuration Wizard by opening a browser and navigating to:
https://<FortiNAC IP Address or hostname>:8443/
-
Navigate to System > Configuration Wizard.
-
Under the Steps column, click Virtual Private Network.
-
Click the checkbox for Virtual Private Network Interface eth1.
-
Configure the eth1 interface using the table below.
Virtual Private Network Interface eth1
Interface IPv4 Address: IPv4 address for the VPN interface on eth1.
Mask: VPN interface subnet mask (IPv4).
IPv4 Gateway: Gateway IP address used by the VPN interface.
Interface IPv6 Address (optional): IPv6 address for the VPN interface on eth1.
Interface IPv6 Mask in CIDR notation (optional): IPv6 subnet mask for the VPN interface on eth1, in CIDR notation (e.g., 64).
Interface IPv6 Gateway (optional): IPv6 gateway for the VPN interface on eth1, used when clients connect through this interface.
-
Under Virtual Private Network Scopes, click Add.
-
Configure using the table below.
Label: Desired name for the VPN DHCP scope.
Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, labels of DHCP Scopes should not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_". These are reserved.
Gateway: Default gateway for the client lease pool you are adding. Do not use the default gateway for eth1.
Domain: Must match the domain value configured in the Palo Alto.
NOTE:
-
FortiNAC only answers SRV queries from connecting agents sourced from this domain. If FortiNAC is managing multiple VPN scopes, they must all use the same domain. See DNS File Entry Descriptions in the Appendix for details.
-
OS X, iOS, and some Linux systems may have communication issues if a .local suffix is used.
Mask: Subnet mask for the default gateway.
-
Under Lease Pools, click Add.
-
Enter the IP Addresses for Start and End of the lease pool range for the VPN scope defined in the FortiGate Address Object.
-
Click Add to save.
-
Click Apply.
-
Repeat steps 10 - 13 for additional VPN scopes as needed.
-
Click Summary when finished.
-
Review the data on the Summary View to confirm the configured settings.
-
Click Apply. The Configuration Wizard writes the data to the files on the appliances. This process may take several minutes to complete. When completed, the Results page appears.
-
Review the Results. Errors are noted at the top of the Results page.
-
Scroll down through the results and note errors or warnings. Make changes and apply them until a successful configuration is written.
Example values:
FortiNAC CA FQDN: Server01.Fortinet.com
Eth0 (Management interface): 10.200.20.20
Registration interface: 10.200.5.20
Remediation interface: 10.200.5.21
VPN interface: 10.200.5.22
Eth1 GW: 10.200.5.1
VPN DHCP range (SSL): 10.200.80.10 - 10.200.80.99
VPN DHCP range (IPSec): 10.200.80.100 - 10.200.80.200
-
After committing the changes in the Configuration Wizard, run the command ifconfig in the FortiNAC CLI to identify the sub-interfaces assigned to the isolation networks. If the Control and Application Servers are separate, access the CLI of the Application Server.
> ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.200.20.20 netmask 255.255.255.0 broadcast 10.200.20.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        broadcast 10.200.5.255
        inet6 fe80::20c:29ff:fe71:e423 prefixlen 64 scopeid 0x20<link>
        ether 00:0c:29:71:e4:23 txqueuelen 1000 (Ethernet)
eth1:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        broadcast 10.200.5.255
eth1:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        broadcast 10.200.5.255 << VPN
-
Proceed to Policy Based Routes.
Policy Based Routes
Configure policy-based routing. Policy-based routing ensures that traffic is transmitted out the same interface on which it was received. This allows FortiNAC agents to communicate with FortiNAC through either the management interface (eth0) or the VPN sub-interface, depending on whether the endpoint is isolated or not.
Policy-based routing is configured on FortiNAC using the setupAdvancedRoute command, which is run from the FortiNAC CLI. This must be done on both the Primary and Secondary Servers in High Availability configurations. For details on policy-based routing and the script used for configuration, see Policy Based Routing in the Appendix.
Important: If High Availability is configured, execute the steps outlined in sections Isolation Interfaces and Policy Based Routes on the Secondary Server and make the same modifications. Otherwise, VPN will not work should a failover occur.
-
Log in to the CLI as root on the FortiNAC server (the Application Server if the Control and Application Servers are separate).
-
Run the script
Important: The following instructions presume the script has not yet been run. If the script has been run previously and you are modifying or adding an interface, see the Appendix for instructions.
-
Type setupAdvancedRoute
-
Type I to install
-
Enter the gateway for each interface (eth0, eth1, etc.) as prompted.
-
Once the script completes, verify the configuration. Type
ip rule show
There should now be a rule listed for each interface and sub-interface configured:
0: from all lookup local
10: from <eth0 IP address> lookup eth0
20: from <eth1 IP address> lookup eth1
30: from <eth1:1 IP address> lookup eth1:1
40: from <eth1:2 IP address> lookup eth1:2
32766: from all main
32767: from all default
Example:
>ip rule show
0: from all lookup local
10: from 10.200.20.20 lookup eth0
20: from 10.200.5.20 lookup eth1
30: from 10.200.5.21 lookup eth1:1
40: from 10.200.5.22 lookup eth1:2
32766: from all main
32767: from all default
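The same check can be done mechanically. The shell function below is an added example, not part of this guide or of the setupAdvancedRoute script; it parses a constructed copy of the ip rule show output above, compares it against the interface-to-address pairs from the example values, and reports any interface that has no source-address rule.

```shell
#!/bin/sh
# Added example, not part of the FortiNAC guide or the setupAdvancedRoute script.
# Checks that `ip rule show` output carries a source-based rule for every
# interface/address pair assigned by the Configuration Wizard.

# Constructed sample: the example `ip rule show` output from this guide.
SAMPLE_RULES='0: from all lookup local
10: from 10.200.20.20 lookup eth0
20: from 10.200.5.20 lookup eth1
30: from 10.200.5.21 lookup eth1:1
40: from 10.200.5.22 lookup eth1:2
32766: from all main
32767: from all default'

# Constructed expectation: "<interface> <address>" pairs from the example values.
EXPECTED='eth0 10.200.20.20
eth1 10.200.5.20
eth1:1 10.200.5.21
eth1:2 10.200.5.22'

# check_rules RULES EXPECTED
# Prints "MISSING: from <addr> lookup <iface>" for each pair that has no rule.
# Returns 0 when every pair is present, 1 otherwise.
check_rules() {
    missing=$(printf '%s\n' "$2" | while read -r iface addr; do
        [ -z "$iface" ] && continue
        # Compare whole fields so 10.200.5.2 does not match 10.200.5.20
        # and eth1 does not match eth1:1.
        printf '%s\n' "$1" | awk -v a="$addr" -v i="$iface" \
            '$2 == "from" && $3 == a && $4 == "lookup" && $5 == i { found = 1 }
             END { if (!found) print "MISSING: from " a " lookup " i }'
    done)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# On the appliance, use the live output instead: check_rules "$(ip rule show)" "$EXPECTED"
check_rules "$SAMPLE_RULES" "$EXPECTED" && echo "policy-based routing rules present for all interfaces"
```

A non-zero exit with one or more MISSING lines means the rule for that interface was not installed and the script should be re-run for it before rebooting.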
-
Reboot the appliance.
System Defined Uplink Count
Ensure the System Defined Uplink Count value is larger than the maximum number of VPN clients that could be online at the same time. Otherwise, the VPN virtual port in FortiNAC could be changed to an uplink; all clients would then be marked as offline and their FSSO tags removed, affecting network access. For details on setting this value, see System Defined Uplink Count in the Network device section of the Administration Guide.
Authentication Server Settings
Before network access is permitted, rogue hosts connecting to the VPN must register with FortiNAC via the captive portal or the Persistent Agent. If you do not want to register unknown hosts connecting to the VPN, skip this step.
Configure FortiNAC to authenticate using either a RADIUS server or LDAP directory. Refer to the Administration Guide sections listed below for instructions. Depending upon the deployment, these components may already be configured.
-
Define which authentication server type will be used (LDAP or RADIUS). See Portal configuration - Configure authentication credentials.
-
Configure the settings for the authentication server. Refer to the appropriate section: