7.4.0

Considerations

  • Redundant Controllers using VIP: In order to ensure FortiNAC does not lose SSH communication when VIP moves between controllers, SSH keys must be manually entered for each controller.

  • System port group assignment for Controller and AP connected switch ports: It is recommended to remove these ports from the "Forced Registration", "Forced Remediation", and "Forced Authentication" port groups.

    • Connecting unregistered APs to those ports creates rogue host records.

    • Once the controller is modeled, FortiNAC reads the list of managed Access Points from the controller. Any APs managed by that controller are then converted to device models.

    • If those ports are left in any of the previously mentioned system port groups, the APs are isolated and will not have connectivity to their controller. If the controller cannot communicate with an AP, the AP will not be discovered and created.

    • Once a model exists for the AP, the ports can be placed into any of the forced isolation groups to subsequently protect those ports.

  • Aruba Software License Dependencies

    • For all ArubaOS releases the PEF license is required to support Roles on the Aruba controller. Without the PEF license, only VLANs can be configured on the controller.

  • SSID Operation Mode and Authentication

    • It is recommended that Aruba OS version 3.1.1 or later be running on mobility controllers integrating with FortiNAC software.

    • In environments that lack 802.1X infrastructure, enable MAC authentication. Set the security for an SSID using MAC authentication to Open System. This relies on RADIUS transactions to provide dynamic role assignment to connecting hosts.

  • VLAN Pools

    Aruba allows for the creation of VLAN pools on the controller. VLAN pools may be used with FortiNAC with the following configuration requirements:

    • VLAN pools must be encapsulated within an Aruba role definition. FortiNAC assigns sessions to roles and is agnostic to the VLANs within the pool.

    • Within the FortiNAC model configuration view for the Aruba controller, the Operational Mode must be set to "L2 Roles with VLANs". For additional details, refer to "FortiNAC Software Device Model Configuration".

    • If VLAN pools are to be used for FortiNAC Isolation network states (Registration, Remediation, etc), FortiNAC must be configured for Layer 3 Network Type (isolation network traffic is routed to FortiNAC).

    • VLAN pools within Aruba roles have been validated on Aruba version 6.4.4.9, although earlier versions of Aruba firmware may also support them.

  • If using Local RADIUS in FortiNAC for the Aruba WLC integration, the Aruba controller must be configured with a loopback address that matches the IP address modeled in FortiNAC, and the controller should source its RADIUS traffic from that loopback interface/IP address.
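As an added illustration, not taken from this document or from Fortinet or Aruba, the following ArubaOS-style configuration fragment shows the VLAN pool and Local RADIUS requirements above in one place: a VLAN pool encapsulated in a user role, a loopback address sourcing the controller's RADIUS traffic, and MAC authentication on an Open System SSID pointed at FortiNAC. All names, VLAN IDs, IP addresses and the shared secret are constructed placeholders, the command syntax is assumed to follow ArubaOS 6.x, and the lines beginning with `!` are annotations.

```text
! Constructed example: placeholder names, VLAN IDs, addresses and secret.
! 1. VLAN pool wrapped in a user role. FortiNAC assigns the role;
!    the controller picks a VLAN from the pool for each session.
vlan 110
vlan 120
vlan 130
vlan-name reg-pool pool
vlan reg-pool 110,120,130
user-role fortinac-registration
  vlan reg-pool
! 2. Loopback address equal to the IP modeled in FortiNAC, used as
!    the source of all RADIUS traffic so FortiNAC sees one client IP.
interface loopback
  ip address 10.10.0.5
ip radius source-interface loopback
! 3. FortiNAC Local RADIUS as the MAC-authentication server for an
!    Open System SSID; the role comes back dynamically from FortiNAC.
aaa authentication-server radius fortinac
  host 10.10.1.20
  key <shared-secret-placeholder>
aaa server-group fortinac-grp
  auth-server fortinac
aaa authentication mac fortinac-mac
aaa profile fortinac-aaa
  authentication-mac fortinac-mac
  mac-server-group fortinac-grp
  mac-default-role fortinac-registration
wlan ssid-profile fortinac-ssid
  essid "Corp-MACauth"
  opmode opensystem
wlan virtual-ap fortinac-vap
  ssid-profile fortinac-ssid
  aaa-profile fortinac-aaa
```

The loopback and the FortiNAC-side RADIUS client entry must agree on the same IP, otherwise FortiNAC will drop the requests as coming from an unknown client.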
