FortiNAC Software Configuration

For the FortiNAC software to recognize your device, you must add it to the Topology View either by prompting the FortiNAC software to discover the device or by adding it manually. Refer to the Help files contained within your FortiNAC software for instructions on Discovery or Adding a Device.

Regardless of how the device is added, the FortiNAC software must be able to communicate with it. To provide initial communication, you must indicate within the FortiNAC software whether to use SNMPv1 or SNMPv3 along with the appropriate SNMP access parameters.

Note

Be sure to configure the IP address of the FortiNAC Server or Control Server as a client in the FortiWLC SNMP setup. If SNMP is not set up correctly, FortiNAC will not be able to communicate with the controller.

FortiNAC Software Device Model Configuration

To manage a device, the FortiNAC software must have a model of the device in its database. First create or discover the device in the FortiNAC software. Once the device has been identified by FortiNAC, use the Model Configuration window to enter device information.

The Model Configuration window allows you to configure devices that are connected to your network so that they can be monitored or managed. Data entered in this window is stored in the FortiNAC database and is used to allow interaction with the device.

General

User Name: The user name used to log on to the device for configuration. This is for CLI access.

Password: The password required to configure the device. This is for CLI access.

Protocol Type (Telnet / SSH2): Use either Telnet or SSHv2 if it is available on your device.

RADIUS

Primary Server: The RADIUS server used for authenticating users connecting to the network through this device. Select the Use Default option from the drop-down list to use the server indicated in parentheses. Used only for 802.1x authentication. See RADIUS Settings in the Help system for information on configuring your RADIUS Servers.

Secondary Server: If the Primary RADIUS server fails to respond, this RADIUS server is used for authenticating users connecting to the network until the Primary RADIUS Server responds. Select the Use Default option from the drop-down list to use the server indicated in parentheses. Used only for 802.1x authentication.

RADIUS Secret: The Secret used for RADIUS authentication. Click the Modify button to change the RADIUS secret. Used for both 802.1x and MAC authentication.

Caution

The RADIUS Secret used must be exactly the same on the wireless device, on the RADIUS server and in the FortiNAC software under RADIUS Settings and Model Configuration.

Network Access

Manage Captive Portal: If enabled, FortiNAC uses Firewall Rules to treat authenticated and unauthenticated users differently. See the ICP description in this document for more information.

If the Captive Portal setting on any Security Profile for any SSID is set to WebAuth, indicating that the SSID is being managed by Internal Captive Portal (ICP) on the Meru Controller, and this check box is enabled, all SSIDs set to WebAuth will be managed by FortiNAC.

Read VLANs: Populates the Access Value fields with configured VLANs read from the controller.

Network Access - Host State

Default: The Default VLAN value is stored in the database and is used when the VLAN is not determined by another method, such as a user, host or device role.

Typically, if a VLAN is specified as the Default, it is the VLAN used for "normal" or "production" network access.

Registration: The registration VLAN for this device. Isolates unregistered hosts from the production network during host registration.

Authentication: The authentication VLAN for this device. Isolates registered hosts from the production network during user authentication. Optional.

Dead End: The dead end VLAN for this device. Isolates disabled hosts by providing limited or no network connectivity.

Quarantine: The quarantine VLAN for this device. Isolates hosts that pose a security risk because they failed a policy scan from the production network.

Network Access - Access Parameters

Access Enforcement: This set of drop-down menus works in conjunction with the Host States listed above to determine treatment for hosts when no VLAN/Role value is supplied or when access control is being enforced. Options include:

Deny — Host will be denied access to the network when the host is in this state. For example, if the host is not registered and Registration is set to Deny, the host connection will be rejected.

Note: Endpoints that have been denied access may continuously request access, which can unnecessarily consume system resources.

Bypass — Host will be allowed access to the network when the host is in this state. The host will be placed on the default VLAN/Role configured on the device for this port or SSID. For example, if Quarantine is set to Bypass, hosts that fail a scan and would normally be placed in Quarantine are placed in the default VLAN/Role on the device.

Enforce — Indicates that the host will be placed in the VLAN/Role specified in the Access Value column for this state.

Access Value: VLAN/Role where a host in this state should be placed when it connects to the network. If Enforce is selected in the Access Enforcement field, you must enter a value in the Access Value field.

Wireless AP Parameters

Preferred Container Name: If this device is connected to any Wireless Access Points, they are included in the Topology View. Enter the name of the Container in which these Wireless Access Points should be stored. Containers are created in the Topology View to group devices.

Setup the Model Configuration

Caution

The RADIUS Secret used must be exactly the same on the wireless device, on the RADIUS server and in the FortiNAC software under RADIUS Settings and Model Configuration.

Note

Because you are using 802.1x authentication, make sure you have a RADIUS Server configured. Select Network Devices > RADIUS Settings. See Configuring RADIUS Server Profiles in the Help system for additional information on adding a RADIUS Server.

  1. After you have discovered or added the device in the Topology View, navigate to the Model Configuration window. Right-click on the device, select the device name, and then click Model Configuration.
  2. Enter the User Name used for CLI access on this device.
  3. Enter the Password used for CLI access on this device.
  4. In the Protocol section select either Telnet or SSHv2 if it is available on your device model.
  5. Click Apply.
  6. If you are using MAC authentication, only the RADIUS Secret is required. If you are using 802.1x authentication, either the default RADIUS server or a pre-configured RADIUS server must be selected. RADIUS servers are configured on the RADIUS Settings window.
  7. Enter the RADIUS Secret. This must match the value entered on the device itself and the value entered on the RADIUS settings window.
  8. To use the ICP feature, enable the Manage Captive Portal check box.
  9. Click Read VLANs to retrieve the Current Device Interface settings. This creates the interface models.
  10. Select a setting in Access Enforcement for each host state.
  11. In the Access Value column enter a VLAN ID for each host state that you wish to enforce.
    Note

    Access Enforcement applies only to SSIDs configured for 802.1x or MAC authentication. SSIDs configured to use ICP or set to WebAuth will ignore Access Enforcement settings.

  12. In the Preferred Container field, select the Container in which the Wireless Access Points should be placed as they are discovered.
  13. Click Apply.
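The Access Enforcement and Access Value rules from the Model Configuration table, together with the note under step 11, can be written out as one decision routine. This is an added illustration, not FortiNAC code; the host states and the Deny/Bypass/Enforce modes come from this page, while the SSID authentication labels, the "captive-portal" outcome name and the sample VLAN IDs are assumptions.

```python
"""Model of the Access Enforcement / Access Value decision per host state.
Constructed illustration: state names and modes are from the page; the SSID
authentication labels and sample VLAN IDs are assumptions."""
from dataclasses import dataclass
from typing import Optional

HOST_STATES = ("Default", "Registration", "Authentication", "Dead End", "Quarantine")
MODES = ("Deny", "Bypass", "Enforce")
# SSID authentication methods to which Access Enforcement applies (step 11 note)
ENFORCED_SSID_AUTH = ("802.1x", "mac")


@dataclass
class StateSetting:
    enforcement: str                    # one of MODES
    access_value: Optional[str] = None  # VLAN ID (or role); mandatory when Enforce


def validate(states: dict) -> list:
    """Errors an operator should catch before clicking Apply."""
    errors = []
    for name in HOST_STATES:
        s = states.get(name)
        if s is None:
            errors.append(f"{name}: no Access Enforcement setting")
        elif s.enforcement not in MODES:
            errors.append(f"{name}: unknown enforcement {s.enforcement!r}")
        elif s.enforcement == "Enforce" and not s.access_value:
            errors.append(f"{name}: Enforce selected but Access Value is empty")
    return errors


def decide_access(states: dict, host_state: str, ssid_auth: str, device_default_vlan: str):
    """Return (action, vlan) for a host in host_state joining an SSID.
    ("deny", None) / ("bypass", device default VLAN or role) / ("enforce", Access Value),
    or ("captive-portal", None) for ICP/WebAuth SSIDs, where FortiNAC's firewall
    rules apply instead of Access Enforcement."""
    if ssid_auth not in ENFORCED_SSID_AUTH:
        return ("captive-portal", None)
    s = states[host_state]
    if s.enforcement == "Deny":
        return ("deny", None)
    if s.enforcement == "Bypass":
        return ("bypass", device_default_vlan)
    if not s.access_value:
        raise ValueError(f"{host_state}: Enforce requires an Access Value")
    return ("enforce", s.access_value)


# Constructed sample Model Configuration (VLAN IDs are made up)
SAMPLE = {
    "Default": StateSetting("Enforce", "10"),
    "Registration": StateSetting("Enforce", "20"),
    "Authentication": StateSetting("Bypass"),
    "Dead End": StateSetting("Deny"),
    "Quarantine": StateSetting("Enforce"),  # misconfigured: Access Value left empty
}
```

Running validate(SAMPLE) flags the Quarantine row, which is exactly the combination the Access Value description forbids; the same host on a WebAuth SSID never reaches the enforcement table at all.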

Discover Access Points

Access Points connected to the controller must be added to FortiNAC to allow FortiNAC to see and manage connected hosts. Refer to the Wireless Integration section of the FortiNAC online help or locate the PDF version of that document in the Fortinet online Resource Center.

Device Groups

To detect which hosts have disconnected from the wireless device, you must set up a frequent polling interval for your wireless devices. Devices are automatically added to the appropriate system group as they are added to the system. The default polling interval is 10 minutes. Devices are added automatically to the L2 Polling group, which polls for connected MAC addresses. It is recommended that you add the wireless device to the L3 Polling group, which does IP to MAC polling. You can set polling intervals on an individual device by going to the Device Properties window for that device.

Add FortiWLC Controller to L3 Polling Group

If you are using the ICP feature, the FortiWLC controller must be added to the L3 Polling Group with a higher priority than other devices. Modify the controller's group membership and priority as follows:

  1. Select Network Devices > Network Devices.
  2. Locate the FortiWLC Controller in the list of devices and select it.
  3. In the Views column select the Group Membership icon.
  4. When the Group Membership dialog is displayed, click on the L3 (IP->MAC) group to mark it with a check mark and click OK.
  5. In the Views column select the Device Properties icon.
  6. On the Device Properties window click the Polling tab.
  7. Scroll down to L3 Polling and set the priority to something higher than all other devices, such as High.
  8. Click Apply to save.
