Requirements

To integrate the FortiWLC wireless controller with your Administrative software, you must meet the requirements listed in this table.

Component           Requirement
Device Firmware     Version 5.1.47 or higher
FortiNAC Software   Version 8.1 or higher
                    Note: In many cases previous versions of FortiNAC can be used; however, the instructions are written based on the version noted here.

Individual SSID Configuration

FortiNAC supports individual SSID configuration and management for the FortiWLC wireless controller only when the SSIDs are configured for 802.1x. SSIDs configured for MAC Authentication cannot be identified in a RADIUS request and therefore are not modeled and managed independently from the device. SSIDs configured for MAC Authentication are managed based on the configuration stored for the controller in the FortiNAC Model Configuration. Refer to the Wireless Integration Overview document available in the Fortinet online Resource Center or in your online help.

FortiWLC Internal Captive Portal (ICP)

On an unsecured SSID (not 802.1x) the ICP feature on FortiWLC controllers provides a faster transition between one FortiNAC host state and another because it allows the wireless host to keep the production IP Address assigned when the host connected to the network. Users connecting to an SSID configured for ICP are always initially considered unauthenticated and have restricted network access based upon a set of default firewall rules that block all access to the network except for DHCP and DNS. See FortiWLC documentation for more information on their internal captive portal feature.

Network access control is accomplished on the FortiWLC controller through the application of this default set of Firewall Rules, which redirects hosts to an internal web page on the device. Hosts are given access only to DHCP and DNS to obtain an IP Address, and all HTTP traffic is redirected to the internal web page. The web page, a customized page that must be uploaded to the controller, forces a refresh and directs the host browser to the FortiNAC captive portal or isolation interface. If the host is in a state to be allowed on the production network, FortiNAC commands the FortiWLC device to change the state of the wireless client within the controller to authenticated. For authenticated users, the default set of Firewall Rules is removed so the host can access the production network. For these users, a different set of Rules can optionally be defined and applied to provide other network restrictions based on an administrator's preference. However, any such rules apply to all users connecting to the unsecured SSID; rules cannot be customized by user or host.

If a host needs to be isolated later, FortiNAC commands the FortiWLC device to reset the host to the unauthenticated state, and the restrictive Firewall Rules are reapplied.

This configuration can be used in place of the MAC Authentication configuration. For an SSID using 802.1x authentication, VLAN transition is still accomplished by forcing the host to request a new IP address in the new VLAN.

To use the ICP feature on the controller you must:

  • Use a Layer 3 configuration on FortiNAC. Hosts will be placed into the production network immediately and remain there, but depending on the host's state within FortiNAC, the host will need to access the FortiNAC captive portal views on a different isolation network.
  • You may need to add routes on any core network routers to allow machines on the wireless production network to access the FortiNAC isolation interface.

Additional Notes for ICP

  • If ICP is enabled, FortiNAC attempts to manage all hosts connecting on all SSIDs that use WebAuth within their Security Profile.
  • Browser caching may cause pages to redirect to the isolation page or timeout based on the level of access allowed by the firewall rules in effect. It may be necessary for the user to restart the browser.
  • FortiNAC role based access is not available when using ICP. All users connected to the SSID that are not isolated have the same access to the network based on how it is configured for that SSID.
  • There is no capability to automatically configure a supplicant or change the SSID to which the user is connecting. Users stay on the open SSID until they choose to connect elsewhere.
  • If a user disconnects voluntarily from the wireless network and subsequently reconnects, the machine may immediately be placed back on the network in its previous authenticated state, subject to the "L3 User Session Timeout" value configured for the captive portal on the controller. Other controller-based timeouts also apply, including the "CaptivePortalSessionTimeout" and the "CaptivePortalActivityTimeout".
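The host-state handling described in the ICP section above (default rules that allow only DHCP and DNS and redirect HTTP, removal of those rules once FortiNAC marks the client authenticated, re-isolation, and the reconnect behaviour governed by the L3 session timeout) can be modeled in a few lines. The following is an added illustrative model, not FortiWLC or FortiNAC code; the 600-second timeout, the MAC address and the rule table are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed model of the default ICP rule set for an unauthenticated client:
# DHCP and DNS are allowed, HTTP is redirected to the internal web page, and
# everything else is dropped. Values are illustrative, not FortiWLC defaults.
DEFAULT_RULES = {
    ("udp", 67): "allow", ("udp", 68): "allow",   # DHCP
    ("udp", 53): "allow", ("tcp", 53): "allow",   # DNS
    ("tcp", 80): "redirect",                      # HTTP -> internal captive page
}


@dataclass
class IcpClient:
    mac: str
    authenticated: bool = False   # every new association starts unauthenticated


@dataclass
class IcpController:
    """Tracks per-client state and applies the rule set for that state."""
    session_timeout: int = 600                     # assumed "L3 User Session Timeout" (seconds)
    clients: dict = field(default_factory=dict)
    last_seen: dict = field(default_factory=dict)  # mac -> time of last disconnect

    def connect(self, mac: str, now: int) -> IcpClient:
        # A client reconnecting within the session timeout keeps its previous state;
        # otherwise it is treated as a fresh, unauthenticated association.
        # (Other controller timeouts also apply in practice and are not modeled here.)
        prior = self.clients.get(mac)
        if prior is not None and now - self.last_seen.get(mac, now) <= self.session_timeout:
            return prior
        self.clients[mac] = IcpClient(mac)
        return self.clients[mac]

    def disconnect(self, mac: str, now: int) -> None:
        self.last_seen[mac] = now

    def set_authenticated(self, mac: str) -> None:      # FortiNAC: host allowed on production
        self.clients[mac].authenticated = True

    def reset_unauthenticated(self, mac: str) -> None:  # FortiNAC: isolate the host again
        self.clients[mac].authenticated = False

    def decide(self, mac: str, proto: str, dport: int) -> str:
        """Return allow / redirect / drop for one flow from this client."""
        if self.clients[mac].authenticated:
            return "allow"   # default rules removed; access is the same for every client on the SSID
        return DEFAULT_RULES.get((proto, dport), "drop")
```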