FortiWLC Device Configuration - MAC Authentication

This section provides instructions for configuring the FortiWLC controller with an SSID that uses MAC Authentication. Other methods of controlling which hosts are allowed on the network, such as 802.1x or Internal Captive Portal, can also be configured and are discussed in this document.

Use a browser to log into the FortiWLC controller. Make sure the following items are configured:

Note

When configuring security strings on network devices or names for items within the configuration, it is recommended that you use only letters, numbers and hyphens (-). Other characters may prevent FortiNAC from communicating with the device, such as #. Some device manufacturers prohibit the use of special characters.

VLANs

Create the VLANs that correspond to the host states you wish to enforce. These connection states include default (production) and isolation states including: registration, quarantine, authentication, and dead-end (disabled). For each VLAN configure the following:

  • VLAN name
  • VLAN ID
  • The DHCP Pass-Through option should be set to On.

APs configured for Bridged Mode: Ensure that VLANs configured on the AP are also created on the controller. Otherwise, those VLANs cannot be used when provisioning network access. FortiNAC needs visibility of every VLAN it may be configured to assign. A centralized network is not required for each VLAN, but the VLAN must exist on the controller.

RADIUS Server

Define the FortiNAC Server or FortiNAC Control Server as the RADIUS server for the devices you want to manage with FortiNAC. Use the management IP Address of your FortiNAC Server as the IP of the RADIUS Server. The FortiNAC software is preconfigured to use port 1812 for authentication. Set the MAC Address delimiter to colon (:).

If setting up FortiNAC as the RADIUS server for a device in a Fortinet High Availability environment, the actual IP address of the primary control server must be used, not the Shared IP address. Set up the secondary control server as a secondary RADIUS server using its actual IP address. Regardless of the environment, you may also want to set up your actual RADIUS server to be used in the event that none of your FortiNAC appliances can be reached. This would allow users to access the network, but they would not be controlled by FortiNAC.

Caution

The RADIUS Secret used must be exactly the same on the wireless device, on the RADIUS server and in the FortiNAC software under RADIUS Settings and Model Configuration.

MAC Filtering

For MAC Filtering configure the following:

  • FortiWLC versions prior to 8.0: Make sure the ACL Environment State is set to Deny List Enabled.
  • FortiWLC versions 8.0 and above: Enable RADIUS Change of Authorization (CoA).
  • For MAC Auth SSIDs, select the RADIUS profile created above that designates your FortiNAC Server as the RADIUS server.

Authentication - Security Profile

On the FortiWLC controller the authentication method is configured as a Security Profile along with an encryption type, and other related parameters. These profiles are later associated with an SSID. It is possible to have multiple SSIDs supported simultaneously, some using one method and others using another.

When configuring a wireless device with multiple SSIDs that will be managed by FortiNAC, FortiNAC only allows a single VLAN mapping for each isolation state per device. For example, if the Remediation VLAN is VLAN 10 on one SSID it has to be VLAN 10 on all SSIDs, and if Dead End is VLAN 25 it has to be VLAN 25 for all SSIDs.

If you choose to use MAC Authentication you must create a Security Profile specifically for this authentication type. Note that with MAC Authentication the RADIUS server configured under the MAC Filter is always used. You cannot specify a different RADIUS server. Configure the profile as follows:

  • In the L2 Modes allowed section select an encryption mode.
  • In the Captive Portal section select Disabled.
  • Set Mac Filtering to On.

ESS Profile/SSID

An SSID characterizes a wireless network on the FortiWLC controller. You can create one or more SSIDs on the controller and you may choose to have FortiNAC manage any number of them. Each SSID is represented by an ESS Profile. For each SSID you wish to have FortiNAC manage, create an ESS Profile as follows:

  • Create an ESS Profile Name.
  • Create a SSID Name.
  • Set the Enable/Disable field to Enable.
  • Select the MAC Authentication Security Profile from the list.
  • Set the Tunnel Interface type to RADIUS VLAN Only.
  • Set the IP Prefix Validation field to Off. When enabled, it conflicts with configurations that change a client's VLAN via RADIUS.

SSID Location

FortiWLC controllers running firmware version 6.0 or higher can provide SSID Location information along with a MAC Authentication RADIUS request. This information allows FortiNAC to model the MAC Auth SSIDs. When SSIDs are modeled, FortiNAC can leverage User/Host Profiles that are based on the SSID location to assign policies. To send SSID Location to FortiNAC in a RADIUS request configure the following:

Under Configuration > Security-RADIUS, set the Called-Station-ID Type option to MAC MacAddress:SSID.
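As an added example (not Fortinet's code), the following Python snippet checks the two RADIUS identifiers this configuration depends on: a colon-delimited client MAC in Calling-Station-Id, and a Called-Station-Id in the MacAddress:SSID form that carries the SSID location. The attribute values are constructed samples; the function names and the findings text are this example's own.

```python
import re
from typing import Optional, Tuple

# Constructed sample: what an Access-Request carries once the MAC Address
# delimiter is colon and Called-Station-ID Type is MAC MacAddress:SSID.
SAMPLE_ATTRIBUTES = {
    "Calling-Station-Id": "00:11:22:AA:BB:CC",            # client MAC
    "Called-Station-Id": "00:0C:E6:12:34:56:Corp-Staff",  # AP MAC + ':' + SSID
}

# Six hex octets separated consistently by ':' or '-' (the delimiter is group 1).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> Optional[str]:
    """Return the MAC as lowercase colon-delimited, or None if malformed."""
    if not MAC_RE.match(mac.strip()):
        return None
    return ":".join(o.lower() for o in re.split(r"[:-]", mac.strip()))


def parse_called_station_id(value: str) -> Optional[Tuple[str, str]]:
    """Split 'MacAddress:SSID' into (ap_mac, ssid).

    The MAC occupies the first 17 characters, so the SSID is taken from
    position 18 onward; an SSID containing ':' is therefore preserved.
    Returns None for a bare MAC (Called-Station-ID Type left at default)
    or any other malformed value, so the caller can flag the misconfiguration.
    """
    value = value.strip()
    if len(value) < 19 or value[17] != ":":
        return None
    ap_mac = normalize_mac(value[:17])
    ssid = value[18:]
    if ap_mac is None or not ssid:
        return None
    return ap_mac, ssid


def check_request(attrs: dict) -> dict:
    """Validate both identifiers and list configuration problems found."""
    findings = []
    client = normalize_mac(attrs.get("Calling-Station-Id", ""))
    if client is None:
        findings.append("Calling-Station-Id is not a valid MAC; check the MAC Address delimiter")
    parsed = parse_called_station_id(attrs.get("Called-Station-Id", ""))
    if parsed is None:
        findings.append("Called-Station-Id lacks ':SSID'; set Called-Station-ID Type to MAC MacAddress:SSID")
    ap_mac, ssid = parsed if parsed else (None, None)
    return {"client_mac": client, "ap_mac": ap_mac, "ssid": ssid, "findings": findings}
```

Running check_request over a controller's RADIUS accounting or debug capture is a quick way to confirm that the SSID location is actually reaching FortiNAC before relying on SSID-based User/Host Profiles.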