Administration Guide

Requirements

To use Supplicant EasyConnect policies to configure the supplicant on hosts that connect to your wireless network, the following requirements must be met:

  • If your RADIUS server is configured with a certificate it must be a trusted third-party certificate from a CA such as Verisign or Thawte. If you have used a self-signed certificate it must be distributed to all hosts or you must replace it with a trusted third-party certificate. FortiNAC will not be able to configure the supplicant unless these certificates are correct.
  • You must have at least one Isolation VLAN, such as Registration or Remediation. If you do not, use the Configuration Wizard to configure an Isolation context. See the Appliance Installation Guide for instructions on running the Configuration Wizard.
  • Supplicant EasyConnect Policies are only supported on the following operating systems:

    • Windows 7 Service Pack 1 and higher
    • Windows 8, 8.1, 10 and higher
    • macOS 10.7 and higher
    • Android 2.3.3 or higher
    • iOS 4.0 or higher

    Having the required Windows Service Packs installed ensures that the host is transitioned to the secure SSID without having to close and reopen the browser.

    Note

    Windows 10 hosts using the random hardware address functionality may experience unpredictable and undesired results with the Supplicant EasyConnect feature.

  • Supplicant EasyConnect Configurations can only be applied as follows:

    • For Windows and macOS hosts you must use the Dissolvable Agent or the Persistent Agent
    • For Android devices you must use the Mobile Agent. Mobile Agent requires the use of a certificate from a CA. A self-signed certificate cannot be used. See SSL certificates.
    • iOS and macOS users need to select the secure SSID because they will not be switched to that SSID automatically after applying the supplicant configuration.
  • Supplicant configurations are applied to the host using an agent, except in the case of iOS devices, where the user is prompted to download the configuration from the Captive Portal. The Dissolvable Agent or Persistent Agent is used for Windows and macOS hosts, and the Mobile Agent is used for Android devices.
  • Supplicant configurations for Windows hosts connecting on an SSID that uses WEP Enterprise, WPA Enterprise, or WPA2 Enterprise for security require that you upload the CA or Root certificate for the valid SSL certificate used to secure the RADIUS server. FortiNAC parses the CA certificate in order to read the CA fingerprint. This allows the supplicant configuration to be applied correctly and to switch the Windows host from the Open SSID to the Secure SSID. CA or Root certificates can be downloaded from the CA that issued your SSL certificate. See Add or modify a configuration and Open SSID for device onboarding.

  • If you would like to modify the text displayed to Apple iOS users in the captive portal, go to the portal content editor and modify Profile Configuration Download under the appropriate Isolation context, such as Registration or Remediation. See Portal content editor.
  • Configure Isolation VLANs on the Model configuration for the wireless devices being used or the individual SSIDs being used. See Model configuration or SSID configuration.
  • Create an endpoint compliance policy that uses the Dissolvable Agent or the Persistent Agent for Windows and macOS hosts and the Mobile Agent for Android hosts. The user/host profile created for this endpoint compliance policy must contain information that matches a connecting host that needs to have a supplicant configured. For example, the User/Host profile could have a group of wireless devices as the connection location and Host operating system in the Who/What by Attribute field. See Endpoint compliance policies and Agent packages.

    Note

    It is recommended that you modify the associated scan to require Service Pack 1 and higher for Windows 7. Having these Service Packs installed ensures that the host is transitioned to the secure SSID without having to close and reopen the browser.

    Note

    In some cases, when the supplicant configuration is applied using the Persistent Agent, the host cannot be transitioned to the secure SSID automatically. The user must connect to the SSID manually.

  • Create at least one user/host profile with criteria that match the hosts that need a supplicant, such as operating system or connection location. See User/host profiles.
  • Create at least one supplicant configuration with the setup parameters for the SSID that hosts will use. See Supplicant configurations.
  • Create at least one Supplicant EasyConnect Policy that maps the supplicant configuration to a user/host profile. See Supplicant EasyConnect policies.
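
The requirement above to upload the CA or Root certificate for the RADIUS server can be checked before the upload. The following is an added example, not part of the Fortinet documentation: it confirms that a PEM file holds exactly one CA certificate, that the RADIUS server certificate validates against it, and prints its fingerprint. The function names, file names and the test CA are constructed for illustration; the page does not state which digest FortiNAC reads, so the digest is a parameter.

```shell
# Pre-upload checks for the CA/Root certificate of the RADIUS server certificate.

# Print the fingerprint of PEM certificate $1; $2 is the digest (default sha256).
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-${2:-sha256}" | cut -d= -f2
}

# Succeed only if $1 holds exactly one certificate and it is marked CA:TRUE.
is_single_ca() {
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ] || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeed only if the RADIUS server certificate $2 validates against the CA $1.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample material in directory $1: ca.pem (a throwaway test CA)
# and radius.pem (a server certificate signed by it).
make_sample() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.pem" -days 1 2>/dev/null
    openssl req -config "$1/ca.cnf" -new -newkey rsa:2048 -nodes \
        -subj '/CN=radius.example.test' \
        -keyout "$1/radius.key" -out "$1/radius.csr" 2>/dev/null
    openssl x509 -req -in "$1/radius.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/radius.pem" -days 1 2>/dev/null
}

# Run the checks on the constructed sample.
d=$(mktemp -d) && make_sample "$d"
if is_single_ca "$d/ca.pem" && chains_to_ca "$d/ca.pem" "$d/radius.pem"; then
    echo "CA file OK, SHA-256 fingerprint: $(ca_fingerprint "$d/ca.pem")"
fi
```

Compare the printed fingerprint with the value published by the issuing CA before uploading the file.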
