When hosts connect to the network, the FortiNAC software determines the host’s state. Based on that state the host may be sent to registration, quarantine, authentication, dead end, or the production network. The configuration of the device to which the host has connected controls the host’s network access.
Use model configuration of your FortiNAC software to set just a VLAN for each host state, a VLAN and a CLI configuration for any of those states or nothing. If you set a CLI configuration for a state, you must also set a VLAN for that state even if it is just the production VLAN. When both a VLAN and a CLI configuration are set for a particular host state, they can work in conjunction with each other. For example, if authentication is set to VLAN 10 and a CLI configuration is also applied, that configuration might reduce bandwidth while the user is in the authentication VLAN.
CLI configurations will not be applied if there is no VLAN selected in the Network Access section of the model configuration.
This option is used when you would like to apply a CLI configuration to hosts who do not match a network access policy. Typically these hosts would not have a policy because they have not registered or been authenticated and the FortiNAC software does not know who they are.
- Select Network Devices > Topology.
- Right-click on the device and then click Model Configuration.
- In General, enter the User Name and Password for CLI access to the device.
- In Protocol, select the communication protocol for this device.
- In Network Access, select Read VLANs to populate drop-downs for each host state. Select the VLANs used for each host state. Note that you should not fill in the Default field if ports on this device have different default VLAN settings. Default VLANs should be set in Network Access/VLANS. If all ports on the device use the same default VLAN, you can set it here.
- In the CLI Configurations section, select the type as Port based. Port based configurations affect the port directly.
- Select a CLI Configuration for the host states you wish to affect.
- If you are using a RADIUS server for authentication, the default servers are displayed and do not need to be modified. If this device should use a different RADIUS server for authentication, select it from the drop-down list and enter the matching RADIUS Secret.
- Click Apply to save your changes.