Requirements for ACL based configurations
CLI configurations can be created in your FortiNAC software to modify ACLs based on host state. These CLI configurations are applied via model configuration for the device that contains the ACLs. See Apply a host based configuration via the model configuration. This section provides an overview of the basic setup required within FortiNAC along with some sample ACLs and CLI configurations.
Requirements For IP ACL based configurations
- Devices to which these IP address based CLI configurations are applied must be Layer 3 devices, such as a router or a Layer 3 switch.
- VLAN Switching and MAC Filtering must be disabled for the device. To disable these options locate the device in the Topology. Right-click and select Properties.
- Switches connected to Layer 3 devices should not be modeled in FortiNAC.
- In order to control access to the production network, the ACL permits or denies access to either the FortiNAC DNS server or your regular DNS servers. By doing this the host retains the same IP address throughout the transition to the production network. Therefore, the DHCP server for your hosts should be your regular DHCP server and not FortiNAC.
- Since hosts are switched to the FortiNAC DNS server during isolation, you must add the FortiNAC IP address to the Production DHCP’s list of DNS servers.
- Make sure that the lease pool and lease times are large enough that hosts always receive the same IP address. If a host’s IP address changes before the registration process is complete, then the ACL is not updated correctly.
- The host’s browser caches the registration page. After a host has successfully registered, the success page tells the host to close the browser. If you are using the Dissolvable Agent, the Renew IP option must be enabled. This forces the IP address to be released and clears the cache.