Access point management provides the ability to manage hosts connected to hubs using DHCP as a means to control or restrict host access.
If the Access Point (AP) was discovered using device discovery and the AP supports bridging, FortiNAC automatically puts the AP model in the bridging devices group and the interface that the AP is connected to shows up as a link.
For FortiNAC to manage the hosts connecting through the AP the AP must show up connected to an interface of the upstream switch.
- Put the port that the AP is connected to into the Access Point Management group.
- Remove the AP from the Bridging Devices group.
Undo any uplink setting on the interfaces that the APs are connected to within FortiNAC.
- From Topology, click the device to select it.
- Click the interface that is identified as an uplink to select it, then right-click and select Port Properties.
- Turn the User Defined Uplink off, then click Apply.
- Right-click the switch model and select Resync Interfaces.
The link goes away and either the AP or a Cloud is connected to the interface.
This process has to be done for models that were placed in the Bridging Group that have an AP connected. Each interface where an AP is connected on those models needs to be modified so that access point management is applied.
FortiNAC does the following:
- Assigns authorized hosts an IP address from the allocated IP address pool (this allocation is done in the dhcpd.conf file that is updated using the Configuration Wizard)
- Assigns unauthorized hosts an IP address from the allocated IP address pool for all unauthorized hosts (this allocation is done in the dhcpd.conf file that is updated using the Configuration Wizard)
- Updates the DHCP server configuration with authorized IP addresses and the associated MAC address
- Directs authorized hosts to a valid DNS to allow network access
- Directs unauthorized hosts to FortiNAC’s access point management DNS
- Verifies whether or not the host accessing the network through an access point has a valid IP address in the DHCP lease file
- Generates a Static-IP-Address event if a host’s IP address is not listed in the DHCP lease file maintained by FortiNAC
- Takes action on the Static-IP-Address event when the event is mapped to an alarm and action through the Alarm Mapping functionality
FortiNAC detects static IP addresses and generates a StaticIPAddress event. When a host connects, FortiNAC checks the DHCP lease file maintained by FortiNAC. If the host’s MAC address is in the DHCP lease file, FortiNAC allows the host to connect. If the host’s MAC address is not in the DHCP lease file, FortiNAC generates the StaticIPAddress event. You can map this event to an alarm and have action taken on the host. See Map events to alarms for details on using this feature.
Before configuring access point management in FortiNAC make sure that the access point management view with appropriate VLAN ID and IP address ranges has been configured in the Configuration Wizard. See the Appliance Installation Guide for directions.
If a host is manually rescanned by selecting rescan on the Host Health tab or an existing scan is manually set to Failed while the host is on the production network, the host remains on the production network until the lease for the IP address expires or the host disconnects from the network. There is no mechanism to move the host to Isolation when it is connected to the network in an access point management environment.
- Click System > Settings.
- Expand the Control folder and click Access Point Management.
- Click the check box next to Enable Access Point Management.
- In the Configuration Update field enter the number of seconds that will lapse between updates to the DHCP Configuration file.
Click Add below the IP address table to add ranges of possible IP addresses. This table only needs to be configured if detecting hosts with Static IP addresses is required.
The IP address ranges entered should include all the possible IP addresses that were made available on the network for access point management when the Configuration Wizard was run.
- Enter the Starting and Ending IP addresses of a range of possible IP addresses.
- Click OK.
- Repeat step 6 through step 8 to enter all the ranges of possible IP addresses.
- Click Save Settings to save all changes to the access point management view.
- Click System > Groups and click the Access-Point-Management group to select it.
- Right-click and select Modify.
- The All Members panel in the Modify Group dialog displays a list of Topology containers. Click the + sign next to the container that has the managed switch, and then click the + sign next to the device. Select the port where the access point is connected.
- Click the right arrow to move the port to the Selected Members column.
- Click OK.
- On the Groups view, with the group still selected, click Show Members and verify that the port is in the group.
To disable hosts on the access point, set a port on the switch to a secure or static port based on the type of switch in use. This is not the port where the Access Point connects; it is another port on the same switch. See Secure port/static port overview for additional information.
Some switches may require the command line interface rather than the FortiNAC User Interface.
When a Restricted host connects a fake DNS is given. This will resolve to the FortiNAC Application Server DNS.
The Application Server DNS directs to a page which redirects the host to a preconfigured URL, based on host state (At Risk or Unregistered, for example) Registration, Remediation, Quarantine, or Dead End.