Isolation Interfaces
Configure the eth1 VPN isolation interface using the Configuration Wizard.
High Availability: If High Availability is configured, also open the Configuration Wizard on the Secondary Server and make the same modifications. This ensures the domain value and the additional scopes are present on the Secondary Server in the event of a failover.
- Launch the Configuration Wizard by opening a browser and navigating to https://<FortiNAC IP Address or hostname>:8443/
- Navigate to System > Configuration Wizard.
- Under the Steps column, click Virtual Private Network.
- Select the checkbox for Virtual Private Network Interface eth1.
- Configure the eth1 interface using the table below.
Virtual Private Network Interface eth1
Interface IPv4 Address
    IPv4 address for the VPN interface on eth1.
Mask
    Subnet mask (IPv4) for the VPN interface.
IPv4 Gateway
    Gateway IP address used by the VPN interface.
Interface IPv6 Address (optional)
    IPv6 address for the VPN interface on eth1.
Interface IPv6 Mask in CIDR notation (optional)
    IPv6 prefix length for the VPN interface on eth1, in CIDR notation (e.g., 64).
Interface IPv6 Gateway (optional)
    IPv6 gateway for the VPN interface on eth1, used when clients connect through this interface.
- Under Virtual Private Network Scopes, click Add.
- Configure the scope using the table below.
Label
    Desired name for the VPN DHCP scope.
    Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, DHCP scope labels must not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_". These prefixes are reserved.
Gateway
    Default gateway for the client lease pool you are adding. Do not use the default gateway of eth1 here.
Domain
    Must match the domain value configured on the FortiGate.
    Note: FortiNAC only answers SRV queries from connecting agents that are sourced from this domain. If FortiNAC manages multiple VPN scopes, they must all use the same domain. See DNS File Entry Descriptions in the Appendix for details.
    Note: OS X, iOS, and some Linux systems may have communication issues if a .local suffix is used.
Mask
    Subnet mask of the network the scope gateway belongs to (the network that contains the lease pool).
- Under Lease Pools, click Add.
- Enter the Start and End IP addresses of the lease pool range for the VPN scope, matching the range defined in the FortiGate Address Object.
- Click Add to save.
- Click Apply.
- Repeat steps 10 to 13 for each additional VPN scope.
- Click Summary when finished.
- Review the data on the Summary View to confirm the configured settings.
- Click Apply. The Configuration Wizard writes the data to the files on the appliances. This process may take several minutes to complete. When it completes, the Results page appears.
- Review the Results. Errors are noted at the top of the Results page.
- Scroll down through the results and note any errors or warnings. Make changes and apply them until a successful configuration is written.
Example values:
FortiNAC CA FQDN: Server01.Fortinet.com
Eth0 (Management interface): 10.200.20.20
Registration interface: 10.200.5.20
Remediation interface: 10.200.5.21
VPN interface: 10.200.5.22
Eth1 GW: 10.200.5.1
VPN DHCP range (SSL): 10.200.80.10 to 10.200.80.99
VPN DHCP range (IPSec): 10.200.80.100 to 10.200.80.200
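The rules spread through the steps above (reserved label prefixes, a scope gateway that is not the eth1 gateway, a lease pool that sits inside the scope's network, one domain shared by all VPN scopes, no .local suffix) can be checked before anything is typed into the wizard, which is cheaper than reading them back out of the Results page. The following script is an added example, not FortiNAC code or part of the original page. It is built from the example values above; the scope gateway 10.200.80.1, the /24 scope mask and the domain vpn.example.com are assumptions, since the page gives only the eth1 values and the two ranges. Treating the reserved-prefix comparison as case-insensitive is also an assumption (the note does not say).

```python
import ipaddress

# Reserved DHCP scope label prefixes from the Configuration Wizard note.
RESERVED_PREFIXES = ("REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", "HUB_")


def check_vpn_plan(eth1_ip, eth1_mask, eth1_gateway, scopes):
    """Return a list of problems in a planned eth1 / VPN scope configuration.

    eth1_ip, eth1_mask, eth1_gateway: the Virtual Private Network Interface eth1 values.
    scopes: list of dicts with keys label, gateway, mask, domain, pool_start, pool_end.
    An empty list means the plan passes every check encoded here.
    """
    problems = []
    eth1_net = ipaddress.ip_network(f"{eth1_ip}/{eth1_mask}", strict=False)
    if ipaddress.ip_address(eth1_gateway) not in eth1_net:
        problems.append(f"eth1 gateway {eth1_gateway} is not inside {eth1_net}")

    domains = set()
    pools = []  # (label, start, end) of scopes already checked, for overlap detection
    for s in scopes:
        label = s["label"]
        # Assumption: compare case-insensitively; the wizard note does not say.
        if label.upper().startswith(RESERVED_PREFIXES):
            problems.append(f"{label}: label begins with a reserved prefix")
        if ipaddress.ip_address(s["gateway"]) == ipaddress.ip_address(eth1_gateway):
            problems.append(f"{label}: scope gateway must not be the eth1 default gateway")

        scope_net = ipaddress.ip_network(f"{s['gateway']}/{s['mask']}", strict=False)
        gateway = ipaddress.ip_address(s["gateway"])
        start = ipaddress.ip_address(s["pool_start"])
        end = ipaddress.ip_address(s["pool_end"])
        if start > end:
            problems.append(f"{label}: lease pool start {start} is after end {end}")
        for addr in (start, end):
            if addr not in scope_net:
                problems.append(f"{label}: {addr} is outside the scope network {scope_net}")
        if start <= gateway <= end:
            problems.append(f"{label}: gateway {gateway} lies inside the lease pool")
        for other_label, o_start, o_end in pools:
            if start <= o_end and o_start <= end:
                problems.append(f"{label}: lease pool overlaps scope {other_label}")
        pools.append((label, start, end))

        domain = s["domain"].lower()
        domains.add(domain)
        if domain.endswith(".local"):
            problems.append(f"{label}: domain {domain} uses a .local suffix")

    if len(domains) > 1:
        problems.append(f"all VPN scopes must share one domain, found {sorted(domains)}")
    return problems


# Constructed plan built from the example values above. The scope gateway, mask and
# domain are assumptions; the page only gives the eth1 values and the two ranges.
EXAMPLE_ETH1 = ("10.200.5.22", "255.255.255.0", "10.200.5.1")
EXAMPLE_SCOPES = [
    {"label": "SSL-VPN", "gateway": "10.200.80.1", "mask": "255.255.255.0",
     "domain": "vpn.example.com", "pool_start": "10.200.80.10", "pool_end": "10.200.80.99"},
    {"label": "IPSEC-VPN", "gateway": "10.200.80.1", "mask": "255.255.255.0",
     "domain": "vpn.example.com", "pool_start": "10.200.80.100", "pool_end": "10.200.80.200"},
]

if __name__ == "__main__":
    for problem in check_vpn_plan(*EXAMPLE_ETH1, EXAMPLE_SCOPES) or ["plan OK"]:
        print(problem)
```

Running the script with the example plan prints "plan OK"; feeding it a label such as VPN_SSL, or a scope whose gateway is 10.200.5.1, produces one line per rule broken, so each problem can be corrected before the wizard writes the configuration.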
- After committing the changes in the Configuration Wizard, run ifconfig in the FortiNAC CLI to identify the sub-interfaces assigned to the isolation networks. If the Control Server and Application Server are separate appliances, run it from the CLI of the Application Server.
> ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.200.20.20 netmask 255.255.255.0 broadcast 10.200.20.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.200.5.20 netmask 255.255.255.0 broadcast 10.200.5.255
inet6 fe80::20c:29ff:fe71:e423 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:71:e4:23 txqueuelen 1000 (Ethernet)
eth1:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.200.5.21 netmask 255.255.255.0 broadcast 10.200.5.255
eth1:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.200.5.22 netmask 255.255.255.0 broadcast 10.200.5.255 << VPN
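Reading the three addresses out of the listing by eye is fine once; the script below does the same check repeatably and also confirms that each isolation address is bound to eth1 or one of its sub-interfaces rather than to the management NIC. It is an added example, not FortiNAC's code or part of the original page: it parses ifconfig output (a constructed sample modelled on the listing above, to be replaced with output copied from the appliance) and reports which eth1 sub-interface carries each address. The role names and the EXPECTED table are assumptions built from the example values.

```python
import re

# Constructed sample modelled on the ifconfig output shown above; not captured from a
# real appliance. Replace it with the output copied from the FortiNAC CLI.
SAMPLE_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.20.20  netmask 255.255.255.0  broadcast 10.200.20.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.5.20  netmask 255.255.255.0  broadcast 10.200.5.255
        inet6 fe80::20c:29ff:fe71:e423  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:71:e4:23  txqueuelen 1000  (Ethernet)
eth1:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.5.21  netmask 255.255.255.0  broadcast 10.200.5.255
eth1:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.5.22  netmask 255.255.255.0  broadcast 10.200.5.255
"""

# Expected bindings from the example values above; the role names are assumptions.
EXPECTED = {
    "registration": ("10.200.5.20", "255.255.255.0"),
    "remediation": ("10.200.5.21", "255.255.255.0"),
    "vpn": ("10.200.5.22", "255.255.255.0"),
}

IFACE_RE = re.compile(r"^([A-Za-z0-9_.:-]+): flags=")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+)\s+netmask (\d+\.\d+\.\d+\.\d+)")


def parse_ifconfig(text):
    """Map each interface or alias name (eth1, eth1:1, ...) to its (IPv4, netmask)."""
    bindings = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            bindings[current] = (m.group(1), m.group(2))
    return bindings


def verify_isolation_addresses(ifconfig_text, expected, parent="eth1"):
    """Return {role: interface name} for each expected isolation address.

    Only the parent interface and its sub-interfaces (parent:N) count, so an
    address that ended up on eth0 or another NIC maps to None.
    """
    bindings = parse_ifconfig(ifconfig_text)
    on_parent = {
        addr: name for name, addr in bindings.items()
        if name == parent or name.startswith(parent + ":")
    }
    return {role: on_parent.get(addr) for role, addr in expected.items()}


if __name__ == "__main__":
    for role, name in verify_isolation_addresses(SAMPLE_IFCONFIG, EXPECTED).items():
        print(f"{role:13} {name or 'MISSING on eth1'}")
```

On the sample the script reports registration on eth1, remediation on eth1:1 and vpn on eth1:2, which is the mapping the listing above shows; a role printed as MISSING means the wizard did not bind that address to eth1 and the Results page should be rechecked before moving on.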
Proceed to Policy Based Routes.