9.4.0

Isolation Interfaces

Configure the eth1 VPN isolation interface using Configuration Wizard.

High Availability: If High Availability is configured, access Configuration Wizard on the Secondary Server and make the same modifications. This ensures the domain value and the additional scopes are added properly in the event of a failover.

  1. Launch the Configuration Wizard by opening a browser and navigating to:

    https://<FortiNAC IP Address or hostname>:8443/

  2. Navigate to System > Configuration Wizard.

  3. Under the Steps column, click Virtual Private Network.

  4. Click the checkbox for Virtual Private Network Interface eth1.

  5. Configure the eth1 interface using the table below.

    Virtual Private Network Interface eth1

    Interface IPv4 Address

    IPv4 address for the VPN interface on eth1.

    Mask

    VPN interface subnet mask (IPv4).

    IPv4 Gateway

    Gateway IP address used by the VPN interface

    Interface IPv6 Address (optional)

    IPv6 address for the VPN interface on eth1.

    Interface IPv6 Mask in CIDR notation (optional)

    IPv6 prefix length for the VPN interface on eth1, in CIDR notation (e.g., 64).

    Interface IPv6 Gateway (optional)

    IPv6 gateway for the VPN interface on eth1, used when clients connect through this interface.

  6. Under Virtual Private Network Scopes, click Add.

  7. Configure using the table below.

    Label

    Desired name for VPN DHCP scope

    Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, labels of DHCP Scopes should not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_". These are reserved.

    Gateway

    Default gateway for the client lease pool you are adding. Do not use the default gateway for eth1.

    Domain

    Must match the domain value configured in the FortiGate.

    NOTE:

    • FortiNAC only answers SRV queries from connecting agents sourced from this domain. If FortiNAC is managing multiple VPN scopes, they must all use the same domain. See DNS File Entry Descriptions in the Appendix for details.

    • OS X, iOS, and some Linux systems may have communication issues if a .local suffix is used.

    Mask

    Subnet mask for the default gateway.

  8. Under Lease Pools click Add.

  9. Enter the Start and End IP addresses of the lease pool range. The range must match the VPN client address range defined in the FortiGate address object.

  10. Click Add to save.

  11. Click Apply.

  12. Repeat steps 6 – 11 for each additional VPN scope as needed.

  13. Click Summary when finished.

  14. Review the data on the Summary View to confirm the configured settings.

  15. Click Apply. The Configuration Wizard writes the data to the files on the appliances. This process may take several minutes to complete. When completed, the Results page appears.

  16. Review the Results. Errors are noted at the top of the Results page.

  17. Scroll down through the results and note errors or warnings. Make changes and apply them until a successful configuration is written.

    Example values:

    FortiNAC CA FQDN: Server01.Fortinet.com

    Eth0 (Management interface): 10.200.20.20

    Registration interface: 10.200.5.20

    Remediation interface: 10.200.5.21

    VPN interface: 10.200.5.22

    Eth1 GW: 10.200.5.1

    VPN DHCP range (SSL): 10.200.80.10 – 10.200.80.99

    VPN DHCP range (IPSec): 10.200.80.100 – 10.200.80.200

  18. After committing the changes in Configuration Wizard, run ifconfig in the FortiNAC CLI to identify the sub-interfaces assigned to the isolation networks. If the Control Server and Application Server are separate appliances, run this on the Application Server CLI.

> ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.20.20  netmask 255.255.255.0  broadcast 10.200.20.255

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.5.20  netmask 255.255.255.0  broadcast 10.200.5.255
        inet6 fe80::20c:29ff:fe71:e423  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:71:e4:23  txqueuelen 1000  (Ethernet)

eth1:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.5.21  netmask 255.255.255.0  broadcast 10.200.5.255

eth1:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.5.22  netmask 255.255.255.0  broadcast 10.200.5.255    << VPN
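The following is an added example, not FortiNAC code and not part of the original page. It performs the checks a practitioner would want before clicking Apply in steps 11 and 15 and after the ifconfig check in step 18: it validates a planned set of VPN scopes against the rules stated above (no reserved label prefix, scope gateway distinct from the eth1 gateway, one shared domain, no .local suffix, lease pools inside the scope subnet and non-overlapping) and then parses ifconfig output to map each isolation address to its eth1 sub-interface. The addresses are the page's example values; the scope gateway 10.200.80.1, the domain vpn.example.com and the scope labels are assumptions.

```python
"""Pre-flight checks for a FortiNAC VPN isolation plan (illustrative, not FortiNAC code)."""
import ipaddress
import re

# Scope label prefixes the Configuration Wizard reserves (from the page).
RESERVED_PREFIXES = ("REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", "HUB_")


def validate_vpn_scopes(eth1_gateway, scopes):
    """Check planned VPN DHCP scopes against the wizard's rules.

    Each scope is a dict with label, gateway, mask, domain, pool_start, pool_end.
    Returns a list of problems; an empty list means the plan passes.
    """
    problems = []
    eth1_gw = ipaddress.ip_address(eth1_gateway)
    domains = set()
    pools = []
    for s in scopes:
        label = s["label"]
        # Prefix check is done case-insensitively to be conservative (assumption).
        if label.upper().startswith(RESERVED_PREFIXES):
            problems.append(f"{label}: label begins with a reserved prefix {RESERVED_PREFIXES}")
        gw = ipaddress.ip_address(s["gateway"])
        if gw == eth1_gw:
            problems.append(f"{label}: scope gateway {gw} is the eth1 default gateway; "
                            "use the client pool's own gateway")
        net = ipaddress.ip_network(f"{s['gateway']}/{s['mask']}", strict=False)
        domain = s["domain"].lower()
        domains.add(domain)
        if domain.endswith(".local"):
            problems.append(f"{label}: domain {domain} uses a .local suffix; OS X, iOS and "
                            "some Linux clients may fail to reach FortiNAC")
        start = ipaddress.ip_address(s["pool_start"])
        end = ipaddress.ip_address(s["pool_end"])
        if start > end:
            problems.append(f"{label}: lease pool start {start} is after end {end}")
        elif start not in net or end not in net:
            problems.append(f"{label}: lease pool {start}-{end} is not within scope subnet {net}")
        elif start <= gw <= end:
            problems.append(f"{label}: scope gateway {gw} falls inside the lease pool")
        pools.append((label, int(start), int(end)))
    if len(domains) > 1:
        problems.append(f"scopes use different domains {sorted(domains)}; FortiNAC answers "
                        "agent SRV queries for one domain, so all VPN scopes must share it")
    pools.sort(key=lambda p: p[1])
    for a, b in zip(pools, pools[1:]):
        if b[1] <= a[2]:
            problems.append(f"lease pools of {a[0]} and {b[0]} overlap")
    return problems


def parse_ifconfig(text):
    """Map each interface or sub-interface name in ifconfig output to its IPv4 address."""
    addrs = {}
    current = None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:
            current = head.group(1)
            continue
        inet = re.match(r"^\s*inet (\d+(?:\.\d+){3})\b", line)
        if inet and current:
            addrs[current] = inet.group(1)
    return addrs


def locate_isolation_interfaces(ifconfig_text, expected):
    """Given {role: ip}, return {role: interface name or None} to make step 18 explicit."""
    by_ip = {ip: name for name, ip in parse_ifconfig(ifconfig_text).items()}
    return {role: by_ip.get(ip) for role, ip in expected.items()}


# Constructed sample data: page example values plus assumed scope gateway, domain and labels.
ETH1_GATEWAY = "10.200.5.1"
PLANNED_SCOPES = [
    {"label": "SSLVPN", "gateway": "10.200.80.1", "mask": "255.255.255.0",
     "domain": "vpn.example.com", "pool_start": "10.200.80.10", "pool_end": "10.200.80.99"},
    {"label": "IPSECVPN", "gateway": "10.200.80.1", "mask": "255.255.255.0",
     "domain": "vpn.example.com", "pool_start": "10.200.80.100", "pool_end": "10.200.80.200"},
]
ISOLATION_EXPECTED = {"Registration": "10.200.5.20", "Remediation": "10.200.5.21",
                      "VPN": "10.200.5.22"}
SAMPLE_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.20.20  netmask 255.255.255.0  broadcast 10.200.20.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.5.20  netmask 255.255.255.0  broadcast 10.200.5.255
        inet6 fe80::20c:29ff:fe71:e423  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:71:e4:23  txqueuelen 1000  (Ethernet)
eth1:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.5.21  netmask 255.255.255.0  broadcast 10.200.5.255
eth1:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.5.22  netmask 255.255.255.0  broadcast 10.200.5.255
"""

if __name__ == "__main__":
    for p in validate_vpn_scopes(ETH1_GATEWAY, PLANNED_SCOPES) or ["scope plan OK"]:
        print(p)
    print(locate_isolation_interfaces(SAMPLE_IFCONFIG, ISOLATION_EXPECTED))
```

Feed the validator your own planned scopes before step 11; a scope whose gateway reuses the eth1 gateway or whose pool lies outside the gateway's subnet is reported rather than discovered from the Results page after the wizard has written files. The ifconfig parser accepts the output of step 18 pasted from the Application Server CLI.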

Proceed to Policy Based Routes.
