Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Devices Managed by FortiOS

FortiSwitch network access control

You can configure a FortiSwitch network access control (NAC) policy within FortiOS that matches devices with the specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices that match are assigned to a specific VLAN or have port-specific settings applied to them.

NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. See Configuring the FortiSwitch NAC settings.

Summary of the procedure

  1. Define a FortiSwitch NAC VLAN. See Defining a FortiSwitch NAC VLAN.
  2. Configure the FortiSwitch NAC settings. See Configuring the FortiSwitch NAC settings.
  3. Create a FortiSwitch NAC policy. See Defining a FortiSwitch NAC policy.
  4. View the devices that match the NAC policy. See Viewing the devices that match the NAC policy.

Defining a FortiSwitch NAC VLAN

When devices are matched by a NAC policy, you can assign those devices to a FortiSwitch NAC VLAN. By default, there are six VLAN templates:

  • default—This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
  • quarantine—This VLAN contains quarantined traffic.
  • rspan—This VLAN contains RSPAN and ERSPAN mirrored traffic.
  • voice—This VLAN is dedicated for voice devices.
  • video—This VLAN is dedicated for video devices.
  • onboarding—This VLAN is for NAC onboarding devices.

You can use the default onboarding VLAN, edit it, or create a new NAC VLAN. If you want to use the default onboarding NAC VLAN, specify it when you configure the FortiSwitch NAC settings. If you want to edit the default onboarding VLAN or create a new NAC VLAN, use the following procedures.

Creating a NAC VLAN

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
    Interface Name VLAN name
    VLAN ID Enter a number (1-4094)
    Color Choose a unique color for each VLAN, for ease of visual display.
    Role Select LAN, WAN, DMZ, or Undefined.
  2. Enable DHCP for IPv4 or IPv6.
  3. Set the Admission access options as required.
  4. Select OK.
Using the CLI:

config system interface

edit <vlan name>

set vlanid <1-4094>

set color <1-32>

set interface <FortiLink-enabled interface>

end

Editing a NAC VLAN

You can edit the default onboarding NAC VLAN.

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch VLANs.
  2. Select the onboarding NAC VLAN.
  3. Select Edit.
  4. Make your changes.
  5. Select OK to save your changes.
Using the CLI:

config switch-controller initial-config template

edit onboarding

set vlanid <1-4094>

set allowaccess {ping | https |ssh | snmp | http | telnet | fgfm | radius-acct | probe-response | fabric | ftm}

set auto-ip {enable | disable}

set dhcp-server {enable | disable}

end

Configuring the FortiSwitch NAC settings

NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. You can either manually configure the NAC settings or use the NAC wizard. See Using the NAC wizard.

The local mode uses the local port-level settings of managed FortiSwitch units. The global mode applies the NAC to all managed FortiSwitch ports. Be default, the mode is local.

You can set how many minutes that NAC devices are allowed to be inactive. By default, NAC devices can be inactive for 15 minutes. The range of values is 0 to 1 440 minutes. If you set the inactive-timer to 0, there is no limit to how long the NAC devices can be inactive for.

When NAC devices are discovered, they are assigned to the NAC onboarding VLAN. You can specify the default onboarding VLAN or specify another existing VLAN. By default, there is no NAC onboarding VLAN assigned.

When NAC devices are discovered and match a NAC policy, they are automatically authorized by default.

When NAC mode is configured on a port, the link of a switch port goes down and then up by default, which restarts the DHCP process for that switch.

When a link goes down, the NAC devices are cleared from all switch ports by default.

Configuring NAC on a global level

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Move the NAC Settings slider to expand the NAC Settings section.
  3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
  4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
  5. Select All or Specify to apply NAC policies to all FortiSwitch ports.
  6. Select Apply to save your changes.
Using the CLI:

config switch-controller nac-settings

edit <name_of_this_NAC_configuration>

set mode global

set inactive-timer <integer>

set onboarding-vlan <string>

set auto-auth {enable | disable}

set bounce-nac-port {enable | disable}

set link-down-flush {enable | disable}

end

Configuring NAC on a local level

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Move the NAC Settings slider to expand the NAC Settings section.
  3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
  4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
  5. Select Specify to apply NAC policies to specific FortiSwitch ports.
  6. Select one or more FortiSwitch units and specify which FortiSwitch ports to apply the NAC policies to.
  7. Select Apply to save your changes.
Using the CLI:

config switch-controller nac-settings

edit <name_of_this_NAC_configuration>

set mode local

set inactive-timer <integer>

set onboarding-vlan <string>

set auto-auth {enable | disable}

set bounce-nac-port {enable | disable}

set link-down-flush {enable | disable}

end

 

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set access-mode nac

next

end

next

end

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Right-click a port.
  3. Select Access Mode > NAC.

Using the NAC wizard

The NAC wizard helps with configuring the FortiSwitch NAC settings and defining a FortiSwitch NAC VLAN. If you do not want to manually configure the FortiSwitch NAC settings, use the NAC wizard instead.

NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy.

  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Configure NAC Settings.
  3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
  4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
  5. Select All or Specify to apply NAC policies to all FortiSwitch ports or to specific FortiSwitch ports.
  6. If you selected Specify, select one or more FortiSwitch units and specify which FortiSwitch ports to apply the NAC policies to.
  7. Select Next.
  8. Select one of the default NAC VLANs to be the onboarding VLAN, create a new NAC VLAN, or edit one of the default NAC VLANs. The default onboarding VLAN is onboarding. See Defining a FortiSwitch NAC VLAN.
  9. Select Submit.

Defining a FortiSwitch NAC policy

In the FortiOS GUI, you can create three types of NAC policies:

  • Device—The NAC policy matches devices with the specified MAC address, hardware vendor, device family, type, operating system, and user.
  • User—The NAC policy matches devices belonging to the specified user group.
  • EMS tag—The NAC policy matches devices with the specified FortiClient EMS tag.

Using the CLI, you can specify a port policy and MAC policy to be applied to devices that have been matched by the NAC policy. See Creating a port policy and Creating a MAC policy.

NOTE: The FortiSwitch NAC settings must be configured before defining a FortiSwitch NAC policy. See Configuring the FortiSwitch NAC settings.

Creating a device policy

A device policy matches devices with the specified criteria and then assigns a specific VLAN to those devices or applies port-level settings to those devices. You can specify the MAC address, hardware vendor, device family, type, operating system, and user for the devices to match.

By default, there is a default device policy, Onboarding VLAN, which uses the default onboarding NAC VLAN. You can use the default Onboarding VLAN policy, edit it, or create a new NAC policy.

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Create New.
  3. In the Name field, enter a name for the NAC policy.
  4. Make certain that the status is set to Enabled.
  5. Select which FortiSwitch units to apply the NAC policy to or select All.
  6. Select Device for the category.
  7. If you want the device to match a MAC address, move the MAC Address slider and enter the MAC address to match.
  8. If you want the device to match a hardware vendor, move the Hardware Vendor slider and enter the name of the hardware vendor to match.
  9. If you want the device to match a device family, move the Device Family slider and enter the name of the device family to match.
  10. If you want the device to match a device type, move the Type slider and enter the device type to match.
  11. If you want the device to match an operating system, move the Operating System slider and enter the operating system to match.
  12. If you want the device to match a user, move the User slider and enter the user name to match.
  13. If you want to assign a specific VLAN to the device that matches the specified criteria, select Assign VLAN and enter the VLAN identifier.
  14. If you want to assign port-level settings to the device that matches the specified criteria select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
  15. Select OK to create the new NAC policy.
Using the CLI:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category device

set status enable

set mac <MAC_address>

set hw-vendor <hardware_vendor>

set type <device_type>

set family <device_family>

set os <operating_system>

set hw-version <hardware_version>

set sw-version <software_version>

set host <host_name>

set user <user_name>.

set src <source>

set switch-fortilink <FortiLink_interface>

set switch-scope <list_of_managed_FortiSwitch_serial_numbers>

set switch-auto-auth {enable | disable}

set switch-port-policy <switch_port_policy>

set switch-mac-policy <switch_mac_policy>

end

Creating a user policy

A user policy matches devices that are assigned to the specified user group and then assigns a specific VLAN to those devices or applies port-level settings to those devices.

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Create New.
  3. In the Name field, enter a name for the NAC policy.
  4. Make certain that the status is set to Enabled.
  5. Select which FortiSwitch units to apply the NAC policy to or select All.
  6. Select User for the category.
  7. Select which user group that devices must belong to.
  8. If you want to assign a specific VLAN to a device assigned to the specified user group, select Assign VLAN and enter the VLAN identifier.
  9. If you want to assign port-level settings for devices assigned to the specific user group, select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
  10. Select OK to create the new NAC policy.
Using the CLI:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category user

set status enable

set user-group <name_of_user_group>

set switch-fortilink <FortiLink_interface>

set switch-scope <list_of_managed_FortiSwitch_serial_numbers>

set switch-auto-auth {enable | disable}

set switch-port-policy <switch_port_policy>

set switch-mac-policy <switch_mac_policy>

end

Creating an EMS-tag policy

An EMS-tag policy matches devices with a specified MAC address and then assigns a specific VLAN to those devices or applies port-level settings to those devices. The MAC address is derived from an Endpoint Management Server (EMS) tag created in FortiClient.

NOTE: The FortiClient EMS server must be 6.4.1 build 1442 or higher. FortiOS must be 6.4.2 build 1709 or higher.

Before creating an EMS-tag policy on a managed FortiSwitch unit:

  1. In FortiClient, group FortiClient Fabric Agent endpoints with an EMS tag.
  2. In FortiClient, share these endpoint groups with a FortiGate unit over the EMS connector.
  3. In FortiOS, add an on-premise FortiClient EMS server to the Security Fabric:

     

    config endpoint-control fctems

    edit <ems_name>

    set server <ip_address>

    set certificate <string>

    next

    end

     

    For example:

     

    config endpoint-control fctems

    edit EMS_Server

    set server 1.2.3.4

    set certificate REMOTE_Cert_1

    next

    end

     

  4. In FortiOS, verify the EMS certificate. For example:

     

    execute fctems verify EMS_Server

     

  5. In FortiOS, check that the FortiGate unit and FortiClient are connected:

     

    diagnose user device get <FortiClient_MAC_address>

     

  6. In FortiOS, verify which MAC addresses the dynamic firewall address resolves to:

     

    diagnose firewall dynamic list

     

Using the GUI to create an EMS-tag policy:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Create New.
  3. In the Name field, enter a name for the NAC policy.
  4. Make certain that the status is set to Enabled.
  5. Select which FortiSwitch units to apply the NAC policy to or select All.
  6. Select EMS Tag for the category.
  7. Select which FortiClient EMS tag that devices must be assigned.
  8. If you want to assign a specific VLAN to a device assigned to the specified user group, select Assign VLAN and enter the VLAN identifier.
  9. If you want to assign port-level settings for devices assigned to the specific user group, select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
  10. Select OK to create the new NAC policy.
Using the CLI to create an EMS-tag policy:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category ems-tag

set ems-tag <string>

set status enable

set switch-fortilink <FortiLink_interface>

set switch-scope <list_of_managed_FortiSwitch_serial_numbers>

set switch-auto-auth {enable | disable}

set switch-port-policy <switch_port_policy>

set switch-mac-policy <switch_mac_policy>

next

end

 

For example:

 

config user nac-policy

edit nac_policy_1

set category ems-tag

set ems-tag MAC_FCTEMS0000108427_Low

set switch-fortilink fortilink1

set switch-port-policy port_policy_1

next

end

Creating a port policy

You can apply a port policy to the devices that were matched by the NAC policy. In the port policy, you can specify which LLDP profile, QoS policy, 802.1x policy, and VLAN policy are used on the ports.

config switch-controller port-policy

edit <port_policy_name>

set description <policy_description>

set fortilink <FortiLink_interface>

set lldp-profile <LLDP_profile>

set qos-policy <QoS_policy>

set 802-1x <802.1x_policy>

set vlan-policy <VLAN_policy>

set bounce-port-link {enable | disable}

next

end

 

For example:

 

config switch-controller port-policy

edit port_policy_1

set fortilink fortilink1

set vlan-policy vlan_policy_1

next

end

Creating a VLAN policy

You can specify a VLAN policy to be used in the port policy. In the VLAN policy, you can specify the native VLAN to be applied, the allowed VLANs, and the untagged VLANs. You can enable or disable all defined VLANs and select whether to discard untagged or tagged frames or to not discard any frames.

config switch-controller vlan-policy

edit <VLAN_policy_name>

set description <policy_description>

set fortilink <FortiLink_interface>

set vlan <VLAN_name>

set allowed-vlans <lists_of_VLAN_names>

set untagged-vlans <lists_of_VLAN_names>

set allowed-vlans-all {enable | disable}

set discard-mode {none | all-untagged | all-tagged}

next

end

 

For example:

 

config switch-controller vlan-policy

edit vlan_policy_1

set fortilink fortilink1

set vlan default

next

end

Creating a MAC policy

You can apply a MAC policy to the devices that were matched by the NAC policy. You can specify which VLAN is applied, select which traffic policy is used, and enable or disable packet count.

config switch-controller mac-policy

edit <MAC_policy_name>

set description <policy_description>

set fortilink <FortiLink_interface>

set vlan <VLAN_name>

set traffic-policy <traffic_policy_name>

set count {enable | disable}

next

end

Viewing the devices that match the NAC policy

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select View Matched Devices.
  3. Select Refresh to update the results.
Using the CLI:

To show known NAC devices with a known location that match a NAC policy:

diagnose switch-controller nac-device known

 

To show pending NAC devices with an unknown location that match a NAC policy:

diagnose switch-controller nac-device pending

 

FortiSwitch network access control

You can configure a FortiSwitch network access control (NAC) policy within FortiOS that matches devices with the specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices that match are assigned to a specific VLAN or have port-specific settings applied to them.

NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. See Configuring the FortiSwitch NAC settings.

Summary of the procedure

  1. Define a FortiSwitch NAC VLAN. See Defining a FortiSwitch NAC VLAN.
  2. Configure the FortiSwitch NAC settings. See Configuring the FortiSwitch NAC settings.
  3. Create a FortiSwitch NAC policy. See Defining a FortiSwitch NAC policy.
  4. View the devices that match the NAC policy. See Viewing the devices that match the NAC policy.

Defining a FortiSwitch NAC VLAN

When devices are matched by a NAC policy, you can assign those devices to a FortiSwitch NAC VLAN. By default, there are six VLAN templates:

  • default—This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
  • quarantine—This VLAN contains quarantined traffic.
  • rspan—This VLAN contains RSPAN and ERSPAN mirrored traffic.
  • voice—This VLAN is dedicated for voice devices.
  • video—This VLAN is dedicated for video devices.
  • onboarding—This VLAN is for NAC onboarding devices.

You can use the default onboarding VLAN, edit it, or create a new NAC VLAN. If you want to use the default onboarding NAC VLAN, specify it when you configure the FortiSwitch NAC settings. If you want to edit the default onboarding VLAN or create a new NAC VLAN, use the following procedures.

Creating a NAC VLAN

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
    Interface Name VLAN name
    VLAN ID Enter a number (1-4094)
    Color Choose a unique color for each VLAN, for ease of visual display.
    Role Select LAN, WAN, DMZ, or Undefined.
  2. Enable DHCP for IPv4 or IPv6.
  3. Set the Admission access options as required.
  4. Select OK.
Using the CLI:

config system interface

edit <vlan name>

set vlanid <1-4094>

set color <1-32>

set interface <FortiLink-enabled interface>

end

Editing a NAC VLAN

You can edit the default onboarding NAC VLAN.

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch VLANs.
  2. Select the onboarding NAC VLAN.
  3. Select Edit.
  4. Make your changes.
  5. Select OK to save your changes.
Using the CLI:

config switch-controller initial-config template

edit onboarding

set vlanid <1-4094>

set allowaccess {ping | https |ssh | snmp | http | telnet | fgfm | radius-acct | probe-response | fabric | ftm}

set auto-ip {enable | disable}

set dhcp-server {enable | disable}

end

Configuring the FortiSwitch NAC settings

NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. You can either manually configure the NAC settings or use the NAC wizard. See Using the NAC wizard.

The local mode uses the local port-level settings of managed FortiSwitch units. The global mode applies the NAC to all managed FortiSwitch ports. Be default, the mode is local.

You can set how many minutes that NAC devices are allowed to be inactive. By default, NAC devices can be inactive for 15 minutes. The range of values is 0 to 1 440 minutes. If you set the inactive-timer to 0, there is no limit to how long the NAC devices can be inactive for.

When NAC devices are discovered, they are assigned to the NAC onboarding VLAN. You can specify the default onboarding VLAN or specify another existing VLAN. By default, there is no NAC onboarding VLAN assigned.

When NAC devices are discovered and match a NAC policy, they are automatically authorized by default.

When NAC mode is configured on a port, the link of a switch port goes down and then up by default, which restarts the DHCP process for that switch.

When a link goes down, the NAC devices are cleared from all switch ports by default.

Configuring NAC on a global level

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Move the NAC Settings slider to expand the NAC Settings section.
  3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
  4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
  5. Select All or Specify to apply NAC policies to all FortiSwitch ports.
  6. Select Apply to save your changes.
Using the CLI:

config switch-controller nac-settings

edit <name_of_this_NAC_configuration>

set mode global

set inactive-timer <integer>

set onboarding-vlan <string>

set auto-auth {enable | disable}

set bounce-nac-port {enable | disable}

set link-down-flush {enable | disable}

end

Configuring NAC on a local level

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Move the NAC Settings slider to expand the NAC Settings section.
  3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
  4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
  5. Select Specify to apply NAC policies to specific FortiSwitch ports.
  6. Select one or more FortiSwitch units and specify which FortiSwitch ports to apply the NAC policies to.
  7. Select Apply to save your changes.
Using the CLI:

config switch-controller nac-settings

edit <name_of_this_NAC_configuration>

set mode local

set inactive-timer <integer>

set onboarding-vlan <string>

set auto-auth {enable | disable}

set bounce-nac-port {enable | disable}

set link-down-flush {enable | disable}

end

 

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set access-mode nac

next

end

next

end

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Right-click a port.
  3. Select Access Mode > NAC.

Using the NAC wizard

The NAC wizard helps with configuring the FortiSwitch NAC settings and defining a FortiSwitch NAC VLAN. If you do not want to manually configure the FortiSwitch NAC settings, use the NAC wizard instead.

NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy.

  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Configure NAC Settings.
  3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
  4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
  5. Select All or Specify to apply NAC policies to all FortiSwitch ports or to specific FortiSwitch ports.
  6. If you selected Specify, select one or more FortiSwitch units and specify which FortiSwitch ports to apply the NAC policies to.
  7. Select Next.
  8. Select one of the default NAC VLANs to be the onboarding VLAN, create a new NAC VLAN, or edit one of the default NAC VLANs. The default onboarding VLAN is onboarding. See Defining a FortiSwitch NAC VLAN.
  9. Select Submit.

Defining a FortiSwitch NAC policy

In the FortiOS GUI, you can create three types of NAC policies:

  • Device—The NAC policy matches devices with the specified MAC address, hardware vendor, device family, type, operating system, and user.
  • User—The NAC policy matches devices belonging to the specified user group.
  • EMS tag—The NAC policy matches devices with the specified FortiClient EMS tag.

Using the CLI, you can specify a port policy and MAC policy to be applied to devices that have been matched by the NAC policy. See Creating a port policy and Creating a MAC policy.

NOTE: The FortiSwitch NAC settings must be configured before defining a FortiSwitch NAC policy. See Configuring the FortiSwitch NAC settings.

Creating a device policy

A device policy matches devices with the specified criteria and then assigns a specific VLAN to those devices or applies port-level settings to those devices. You can specify the MAC address, hardware vendor, device family, type, operating system, and user for the devices to match.

By default, there is a default device policy, Onboarding VLAN, which uses the default onboarding NAC VLAN. You can use the default Onboarding VLAN policy, edit it, or create a new NAC policy.

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Create New.
  3. In the Name field, enter a name for the NAC policy.
  4. Make certain that the status is set to Enabled.
  5. Select which FortiSwitch units to apply the NAC policy to or select All.
  6. Select Device for the category.
  7. If you want the device to match a MAC address, move the MAC Address slider and enter the MAC address to match.
  8. If you want the device to match a hardware vendor, move the Hardware Vendor slider and enter the name of the hardware vendor to match.
  9. If you want the device to match a device family, move the Device Family slider and enter the name of the device family to match.
  10. If you want the device to match a device type, move the Type slider and enter the device type to match.
  11. If you want the device to match an operating system, move the Operating System slider and enter the operating system to match.
  12. If you want the device to match a user, move the User slider and enter the user name to match.
  13. If you want to assign a specific VLAN to the device that matches the specified criteria, select Assign VLAN and enter the VLAN identifier.
  14. If you want to assign port-level settings to the device that matches the specified criteria select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
  15. Select OK to create the new NAC policy.
Using the CLI:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category device

set status enable

set mac <MAC_address>

set hw-vendor <hardware_vendor>

set type <device_type>

set family <device_family>

set os <operating_system>

set hw-version <hardware_version>

set sw-version <software_version>

set host <host_name>

set user <user_name>.

set src <source>

set switch-fortilink <FortiLink_interface>

set switch-scope <list_of_managed_FortiSwitch_serial_numbers>

set switch-auto-auth {enable | disable}

set switch-port-policy <switch_port_policy>

set switch-mac-policy <switch_mac_policy>

end

Creating a user policy

A user policy matches devices that are assigned to the specified user group and then assigns a specific VLAN to those devices or applies port-level settings to those devices.

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Create New.
  3. In the Name field, enter a name for the NAC policy.
  4. Make certain that the status is set to Enabled.
  5. Select which FortiSwitch units to apply the NAC policy to or select All.
  6. Select User for the category.
  7. Select which user group that devices must belong to.
  8. If you want to assign a specific VLAN to a device assigned to the specified user group, select Assign VLAN and enter the VLAN identifier.
  9. If you want to assign port-level settings for devices assigned to the specific user group, select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
  10. Select OK to create the new NAC policy.
Using the CLI:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category user

set status enable

set user-group <name_of_user_group>

set switch-fortilink <FortiLink_interface>

set switch-scope <list_of_managed_FortiSwitch_serial_numbers>

set switch-auto-auth {enable | disable}

set switch-port-policy <switch_port_policy>

set switch-mac-policy <switch_mac_policy>

end

Creating an EMS-tag policy

An EMS-tag policy matches devices with a specified MAC address and then assigns a specific VLAN to those devices or applies port-level settings to those devices. The MAC address is derived from an Endpoint Management Server (EMS) tag created in FortiClient.

NOTE: The FortiClient EMS server must be 6.4.1 build 1442 or higher. FortiOS must be 6.4.2 build 1709 or higher.

Before creating an EMS-tag policy on a managed FortiSwitch unit:

  1. In FortiClient, group FortiClient Fabric Agent endpoints with an EMS tag.
  2. In FortiClient, share these endpoint groups with a FortiGate unit over the EMS connector.
  3. In FortiOS, add an on-premise FortiClient EMS server to the Security Fabric:

     

    config endpoint-control fctems

    edit <ems_name>

    set server <ip_address>

    set certificate <string>

    next

    end

     

    For example:

     

    config endpoint-control fctems

    edit EMS_Server

    set server 1.2.3.4

    set certificate REMOTE_Cert_1

    next

    end

     

  4. In FortiOS, verify the EMS certificate. For example:

     

    execute fctems verify EMS_Server

     

  5. In FortiOS, check that the FortiGate unit and FortiClient are connected:

     

    diagnose user device get <FortiClient_MAC_address>

     

  6. In FortiOS, verify which MAC addresses the dynamic firewall address resolves to:

     

    diagnose firewall dynamic list

     

Using the GUI to create an EMS-tag policy:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Create New.
  3. In the Name field, enter a name for the NAC policy.
  4. Make certain that the status is set to Enabled.
  5. Select which FortiSwitch units to apply the NAC policy to or select All.
  6. Select EMS Tag for the category.
  7. Select which FortiClient EMS tag that devices must be assigned.
  8. If you want to assign a specific VLAN to a device assigned to the specified user group, select Assign VLAN and enter the VLAN identifier.
  9. If you want to assign port-level settings for devices assigned to the specific user group, select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
  10. Select OK to create the new NAC policy.
Using the CLI to create an EMS-tag policy:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category ems-tag

set ems-tag <string>

set status enable

set switch-fortilink <FortiLink_interface>

set switch-scope <list_of_managed_FortiSwitch_serial_numbers>

set switch-auto-auth {enable | disable}

set switch-port-policy <switch_port_policy>

set switch-mac-policy <switch_mac_policy>

next

end

 

For example:

 

config user nac-policy

edit nac_policy_1

set category ems-tag

set ems-tag MAC_FCTEMS0000108427_Low

set switch-fortilink fortilink1

set switch-port-policy port_policy_1

next

end

Creating a port policy

You can apply a port policy to the devices that were matched by the NAC policy. In the port policy, you can specify which LLDP profile, QoS policy, 802.1x policy, and VLAN policy are used on the ports.

config switch-controller port-policy

edit <port_policy_name>

set description <policy_description>

set fortilink <FortiLink_interface>

set lldp-profile <LLDP_profile>

set qos-policy <QoS_policy>

set 802-1x <802.1x_policy>

set vlan-policy <VLAN_policy>

set bounce-port-link {enable | disable}

next

end

 

For example:

 

config switch-controller port-policy

edit port_policy_1

set fortilink fortilink1

set vlan-policy vlan_policy_1

next

end

Creating a VLAN policy

You can specify a VLAN policy to be used in the port policy. In the VLAN policy, you can specify the native VLAN to be applied, the allowed VLANs, and the untagged VLANs. You can enable or disable all defined VLANs and select whether to discard untagged or tagged frames or to not discard any frames.

config switch-controller vlan-policy

edit <VLAN_policy_name>

set description <policy_description>

set fortilink <FortiLink_interface>

set vlan <VLAN_name>

set allowed-vlans <lists_of_VLAN_names>

set untagged-vlans <lists_of_VLAN_names>

set allowed-vlans-all {enable | disable}

set discard-mode {none | all-untagged | all-tagged}

next

end

 

For example:

 

config switch-controller vlan-policy

edit vlan_policy_1

set fortilink fortilink1

set vlan default

next

end

Creating a MAC policy

You can apply a MAC policy to the devices that were matched by the NAC policy. You can specify which VLAN is applied, select which traffic policy is used, and enable or disable packet count.

config switch-controller mac-policy

edit <MAC_policy_name>

set description <policy_description>

set fortilink <FortiLink_interface>

set vlan <VLAN_name>

set traffic-policy <traffic_policy_name>

set count {enable | disable}

next

end

Viewing the devices that match the NAC policy

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select View Matched Devices.
  3. Select Refresh to update the results.
Using the CLI:

To show known NAC devices with a known location that match a NAC policy:

diagnose switch-controller nac-device known

 

To show pending NAC devices with an unknown location that match a NAC policy:

diagnose switch-controller nac-device pending