7.2.0

How it Works

The integration of Cisco Meraki devices (MR, MS and MX) and FortiNAC is designed around RADIUS authentication and RADIUS-initiated disconnection. As devices connect to the wireless Meraki network, they are assigned their network posture through Meraki Group Policies. A Group Policy can enforce a VLAN, a set of firewall rules, or both, depending on how the administrator wishes to isolate hosts on the network. When FortiNAC needs to change a host's network posture, it sends a RADIUS Disconnect-Request (RFC 5176 dynamic authorization) to the Meraki device on UDP port 1700. The client is disconnected and reauthenticates, and the new Access-Accept assigns the new Group Policy.
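The disconnect step above, as an added example that is not FortiNAC or Meraki code: a Python simulation of the RFC 5176 Disconnect-Request / Disconnect-ACK / Disconnect-NAK exchange, with FortiNAC as the dynamic-authorization client and the Meraki AP as the NAS, both running in-process so nothing is sent on the wire. It shows how the Request Authenticator and Response Authenticator are computed and checked on each side, why a request sent with the wrong shared secret simply gets no reply (the NAS silently discards it), and what a NAK with Error-Cause 503 (Session Context Not Found) looks like when the client is no longer associated. The shared secret, the session table and the colon-separated MAC format used in Calling-Station-Id are constructed assumptions, not values taken from this page.

```python
"""RFC 5176 Disconnect-Request / ACK / NAK between a dynamic-authorization client
(FortiNAC) and a NAS (Meraki AP) on UDP 1700.  Both sides are simulated in-process."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, CALLING_STATION_ID, ERROR_CAUSE = 1, 31, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503      # RFC 5176 Error-Cause value
MERAKI_DYNAUTH_PORT = 1700               # Meraki listens here (the IANA default is 3799)


def attr(atype: int, value) -> bytes:
    """Encode one RADIUS attribute as Type | Length | Value (ints as 4-octet big-endian)."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", atype, 2 + len(value)) + value


def parse_attrs(blob: bytes) -> dict:
    """Decode a TLV attribute list, rejecting truncated or zero-length attributes."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        out[atype] = blob[i + 2:i + alen]
        i += alen
    return out


def build_disconnect_request(secret: bytes, ident: int, client_mac: str) -> bytes:
    """FortiNAC side.  Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    attrs = attr(USER_NAME, client_mac.encode()) + attr(CALLING_STATION_ID, client_mac.encode())
    header = struct.pack(">BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs


def _build_response(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def nas_handle_request(secret: bytes, pkt: bytes, sessions: set):
    """Simulated Meraki side.  Returns a Disconnect-ACK/NAK, or None when the packet fails
    authentication or parsing (RFC 5176: such packets are silently discarded)."""
    if len(pkt) < 20:
        return None
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if code != DISCONNECT_REQUEST or length != len(pkt):
        return None
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return None                          # wrong shared secret or tampered packet
    try:
        attrs = parse_attrs(pkt[20:])
    except ValueError:
        return None
    mac = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
    if mac in sessions:
        sessions.discard(mac)                # client is kicked and will reauthenticate
        return _build_response(DISCONNECT_ACK, ident, pkt[4:20], b"", secret)
    nak_attrs = attr(ERROR_CAUSE, ERR_SESSION_CONTEXT_NOT_FOUND)
    return _build_response(DISCONNECT_NAK, ident, pkt[4:20], nak_attrs, secret)


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """FortiNAC side: the reply must carry our Identifier and be signed over our Request Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def disconnect_client(secret: bytes, client_mac: str, sessions: set, ident: int = 1,
                      nas_secret: bytes = None) -> str:
    """Run one exchange.  nas_secret lets the caller simulate a shared-secret mismatch."""
    req = build_disconnect_request(secret, ident, client_mac)
    resp = nas_handle_request(nas_secret if nas_secret is not None else secret, req, sessions)
    if resp is None or not verify_response(secret, req, resp):
        return "timeout"                     # NAS discarded it, or the reply was forged
    if resp[0] == DISCONNECT_ACK:
        return "ack"
    cause = struct.unpack(">I", parse_attrs(resp[20:])[ERROR_CAUSE])[0]
    return f"nak:{cause}"


if __name__ == "__main__":
    secret = b"ExampleSharedSecret"          # constructed for the example
    active = {"aa:bb:cc:dd:ee:ff"}           # constructed session table; MAC format is an assumption
    print(disconnect_client(secret, "aa:bb:cc:dd:ee:ff", active))                       # ack
    print(disconnect_client(secret, "aa:bb:cc:dd:ee:ff", active))                       # nak:503
    print(disconnect_client(secret, "aa:bb:cc:dd:ee:ff", active, nas_secret=b"wrong"))  # timeout
```

The "timeout" path is the one to remember when troubleshooting: a secret mismatch or a NAS that does not have dynamic authorization enabled on UDP 1700 produces no error at all, only silence, and the host keeps its old Group Policy until it disconnects on its own.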

Using Identity Pre-Shared Key (IPSK) with FortiNAC

Note: IPSK requires the FortiNAC Local RADIUS Server. Proxy RADIUS mode is not supported.

  1. Registered host connects to the AP and RADIUS Access Request is sent to FortiNAC.

  2. Host matches a Network Access Policy.

  3. The Logical Network assigned by the Network Access Policy is configured with a Tunnel-Password RADIUS attribute containing the PSK for that network.

  4. FortiNAC sends a RADIUS Access-Accept containing the Tunnel-Password attribute.

  5. The AP validates the password the client supplied when joining the SSID against the PSK carried in the Tunnel-Password attribute. The client is only admitted when the two match.
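The IPSK flow above, steps 1 to 5, as an added example that is not FortiNAC's or Meraki's code: a Python simulation of the MAC-auth Access-Request and the Access-Accept carrying Tunnel-Password, encoded per RFC 2868 section 3.5 (a tag octet, a 2-octet salt with the high bit set, and the chained-MD5 obfuscation keyed by the shared secret and the Request Authenticator of the Access-Request being answered). The AP side then verifies the Response Authenticator, recovers the PSK and compares it with what the client typed. The policy table, the shared secret, the PSK, the Identifier and the assumption that the AP sends the client MAC as both User-Name and PAP-encrypted User-Password are constructed for the example; check your Meraki MAC-auth format before reusing any of them.

```python
"""MAC-auth Access-Request answered by an IPSK Access-Accept carrying Tunnel-Password
(RFC 2868 section 3.5).  AP side and FortiNAC side are simulated in-process."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, TUNNEL_PASSWORD = 1, 2, 31, 69

# Constructed policy table: client MAC -> (logical network, PSK).  In FortiNAC the PSK
# comes from the Logical Network that the matched Network Access Policy assigns.
POLICY_TABLE = {
    "aa:bb:cc:dd:ee:ff": ("Corp-IoT", "s3nsor-psk-2024"),
}


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("BB", atype, 2 + len(value)) + value


def parse_attrs(blob: bytes) -> dict:
    out, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        out[atype] = blob[i + 2:i + alen]
        i += alen
    return out


def _md5_xor_stream(secret: bytes, req_auth: bytes, salt: bytes, data: bytes, decrypt: bool) -> bytes:
    """Chained-MD5 XOR shared by RFC 2865 5.2 (User-Password, empty salt) and RFC 2868 3.5
    (Tunnel-Password, 2-octet salt): b(1)=MD5(S+R+A), b(i)=MD5(S+c(i-1)), c(i)=p(i) xor b(i)."""
    out, prev = b"", None
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        seed = secret + req_auth + salt if prev is None else secret + prev
        res = bytes(x ^ y for x, y in zip(chunk, hashlib.md5(seed).digest()))
        out += res
        prev = chunk if decrypt else res     # the chain always runs over ciphertext
    return out


def _pad16(data: bytes) -> bytes:
    return data + bytes(-len(data) % 16)


def encode_tunnel_password(secret: bytes, req_auth: bytes, psk: str, tag: int = 0) -> bytes:
    """Tag | Salt (MSB set) | encrypted( Data-Length | Password | zero padding to 16 )."""
    salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    plain = _pad16(bytes([len(psk)]) + psk.encode())
    return bytes([tag]) + salt + _md5_xor_stream(secret, req_auth, salt, plain, decrypt=False)


def decode_tunnel_password(secret: bytes, req_auth: bytes, value: bytes) -> str:
    salt, cipher = value[1:3], value[3:]
    if len(value) < 3 or not salt[0] & 0x80 or len(cipher) % 16:
        raise ValueError("malformed Tunnel-Password")
    plain = _md5_xor_stream(secret, req_auth, salt, cipher, decrypt=True)
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("bad Data-Length")  # typical symptom of a shared-secret mismatch
    return plain[1:1 + n].decode()


def ap_build_access_request(secret: bytes, ident: int, client_mac: str) -> bytes:
    """Step 1, AP side (MAC-auth): MAC as User-Name and as PAP-encrypted User-Password."""
    req_auth = os.urandom(16)
    pw = _md5_xor_stream(secret, req_auth, b"", _pad16(client_mac.encode()), decrypt=False)
    attrs = (attr(USER_NAME, client_mac.encode()) + attr(USER_PASSWORD, pw)
             + attr(CALLING_STATION_ID, client_mac.encode()))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def nac_handle_access_request(secret: bytes, pkt: bytes) -> bytes:
    """Steps 2 to 4, simulated FortiNAC Local RADIUS: match the MAC, answer with the PSK."""
    _, ident, _ = struct.unpack(">BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], parse_attrs(pkt[20:])
    mac = attrs[USER_NAME].decode()
    pw = _md5_xor_stream(secret, req_auth, b"", attrs[USER_PASSWORD], decrypt=True).rstrip(b"\0")
    policy = POLICY_TABLE.get(mac)
    if policy is None or pw != mac.encode():
        code, resp_attrs = ACCESS_REJECT, b""
    else:
        code = ACCESS_ACCEPT
        resp_attrs = attr(TUNNEL_PASSWORD, encode_tunnel_password(secret, req_auth, policy[1]))
    header = struct.pack(">BBH", code, ident, 20 + len(resp_attrs))
    return header + hashlib.md5(header + req_auth + resp_attrs + secret).digest() + resp_attrs


def ap_check_client(secret: bytes, req: bytes, resp: bytes, typed_password: str) -> bool:
    """Step 5, AP side: verify the Response Authenticator, recover the PSK, compare with the client's input."""
    expected = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + secret).digest()
    if resp[1] != req[1] or not hmac.compare_digest(expected, resp[4:20]) or resp[0] != ACCESS_ACCEPT:
        return False
    psk = decode_tunnel_password(secret, req[4:20], parse_attrs(resp[20:])[TUNNEL_PASSWORD])
    return hmac.compare_digest(psk.encode(), typed_password.encode())


def ipsk_join(secret: bytes, client_mac: str, typed_password: str) -> bool:
    req = ap_build_access_request(secret, 9, client_mac)
    return ap_check_client(secret, req, nac_handle_access_request(secret, req), typed_password)


if __name__ == "__main__":
    print(ipsk_join(b"ExampleSharedSecret", "aa:bb:cc:dd:ee:ff", "s3nsor-psk-2024"))  # True
```

Note that decoding needs the Request Authenticator of the exact Access-Request being answered, so a captured Tunnel-Password cannot be replayed into another session, and a NAS that is not binding the reply to its own request will only ever recover garbage. The obfuscation is MD5-keyed by the shared secret, which is the reason the Local RADIUS Server requirement matters here: the secret that encrypts the PSK must be the one shared between FortiNAC and the AP, not one held by a proxied external server.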

Device Support Methods

Endpoint Connectivity Notification       Connections: RADIUS (802.1x or MAC-auth)
                                         Disconnections: Syslog (UDP 514)
Reading MAC Address Tables (L2 Poll)     Not Supported
VLAN Assignment                          RADIUS
Reading SSIDs                            SNMP
De-auth                                  RADIUS CoA (RFC 5176), UDP 1700

RADIUS Authentication

FortiNAC learns of endpoints connecting to the Meraki AP through RADIUS authentication: when a wireless client attempts to connect, the Meraki AP sends a RADIUS Access-Request to FortiNAC. Disconnections are not learned through RADIUS; they are learned from the syslog messages the Meraki device sends to FortiNAC on UDP port 514.

  • MAC-based Authentication: Endpoints are authenticated based on the MAC address. This requires no configuration on the endpoint.

  • 802.1x Authentication: Endpoints are authenticated based on user credentials. This requires supplicant configuration on the endpoint and an authentication server (either the FortiNAC Local RADIUS Server or a third-party server).

Authentication Modes in FortiNAC

Two RADIUS Authentication modes are available for determining how RADIUS requests are processed. These modes can be configured in FortiNAC on a per-device basis.

  • Proxy

    • Authentication: FortiNAC processes RADIUS MAC but proxies 802.1x EAP authentication to a customer-owned (external) RADIUS server.

    • Accounting: FortiNAC proxies accounting traffic to a customer-owned (external) RADIUS server.

    • For more information on this option, see Proxy in the Administration Guide.

  • Local

    • Authentication: FortiNAC’s Local RADIUS Server processes RADIUS MAC and 802.1x EAP authentication without the need to proxy to an external RADIUS server.

    • Accounting: The Local RADIUS server does not provide accounting. If accounting is required, FortiNAC can be configured to proxy Accounting traffic to an external RADIUS server.

    • For more information on this option, see Local Servers in the Administration Guide.
