7.2.0

Visibility

Step 1: Configure MS Switch

SNMP

Configure SNMP access to allow for FortiNAC device discovery.

Version 1/2c

Under Network-wide > General > Reporting set SNMP access and SNMP user credentials.

Version 3

  1. Under Network-wide > General > Reporting set SNMP access and SNMP user credentials.

  2. Under Organization > Settings set version, authentication mode and privacy mode.

API Key

Obtain the API Key (this will be used in the FortiNAC Model Configuration). Once generated, the same API Key can be used for multiple devices. If the API key has not already been generated, do the following:

  1. Navigate to Organization > Settings.

  2. Under Dashboard API access, select Enable access to the Cisco Meraki Dashboard API.

  3. Click Profile link.

  4. Under API Access, click Generate new API key.

  5. Copy the generated key and save to a file.

Client Tracking

FortiNAC requires the “MAC Address” Client tracking option in order to collect L2/L3 data.

  1. Navigate to Security & SD-WAN > Configure > Addressing & VLANS.

  2. Under Client tracking, select MAC Address (Default).

Step 2: Configure FortiNAC

  1. In the FortiNAC Administration UI, navigate to Network > Inventory and discover or add the Meraki switch. Use the SNMP values previously configured on the Meraki switch. For instructions see Add or modify a device or Discovery (for multiple devices) in the Administration Guide.

    Note: If a “?” appears as the icon, then support needs to be added for that device. See KB article 198477 to add the device using an existing model.

  2. Select the newly added model and click the Credentials tab.

  3. Enter the following under CLI Settings and Save:

    Username: <should display the Serial Number>

    Password: REST API Key

  4. If no MX router is being polled by FortiNAC, ensure each Switch has L3 polling enabled:

    a. Right click on the model and select Group Membership.

    b. Select the box next to L3 (IP-->MAC) and click OK.

    c. Click the Polling tab.

    d. Select the box next to L3 (IP-->MAC) Polling and set the interval to 30 minutes.

    e. Click Poll Now. Verify the timestamps for Last Successful Poll and Last Attempted Poll update to the current time.

Step 3: Validate Visibility

  1. Click on the Ports tab of the switch.

  2. Review the values populated for each port (Label, Connection State, etc.) and verify they are accurate.

    Note: Current VLAN values may not be accurate for switches authenticating using RADIUS (such as Meraki). At this time, the port view only allows for a single port-based VLAN to be displayed for the Current VLAN. This VLAN usually does not match the dynamic VLAN assigned to the clients that have authenticated using RADIUS.

  3. If the Adapter tab is not already visible, click the Show Details Panel button at the bottom of the window.

  4. Verify connection information for hosts currently connected is accurate by clicking on one of the ports showing a connection. The adapter tab below should reflect the correct Adapter Status, Host Status, IP Address, Physical (MAC) Address, Location and Access Value.

    If unexpected results occur, see Troubleshooting.

Control

Step 4: Configure MS Switch

Enable full control of network connections to enforce compliance and provision network access.

Reference article

https://documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_MS_Switches

  1. Navigate to Switch > Configure > Access Policies.

  2. Configure an Access Policy. The values below are required when integrating with FortiNAC. Configure all other settings (Host Mode, Access Policy Type, etc.) as appropriate.

    Authentication Method: my RADIUS server

    Host: FortiNAC eth0 IP Address
      High Availability (HA) Environments: Add both Primary and Secondary Servers. Do not use Shared IP Address.

    Port:
      Proxy RADIUS Mode: 1812
      Local RADIUS Mode: Value defined in Local RADIUS Server configuration in FortiNAC

    Secret: Must match the secret entered in the FortiNAC device model

    RADIUS Testing: Disabled

    RADIUS CoA Support: RADIUS CoA enabled

    RADIUS Accounting Servers: RADIUS Accounting enabled
      Host: FortiNAC eth0 IP Address
        High Availability (HA) Environments: Add both Primary and Secondary Servers. Do not use Shared IP Address.
      Port: 1813
      Secret: Must match the secret entered in the FortiNAC device model

    Ensure "Increase access speed": Unchecked

  3. Assign ports to the Access Policy. Important: An Access Policy must be applied to every port that FortiNAC is intended to manage.

    a. Navigate to Switch > Monitor > Switch Ports.

    b. Select the port(s) to which the access policy will be applied and press the Edit button.

    c. Convert the port type from trunk to access. Note: Access Policies can only apply to access ports.

    d. From the Access Policy drop-down box, select the Access Policy and press the Update ports button.

Step 5: Configure RADIUS in FortiNAC

Configure the Appropriate Server Option

FortiNAC can be configured to authenticate RADIUS using external RADIUS server(s), the built-in local RADIUS server or a combination of both. There are two RADIUS Authentication modes available for determining how RADIUS requests are processed:

  • Proxy

    • Authentication: FortiNAC processes RADIUS MAC but proxies 802.1x EAP authentication to a customer-owned (external) RADIUS server.

    • Accounting: FortiNAC proxies accounting traffic to a customer-owned (external) RADIUS server.

    • For more information on this option, see Proxy in the Administration Guide.

  • Local

    • Authentication: FortiNAC’s Local RADIUS Server processes RADIUS MAC and 802.1x EAP authentication without the need to proxy to an external RADIUS server.

    • Accounting: The Local RADIUS server does not provide accounting. If accounting is required, FortiNAC can be configured to proxy Accounting traffic to an external RADIUS server.

    • For more information on this option, see Local Servers in the Administration Guide.

These modes can be configured in FortiNAC on a per-device basis.

(FNC-CAX-xx) Configure RADIUS Communication Access

FortiNAC-OS appliances (FNC-CAX-xx) only. Ensure FortiNAC is configured to allow RADIUS communication over port1. In a High Availability configuration, the following must be done on both appliances.

  1. Log in as admin to the CLI and type:

    show system interface

  2. Confirm the set allowaccess command includes the options applicable to the RADIUS server type used.

    Proxy RADIUS: Both radius and radius-acct

    Example:

    set allowaccess https-adminui ssh ping radius radius-acct snmp nac-ipc

    Local RADIUS: Both radius-local and radius-acct

    Example:

    set allowaccess https-adminui ssh ping radius-local radius-acct snmp nac-ipc

  3. If the options need to be added, copy the existing set allowaccess command line to a buffer. Important: Ensure all protocols listed are copied (depending upon what is currently configured, this command may span multiple lines).

  4. Modify the access list. Type:

    config system interface

    edit port1

    <Paste set allowaccess command copied to buffer> <option1> <option2>

    end

    end

    Example:

    config system interface

    edit port1

    set allowaccess https-adminui ssh ping snmp nac-ipc radius-local radius-acct

    end

    end

  5. Review the entry to confirm the protocols were added. Type:

    show system interface

  6. Type exit to log out of the CLI.
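A quick way to check the show system interface output before and after step 4, as an added example rather than Fortinet's own tooling: the parser below collects the allowaccess options configured on port1 (joining a command that wraps across lines) and reports which options are still missing for the chosen RADIUS mode, plus any token that looks like two options run together without a space. The block layout of the sample output and the form of the wrapped line are assumptions; the sample itself is constructed.

```python
import re

# Options this page requires on port1 for each RADIUS server type.
REQUIRED = {
    "proxy": {"radius", "radius-acct"},
    "local": {"radius-local", "radius-acct"},
}
# Every allowaccess option named on this page; used to spot glued tokens.
KNOWN_OPTIONS = {"https-adminui", "ssh", "ping", "snmp", "nac-ipc"} | REQUIRED["proxy"] | REQUIRED["local"]

# Constructed sample of `show system interface` output (assumed layout). The glued
# token "nac-ipcradius-local" reproduces a missing space when re-typing the command.
SAMPLE_SHOW_OUTPUT = """\
config system interface
    edit "port1"
        set ip 10.1.1.5 255.255.255.0
        set allowaccess https-adminui ssh ping snmp
            nac-ipcradius-local radius-acct
    next
    edit "port2"
        set allowaccess ping
    next
end
"""


def parse_allowaccess(show_output, interface="port1"):
    """Return the allowaccess options of one interface, joining a wrapped command."""
    tokens, in_iface, continuing = [], False, False
    for raw in show_output.splitlines():
        line = raw.strip()
        match = re.fullmatch(r'edit\s+"?([\w.-]+)"?', line)
        if match:
            in_iface, continuing = match.group(1) == interface, False
            continue
        if not in_iface:
            continue
        if line.startswith("set allowaccess"):
            tokens, continuing = line.split()[2:], True
        elif continuing and line and not line.startswith(("set ", "next", "end")):
            tokens += line.split()  # continuation of a wrapped command
        else:
            continuing = False
    return tokens


def check_allowaccess(show_output, mode, interface="port1"):
    """Report options still missing for `mode` and tokens that look like glued options."""
    tokens = parse_allowaccess(show_output, interface)
    missing = sorted(REQUIRED[mode] - set(tokens))
    glued = sorted(t for t in tokens
                   if t not in KNOWN_OPTIONS and any(o in t for o in KNOWN_OPTIONS))
    return {"missing": missing, "glued": glued}


if __name__ == "__main__":
    print(check_allowaccess(SAMPLE_SHOW_OUTPUT, "local"))
    # -> {'missing': ['radius-local'], 'glued': ['nac-ipcradius-local']}
```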

Proceed to the applicable section:

Configure FortiNAC (Proxy RADIUS) - FortiNAC proxies 802.1x RADIUS requests to a third-party RADIUS server

Configure FortiNAC (Local RADIUS) - FortiNAC processes all RADIUS requests

Configure FortiNAC (Proxy RADIUS)

  1. In the FortiNAC Administration UI, add a RADIUS server (such as FortiAuthenticator) to FortiNAC in order to proxy the 802.1x packets to the correct server.

    See Proxy in the Administration Guide for instructions.

    Important: The RADIUS Secret used must be exactly the same on the RADIUS server.

  2. Create Network Access Policies to assign VLANs for connecting registered hosts. For instructions, see section Network access policies in the Administration Guide.

    Important: All VLAN assignments for registered hosts require a Network Access Policy.

  3. Navigate to Network > Inventory.

  4. Select the new Device Model and click the Model Configuration tab.

  5. Click Enable RADIUS authentication for this device and click Proxy.

  6. Configure the appropriate VLAN ID for each Logical Network as they apply (Registration, Quarantine, Dead End, Authentication, etc).

  7. Click Save.

Proceed to Create Enforcement Groups.

Configure FortiNAC (Local RADIUS)

  1. Configure and enable Local RADIUS Services. Refer to the Local RADIUS Server reference manual for instructions.

  2. Create Network Access Policies to provision VLANs. For instructions see Network access policies in the Administration Guide.

    Important: All VLAN assignments for registered hosts require a Network Access Policy.

    Dynamically Provision Voice VLAN for IP Phones (optional)

    • User/Host Profile – Match criteria unique to the IP Phones. The simplest matching criteria to use is Device Type = IP Phone. Other criteria can be used as desired. For details on registering IP Phones, refer to the IP Phone Integrations reference manual in the Document Library.

    • Logical Network for the Voice VLAN. For instructions see Configuring Logical Networks.

    • Network Access Configuration to assign the data VLAN’s logical network. For instructions see Network Access Configurations.

  3. Navigate to Network > Inventory.

  4. Select the new Device Model and click the Model Configuration tab.

  5. Click Enable RADIUS authentication for this device and click Local.

  6. Configure the appropriate VLAN ID and RADIUS Attribute Group for each Logical Network as they apply (Registration, Quarantine, Dead End, Authentication, etc.).

    Isolation/Data VLANs

    • Access Value = Data VLAN ID

    • RADIUS Attribute Group = RFC_Vlan

      Note: Use Default can be selected if the Default Attribute Group is RFC_Vlan.

    Tagged Voice VLAN (optional)

    Configure the following for FortiNAC to dynamically assign the tagged Voice VLAN.

    • Access Value = <Voice VLAN ID>

    • RADIUS Attribute Group = a custom group, created as follows:

      a. Click the Add icon next to the IP Phone Logical Network.

      b. Enter the RADIUS Attribute Group name (Example: Vlan-Phone).

      c. Add the attribute values using the chart below. Click OK to save.

        Hint: Use the Name filter to locate the various attributes in the Available Attributes list.

        Attribute Name             Response Value
        Tunnel-Medium-Type         IEEE-802
        Tunnel-Type                VLAN
        Tunnel-Private-Group-Id    %ACCESS_VALUE%
        Cisco-AVPair               device-traffic-class=voice
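The attribute groups above, RFC_Vlan for the data VLAN and the custom Vlan-Phone group for the tagged voice VLAN, can be checked on the wire. The following Python is an added example, not FortiNAC or Meraki code: it encodes the chart's attributes into RADIUS Access-Accept attribute bytes (with %ACCESS_VALUE% substituted), decodes a received attribute blob back into the VLAN decision a switch would act on, and lists mismatches against what FortiNAC was configured to send. The contents of RFC_Vlan, the tag value 1 and all function names are assumptions.

```python
import struct

# RADIUS attribute types (RFC 2865, RFC 2868) and the Cisco vendor values
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
CISCO_VENDOR_ID = 9               # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                  # Cisco-AVPair vendor-type
TUNNEL_TYPES = {"VLAN": 13}       # RFC 3580 value for Tunnel-Type VLAN
TUNNEL_MEDIA = {"IEEE-802": 6}    # RFC 2868 value for Tunnel-Medium-Type 802
VOICE_AVPAIR = "device-traffic-class=voice"

# Attribute groups as name -> response value; %ACCESS_VALUE% is substituted at
# send time. RFC_Vlan is assumed to hold the three tunnel attributes (the page
# does not list its contents); Vlan-Phone is the custom group from the chart.
RFC_VLAN = {
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Type": "VLAN",
    "Tunnel-Private-Group-Id": "%ACCESS_VALUE%",
}
VLAN_PHONE = {**RFC_VLAN, "Cisco-AVPair": VOICE_AVPAIR}


def _avp(attr_type, value):
    """Type/Length/Value encoding; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag, number):
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte integer."""
    return bytes([tag]) + number.to_bytes(3, "big")


def encode_group(group, access_value, tag=1):
    """Render an attribute group into the raw attribute bytes of an Access-Accept."""
    out = b""
    for name, template in group.items():
        value = template.replace("%ACCESS_VALUE%", str(access_value))
        if name == "Tunnel-Type":
            out += _avp(ATTR_TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPES[value]))
        elif name == "Tunnel-Medium-Type":
            out += _avp(ATTR_TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIA[value]))
        elif name == "Tunnel-Private-Group-Id":
            out += _avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + value.encode())
        elif name == "Cisco-AVPair":
            text = value.encode()
            vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(text) + 2) + text
            out += _avp(ATTR_VENDOR_SPECIFIC, vsa)
        else:
            raise ValueError(f"unsupported attribute {name}")
    return out


def decode_attributes(data):
    """Split raw attribute bytes into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def decode_vlan_assignment(data):
    """Extract what the switch acts on: tunnel type/medium, VLAN id and voice flag."""
    result = {"tunnel_type": None, "tunnel_medium": None, "vlan_id": None, "voice": False}
    type_names = {v: k for k, v in TUNNEL_TYPES.items()}
    media_names = {v: k for k, v in TUNNEL_MEDIA.items()}
    for attr_type, value in decode_attributes(data):
        if attr_type == ATTR_TUNNEL_TYPE and len(value) == 4:
            result["tunnel_type"] = type_names.get(int.from_bytes(value[1:], "big"))
        elif attr_type == ATTR_TUNNEL_MEDIUM_TYPE and len(value) == 4:
            result["tunnel_medium"] = media_names.get(int.from_bytes(value[1:], "big"))
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading byte of 0x00-0x1F is a tag, anything else is data
            result["vlan_id"] = (value[1:] if value[0] <= 0x1F else value).decode()
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen == len(value) - 4:
                result["voice"] = result["voice"] or value[6:].decode() == VOICE_AVPAIR
    return result


def validate_assignment(decoded, expected_vlan, expect_voice=False):
    """List mismatches between what was received and what FortiNAC was set to send."""
    problems = []
    if decoded["tunnel_type"] != "VLAN":
        problems.append("Tunnel-Type is not VLAN")
    if decoded["tunnel_medium"] != "IEEE-802":
        problems.append("Tunnel-Medium-Type is not IEEE-802")
    if decoded["vlan_id"] != str(expected_vlan):
        problems.append(f"Tunnel-Private-Group-Id is {decoded['vlan_id']!r}, expected {expected_vlan!r}")
    if decoded["voice"] != expect_voice:
        problems.append("Cisco-AVPair device-traffic-class=voice " + ("missing" if expect_voice else "present"))
    return problems
```

Feed decode_vlan_assignment the attribute bytes of an Access-Accept taken from a packet capture to confirm the switch received the VLAN and voice marking the model configuration was meant to send.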

Proceed to Create Enforcement Groups.

Step 6: Create Enforcement Groups

Step 1: Determine the Required Groups

In order for FortiNAC to manage ports, they must be members of the appropriate enforcement group. There are several enforcement groups available. Review the table below to decide which groups will be required.

Enforcement Groups

Forced Authentication (Port Group)

  Ports that participate in forced authentication when unauthenticated users connect. If a port is in this group, when a host connects to it and is unauthenticated, the port is put into the isolation VLAN and the host is forced to authenticate.

Forced Registration (Port Group)

  Ports that participate in forced registration when unregistered hosts connect. Add switch ports that participate in forced registration when an Unregistered Host connects to the Forced Registration port group. Only ports that participate have their VLAN ID set to the Registration VLAN when an Unregistered Host connects.

Forced Remediation (Port Group)

  Ports that participate in forced remediation VLAN switching when hosts connect.

Role-Based Access (Port Group)

  Required in order to apply Network Access Policies. If a port is not a member of this group, FortiNAC will not switch the VLAN based upon a matching Network Access Policy.

Physical Address Filtering (Device Group)

  Devices that participate in the enabling and disabling of hosts. Add switches that participate in host disabling to this group. If a host is connected to a switch that is not in the Physical Address Filtering group, and that host is disabled through FortiNAC, the host remains connected to the network and is displayed as in violation. Add the switch regardless of whether a host is disabled through a Dead End VLAN or through MAC address security.

Step 2: Configure Groups for Enforcement

Port Groups: Configure port groups to which ports will be added to enable enforcement. Port Group configuration can be done in several ways. One approach is to create a group that will be a member of all desired enforcement groups. This simplifies the enforcement process, as the administrator only needs to add the port to one port group as opposed to multiple in order to enable enforcement. It is recommended to remain consistent with whichever method is decided upon for group organization.

Device Groups (for use with Physical Address Filtering): Device Group configuration can be done in several ways. One approach is to create location-based device groups to be members of the Physical Address Filtering Group. It is recommended to remain consistent with whichever method is decided upon for group organization.

Note: Device groups are suggested for organizational purposes. It is possible to add a switch directly to the Physical Address Filtering group if desired.

Example

Requirements for devices connecting to Switch 1A in the Corp IT Department:

  • Devices will register prior to being granted access to the network.

  • Devices will be scanned for posture. If scan fails, device must remediate prior to accessing the network.

  • Once registered, network access will be provisioned based upon matching a certain Network Access Policy.

  • Ability to disable registered hosts and isolate them from the rest of the network.

Procedure

  1. Navigate to System > Groups.

  2. Create port group named “Switch 1A Ports”.

  3. Right click on “Switch 1A Ports” and select Group Member Of.

  4. Select the check boxes for the desired enforcement groups and click OK:

    Forced Registration

    Forced Remediation

    Role-Based Access

  5. Create device group named “Corp IT Switches”.

  6. Right click on “Corp IT Switches” and select Group Member Of.

  7. Select the check box for Physical Address Filtering and click OK.

For more information, see Groups in the Administration Guide.

Step 7: Review Enforcement Checklist

Before enabling enforcement, verify the following:

  • The Current and Default VLANs are correct on each switch. (Current and Default should match, or there will be a VLAN switch when ports go live, unless a network access policy overrides the default.)

  • All uplinks are marked as uplinks in Topology.

  • There are few or no rogue MAC addresses on the switch(es).

    Important: Rogue MAC addresses detected on enforced ports will be isolated.

  • Isolation VLANs are working.

  • Each switch model configuration has the appropriate isolation VLAN for all desired enforcement states.

Step 8: Enable Enforcement

Add the desired ports/switches to the appropriate enforcement group.

Important: Always test behavior on a small number of ports prior to enforcing the entire switch.

Example

Enable enforcement on Switch 1A ports 1-5

  1. Navigate to System > Groups.

  2. Right click on group “Switch 1A Ports” and select Modify.

  3. In the left column, expand Switch 1A to reveal ports.

  4. Select ports 1-5 and click “>” to move to the Selected Members column.

  5. Click OK.

  6. Right click on group “Corp IT Switches” and select Modify.

  7. In the left column, select Switch 1A and click “>” to move to the Selected Members column.

  8. Click OK.

For more information, see Groups in the Administration Guide.

Step 9: Validate Control

  1. Connect a rogue host to one of the newly enforced ports.

  2. Verify the following:

    • Host is moved to the Isolation VLAN.

    • Host is able to access the captive portal (if configured).

    • After the host is registered, it is moved to the appropriate VLAN.

    • Host is moved to the Dead End VLAN when disabled in Host view.

If unexpected results occur, see Troubleshooting.
