7.2.0

RADIUS Authentication

Sends notifications to FortiNAC for endpoints connecting to downstream devices that are themselves connected to the FortiSwitch, such as hubs or IP phones, as well as for endpoints connecting directly to the switch.

  • MAC-based Authentication: Endpoints are authenticated based on the MAC address. This requires no configuration on the endpoint.

  • 802.1x Authentication: Endpoints are authenticated based on user information. This requires supplicant configuration on the endpoint.

See Wireless Authentication in the Appendix for more information.

Note:

  • FortiNAC does not control the Guest and Auth-Fail VLANs. Endpoints placed in those VLANs may not be managed.

  • There is no immediate notification to FortiNAC of when an endpoint disconnects. FortiNAC must rely on polling the switch for L2 information to determine an endpoint has disconnected.

802.1x RADIUS Server Requirements

  • In 802.1X environments, the encryption method for user names and passwords passed between FortiNAC and the RADIUS server must be set to PAP. This affects the following accounts or user names and passwords created on the RADIUS server:

  • The validation account created for communication with FortiNAC and entered in the RADIUS Server Profile configuration.

Network Requirements

  • Do not use asymmetric routing between your device and the FortiNAC server. RADIUS requests and responses between the FortiNAC server and the wireless device must travel through the same interface on the FortiNAC server.

Controllers/APs

  • Network devices should have static IP addresses or reserved dynamic IP addresses. Once a device that provides network services has been identified in FortiNAC, there is no mechanism to automatically update the IP address for that device if it changes. If the IP address on the device itself is changed, the device appears in FortiNAC to be offline or to have a communication error.

  • For some wireless devices, FortiNAC supports management of individual SSIDs, in which hosts receive different treatment depending on the SSID to which they are connected. To use this feature, you must create an SSID configuration for each SSID that you wish to manage differently from the parent device that controls the SSID. If no SSID configuration exists, the Model Configuration for the device is used. For example, if you have a corporate SSID and a guest SSID, you may want the guest SSID to provide Internet access only and the corporate SSID to provide access to the corporate network. They can be configured separately.

  • Do not set FortiNAC as the trap receiver on any wireless devices. FortiNAC does not process traps from wireless devices.

  • When a network device supports hot standby with virtual IP assignment, special considerations can apply, since FortiNAC must be able to identify the device sending the request. If the RADIUS request originates from an address different from the one discovered and modeled by FortiNAC, the request must identify the device by information in the RADIUS request packet. FortiNAC looks for this device identity information in the NAS-IP and NAS-ID attributes.
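The two requirements above (PAP between FortiNAC and the RADIUS server, and identifying a hot-standby device by the NAS-IP / NAS-ID attributes when the source address does not match the modeled device) are easier to reason about with the packet in front of you. The following is an added example, not Fortinet code and not a description of FortiNAC internals: it builds a constructed RADIUS Access-Request (RFC 2865 framing), hides the User-Password the way PAP does it (MD5 of shared secret and authenticator, XORed over the password), parses the attributes back, and then resolves the sending device first by source IP, then by NAS-IP-Address (attribute 4), then by NAS-Identifier (attribute 32). The shared secret, device names, addresses and the MAC-as-username convention are all constructed values; the three-step lookup order is an assumption modelled on the text, not FortiNAC's documented algorithm.

```python
"""Constructed RADIUS Access-Request: PAP password hiding and NAS identification."""
import hashlib
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32

SECRET = b"example-shared-secret"          # constructed; never reuse in production
AUTHENTICATOR = bytes(range(16))           # constructed; a real NAS sends 16 random bytes


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    The only protection is the shared secret; there is no per-user key material."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide (what the RADIUS server does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, authenticator: bytes, attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    body = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for a single RADIUS attribute")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject malformed TLVs."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, pkt[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, pkt[4:20], attrs


def identify_nas(src_ip: str, attrs, known_devices: dict):
    """Resolve the modeled device: source IP, then NAS-IP-Address, then NAS-Identifier.
    known_devices maps modeled IP -> device name (constructed inventory)."""
    if src_ip in known_devices:
        return known_devices[src_ip]
    for attr_type, value in attrs:               # hot standby: VIP != modeled address
        if attr_type == ATTR_NAS_IP_ADDRESS and len(value) == 4:
            nas_ip = socket.inet_ntoa(value)
            if nas_ip in known_devices:
                return known_devices[nas_ip]
    for attr_type, value in attrs:
        if attr_type == ATTR_NAS_IDENTIFIER:
            name = value.decode("utf-8", "replace")
            if name in known_devices.values():
                return name
    return None


def demo_attrs(include_nas_ip: bool = True, include_nas_id: bool = True):
    """MAC-based authentication request: username is the endpoint MAC (constructed)."""
    mac = b"00:11:22:33:44:55"
    attrs = [(ATTR_USER_NAME, mac),
             (ATTR_USER_PASSWORD, pap_hide(mac, SECRET, AUTHENTICATOR))]
    if include_nas_ip:
        attrs.append((ATTR_NAS_IP_ADDRESS, socket.inet_aton("10.0.0.11")))
    if include_nas_id:
        attrs.append((ATTR_NAS_IDENTIFIER, b"wlc-1"))
    return attrs


if __name__ == "__main__":
    inventory = {"10.0.0.11": "wlc-1"}        # constructed FortiNAC-style device model
    pkt = build_access_request(7, AUTHENTICATOR, demo_attrs())
    _, _, auth, attrs = parse_packet(pkt)
    print("device via VIP source:", identify_nas("10.0.0.250", attrs, inventory))
```

The defensive takeaways are visible in the code: a mismatched or leaked shared secret exposes every PAP password on the wire (hence the secret's strength matters, and the FortiNAC-to-RADIUS path should be a trusted segment), and a NAS that answers from a virtual IP is only recognisable if it populates NAS-IP-Address or NAS-Identifier, so verify those attributes are sent before relying on hot standby.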
