
FortiSwitch Integration

7.2.0

Provision Voice VLANs Using RADIUS


Voice VLANs can be automatically provisioned using one of the following options.

Untagged Voice VLANs Provisioned by FortiNAC

FortiNAC authenticates RADIUS and dynamically provisions the untagged voice VLAN.

FortiSwitch Configuration: Create the voice VLAN on the switch.

FortiNAC Configuration:

  1. Configure IP Phone Logical Network.

  2. Under the FortiSwitch/FortiGate (if managed) Model Configuration tab, set the following:

    Network Access

    Logical Network Name    Enforce/Deny    VLAN ID/Name
    IP Phone                Enforce         <Voice VLAN>
    Default                 Enforce         (None)

Tagged Voice VLANs Provisioned using LLDP

IP phones communicate over a tagged voice VLAN. Phones are provisioned by the switch using LLDP. FortiNAC authenticates RADIUS but does not supply a VLAN.

FortiSwitch Configuration:

Configure LLDP as necessary to provision the tagged Voice VLAN. See related FortiSwitch documentation.

FortiNAC Configuration:

  1. Configure IP Phone Logical Network.

  2. Under the FortiSwitch/FortiGate (if managed) Model Configuration tab, set the following:

    Network Access

    Logical Network Name    Enforce/Deny    VLAN ID/Name
    IP Phone                Enforce         (None)
    Default                 Enforce         (None)

Tagged Voice VLANs Provisioned by FortiNAC

FortiNAC authenticates RADIUS and dynamically provisions the tagged voice VLAN. FortiNAC includes a set of RADIUS Attributes in the RADIUS response to provision the VLAN.

Requirements:

  • FortiNAC Local RADIUS Service must be configured. For instructions, refer to the Local RADIUS Server reference manual in the Document Library.

FortiSwitch Configuration: Create the voice VLAN on the switch.

FortiNAC Configuration:

  1. Confirm Local RADIUS service is running and configured appropriately.

  2. Configure IP Phone Logical Network.

  3. Under the FortiSwitch/FortiGate (if managed) Model Configuration tab, configure the following:

    Network Access

    Logical Network Name    Enforce/Deny    VLAN ID/Name
    IP Phone                Enforce         (None)
    Default                 Enforce         (None)

RADIUS

  • RADIUS Mode: Local

  • Logical Network: IP Phone

  • Custom Radius Attribute Group containing the Egress-VLAN-Name attribute

  1. Click the Add icon next to the IP Phone Logical Network.

  2. Enter the RADIUS Attribute Group name.

  3. Add the attributes and the appropriate values using the chart below. Click OK to save.

    Hint: Use the Name filter to locate the various attributes in the Available Attributes list.

    Attribute Name             Response Value
    Tunnel-Medium-Type         IEEE-802
    Tunnel-Type                VLAN
    Tunnel-Private-Group-Id    %ACCESS_VALUE%
    Egress-VLAN-Name           1<VLAN name> (Example: 1voicenac)

Validate:

Example of FortiSwitch debug output:

    Sent Access-Accept Id 237 from x.x.x.x:1812 to x.x.x.x:46752 length 0
      Tunnel-Type = VLAN
      Egress-VLAN-Name = "1voicenac"
      Tunnel-Private-Group-Id = "120"
      Tunnel-Medium-Type = IEEE-802

FortiSwitch CLI command to verify configuration:

diagnose switch 802-1x status <port_name>

Review the Dynamic Allowed Vlan list entry.
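
A check for the Validate step, as an added example that is not part of the Fortinet documentation: it parses an Access-Accept dump in the format shown above and reports any attribute that does not match the chart, including the tag indication that RFC 4675 defines as the first character of Egress-VLAN-Name ('1' tagged, '2' untagged). The function names and the expected VLAN name and ID supplied by the caller are assumptions; the sample text is constructed from the debug output above.

```python
import re

# Added example (names are illustrative). Sample constructed from the debug output above.
SAMPLE = '''Sent Access-Accept Id 237 from x.x.x.x:1812 to x.x.x.x:46752 length 0
  Tunnel-Type = VLAN
  Egress-VLAN-Name = "1voicenac"
  Tunnel-Private-Group-Id = "120"
  Tunnel-Medium-Type = IEEE-802
'''

ATTR_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*"?([^"\r\n]*?)"?\s*$')
# RFC 4675: the first character of Egress-VLAN-Name is the tag indication.
TAG_INDICATION = {"1": "tagged", "2": "untagged"}


def parse_attributes(text):
    """Collect 'Name = value' lines from one Access-Accept dump into a dict."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def check_voice_vlan(text, expected_name, expected_vlan_id):
    """Return a list of problems; an empty list means the reply matches the chart."""
    attrs = parse_attributes(text)
    problems = []
    for name, want in (("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"),
                       ("Tunnel-Private-Group-Id", str(expected_vlan_id))):
        got = attrs.get(name)
        if got != want:
            problems.append(f"{name}: expected {want!r}, got {got!r}")
    egress = attrs.get("Egress-VLAN-Name")
    if not egress:
        problems.append("Egress-VLAN-Name missing: no tagged VLAN will be provisioned")
    else:
        mode = TAG_INDICATION.get(egress[0])
        if mode != "tagged":
            problems.append(f"Egress-VLAN-Name {egress!r}: tag indication is {mode or 'invalid'}, expected tagged ('1' prefix)")
        if egress[1:] != expected_name:
            problems.append(f"Egress-VLAN-Name {egress!r}: VLAN name is {egress[1:]!r}, expected {expected_name!r}")
    return problems


if __name__ == "__main__":
    for p in check_voice_vlan(SAMPLE, "voicenac", 120) or ["OK"]:
        print(p)
```

A '2' prefix or a missing Egress-VLAN-Name is the case to watch for: authentication still succeeds, but the phone's tagged voice VLAN is not what ends up on the port.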

Reference:

https://docs.fortinet.com/document/fortiswitch/7.0.1/administration-guide/110505/dynamic-vlan-assignment
