EMS tags in NAC policies
The EMS server generates a dynamic address with a MAC address. A MAC-based EMS tag can be used as a matching condition in a switch controller NAC policy. The EMS server must be running version 6.4.1 or later.
The following example uses synchronized FortiClient EMS tags from the EMS server. For more information, see Synchronizing FortiClient EMS tags and configurations.
To use an EMS tag in a NAC policy in the GUI:
- Go to WiFi & Switch Controller > FortiSwitch NAC Policies and click Create New.
- Enter a policy name.
- For Category, select EMS Tag.
- In the FortiClient EMS Tag dropdown, select a MAC-based tag.
- Configure the other settings as needed.
- Click OK.
To use an EMS tag in a NAC policy in the CLI:
- Configure the firewall address:
    config firewall address
        edit "MAC_FCTEMS0000100000_ems134_vulner_critical_tag"
            set type dynamic
            set sub-type ems-tag
            set comment ''
            set associated-interface ''
            set color 0
            set obj-type mac
        next
    end
- Configure the NAC policy:
    config user nac-policy
        edit "nac01"
            set description ''
            set category ems-tag
            set status enable
            set ems-tag "MAC_FCTEMS0000100000_ems134_win10_tag"
            set switch-fortilink "FortiLink01"
            set switch-auto-auth global
            set switch-port-policy ''
            set switch-mac-policy "nac01"
        next
    end
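The following check is an added example, not part of the Fortinet documentation. It reads configuration text in the config/edit/set form shown above and reports every NAC policy with category ems-tag whose ems-tag does not resolve to a firewall address with sub-type ems-tag and obj-type mac. The function names, the sample object names and the assumption of flat (non-nested) config blocks are this example's own.

```python
import re

def parse_config(text):
    """Return {section: {entry: {option: value}}}; assumes flat (non-nested) config blocks."""
    cfg, section, entry = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            section, entry = cfg.setdefault(line[7:], {}), None
        elif section is not None and (m := re.match(r'edit "?([^"]+)"?$', line)):
            entry = section.setdefault(m.group(1), {})
        elif entry is not None and (m := re.match(r'set (\S+) (.*)$', line)):
            entry[m.group(1)] = m.group(2).strip('"\'')
    return cfg

def check_nac_ems_tags(text):
    """Return (policy, tag, problem) for ems-tag NAC policies without a MAC-based tag."""
    cfg, findings = parse_config(text), []
    for name, opts in cfg.get("user nac-policy", {}).items():
        if opts.get("category") != "ems-tag":
            continue  # other NAC categories do not match on an EMS tag
        tag = opts.get("ems-tag", "")
        addr = cfg.get("firewall address", {}).get(tag)
        if addr is None or (addr.get("sub-type"), addr.get("obj-type")) != ("ems-tag", "mac"):
            findings.append((name, tag, "address not found" if addr is None else "not MAC-based"))
    return findings

# Constructed sample (hypothetical object names, not taken from a real device).
SAMPLE = """
config firewall address
    edit "MAC_EXAMPLE_tag_a"
        set sub-type ems-tag
        set obj-type mac
    next
    edit "EXAMPLE_tag_b"
        set sub-type ems-tag
        set obj-type ip
    next
end
config user nac-policy
    edit "nac-ok"
        set category ems-tag
        set ems-tag "MAC_EXAMPLE_tag_a"
    next
    edit "nac-ip-tag"
        set category ems-tag
        set ems-tag "EXAMPLE_tag_b"
    next
end
"""
```

Calling check_nac_ems_tags(SAMPLE) flags only "nac-ip-tag", because its tag address has obj-type ip rather than mac.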