Administration Guide

EMS tags in NAC policies

The EMS server generates a dynamic address with a MAC address. A MAC-based EMS tag can be used as a matching condition in a switch controller NAC policy. The EMS server must be running version 6.4.1 or later.

The following example uses synchronized FortiClient EMS tags from the EMS server. For more information, see Synchronizing FortiClient EMS tags and configurations.

To use an EMS tag in a NAC policy in the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies and click Create New.
  2. Enter a policy name.
  3. For Category, select EMS Tag.
  4. In the FortiClient EMS Tag dropdown, select a MAC-based tag.
  5. Configure the other settings as needed.
  6. Click OK.

To use an EMS tag in a NAC policy in the CLI:
  1. Configure the firewall address:
    config firewall address
        edit "MAC_FCTEMS0000100000_ems134_vulner_critical_tag"
            set type dynamic
            set sub-type ems-tag
            set comment ''
            set associated-interface ''
            set color 0
            set obj-type mac
        next
    end
  2. Configure the NAC policy:
    config user nac-policy
        edit "nac01"
            set description ''
            set category ems-tag
            set status enable
            set ems-tag "MAC_FCTEMS0000100000_ems134_win10_tag"
            set switch-fortilink "FortiLink01"
            set switch-auto-auth global
            set switch-port-policy ''
            set switch-mac-policy "nac01"
        next
    end
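
A NAC policy's ems-tag only matches if it names a firewall address that is dynamic, of sub-type ems-tag, and of obj-type mac. The following added example (not Fortinet code) checks that linkage in a configuration backup. The parser is a simplified assumption that handles only flat config/edit/set blocks, and the sample input is constructed from the two CLI snippets above.

```python
SAMPLE = '''
config firewall address
    edit "MAC_FCTEMS0000100000_ems134_vulner_critical_tag"
        set type dynamic
        set sub-type ems-tag
        set obj-type mac
    next
end
config user nac-policy
    edit "nac01"
        set category ems-tag
        set ems-tag "MAC_FCTEMS0000100000_ems134_win10_tag"
    next
end
'''  # Constructed sample: this page's two CLI snippets joined as one config.

def parse_tables(text):
    """Return {table: {entry: {key: value}}} for flat config/edit/set blocks."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table, entry = tables.setdefault(line[7:], {}), None
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip("\"'")
        elif line in ("next", "end"):
            entry = None
    return tables

def check_nac_ems_tags(text):
    """List (policy, tag, problem) for ems-tag NAC policies with an unusable tag."""
    tables = parse_tables(text)
    addresses = tables.get("firewall address", {})
    wanted = {"type": "dynamic", "sub-type": "ems-tag", "obj-type": "mac"}
    findings = []
    for name, policy in tables.get("user nac-policy", {}).items():
        if policy.get("category") != "ems-tag":
            continue
        tag = policy.get("ems-tag", "")
        addr = addresses.get(tag)
        if addr is None:
            findings.append((name, tag, "no matching firewall address"))
        elif any(addr.get(k) != v for k, v in wanted.items()):
            findings.append((name, tag, "not a dynamic MAC-based EMS tag"))
    return findings

print(check_nac_ems_tags(SAMPLE))
```

On the constructed sample the check reports nac01, because the tag it references is not among the addresses shown; on a full backup, a finding means the tag was never synchronized or is not MAC-based.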
