FortiWLC Device Configuration - 802.1x

Use a browser to log into the FortiWLC controller. Make sure the following items are configured.

Note

When configuring security strings on network devices or names for items within the configuration, it is recommended that you use only letters, numbers and hyphens (-). Other characters may prevent FortiNAC from communicating with the device, such as #. Some device manufacturers prohibit the use of special characters.

VLANs

Create the VLANs that correspond to the host states you wish to enforce. These connection states include default (production) and isolation states including: registration, quarantine, authentication, and dead-end (disabled). For each VLAN configure the following:

  • VLAN name
  • VLAN ID
  • The DHCP Pass-Through option should be set to On.

APs configured for bridged mode: Ensure that VLANs configured on the AP are also created on the controller. Otherwise, those VLANs cannot be used when provisioning network access. FortiNAC needs visibility of every VLAN it may be configured to assign. A centralized network is not required for each VLAN, but the VLAN must exist on the controller.

RADIUS Server

  • Define the FortiNAC Server or FortiNAC Control Server as the RADIUS server for the devices you want to manage with FortiNAC. Use the management IP address of your FortiNAC Server as the IP of the RADIUS server. The FortiNAC software is preconfigured to use port 1812 for authentication. Set the MAC Address delimiter to colon (:).
  • FortiNAC versions prior to 8.5.2 only (no longer required as of 8.5.2): also define the FortiNAC Server or FortiNAC Control Server as the RADIUS Accounting Server for the devices you want to manage with FortiNAC, again using the management IP address of your FortiNAC Server. The FortiNAC software is preconfigured to use port 1813 for accounting.
  • In the RADIUS Server Configuration, set the Called-Station-ID Type to MacAddress:SSID.
  • If setting up FortiNAC as the RADIUS server for a device in a Fortinet High Availability environment, use the actual IP address of the primary control server, not the Shared IP address. Set up the secondary control server as a secondary RADIUS server using its actual IP address. Regardless of the environment, you may also want to add your existing RADIUS server as a last-resort server for use when none of your FortiNAC appliances can be reached. This keeps users on the network during an outage, but those sessions are not controlled by FortiNAC.

Caution

The RADIUS secret used must be exactly the same on the wireless device, on the RADIUS server and in the FortiNAC software under RADIUS Settings and Model Configuration. Because a RADIUS reply is bound to the secret only through its Response Authenticator (RFC 2865), a mismatch usually shows up as silently discarded replies and failed authentications rather than as an explicit error.
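
As an added illustration of the RADIUS settings above (not code from Fortinet or FortiNAC), the following Python builds a minimal Access-Request of the shape a controller sends when the MAC delimiter is a colon and the Called-Station-ID Type is MacAddress:SSID, parses the client MAC, AP MAC and SSID out of it, answers with an Access-Accept that assigns a VLAN through the standard Tunnel-* attributes, and verifies that reply the way the controller does. Running it with two different secrets shows what the Caution above is warning about. Attribute numbers follow RFC 2865 and RFC 3580; the MACs, SSID, user name, secrets and all helper names are constructed for the example.

```python
# RADIUS exchange between a FortiWLC-style controller and a NAC RADIUS server.
# Added example, not Fortinet or FortiNAC code. Packet layout per RFC 2865,
# VLAN assignment per RFC 3580; all MACs, SSIDs, names and secrets are made up.
import hashlib
import hmac
import os
import re
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, CALLED_STATION_ID, CALLING_STATION_ID = 1, 30, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
# What the "MAC Address delimiter = :" setting produces on the wire.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def encode_attrs(attrs):
    """(type, value) pairs -> RADIUS TLVs: 1-byte type, 1-byte length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated RADIUS attribute")
        t, length = struct.unpack("!BB", blob[i:i + 2])
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret). This is
    the only binding between a reply and the shared secret, so a mismatched
    secret produces no error: the controller just discards the reply."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def split_called_station_id(value):
    """Called-Station-ID Type 'MacAddress:SSID' with colon MAC delimiter, e.g.
    '00:0c:e6:12:34:56:Corp-WiFi'. Split at the fixed 17-byte MAC length, not
    on ':', so an SSID that itself contains ':' is not truncated."""
    mac, sep, ssid = value[:17], value[17:18], value[18:]
    if not MAC_RE.match(mac) or sep != ":" or not ssid:
        raise ValueError(f"unexpected Called-Station-Id format: {value!r}")
    return mac.lower(), ssid


def parse_access_request(pkt):
    """Return (identifier, request authenticator, fields a NAC keys on)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    fields = {}
    for t, v in decode_attrs(pkt[20:length]):
        if t == USER_NAME:
            fields["user"] = v.decode()
        elif t == CALLING_STATION_ID:  # the client's MAC
            fields["client_mac"] = v.decode().lower()
        elif t == CALLED_STATION_ID:  # AP radio MAC + SSID
            fields["ap_mac"], fields["ssid"] = split_called_station_id(v.decode())
    return ident, pkt[4:20], fields


def vlan_accept(ident, request_auth, vlan_id, secret):
    """Access-Accept that moves the client to vlan_id, which is what an ESS
    profile set to 'RADIUS VLAN Only' acts on: Tunnel-Type=VLAN(13),
    Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID=<id>, tag 0."""
    attrs = [(TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
             (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
             (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode())]
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs)


def verify_response(resp, request_auth, secret):
    """The controller's check before it honours an Access-Accept."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    attrs = decode_attrs(resp[20:length])
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(resp[4:20], expected)


def demo(controller_secret=b"Radius-Secret-1", nac_secret=b"Radius-Secret-1"):
    """One exchange: returns the parsed request fields and whether the controller
    accepts the NAC's reply. Any difference between the two secrets gives False."""
    ident, request_auth = 7, os.urandom(16)
    req = build_packet(ACCESS_REQUEST, ident, request_auth, [
        (USER_NAME, b"jdoe"),
        (CALLING_STATION_ID, b"A4:5E:60:AA:BB:CC"),
        (CALLED_STATION_ID, b"00:0C:E6:12:34:56:Corp-WiFi")])
    ident, auth, fields = parse_access_request(req)
    accept = vlan_accept(ident, auth, 100, nac_secret)
    return fields, verify_response(accept, request_auth, controller_secret)
```

demo() returns the parsed fields together with True; demo(nac_secret=b"typo") returns False without raising anything, which is the failure mode a mismatched secret produces in practice: nothing obviously wrong on the server side, just clients whose Access-Accept is never honoured by the controller.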

MAC Filtering

For MAC Filtering configure the following:

  • FortiWLC Versions prior to 5.3: Make sure the ACL Environment State is set to Deny List Enabled
  • FortiWLC Versions 5.3 and above: Enable RADIUS Change of Authorization (CoA)

For FortiWLC Versions 6.0 and Above

  • The MAC filtering feature is only necessary when implementing MAC Authentication and must not be used for ESS Profiles configured for 802.1X.

For FortiWLC Versions Prior to 6.0

  • MAC Filtering must be configured alongside 802.1X. If you are configuring only 802.1X SSIDs, leave the RADIUS profile Name field at the default of "No RADIUS". If you are configuring any MAC Auth SSIDs, select the RADIUS profile created above that designates your FortiNAC Server as the RADIUS server.

Authentication - Security Profile

On the FortiWLC controller the authentication method is configured as a Security Profile along with an encryption type, and other related parameters. These profiles are later associated with an SSID. It is possible to have multiple SSIDs supported simultaneously, some using one method and others using another.

When configuring a wireless device with multiple SSIDs that will be managed by FortiNAC, FortiNAC only allows a single VLAN mapping for each isolation state per device. For example, if the Remediation VLAN is VLAN 10 on one SSID it has to be VLAN 10 on all SSIDs, and if Dead End is VLAN 25 it has to be VLAN 25 for all SSIDs.

If you choose to use 802.1x Authentication you must create a separate Security Profile for that authentication type. Configure the profile as follows:

  • In the L2 Modes allowed section select WPA or WPA2.
  • Set Primary RADIUS server to the RADIUS profile created above that designates your FortiNAC Server as the RADIUS server.
  • In the Captive Portal section select Disabled.
  • Set the 802.1x Network Initiation to On.
  • Set Mac Filtering to On (see the MAC Filtering section above for the version-specific requirements).

ESS Profile/SSID

An SSID identifies a wireless network on the FortiWLC controller. You can create one or more SSIDs on the controller and have FortiNAC manage any number of them. Each SSID is represented by an ESS Profile. For each SSID you wish to have FortiNAC manage, create an ESS Profile as follows:

  • Create an ESS Profile Name.
  • Create a SSID Name.
  • Set the Enable/Disable field to Enable.
  • Select the 802.1x Security Profile from the list.
  • Set the Tunnel Interface type to RADIUS VLAN Only.
  • Set the IP Prefix Validation field to Off. When enabled, it conflicts with configurations that move a client to a different VLAN via RADIUS, which is exactly what FortiNAC does when it changes a host's state.
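
To catch the mistakes the steps above describe before FortiNAC is pointed at the controller, here is an added Python pre-flight check (not Fortinet or FortiNAC code). It reads a hand-built snapshot of the settings from the VLAN, RADIUS, Security Profile and ESS Profile sections and flags the name character rule, DHCP Pass-Through, the RADIUS profile parameters, the 802.1x Security Profile settings, the ESS Profile settings, VLANs that are not defined on the controller, and the one-VLAN-per-isolation-state rule across SSIDs. The dictionary layout and every value in it are my own constructed sample, including two deliberate mistakes on one VLAN and two on the BYOD ESS Profile.

```python
# Pre-flight check of a FortiWLC configuration before FortiNAC is pointed at it.
# Added example, not Fortinet or FortiNAC code. The dictionary layout is my own
# (a hand-built snapshot of the GUI settings); the rules it checks are the ones
# on this page. All names, IDs and addresses are constructed samples.
import copy
import re

# The page's recommendation for names and secrets: letters, digits, hyphens only.
SAFE_NAME = re.compile(r"^[A-Za-z0-9-]+$")

SAMPLE_CONFIG = {
    "vlans": [
        {"name": "Production", "id": 100, "dhcp_pass_through": True},
        {"name": "Registration", "id": 10, "dhcp_pass_through": True},
        {"name": "Quarantine", "id": 20, "dhcp_pass_through": True},
        {"name": "Dead-End#2", "id": 25, "dhcp_pass_through": False},  # two mistakes
    ],
    "radius": {"name": "FortiNAC", "host": "10.0.0.5", "auth_port": 1812,
               "mac_delimiter": ":", "called_station_id_type": "MacAddress:SSID"},
    "security_profiles": [
        {"name": "Dot1x-FortiNAC", "auth": "802.1x", "l2_mode": "WPA2",
         "primary_radius": "FortiNAC", "captive_portal": False,
         "dot1x_network_initiation": True},
    ],
    "ess_profiles": [
        {"name": "Corp", "ssid": "Corp-WiFi", "enabled": True,
         "security_profile": "Dot1x-FortiNAC", "tunnel_interface": "RADIUS VLAN Only",
         "ip_prefix_validation": False,
         "state_vlans": {"default": 100, "registration": 10, "quarantine": 20, "dead-end": 25}},
        {"name": "BYOD", "ssid": "BYOD-WiFi", "enabled": True,
         "security_profile": "Dot1x-FortiNAC", "tunnel_interface": "RADIUS VLAN Only",
         "ip_prefix_validation": True,  # breaks VLAN changes via RADIUS
         "state_vlans": {"default": 100, "registration": 10, "quarantine": 20, "dead-end": 30}},
    ],
}


def check_config(cfg):
    """Return a list of problems; an empty list means the config follows the page."""
    problems = []
    vlan_ids = {v["id"] for v in cfg["vlans"]}

    for v in cfg["vlans"]:
        if not SAFE_NAME.match(v["name"]):
            problems.append(f"VLAN {v['id']}: name {v['name']!r} contains characters other than letters, digits and '-'")
        if not v["dhcp_pass_through"]:
            problems.append(f"VLAN {v['id']}: DHCP Pass-Through is off")

    r = cfg["radius"]
    if (r["auth_port"], r["mac_delimiter"], r["called_station_id_type"]) != (1812, ":", "MacAddress:SSID"):
        problems.append("RADIUS profile: expected port 1812, ':' MAC delimiter and Called-Station-ID type MacAddress:SSID")

    dot1x = {}
    for p in cfg["security_profiles"]:
        if p["auth"] != "802.1x":
            continue
        dot1x[p["name"]] = p
        if p["l2_mode"] not in ("WPA", "WPA2"):
            problems.append(f"Security profile {p['name']}: L2 mode must be WPA or WPA2")
        if p["primary_radius"] != r["name"]:
            problems.append(f"Security profile {p['name']}: primary RADIUS server is not {r['name']}")
        if p["captive_portal"] or not p["dot1x_network_initiation"]:
            problems.append(f"Security profile {p['name']}: captive portal must be Disabled and 802.1x Network Initiation On")

    # FortiNAC allows one VLAN per isolation state per device, across all SSIDs.
    state_vlan = {}
    for e in cfg["ess_profiles"]:
        tag = f"ESS {e['name']}"
        if not e["enabled"]:
            problems.append(f"{tag}: profile is disabled")
        if e["security_profile"] not in dot1x:
            problems.append(f"{tag}: security profile {e['security_profile']!r} is not an 802.1x profile")
        if e["tunnel_interface"] != "RADIUS VLAN Only":
            problems.append(f"{tag}: Tunnel Interface type must be 'RADIUS VLAN Only'")
        if e["ip_prefix_validation"]:
            problems.append(f"{tag}: IP Prefix Validation must be Off (it blocks VLAN changes via RADIUS)")
        for state, vid in e["state_vlans"].items():
            if vid not in vlan_ids:
                problems.append(f"{tag}: {state} VLAN {vid} does not exist on the controller")
            first_vid, first_ess = state_vlan.setdefault(state, (vid, e["name"]))
            if first_vid != vid:
                problems.append(f"{tag}: {state} VLAN is {vid} but ESS {first_ess} uses {first_vid}; one VLAN per state per device")
    return problems


def fixed_config():
    """SAMPLE_CONFIG with the deliberate mistakes corrected, for comparison."""
    cfg = copy.deepcopy(SAMPLE_CONFIG)
    cfg["vlans"][3].update(name="Dead-End", dhcp_pass_through=True)
    cfg["ess_profiles"][1]["ip_prefix_validation"] = False
    cfg["ess_profiles"][1]["state_vlans"]["dead-end"] = 25
    return cfg
```

check_config(SAMPLE_CONFIG) reports five findings: the VLAN name with "#", DHCP Pass-Through off on that VLAN, IP Prefix Validation on for the BYOD profile, a dead-end VLAN that does not exist on the controller, and the dead-end VLAN differing between the two SSIDs. check_config(fixed_config()) returns an empty list.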
