Aruba Wireless Network Options

Before setting up the Aruba controller to integrate with FortiNAC, review the scenarios listed below to determine the configuration that best suits your environment. These include:

  • VLANs Only

  • Roles With VLANs

  • All Roles Share the Same VLAN

  • Wired Hosts

  • Controller As An In-line Device

VLANs Only

In this scenario VLANs are used to control network access. The PEF license is not required. No Aruba roles are configured. This is a very basic configuration.

On the Aruba controller, create the VLANs that correspond to the host states you wish to enforce: the default (production) state and the isolation states Registration, Quarantine, Authentication, and Dead-end (disabled).

In this configuration, when a host connects to the network the controller sends a RADIUS authentication request to FortiNAC. FortiNAC sends a RADIUS response that contains the VLAN assignment. Each state/VLAN change forces the host to disassociate or disconnect, which causes a delay while a new IP address is issued.

Table 1: VLANs Only Sample Configuration

  Host State     | Network VLAN | DHCP Server | Redirect Method | Transition Method
  -------------- | ------------ | ----------- | --------------- | -----------------
  Registration   | 10           | FortiNAC    | DNS Wildcard    | Blacklist
  Authentication | 20           | FortiNAC    | DNS Wildcard    | Blacklist
  Quarantine     | 30           | FortiNAC    | DNS Wildcard    | Blacklist
  Dead-End       | 40           | FortiNAC    | DNS Wildcard    | Blacklist
  Staff          | 100          | Customer    | N/A             | Blacklist
  Admin          | 200          | Customer    | N/A             | Blacklist
  Guests         | 300          | Customer    | N/A             | Blacklist

Roles With VLANs

In this scenario, roles are configured on the controller and each role is associated with a VLAN or VLAN pool (see VLAN Pools under Considerations).

Each role can have its own VLAN, or some roles can share VLANs. The key differentiating factor in this configuration is that at least one role is associated with a VLAN that is different from all of the other roles. When VLANs are used as the control mechanism for access to the network, the host is forced to renew its IP address when it is moved from one VLAN to another, such as from Isolation to Production. As with VLANs Only mode, this mode employs session blacklisting to disassociate sessions during state transitions so that the host acquires a new IP address.

On the Aruba controller, create Roles that correspond to the host states you wish to enforce: the default (production) state and the isolation states registration, quarantine, authentication, and dead-end (disabled). Associate each role with a VLAN.

In this configuration, when a host connects to the network the controller sends a RADIUS authentication request to FortiNAC. FortiNAC sends a RADIUS response that contains the Role assignment.

Table 2: Roles With VLANs Sample Configuration

  Host State     | Aruba Role | Network VLAN | DHCP Server | Redirect Method | Transition Method
  -------------- | ---------- | ------------ | ----------- | --------------- | -----------------
  Registration   | Reg        | 10           | FortiNAC    | DNS Wildcard    | Blacklist
  Authentication | Auth       | 10           | FortiNAC    | DNS Wildcard    | Blacklist
  Quarantine     | Quar       | 40           | FortiNAC    | DNS Wildcard    | Blacklist
  Dead-End       | DE         | 40           | FortiNAC    | DNS Wildcard    | Blacklist
  Staff          | Staff      | 200          | Customer    | N/A             | Blacklist
  Admin          | Admin      | 200          | Customer    | N/A             | Blacklist
  Guests         | Guest      | 300          | Customer    | N/A             | Blacklist

All Roles Share the Same VLAN

In this scenario Firewall Policies or ACLs associated with Roles are used to control network access. Unlike the previous modes, the host retains the same IP address throughout the session.

When hosts are placed into a Role configured for an isolation state (i.e., Registration, Quarantine, etc.), the controller must force user web access to the FortiNAC Captive Portal. When using VLANs, this is accomplished through DNS redirection: wireless hosts in an isolation state are given a FortiNAC interface as their DNS server address within their DHCP assignment.

When all roles share a single VLAN, it is still possible to provide connecting hosts with a FortiNAC interface address as one of the DNS servers returned from DHCP. However, it is not the best solution because many handheld devices support only two DNS addresses. When sharing a single VLAN, a better method of redirecting web access to FortiNAC's captive portal is to use Aruba's DST-NAT feature.

DST-Nat can be configured in either of two ways. If you need to allow hosts to access other sites for remediation purposes, such as AV/AS updates, you must redirect DNS traffic to FortiNAC. Do this by using DST-Nat to redirect all DNS traffic to the FortiNAC isolation interface. If your hosts would never need to be redirected to any destination other than FortiNAC, use DST-Nat to redirect only HTTP traffic to FortiNAC.

Configuration

  • Create a Role for each host state you wish to enforce: the default (production) state and the isolation states registration, quarantine, authentication, and dead-end (disabled).

  • Configure a production IP Interface/VLAN. For this interface, enable Inter-VLAN Routing and assign a static IP address and mask. Associate each role with the same VLAN.

  • Create Firewall Policies or ACLs that control access to the network and associate the policies with the appropriate role.

Table 3: Roles With A Single VLAN Sample Configuration

  Host State     | Aruba Role | Network VLAN | Redirect Method | Transition Method
  -------------- | ---------- | ------------ | --------------- | ------------------
  Registration   | Reg        | 10           | DST-Nat         | Direct Role Change
  Authentication | Auth       | 10           | DST-Nat         | Direct Role Change
  Quarantine     | Quar       | 10           | DST-Nat         | Direct Role Change
  Dead-End       | DE         | 10           | DST-Nat         | Direct Role Change
  Staff          | Staff      | 10           | DST-Nat         | Direct Role Change
  Admin          | Admin      | 10           | DST-Nat         | Direct Role Change
  Guests         | Guest      | 200          | DST-Nat         | Direct Role Change

Wired Hosts

With the controller configured with all roles in the same VLAN, you can manage hosts that connect to the controller via a wired port. These hosts authenticate through RADIUS and are managed using the same process as a wireless host. However, the VLAN assigned to the port must be the same VLAN associated with the host role.

Controller As An In-line Device

Aruba controllers can be configured to pass through traffic from another device that is connected directly to the controller, such as a VPN concentrator. In this configuration, no RADIUS setup is required. FortiNAC sees only a list of sessions and IP addresses; it does not see the MAC addresses of connecting hosts. The IP addresses used must be configured on the connecting device (e.g. the VPN), and Aruba rules then control that range of IP addresses.

Each physical port on the controller can be trusted or untrusted. If the port is trusted, the traffic just passes through. If the port is untrusted, firewall rules are applied based on the role applied to the session. A default role can be set.

Initially, FortiNAC has no mechanism to set the role because it does not have any user data. VPN web pages in Fortinet’s Captive Portal are used to force the user to download the agent and run it on the host. The agent returns the MAC address to FortiNAC. This allows FortiNAC to identify the host machine, determine its state, and decide whether the host should be isolated.

Using Server Derivation Rules On Aruba Controllers

In some cases, you may want to determine the role of a connecting host based on the SSID to which it connects or on some other criteria. The controller provides a powerful facility called Server Derivation Rules that can use several criteria to determine and assign roles for connecting hosts. To use this controller feature you must be familiar with the use of Server Derivation Rules.

To allow the controller to assign a role to a connecting host, a FortiNAC properties file must be modified. The modification makes FortiNAC send the host Role in a different RADIUS attribute than the one it normally uses. The attribute must be changed because the default attribute returned by FortiNAC takes precedence over all other values on the controller. A common replacement is the standard RADIUS Filter-ID attribute.
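As an added illustration (not FortiNAC or Aruba code), the following Python encodes and decodes the two kinds of reply attribute this section compares: the Aruba vendor-specific attributes that radiusDevice.properties defines (vendor 14823, type 1 ArubaUserRole as a string, type 2 ArubaUserVlan as an integer) and the standard Filter-ID attribute (type 11). The byte layouts are the RFC 2865 ones; the function names and the sample role names are this example's own. The parser checks every length field before trusting it, which is the check you want on anything that consumes RADIUS from the network.

```python
"""Encode and decode the RADIUS reply attributes FortiNAC can send to an Aruba
controller: the Aruba VSAs (vendor 14823) and the standard Filter-ID (type 11).
Added example for illustration; not FortiNAC or Aruba code."""
import struct
from typing import Dict, List, Optional, Tuple

FILTER_ID = 11          # RFC 2865 Filter-Id
VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific
ARUBA_VENDOR = 14823    # vendorCode from the radiusDevice.properties excerpt
ARUBA_USER_ROLE = 1     # vsaType 1, ArubaUserRole, String
ARUBA_USER_VLAN = 2     # vsaType 2, ArubaUserVlan, Integer


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type (1 byte), Length (1 byte, counts the header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    """Vendor-Specific (RFC 2865 s5.26): Vendor-Id (4 bytes), then
    Vendor-Type, Vendor-Length (counts its own 2-byte header) and value."""
    inner = struct.pack("!BB", vtype, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor) + inner)


def aruba_vsa_reply(role: str, vlan: Optional[int] = None) -> bytes:
    """Attributes sent in the default (VSA) configuration: the Aruba role and,
    optionally, the Aruba VLAN as a 32-bit integer."""
    out = vsa(ARUBA_VENDOR, ARUBA_USER_ROLE, role.encode("ascii"))
    if vlan is not None:
        out += vsa(ARUBA_VENDOR, ARUBA_USER_VLAN, struct.pack("!I", vlan))
    return out


def filter_id_reply(role: str) -> bytes:
    """Attributes sent after the procedure switches FortiNAC to Filter-ID."""
    return attr(FILTER_ID, role.encode("ascii"))


def parse_attrs(data: bytes) -> List[Tuple]:
    """Walk a packed attribute list. Each length is checked against the buffer
    before use, so a truncated or oversized attribute raises instead of being
    read past its bounds."""
    out: List[Tuple] = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("attribute length out of range")
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("vendor-specific attribute too short")
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen != len(value) - 4:
                raise ValueError("vendor length does not match attribute length")
            out.append((VENDOR_SPECIFIC, vendor, vtype, value[6:]))
        else:
            out.append((atype, value))
        i += alen
    return out


def summarize_reply(data: bytes) -> Dict[str, Optional[object]]:
    """Report which role-carrying attributes a reply contains, so you can confirm
    what the controller is actually being sent in either mode."""
    found: Dict[str, Optional[object]] = {"vsa_role": None, "vsa_vlan": None, "filter_id": None}
    for a in parse_attrs(data):
        if a[0] == VENDOR_SPECIFIC and a[1] == ARUBA_VENDOR:
            if a[2] == ARUBA_USER_ROLE:
                found["vsa_role"] = a[3].decode("ascii")
            elif a[2] == ARUBA_USER_VLAN and len(a[3]) == 4:
                found["vsa_vlan"] = struct.unpack("!I", a[3])[0]
        elif a[0] == FILTER_ID:
            found["filter_id"] = a[1].decode("ascii")
    return found


if __name__ == "__main__":
    # Sample role names are the ones from the tables above.
    print(summarize_reply(aruba_vsa_reply("Quar", 40)))
    print(summarize_reply(filter_id_reply("Quar")))
```

In the default configuration the controller receives the role in the Aruba VSA, which is the attribute the text says takes precedence; after the procedure below the same role arrives in Filter-ID, which is what leaves the controller's Server Derivation Rules room to decide. Capturing a real Access-Accept and passing its attribute bytes to summarize_reply is a quick way to confirm which mode is in effect.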

To send a role using the Filter-ID attribute, the following property file must be modified:

/bsc/campusMgr/master_loader/properties_plugin/radiusDevice.properties

Important: This property file is overwritten and changes are lost each time FortiNAC is upgraded. Therefore, make a backup copy of the file or be sure to change the properties file again after upgrade.

Contact Support for assistance.

Procedure

  1. Log in to the FortiNAC CLI as root.

  2. Navigate to the /bsc/campusMgr/master_loader/properties_plugin directory.

  3. Use an editor such as vi to open radiusDevice.properties.

  4. Comment out the following lines:

    // VSA definitions
    com.bsc.plugin.packets.RadiusPacket.ARUBA.vendorCode=14823
    com.bsc.plugin.packets.RadiusPacket.14823.vlan.vsa.role=1
    com.bsc.plugin.packets.RadiusPacket.14823.vsaType.1.name=ArubaUserRole
    com.bsc.plugin.packets.RadiusPacket.14823.vsaType.1.dataType=String
    com.bsc.plugin.packets.RadiusPacket.14823.vlan.vsa.vlan=2
    com.bsc.plugin.packets.RadiusPacket.14823.vsaType.2.name=ArubaUserVlan
    com.bsc.plugin.packets.RadiusPacket.14823.vsaType.2.dataType=Integer

  5. Uncomment the following lines:

    //com.bsc.plugin.packets.RadiusPacket.ARUBA.vendorCode=1
    //com.bsc.plugin.packets.RadiusPacket.ARUBA.rfc.val.role=11
    //com.bsc.plugin.packets.RadiusPacket.ARUBA.rfc.dataType.11.role=String
    //com.bsc.plugin.packets.RadiusPacket.ARUBA.rfc.val.vlan=11
    //com.bsc.plugin.packets.RadiusPacket.ARUBA.rfc.dataType.11.vlan=String

    Note: Wrapping or line breaks displayed above are caused by the limited size of the page. Lines in the properties file do not break in the middle of the line. Do not introduce any line breaks as you are editing the file.

  6. Save the changes to the file.

  7. Restart FortiNAC using the following command:

    restartCampusMgr
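Because the Important note above says an upgrade overwrites this file, a check that can be rerun after every upgrade is worth having. The following Python is an added example, not a FortiNAC tool: it parses the text of radiusDevice.properties, classifies it as the as-shipped VSA configuration, the Filter-ID configuration the procedure produces, or a mix of the two, and can apply steps 4 and 5 as a text transform. The key names and values are the ones listed in the procedure; the assumed file format is key=value lines with //, # or ! comment prefixes, as in the excerpt above. The embedded SHIPPED text is a constructed excerpt containing only those lines; the real file has more content.

```python
"""Audit radiusDevice.properties for the Filter-ID change and detect when an
upgrade has reverted it.  Added example, not a FortiNAC tool."""
from typing import Dict, List, Optional, Tuple

PREFIX = "com.bsc.plugin.packets.RadiusPacket."

# Lines the procedure comments out (Aruba VSA definitions) ...
VSA_KEYS: Dict[str, str] = {
    PREFIX + "ARUBA.vendorCode": "14823",
    PREFIX + "14823.vlan.vsa.role": "1",
    PREFIX + "14823.vsaType.1.name": "ArubaUserRole",
    PREFIX + "14823.vsaType.1.dataType": "String",
    PREFIX + "14823.vlan.vsa.vlan": "2",
    PREFIX + "14823.vsaType.2.name": "ArubaUserVlan",
    PREFIX + "14823.vsaType.2.dataType": "Integer",
}
# ... and lines it uncomments (standard RADIUS Filter-ID, attribute 11).
RFC_KEYS: Dict[str, str] = {
    PREFIX + "ARUBA.vendorCode": "1",
    PREFIX + "ARUBA.rfc.val.role": "11",
    PREFIX + "ARUBA.rfc.dataType.11.role": "String",
    PREFIX + "ARUBA.rfc.val.vlan": "11",
    PREFIX + "ARUBA.rfc.dataType.11.vlan": "String",
}
COMMENT_PREFIXES = ("//", "#", "!")


def split_kv(line: str) -> Optional[Tuple[str, str]]:
    """Return (key, value) for a 'key=value' line, or None if there is no '='."""
    if "=" not in line:
        return None
    key, value = line.split("=", 1)
    return key.strip(), value.strip()


def parse_properties(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Collect the active (uncommented) key=value pairs plus any parse problems."""
    active: Dict[str, str] = {}
    problems: List[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES):
            continue
        kv = split_kv(line)
        if kv is None:
            problems.append(f"line {n}: not a key=value line: {line!r}")
            continue
        if kv[0] in active:
            problems.append(f"line {n}: duplicate active key {kv[0]} (last value wins)")
        active[kv[0]] = kv[1]
    return active, problems


def audit(text: str) -> Dict[str, object]:
    """Classify the file as 'vsa' (as shipped), 'filter-id' (after the procedure)
    or 'mixed', and list what is wrong in the mixed case."""
    active, problems = parse_properties(text)
    vsa_only = {k: v for k, v in VSA_KEYS.items() if RFC_KEYS.get(k) != v}
    rfc_only = {k: v for k, v in RFC_KEYS.items() if VSA_KEYS.get(k) != v}
    rfc_complete = all(active.get(k) == v for k, v in RFC_KEYS.items())
    vsa_complete = all(active.get(k) == v for k, v in VSA_KEYS.items())
    vsa_leftover = [k for k, v in vsa_only.items() if active.get(k) == v]
    rfc_leftover = [k for k, v in rfc_only.items() if active.get(k) == v]
    if rfc_complete and not vsa_leftover:
        mode = "filter-id"
    elif vsa_complete and not rfc_leftover:
        mode = "vsa"
    else:
        mode = "mixed"
        for k, v in RFC_KEYS.items():
            if active.get(k) != v:
                problems.append(f"expected active {k}={v}, found {active.get(k)!r}")
        for k in vsa_leftover:
            problems.append(f"VSA line still active: {k}={active[k]}")
    return {"mode": mode, "problems": problems}


def apply_procedure(text: str) -> str:
    """Steps 4 and 5 as a text transform: comment out the VSA lines and uncomment
    the Filter-ID lines, leaving every other line untouched."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("//") and split_kv(line[2:]) in RFC_KEYS.items():
            out.append(line[2:].strip())
        elif not line.startswith(COMMENT_PREFIXES) and split_kv(line) in VSA_KEYS.items():
            out.append("//" + line)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed excerpt: the lines the page shows, in the as-shipped state.
SHIPPED = """\
// VSA definitions
com.bsc.plugin.packets.RadiusPacket.ARUBA.vendorCode=14823
com.bsc.plugin.packets.RadiusPacket.14823.vlan.vsa.role=1
com.bsc.plugin.packets.RadiusPacket.14823.vsaType.1.name=ArubaUserRole
com.bsc.plugin.packets.RadiusPacket.14823.vsaType.1.dataType=String
com.bsc.plugin.packets.RadiusPacket.14823.vlan.vsa.vlan=2
com.bsc.plugin.packets.RadiusPacket.14823.vsaType.2.name=ArubaUserVlan
com.bsc.plugin.packets.RadiusPacket.14823.vsaType.2.dataType=Integer
//com.bsc.plugin.packets.RadiusPacket.ARUBA.vendorCode=1
//com.bsc.plugin.packets.RadiusPacket.ARUBA.rfc.val.role=11
//com.bsc.plugin.packets.RadiusPacket.ARUBA.rfc.dataType.11.role=String
//com.bsc.plugin.packets.RadiusPacket.ARUBA.rfc.val.vlan=11
//com.bsc.plugin.packets.RadiusPacket.ARUBA.rfc.dataType.11.vlan=String
"""

if __name__ == "__main__":
    print(audit(SHIPPED))                   # mode 'vsa'
    print(audit(apply_procedure(SHIPPED)))  # mode 'filter-id'
```

On an appliance you would pass the real file's contents, for example audit(open("/bsc/campusMgr/master_loader/properties_plugin/radiusDevice.properties").read()), and treat any result other than "filter-id" with an empty problems list as a sign that the upgrade has reverted the change. Keep the backup the Important note asks for regardless; apply_procedure only toggles the lines shown here and is not a substitute for reviewing the file.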
