9.4.0

How it Works

Visibility

FortiNAC learns where endpoints are connected on the network using the following methods:

  • RADIUS communication

  • L2 Polling (MAC address table read)

  • L3 Polling (ARP cache read)

Control

FortiNAC provisions an endpoint’s network access by managing VLAN assignments based on the AP’s model configuration or an applicable network access policy and the host state of the device. The VLAN configuration is modified using the appropriate method based upon the vendor and model (see chart below).

Device Support Methods

  Function                               Method
  Endpoint Connectivity Notification     RADIUS (802.1x or MAC-auth)
  Reading MAC Address Tables (L2 Poll)   CLI*
  Reading IP Tables (L3 Poll)            CLI*
  Reading VLANs                          CLI*
  VLAN Assignment                        RADIUS/CLI
  Reading SSIDs                          CLI*
  De-auth                                RADIUS CoA (UDP 3799)

*Legacy SSH ciphers: vulnerable Diffie-Hellman SSH ciphers were removed in versions 9.2.8, 9.4.4, F7.2.3 and greater. Removing these ciphers can cause SSH communication to fail between FortiNAC and network infrastructure devices that still rely on them. Depending on the device, the resulting behavior ranges from failed L2 and L3 polling to failed VLAN switching.

The following events are generated for the affected AP:

  • L2 Poll Failed

  • L3 Poll Failed

After upgrading, the legacy ciphers must be re-added to FortiNAC via the CLI. For details, see KB article 281029.
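The De-auth row in the table above relies on RADIUS CoA over UDP 3799. The following added example (not Fortinet's code) shows how an RFC 5176 Disconnect-Request/CoA-Request is framed and, from the receiving access point's side, the Request Authenticator check that lets it discard requests not built with the shared secret; the secret, MAC address and packet identifier are constructed values.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40   # RFC 5176 packet codes
COA_REQUEST = 43
CALLING_STATION_ID = 31   # RFC 2865 attribute: the endpoint MAC as the AP reported it


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value(n)."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(packet):
    """Return the attribute list of a RADIUS packet as (type, value) pairs."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_len = packet[pos + 1] if pos + 1 < len(packet) else 0
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_request(code, identifier, attrs, secret):
    """Disconnect-Request/CoA-Request (RFC 5176 s2.3): Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + shared secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """Receiver-side check: recompute the authenticator with the shared secret;
    a mismatch means the request is not from a trusted client and is discarded."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

A truncated or tampered packet, or one built with a different secret, fails the check, which is the behavior an AP needs so that only the NAC server can force a de-authentication.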

RADIUS Authentication

FortiNAC learns of connecting endpoints from the Access Points through RADIUS authentication. When a wireless client attempts to connect, the Access Point sends a RADIUS request to FortiNAC.

  • MAC-based Authentication: Endpoints are authenticated based on the MAC address. This requires no configuration on the endpoint.

  • 802.1x Authentication: Endpoints are authenticated based on user information. This requires supplicant configuration on the endpoint and an authentication server (either the FortiNAC local RADIUS server or a third-party server).
