


Fortinet GURU

Fortigate guides and more.


WIFI Dynamic user VLAN assignment

Dynamic user VLAN assignment

Clients connecting to the WiFi network can be assigned to a VLAN. You can do this with RADIUS attributes when the user authenticates or with VLAN pooling when the client associates with a particular FortiAP. You cannot use both of these methods at the same time.

VLAN assignment by RADIUS

You can assign each individual user to a VLAN based on information stored in the RADIUS authentication server. If the user’s RADIUS record does not specify a VLAN ID, the user is assigned to the default VLAN for the SSID.

The RADIUS user attributes used for the VLAN ID assignment are the three IETF tunnel attributes defined in RFC 2868 (their use for 802.1X port and VLAN assignment is specified in RFC 3580):

  • IETF 64 (Tunnel-Type): set this to VLAN (value 13).
  • IETF 65 (Tunnel-Medium-Type): set this to IEEE-802 (value 6).
  • IETF 81 (Tunnel-Private-Group-ID): set this to the VLAN ID, as a string.

All three attributes must be returned in the Access-Accept for the VLAN to be applied; a record that lacks them leaves the user on the SSID's default VLAN.

To configure dynamic VLAN assignment, you need to:

  • Configure access to the RADIUS server.
  • Create the SSID and enable dynamic VLAN assignment.
  • Create a FortiAP Profile and add the local bridge mode SSID to it.
  • Create the VLAN interfaces and their DHCP servers.
  • Create security policies to allow communication from the VLAN interfaces to the Internet.
  • Authorize the FortiAP unit and assign the FortiAP Profile to it.

To configure access to the RADIUS server

  • Go to User & Device > RADIUS Servers and select Create New .
  • Enter a Name , the name or IP address in Primary Server IP/Name , and the server secret in Primary Server Secret .
  • Select OK .

The shared secret is what authenticates the Access-Accept that carries the VLAN attributes (the Response Authenticator is a hash over the reply and the secret), so use a long random secret and do not reuse it across RADIUS clients.

To create the dynamic VLAN SSID

  • Go to WiFi & Switch Controller > SSID , select Create New > SSID and enter:
  • Enable dynamic VLAN in the CLI. Optionally, you can also assign a VLAN ID to set the default VLAN for users without a VLAN assignment.

config wireless-controller vap
    edit dynamic_vlan_ssid
        set dynamic-vlan enable
        set vlanid 10
    next
end

To create the FortiAP profile for the dynamic VLAN SSID

  • Go to WiFi & Switch Controller > FortiAP Profiles , select Create New and enter:
  • Adjust other radio settings as needed.

To create the VLAN interfaces

  • Go to Network > Interfaces and select Create New > Interface .
  • Repeat the preceding steps to create other VLANs as needed.

To create security policies

Security policies determine which VLANs can communicate with which other interfaces. These are plain firewall policies that match on source interface and address, with no user authentication on the policy itself: the user was already authenticated when the RADIUS server placed them in the appropriate VLAN.

To connect and authorize the FortiAP unit

  • Connect the FortiAP unit to the FortiGate unit.
  • Go to WiFi & Switch Controller > Managed FortiAPs .
  • When the FortiAP unit is listed, double-click the entry to edit it.
  • In FortiAP Profile , select the FortiAP Profile that you created.
  • Select Authorize .
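The Access-Accept side of the RADIUS assignment described above, as an added example that is not from the original page and not Fortinet code: it encodes the three IETF tunnel attributes the way a RADIUS server sends them and decodes them the way a controller would, falling back to the SSID's default VLAN when the record carries no usable VLAN. The attribute numbers and values are the RFC 2868 / RFC 3580 ones; the packet bytes are constructed in the example, and the fallback rules (all three attributes present, Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802, VLAN in 1..4094) are an assumption modelled on the text, not FortiOS behaviour verified on the page.

```python
"""
Added example (not from the original page or from Fortinet): encoding and
decoding of the RADIUS tunnel attributes that carry a per-user VLAN.
Standard library only; all packet bytes below are constructed here.
"""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # RFC 2868 value for "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 value for "IEEE-802"


def radius_tlv(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    assert len(value) <= 253, "RADIUS attribute value too long"
    return struct.pack("BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id, tag=1):
    """Build the Access-Accept attributes that assign a user to vlan_id.
    Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag followed by a
    3-byte integer; Tunnel-Private-Group-Id carries the tag followed by
    the VLAN ID as a string."""
    tag_byte = struct.pack("B", tag)
    return (
        radius_tlv(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + radius_tlv(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + radius_tlv(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii"))
    )


def parse_attributes(blob):
    """Yield (type, value) pairs from a RADIUS attribute blob."""
    pos = 0
    while pos < len(blob):
        attr_type, length = struct.unpack_from("BB", blob, pos)
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def split_tag(value):
    """RFC 2868: a leading byte in 0x00..0x1F is a tag; anything else means
    the attribute is untagged (tag 0) and the whole value is payload."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(blob, default_vlan):
    """Return the VLAN a client should land on (assumed controller logic).

    Attributes are grouped by tag. A group is usable only if all three are
    present, Tunnel-Type is VLAN, Tunnel-Medium-Type is IEEE-802 and the
    group ID parses as a VLAN in 1..4094; otherwise the SSID default VLAN
    is returned, matching the fallback described in the text above."""
    tunnels = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, payload = split_tag(value)
        tunnels.setdefault(tag, {})[attr_type] = payload
    for _tag, attrs in sorted(tunnels.items()):
        if len(attrs) != 3:
            continue
        ttype = int.from_bytes(attrs[TUNNEL_TYPE], "big")
        medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big")
        if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
            continue
        try:
            vlan = int(attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            continue
        if 1 <= vlan <= 4094:
            return vlan
    return default_vlan


if __name__ == "__main__":
    accept = vlan_attributes(20)          # constructed Access-Accept payload
    print(accept.hex())
    print("VLAN:", assigned_vlan(accept, default_vlan=10))
```

When a user lands on the wrong segment, compare the attributes in the server's Access-Accept (FreeRADIUS `radiusd -X`, or the FortiGate RADIUS debug) against what the decoder accepts: a Tunnel-Type other than VLAN, a mismatched tag across the three attributes, or a group ID that is a name rather than a number all result in the default VLAN here.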

VLAN assignment by VLAN pool

In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN pool can:

  • assign a specific VLAN based on the AP’s FortiAP Group, usually for network configuration reasons, or
  • assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only)

To assign a VLAN by FortiAP Group – CLI

In this example, VLAN 101, 102, or 103 is assigned depending on the AP’s FortiAP Group (wtpgrp1, wtpgrp2, or wtpgrp3):

config wireless-controller vap
    edit wlan
        set vlan-pooling wtp-group
        config vlan-pool
            edit 101
                set wtp-group wtpgrp1
            next
            edit 102
                set wtp-group wtpgrp2
            next
            edit 103
                set wtp-group wtpgrp3
            next
        end
    next
end


Load balancing

Two VLAN pooling methods are available for load balancing; the choice of VLAN is based on one of the following criteria:

  • round-robin: from the VLAN pool, choose the VLAN that currently has the smallest number of clients
  • hash: choose a VLAN from the VLAN pool based on a hash of the current number of SSID clients and the number of entries in the VLAN pool

If the VLAN pool contains no valid VLAN ID, the SSID’s static VLAN ID setting is used.

To assign a VLAN by round-robin selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the round-robin method:

config wireless-controller vap
    edit wlan
        set vlan-pooling round-robin
        config vlan-pool
            edit 101
            next
            edit 102
            next
            edit 103
            next
        end
    next
end

To assign a VLAN by hash-based selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the hash method:

config wireless-controller vap
    edit wlan
        set vlan-pooling hash
        config vlan-pool
            edit 101
            next
            edit 102
            next
            edit 103
            next
        end
    next
end
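A small model of the three vlan-pooling modes covered in this section (wtp-group, round-robin and hash), as an added example that is not from the original page and not FortiOS code. It shows which VLAN each mode hands to a newly associating client, when the SSID's static vlanid is used instead, and why a least-loaded pick and a count-based hash diverge once clients start leaving. Pool entries, FortiAP group names and client counts are constructed here. The page does not document the hash FortiOS computes, so the hash mode below is an assumption: pool index = (current SSID client count) mod (number of pool entries).

```python
"""
Added example (not from the original page or from Fortinet): a model of the
wtp-group, round-robin and hash vlan-pooling modes described in the text.
The hash form is an assumption; FortiOS' actual hash is not on the page.
"""


def vlan_by_wtp_group(pool, ap_group, static_vlanid):
    """vlan-pooling wtp-group: `pool` maps VLAN ID -> FortiAP group name.
    An AP whose group has no pool entry falls back to the static VLAN."""
    for vlan_id, group in pool.items():
        if group == ap_group:
            return vlan_id
    return static_vlanid


def vlan_by_round_robin(pool_ids, clients_per_vlan, static_vlanid):
    """vlan-pooling round-robin as described above: the pool VLAN that
    currently has the fewest clients (lowest VLAN ID breaks ties)."""
    if not pool_ids:
        return static_vlanid
    return min(pool_ids, key=lambda v: (clients_per_vlan.get(v, 0), v))


def vlan_by_hash(pool_ids, ssid_client_count, static_vlanid):
    """vlan-pooling hash (assumed form): index the sorted pool by the
    current SSID client count modulo the pool size."""
    if not pool_ids:
        return static_vlanid
    return sorted(pool_ids)[ssid_client_count % len(pool_ids)]


def simulate(mode, pool_ids, events, static_vlanid=1):
    """Replay a sequence of ("join", None) / ("leave", vlan) events against
    one pool and return the resulting client count per VLAN, so the two
    load-balancing modes can be compared on identical input."""
    counts = {v: 0 for v in pool_ids}
    for event, vlan in events:
        if event == "leave":
            counts[vlan] -= 1
            continue
        if mode == "round-robin":
            chosen = vlan_by_round_robin(pool_ids, counts, static_vlanid)
        elif mode == "hash":
            chosen = vlan_by_hash(pool_ids, sum(counts.values()), static_vlanid)
        else:
            raise ValueError("unknown vlan-pooling mode: %s" % mode)
        counts[chosen] = counts.get(chosen, 0) + 1
    return counts


if __name__ == "__main__":
    pool = [101, 102, 103]                       # constructed pool
    # six clients join, two leave VLAN 101, one more joins
    churn = [("join", None)] * 6 + [("leave", 101)] * 2 + [("join", None)]
    print("round-robin:", simulate("round-robin", pool, churn))
    print("hash:       ", simulate("hash", pool, churn))
```

With no churn both modes spread six clients as 2/2/2. After two clients leave VLAN 101, round-robin sends the next client to the now-empty 101, while the count-based hash only sees a total of four clients and sends it to 102; if a pool is emptied of valid entries, both functions return the static vlanid, as the text says.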

