9.2.4.7. FortiAP
This section provides a comprehensive guide for configuring the FortiAP 231F in conjunction with OpenNAC Enterprise to ensure proper operation. The configuration described in this section applies to authentication on the network device’s ports.
The model used for the approval of the device and the version of the system are the following:
Model: FortiAP 231F
Tested Version 1: v7.2.2-build0318
9.2.4.7.1. FortiLink
The configuration detailed in this document is based on a use case in which the switch is configured through FortiLink: the switch is managed by a FortiGate connected to it through FortiLink.
Please note that, because FortiLink is used, some of the settings need to be made on the FortiGate and others on the FortiSwitch.
FortiLink hyperlink: FortiLink.
9.2.4.7.2. RADIUS Configuration
Configure RADIUS Server:
config user radius
edit "opennac"
set server <OpenNAC IP>
set secret <Radius-Shared-Key>
set acct-interim-interval 60
set nas-ip <FortiGate-IP>
set radius-coa enable
config accounting-server
edit 1
set status enable
set server <OpenNAC IP>
set secret <Radius-Shared-Key>
set port 1813
next
end
next
end
Configure User Group:
config user group
edit "opennac-grp"
set member "opennac"
next
end
9.2.4.7.3. Firewall Policies
To enable communication and authentication between the FortiLink switches and the RADIUS server, it will be necessary to create a policy in the FortiGate to allow the traffic.
To do this, in FortiGate:
config firewall policy
edit <policy number>
set srcintf "fortilink-interface"
set dstintf "outbound-interface-to-RadiusSVR"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "RADIUS"
set nat disable
next
end
This policy is for guidance only and is subject to change if a higher level of security is required. RADIUS communication (UDP 1812/1813) between the switches and the RADIUS server must always be allowed.
9.2.4.7.4. WPA2-Enterprise
To configure the WPA2-Enterprise security, we must configure the SSID:
config wireless-controller vap
edit "wifi-ssid"
set ssid "<SSID-Name>"
set security wpa2-only-enterprise
set auth usergroup
set usergroup "<radius group>"
next
end
9.2.4.7.5. MAC-Address Bypass (MAB)
To enable the MAC-Authentication functionality (used to perform MAB), we must configure the SSID:
config wireless-controller vap
edit vap1
set radius-mac-auth enable
set radius-mac-auth-server <Radius server>
end
9.2.4.7.6. 802.1x Features
9.2.4.7.6.1. Dynamic VLAN
Reference: VLAN assignment by RADIUS | FortiAP / FortiWiFi 7.2.4 (fortinet.com)
To set the VLAN of the user session through RADIUS we need to configure the following settings:
config wireless-controller vap
edit dynamic_vlan_ssid
set dynamic-vlan enable
end
9.2.4.7.6.2. Default VLAN
The default VLAN is the VLAN assigned to the session when the OpenNAC policy result is set to the default VLAN.
config wireless-controller vap
edit dynamic_vlan_ssid
set dynamic-vlan enable
set vlanid <default VLAN>
end
9.2.4.7.7. Toggle Port
9.2.4.7.7.1. Firewall Policy
A firewall policy is needed that allows the OpenNAC server to open connections to the FortiGate:
config firewall policy
edit <policy number>
set srcintf "outbound-interface-to-RadiusSVR"
set dstintf "fortigate-interface"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat disable
next
end
This policy is for guidance only and is subject to change if a higher level of security is required. SNMP or CoA communication (UDP 161 or 3799, depending on the Toggle Port type) between the RADIUS server and the switches must always be allowed.
9.2.4.7.7.2. CoA
With FortiAP, the CoA/Disconnect messages must be sent to the FortiGate that manages the APs. That is why, when defining the RADIUS server (RADIUS Configuration section), the NAS-IP must be set to the FortiGate IP.
In order to perform the policy reevaluation through CoA, it is necessary to activate this functionality and define the clients with their shared key:
config user radius
edit "opennac"
set radius-coa enable
next
end
9.2.4.7.8. Captive Portal
9.2.4.7.8.1. POST Method
Configure the captive portal SSID:
config wireless-controller vap
edit "Forti-Captive"
set ssid "Forti-Captive"
set security captive-portal
set external-web "dc122.opencloudfactory.com"
set selected-usergroups "Guest-group"
set security-redirect-url "http://google.com"
set schedule "always"
next
end
config user setting
set auth-secure-http enable
end
9.2.4.7.9. NetConf & Backup
Since the FortiAPs are managed by the FortiGate, NetBackup and NetConf are performed on the FortiGate itself.
9.2.4.7.10. Troubleshooting & Monitoring
Show online users:
diagnose wireless-controller wlac -d sta online
Show configuration:
show full-configuration