FortiNAC
Appliance Installation Guide
Version: 8.5
Date: 5/28/2019
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE
https://video.fortinet.com
FORTINET KNOWLEDGE BASE
http://kb.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTINET COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING AND CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE
https://training.fortinet.com/
FORTIGUARD CENTER
https://fortiguard.com
FORTICAST
http://forticast.fortinet.com
END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf
Tuesday, May 28, 2019
FortiNAC Appliance Installation Guide
49-830-503677-20190731
Contents
Naming Conventions .......... 1
Ethernet Connections .......... 2
Process Overview .......... 3
Hardware Setup .......... 4
  Connect To The Appliance .......... 4
  Login To Configuration Wizard - Hardware Setup .......... 5
  Verify License Key .......... 6
  Assign IP Address .......... 7
  Configuration Wizard - Passwords .......... 9
  Connect To The Network .......... 11
Software Configuration .......... 12
  Login To Configuration Wizard - Software .......... 12
  Password Setup .......... 14
  Network Type .......... 17
  Layer 2 Network - VLANs .......... 18
  Layer 2 Network - Configure VLANs .......... 19
  Layer 2 Network - Additional Routes .......... 24
  Layer 2 Network - Summary .......... 24
  Layer 3 Network - Route Scopes .......... 25
  Layer 3 Network - Configure Route Scopes .......... 27
  Importing Route Scopes .......... 35
  Layer 3 Network - Additional Routes .......... 37
  Results: Layer 2/Layer 3 Networks Or Control Manager .......... 39
  Log In To The Admin User Interface .......... 41
  Change Passwords After Configuration .......... 42
Naming Conventions
Before you begin the installation, determine the Product Descriptor for the product you are configuring.
• Refer to the Appliance Identification Details page in the information packet that came with your appliance and locate your Appliance Identifier.
• If you do not have the Appliance Identification Details page, check the Appliance Identifier tag on the metal casing on the back or the top of the appliance.
• Using the Appliance Identifier, refer to the tables below to determine the Product Descriptor. The Product Descriptor is used throughout this document.
In addition, the Appliance Identifier contains the BFN number for the type of appliance you are configuring. Refer to this number as you go through the Hardware Setup procedures to identify your appliance and its corresponding Ethernet ports.
Refer to the tables in this section. If your appliance is not listed, contact Customer Support. You can download electronic versions of the Appliance Installation Guides through the Configuration Wizard. See Login To Configuration Wizard - Software on page 12.
Note: The Configuration Wizard uses the Product Descriptor as a common naming scheme when referring to the different products. The tables in this section show this relationship.
Table 1: Naming Conventions For Appliance FNT 330 and 440

SKU Number        Description                                        FORTINET Part Number   Part Type
SYC-FNT440-000    FORTINAC 600 HIGH PERF CONTROL APP SERVER          FNC-CA-600C            System
SYC-FNT440-010    FORTINAC NETWORK CONTROL MANAGER                   FNC-M-550C             System
SYC-FNT440-020    FORTINAC ANALYTICS SERVER                          FNC-R-650C             System
SYC-FNT440-030    FORTINAC 1000C HIGH PERF CONTROL SERVER            FNC-C-1000C            System
SYC-FNT440-040    FORTINAC 1000A HIGH PERF APPLICATION SERVER        FNC-A-1000C            System
SYC-FNT440XL100   FORTINAC 700 ULTRA HIGH PERF CONTROL APP SERVER    FNC-CA-700C            System
SYC-FNT440XL110   FORTINAC 2000C ULTRA HIGH PERF CONTROL SERVER      FNC-C-2000C            System
SYC-FNT440XL120   FORTINAC 2000A ULTRA HIGH PERF APP SERVER          FNC-A-2000C            System
SYC-FNT330000*    FORTINAC 500 HIGH PERF CONTROL APP SERVER          FNC-CA-500C            System
Ethernet Connections
Each Ethernet port is used for a different purpose during initial configuration and normal
operation. The following table provides details on the options for each appliance type and its
corresponding Ethernet ports.
Note: Manual configuration is required for eth2. The eth3 or fourth interface is reserved for future
use. Contact Customer Support for assistance.
Table 2: Ethernet Connections

Port used during initial (basic network) configuration, appliances FNT330 and FNT440:
  All Products, eth1: Used temporarily during configuration until the IP address, mask, default gateway, and host name are set up. The Configuration Wizard's DHCP service on eth1 is disabled once the appliance is rebooted (or shut down and restarted).

Ports used during normal operations (after basic network configuration is complete), appliances FNT330 and FNT440:
  All Products, eth0: Management.
  FortiNac Server, eth1: Isolation networks, such as Registration or Remediation.
  FortiNac Application Server, eth1: Isolation networks, such as Registration or Remediation.
  FortiNac Control Server, eth1: Either DHCP detection or not used.
  FortiNac Control Manager, eth1: Not used.
  FortiNac Server, eth2: Rogue DHCP detection, additional isolation networks (for example, Remote Registration and Remote Scan), access point management, or not used.
  FortiNac Application Server, eth2: Additional isolation networks (for example, Remote Registration and Remote Scan), access point management, or not used.
Process Overview
The following is a summary of the steps you will use to configure your appliance.
Important: FortiNac appliances (physical or virtual) are intended for Fortinet software, tools and services only. Fortinet does not approve any other software, tools or services for use on them.
Table 3: Hardware And Software Configuration Overview

Hardware Setup: connect the appliance to the network. See Hardware Setup on the next page.
  1. Physically connect your laptop to the appliance using eth1. Prerequisite: none.
  2. Launch the Configuration Wizard and log in.
  3. Validate the license. Prerequisite: license key, if not already installed.
  4. Assign the IP address and other basic networking information, such as mask, DNS, or host name. Prerequisite: IP address for this appliance.
  5. Disconnect the laptop from eth1 and connect the appliance to the network on eth0. Prerequisite: none.

Software Configuration: return to the Configuration Wizard to enter basic setup data. See Software Configuration on page 12.
  1. Specify forwarding DNS for all isolation networks and enter time zone information. Prerequisite: none.
  2. Set up passwords.
  3. Select the network type: Layer 2 or Layer 3. Prerequisite: have the information for your Layer 2 VLAN network or Layer 3 routed network available.
  4. Create additional routes. These are optional routes for network traffic, typically used in a Layer 3 environment.
  5. View the Summary and apply the configuration. Reboot. Prerequisite: none.
Re-run the Configuration Wizard at any time to reconfigure settings. To re-run the Configuration
Wizard see Login To Configuration Wizard - Software on page 12 and enter the URL as
shown.
Hardware Setup
Unpack and power up the appliance(s) as described in the Hardware Setup Guide included with
the appliance. For some appliances, the power supply fan goes on when the appliance is first
plugged in.
Note: On some appliances the power switch is located behind the bezel on the front of the
machine. Be sure to remove the bezel and power up the appliance first.
DO NOT CONNECT THE APPLIANCE(S) TO THE NETWORK AT THIS TIME.
Connect To The Appliance
1. See Figures 1 and 2. The port etched with number 1 is eth0 and the port etched with number 2 is eth1; where the ports are not numbered, the leftmost port is eth0 and the next port to the right is eth1.
2. Use either a straight-through or crossover RJ45 cable to connect your PC to eth1 of the appliance. During initial setup the appliance serves DHCP on eth1 in the 192.168.1.x range and uses the IP address 192.168.1.1 itself. Be certain to connect the RJ45 cable to the correct Ethernet port. LED 1 on the front of the appliance lights when eth0 has established a connection; LED 2 lights when eth1 has.
Note: Not all models of the appliance have LEDs on the front.
Note: When a FortiNac Control Server and Application Server are paired, configure the FortiNac Application Server hardware first to assign its IP address. The FortiNac Control Server must know the IP address of the FortiNac Application Server in order to communicate with it.
3. On the PC, open a web browser and navigate to the Configuration Wizard at:
http://192.168.1.1:8080/configWizard
Note: Appliances have a LCD panel on the front that displays the Appliance Type, such as
FortiNac Control Server, and the FortiNac Version number installed. This information does not
display until the FortiNac software is started.
Figure 1: Appliance FNT440
Figure 2: Appliance FNT330
Login To Configuration Wizard - Hardware Setup
1. If you have not done so already, bring up a web browser and navigate to:
http://192.168.1.1:8080/configWizard
2. Enter the User Name and Password credentials to gain access to the Configuration
Wizard.
User Name = config
Password = config
3. Click OK.
Note: You will be required to change the Configuration Wizard password during the setup process. The default config/config credentials are published in this guide, so until they are changed anyone who can reach eth1 can log in to the wizard; this is why the appliance must stay off the network until the Hardware Setup passwords have been set.
Verify License Key
Each appliance requires a unique License Key to run the application. The License Key contains
the license count, license time, feature set, and high availability options.
Note: When the License Key Validation window opens, if you do not see a license key, contact
Customer Support or your sales representative to obtain it. For customer identification, have the
MAC Address of the appliance ready when you call for assistance. The MAC Address is located
on the shipping label, the Appliance Identification Details document and on the back or the top
of the metal casing of the appliance.
1. If a license key appears in the text area, click OK. If there is no key, contact Customer
Support or your sales representative.
2. On the next screen you can download PDF versions of the documentation to your PC
and then click OK to continue.
Figure 3: License Key Validation Window
Assign IP Address
The initial Basic Network screen displays the Product Descriptor and the type of system you are
configuring. See Naming Conventions on page 1.
1. Configure the FortiNac appliance and enter the values based on the definitions in Basic
Network Window Field Definitions below.
WARNING: Do not use the following as the Host Name for the appliance: nac,
isolation, registration, remediation, remotereg, remotescan, vpn, authentication, hub,
access point management, or deadend. These names are reserved for system use.
WARNING: Host names should contain only letters, numbers or hyphens (-).
Uppercase letters are converted to lowercase automatically.
2. Click Apply.
3. Review the information in the Results page. If there are errors or omissions, click Back
on the browser. Make the changes and reapply them.
4. Reboot (or shut down and restart) the appliance. After the restart, the DHCP service that the wizard served on eth1 during installation is disabled.
Note: The data displayed in the Configuration Wizard may not represent the current
configuration of the appliance. When you make edits in the Configuration Wizard, your
modifications are stored in a temporary file. This allows you to exit the Configuration
Wizard before you save your changes permanently.
Table 4: Basic Network Window Field Definitions

FortiNac Product
  Shows the Product Descriptor and type of the appliance you are configuring (see Naming Conventions on page 1).
Host Name
  Name of the appliance you are configuring. Host names should contain only letters, numbers or hyphens (-). Uppercase letters are converted to lowercase automatically.
  Note: Do not use nac, isolation, registration, remediation, remotereg, remotescan, vpn, authentication, hub, or deadend. These names are reserved for system use.
eth0 IP Address
  Management IPv4 address of the appliance you are configuring.
Default Gateway
  Default Gateway IPv4 address for the appliance you are configuring. A default gateway is the device that passes traffic from the local subnet to devices on other subnets.
eth0 IPv6 Address
  Management IPv6 address of the appliance you are configuring.
IPv6 Default Gateway
  Default Gateway IPv6 address for the appliance you are configuring. A default gateway is the device that passes traffic from the local subnet to devices on other subnets.
Mask
  Subnet IPv4 mask for the appliance you are configuring. A subnet is a logical grouping of connected network devices; the mask defines the boundaries of the subnet.
IPv6 Mask in CIDR notation
  Subnet IPv6 mask for the appliance you are configuring, in CIDR format (e.g., 64).
DNS
  Primary IP Address: IP address of the Primary DNS Server. This is used in the basic IP network configuration for the appliance.
  Secondary IP Address: IP address of the Secondary DNS Server. This is used in the basic IP network configuration for the appliance.
  Domain: Enter your domain name, such as megatech.com or megatech.edu.
Forwarding DNS for all Isolation Networks
  Use Primary and Secondary DNS: Select this option to use the Primary and Secondary DNS IP addresses.
  Specify [Use semi-colon (;) to separate]: Select this option to specify one or more different DNS IP addresses, and enter the address(es) separated by semicolons.
NTP and Time Zone
  NTP Server [example: pool.ntp.org]: The address of the NTP (Network Time Protocol) server used to keep system clocks up to date with official time.
  Time Zone: Select the time zone in which the system is located so that it shows the correct local time.
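The rules in Table 4 (reserved host names, the letters/digits/hyphens character set with automatic lowercasing, gateway on the eth0 subnet, semicolon-separated forwarders) are easy to get wrong when filling in the window by hand, and a mistake only shows up after the reboot. The following added example, which is not Fortinet code and does not talk to the appliance, checks a planned Basic Network configuration offline; the dictionary keys (host_name, eth0_ip, mask, gateway and so on) are this example's own names chosen to mirror the window's labels, and treating IPv6 and the forwarding DNS override as optional is an assumption.

```python
"""Pre-flight checks for the Basic Network window values in Table 4.

Added example for this guide; not Fortinet code. Field keys are this example's
own names (assumption) chosen to mirror the window's labels.
"""
import ipaddress
import re

# Host names the guide reserves for system use (compared after lowercasing).
RESERVED_HOST_NAMES = {
    "nac", "isolation", "registration", "remediation", "remotereg",
    "remotescan", "vpn", "authentication", "hub", "access point management",
    "deadend",
}
HOST_NAME_RE = re.compile(r"[a-z0-9-]+")


def normalize_host_name(name: str) -> str:
    """Lowercase the name as the wizard does; raise ValueError if it breaks a rule."""
    lowered = name.strip().lower()
    if not HOST_NAME_RE.fullmatch(lowered):
        raise ValueError(f"host name {name!r}: only letters, numbers and hyphens are allowed")
    if lowered in RESERVED_HOST_NAMES:
        raise ValueError(f"host name {name!r} is reserved for system use")
    return lowered


def parse_forwarding_dns(spec: str) -> list[str]:
    """Split the 'Specify [Use semi-colon (;) to separate]' value into validated addresses."""
    servers = [s.strip() for s in spec.split(";") if s.strip()]
    if not servers:
        raise ValueError("forwarding DNS: at least one server address is required")
    return [str(ipaddress.ip_address(s)) for s in servers]  # ValueError on anything that is not an IP


def check_basic_network(fields: dict) -> list[str]:
    """Return the problems found in a planned Basic Network configuration.

    An empty list means every checked value is consistent. IPv6 and the
    forwarding DNS override are validated only when present (assumption:
    both are optional in the window).
    """
    problems = []
    try:
        normalize_host_name(fields["host_name"])
    except ValueError as err:
        problems.append(str(err))

    try:
        iface = ipaddress.IPv4Interface(f"{fields['eth0_ip']}/{fields['mask']}")
        gateway = ipaddress.IPv4Address(fields["gateway"])
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"eth0 IP {iface.ip} is the network or broadcast address of {net}")
        if gateway not in net:
            problems.append(f"default gateway {gateway} is not on the eth0 subnet {net}")
        elif gateway == iface.ip:
            problems.append("default gateway must not be the appliance's own eth0 address")
    except (KeyError, ValueError) as err:
        problems.append(f"IPv4 settings: {err!r}")

    if fields.get("eth0_ipv6"):
        try:
            iface6 = ipaddress.IPv6Interface(f"{fields['eth0_ipv6']}/{fields['ipv6_prefix']}")
            gateway6 = ipaddress.IPv6Address(fields["ipv6_gateway"])
            if gateway6 not in iface6.network:
                problems.append(f"IPv6 gateway {gateway6} is not on {iface6.network}")
        except (KeyError, ValueError) as err:
            problems.append(f"IPv6 settings: {err!r}")

    for key in ("dns_primary", "dns_secondary"):
        value = fields.get(key)
        if value:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{key}: {value!r} is not a valid IP address")

    if fields.get("forwarding_dns"):
        try:
            parse_forwarding_dns(fields["forwarding_dns"])
        except ValueError as err:
            problems.append(str(err))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    planned = {"host_name": "NAC-Server-1", "eth0_ip": "10.10.20.5", "mask": "255.255.255.0",
               "gateway": "10.10.21.1", "dns_primary": "10.10.1.53",
               "forwarding_dns": "10.10.1.53; 10.10.1.54"}
    for problem in check_basic_network(planned) or ["no problems found"]:
        print(problem)
```

Run it against the values you intend to type into the window; a gateway on a different subnet than eth0 is the mistake it catches most often, and it is exactly the one that leaves the appliance unreachable after the reboot in step 4.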
Figure 4: Basic Network - Assign IP Address
Configuration Wizard - Passwords
Password fields appear empty until you modify a password. Passwords can be modified again
later by accessing the Change Passwords screen. See Change Passwords After Configuration
on page 42.
CLI/SSH and Configuration Wizard passwords must be eight characters or longer and contain a lowercase letter, an uppercase letter, a number, and at least one of the following symbols:

Required Symbols (at least one)
  !  exclamation point
  #  pound
  %  percent
  *  asterisk
  @  at
  $  dollar
  ^  caret
  ?  question mark
  _  underscore
  ~  tilde
  -  hyphen

Note: The symbols listed below are not permitted in CLI/SSH and Configuration Wizard passwords.

Prohibited Symbols
  (  open parenthesis
  )  close parenthesis
  `  back quote
  &  ampersand
  +  plus
  =  equal
  |  pipe
  \  back slash
     space
  ;  semicolon
  :  colon
  "  double quote
  '  single quote
  <  less than
  >  greater than
  {  open curly bracket
  }  close curly bracket
  [  open square bracket
  ]  close square bracket
  ,  comma
  .  period
  /  forward slash
Password types include:
•
admin—CLI/SSH password you use to log into the appliance. Must be at least 8
characters and no more than 64 characters.
•
root—CLI/SSH password Customer Support uses to log into the appliance. Must be at
least 8 characters and no more than 64 characters. Notify Customer Support if you
change this password.
•
Configuration Wizard—Password you use to log into the Configuration Wizard.
Note: FortiNac Application Server Passwords only display when you configure a FortiNac
Control Server.
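The policy above has two parts that are easy to mix up: a set of symbols of which at least one is required, and a larger set that is rejected outright (the shell- and URL-significant characters). The following added example, which is not Fortinet code, lets you vet a password before typing it into the wizard and generate one that satisfies the rules from the OS random source. The appliance still applies its own checks; treating any character that appears in neither list (a non-ASCII letter, for example) as rejected is this example's assumption, since the guide only sanctions the symbols in the required list.

```python
"""Validator and generator for the CLI/SSH and Configuration Wizard password
policy stated above (8 to 64 characters; lowercase, uppercase, digit and one
required symbol; none of the prohibited symbols).

Added example for this guide, not Fortinet code. Assumption: a character in
neither list is rejected.
"""
import secrets
import string

MIN_LEN, MAX_LEN = 8, 64
REQUIRED_SYMBOLS = set("!#%*@$^?_~-")
PROHIBITED_SYMBOLS = set("()`&+=|\\ ;:\"'<>{}[],./")  # includes the space
ALLOWED = set(string.ascii_letters + string.digits) | REQUIRED_SYMBOLS


def check_password(password: str) -> list[str]:
    """Return the policy rules the password violates; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("needs a lowercase letter")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("needs an uppercase letter")
    if not any(c in string.digits for c in password):
        problems.append("needs a number")
    if not any(c in REQUIRED_SYMBOLS for c in password):
        problems.append("needs one of " + "".join(sorted(REQUIRED_SYMBOLS)))
    prohibited = sorted({c for c in password if c in PROHIBITED_SYMBOLS})
    if prohibited:
        problems.append("prohibited characters: " + " ".join(repr(c) for c in prohibited))
    unlisted = sorted({c for c in password if c not in ALLOWED and c not in PROHIBITED_SYMBOLS})
    if unlisted:
        problems.append("characters outside the allowed set: " + " ".join(repr(c) for c in unlisted))
    return problems


def generate_password(length: int = 16) -> str:
    """Draw from the allowed set with the OS CSPRNG until a candidate satisfies the policy."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    alphabet = "".join(sorted(ALLOWED))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed samples; the last one is freshly generated.
    for sample in ("Config#2019", "config#2019", "Config(2019)", generate_password()):
        verdict = check_password(sample)
        print(f"{sample!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Use the generator for the root password in particular: it is the credential Customer Support will use, so it should be long, random and recorded in your password vault rather than chosen by hand.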
Connect To The Network
1. Disconnect the PC from the eth1 port on the appliance.
2. Connect eth0 of the appliance to the network. If you have a FortiNac Control Server and
FortiNac Application Server pair, connect eth0 of each appliance to the network. Port
eth0 is the management interface for the appliance. If a management VLAN exists,
connect eth0 to a management VLAN network port.
Note: See Ethernet Connections on page 2 and Hardware Setup on page 4 for additional
information and pictures of each appliance type and corresponding ports.
WARNING: DO NOT use a firewall between any FortiNac appliances, because the firewall interferes with the connection between those appliances. There should never be a firewall between any of the following:
  - FortiNac Control Server and FortiNac Application Server
  - FortiNac Control Manager and the appliances it manages
  - Primary and Secondary servers in a High Availability environment
  - FortiNac Integrated RADIUS Server and the FortiNac Control Server and FortiNac Application Server
  - FortiNac Integrated RADIUS Server and the FortiNac Server
  - Host running the Admin UI and the FortiNac Control Server
  - Host running the Admin UI and the FortiNac Server
  - Host running the Admin UI and the FortiNac Control Manager
Software Configuration
Now that your appliance has been assigned an IP address and is connected to the network, you
are ready to configure your NTP, time zone, routes, and DHCP scopes associated with your
Layer 2 or Layer 3 network.
Use the following buttons and links to navigate through the Configuration Wizard.
•
Steps pane—This is the panel displayed on the left of each Configuration window.
Each step is a link to its corresponding window. It is not required that you follow the
configuration steps sequentially.
•
Help—Displays a PDF version of this document.
•
Reset—Click Reset to return field values to what they were when you opened the view.
If you move to another window, you can no longer reset field values.
•
Summary—Lists all configured settings. You can view a summary at any point in the
configuration process and apply those settings.
Login To Configuration Wizard - Software
1. Bring up a web browser and point it to the IP address of the FortiNac Server, FortiNac Control Server or FortiNac Control Manager. Use one of the following URLs:
http://<IP Address>:8080/configWizard
http://<Host Name of the appliance>:8080/configWizard
Note: The Configuration Wizard writes files configured on the FortiNac Control Server to the FortiNac Application Server. No direct configuration of the FortiNac Application Server is required after the initial basic network setup is completed and it is connected to the network.
Note: The wizard URL is plain HTTP, so run the wizard only from a trusted host on the management network.
2. Enter the User Name and Password credentials that you configured when assigning an IP address to gain access to the Configuration Wizard.
3. Click OK.
4. Click OK on the License Key screen.
5. Download the documentation needed to configure and administer the product. These files are in PDF format and require a PDF viewer to read them. Click the Download button to save the files, then click OK.
Figure 5: Download Documentation Window
Password Setup
Figure 6: Change Passwords
Figure 7: Configuration Wizard - Password Setup
Table 5: Password Field Definitions

admin Password
  The CLI/SSH password used to access the appliance (max. 64 characters). You are required to change this password.
root Password
  The CLI/SSH password used by Customer Support to access the appliance (max. 64 characters). You are required to change this password. Call Customer Support to inform them of the password. This facilitates support for your appliance in the future.
Configuration Wizard Password
  The password used to access the Configuration Wizard (max. 64 characters). You are required to change this password.
New CLI/SSH root Password, Retype CLI/SSH root Password
  The CLI/SSH password used by Customer Support to access the appliance (max. 64 characters). You are required to change this password. Call Customer Support to inform them of the password. This facilitates support for your appliance in the future.
New CLI/SSH admin Password, Retype CLI/SSH admin Password
  The CLI/SSH password used to access the appliance (max. 64 characters). You are required to change this password.
New Configuration Wizard Password, Retype Configuration Wizard Password
  The password used to access the Configuration Wizard. You are required to change this password.

After you apply the changes you are asked whether you would like to restart tomcat-admin. If you are working your way through the Configuration Wizard, do not restart at this time. The system will be restarted at the end of the process.
Configure Passwords
To setup passwords:
1. On the Passwords window, click Change Passwords.
2. For each password that you modify, click in the Existing Password field and type the
current password.
3. Click in the New Password field and type the new password (8 to 64 characters).
4. Click in the Retype Password field and enter the new password again.
5. Click Apply. Root and admin password changes take effect immediately. The
Configuration Wizard password change will not take effect until tomcat-admin has been
restarted.
6. You are asked if you would like to restart tomcat-admin. If you are working your way
through the Configuration Wizard, do not restart at this time. The system will be
restarted at the end of the process. If you are only changing passwords, you should click
OK to restart.
7. Close the window or tab.
8. Click Next to continue.
Network Type
At this point you must indicate whether you are connecting to a Layer 2 or a Layer 3 network.
Important: In a High Availability environment with an L3 configuration where redundant FortiNac
servers are on different subnets and do not use a shared IP address, you must select the Layer 3
network option. L3 High Availability configurations are not supported with Layer 2 Isolation
settings.
•
Select the Layer 2 network option to specify VLAN isolation networks and their
corresponding IP addresses. See Layer 2 Network - VLANs on page 18.
•
Select the Layer 3 network option to specify routed isolation networks and their
corresponding IP addresses. See Layer 3 Network - Route Scopes on page 25.
Click Next.
Figure 8: Network Type
Layer 2 Network - VLANs
VLANs are the basic networking construct used to limit network access. When you implement
network access control, include at least one non-production VLAN. In the Configuration Wizard
this is the Isolation VLAN. If there is the need to separate clients based on state, such as known
vs. unknown or out-of-compliance, configure multiple VLANs. In the Configuration Wizard these
additional VLANs are the Registration, Remediation, Dead End, VPN, Authentication, Isolation,
and Access Point Management VLANs.
If you intend to use FortiNac only to monitor network access, configuring VLANs is not
necessary. If in the future you choose to control access to the network, re-run the Configuration
Wizard to configure VLANs at that time.
If you do not configure VLANs at this time, click Next on the Isolation, Registration, Remediation,
Dead End, VPN, Authentication and Access Point Management screens. Proceed to Layer 2
Network - Summary on page 24.
Note: The Configuration Wizard dynamically writes all files configured on the FortiNac Control
Server to the FortiNac Application Server. No direct configuration of the FortiNac Application
Server is required after the initial basic network setup is completed.
Table 6: Layer 2 VLAN Types

Layer 2 Isolation
  Isolates all clients connecting to the network and redirects them to the appropriate isolation web pages. In the Isolation VLAN the state of the client, such as known vs. unknown or out-of-compliance, determines the access control information presented to the client via the web browser or persistent agent. If you use this VLAN type, the configuration of the other VLAN types is optional. You can use the Isolation VLAN together with Registration, Remediation, Dead End, VPN, Authentication, or Access Point Management VLANs as another non-production network.
Layer 2 Registration
  Isolates unregistered clients from the production network during client registration.
Layer 2 Remediation
  Isolates clients from the production network who pose a security risk because they failed a policy scan.
Layer 2 Dead End
  Isolates disabled clients with limited or no network connectivity from the production network.
Layer 2 Virtual Private Network
  Used for clients who connect to the network through VPN services.
Layer 2 Authentication
  Isolates registered clients from the production network during user authentication.
Layer 2 Access Point Management
  Used for clients that connect through devices managed by Access Point Management. You can manage clients connected to hubs or simple access points by using DHCP as a means to control or restrict client access. Once you have completed your configuration and started FortiNac, access Help for additional information about the Access Point Management Plugin.
Layer 2 Network - Configure VLANS
The configuration views for the Isolation, Registration, Remediation, Dead End, VPN and Authentication VLAN types are similar. The Access Point Management VLAN configuration view is slightly different in that it contains sections for both authorized and unauthorized clients. Samples of the Isolation and the Access Point Management views are shown below.
For each VLAN type you are configuring:
1. If you are not configuring the displayed VLAN type, click Next to proceed to the next configuration screen.
2. To configure the VLAN type displayed, select the check box next to the VLAN type, such as Isolation or Registration, and enter the required information. See the table below for definitions of the fields.
3. To add subnets, click the Add button in the Isolation DNS Subnets section.
4. Click Next.
Table 7: VLAN Isolation Network Field Definitions

VLAN Type Interface eth1
  Interface IPv4 Address: IPv4 address for the VLAN interface on eth1. Use a different IP for each VLAN you configure.
  Mask: Subnet mask.
  Gateway: Gateway for eth1 when clients connect through this VLAN.
  VLAN ID: Number used to identify this VLAN throughout the system. This number is used within FortiNac when modeling switch configurations and when setting up Network Access VLANs.
  Interface IPv6 Address: IPv6 address for the VLAN interface on eth1. Use a different IP for each VLAN you configure.
  Interface IPv6 Mask in CIDR notation: Subnet IPv6 mask for the VLAN interface in CIDR notation (e.g., 64).
  Interface IPv6 Gateway: IPv6 gateway for the VLAN interface on eth1 when clients connect through this VLAN.
Lease Pool
  Start, End: Starting and ending IP addresses that delineate the range of IP addresses available on this VLAN.
Domain
  Domain: Identifies the domain for this range of IP addresses. To help identify the VLAN, incorporate part of the name in the domain. For example, for the isolation VLAN use megatech-iso.com or for the registration VLAN use megatech-reg.com.
  Note: If you use agents for OS X, iOS, and some Linux systems, using a .local suffix in Domain fields may cause communications issues. Example: an incorrect DNS suffix for reg is tech-reg.megatech.local; a correct one is tech.megatech-reg.edu.
  Lease Time: Time in seconds that an IP address in this domain is available for use. When this time has elapsed the user is served a new IP address. The recommended lease time for Isolation, Registration, Remediation, Authentication, Dead End and VPN is 60 seconds.
Isolation IP Subnets
  IP subnets are optional and are used in situations such as client control via FlexCLI or roles-only Aruba/Xirrus integration.
  Subnets: List of IP addresses and corresponding subnet masks indicating IP addresses for which FortiNac will serve DNS. Should only be used for hosts that are being isolated by FortiNac. Can be any address on any subnet, as long as the same address is added to the filters as an isolation address when configuring the device.
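Each isolation VLAN in Table 7 is an eth1 sub-interface with its own subnet, gateway, DHCP lease pool, domain and lease time, and the wizard does not cross-check the VLANs against each other. The following added example, which is not Fortinet code, validates a planned set of Layer 2 VLANs before you enter them: duplicate VLAN IDs or interface addresses, a gateway or lease pool outside the interface's subnet, a domain ending in .local (the agent problem noted above) and a lease time other than the recommended 60 seconds. VlanScope is this example's own structure mirroring the Table 7 IPv4 fields; keeping the interface and gateway addresses out of the lease pool is ordinary DHCP hygiene rather than a rule the guide states, and the VLAN ID range is the 802.1Q limit, not a FortiNac rule.

```python
"""Consistency checks for a planned set of Layer 2 isolation VLANs (Table 7).

Added example for this guide, not Fortinet code. VlanScope mirrors the Table 7
IPv4 fields (this example's own structure). The pool/interface overlap check and
the 1-4094 VLAN ID range are assumptions, not rules stated in the guide.
"""
import ipaddress
from dataclasses import dataclass

# Guide's recommendation for Isolation, Registration, Remediation, Authentication, Dead End and VPN.
RECOMMENDED_LEASE_SECONDS = 60


@dataclass
class VlanScope:
    """One Layer 2 VLAN as entered in the Configuration Wizard."""
    vlan_type: str        # Isolation, Registration, Remediation, Dead End, VPN, Authentication
    vlan_id: int
    interface_ip: str     # Interface IPv4 Address on eth1
    mask: str
    gateway: str
    pool_start: str
    pool_end: str
    domain: str
    lease_time: int = RECOMMENDED_LEASE_SECONDS


def check_vlan_plan(scopes: list[VlanScope]) -> list[str]:
    """Return the problems found across all planned VLANs (empty list = consistent)."""
    problems = []
    ids_seen: dict[int, str] = {}
    ips_seen: dict[ipaddress.IPv4Address, str] = {}
    for s in scopes:
        tag = f"{s.vlan_type} VLAN {s.vlan_id}"
        if not 1 <= s.vlan_id <= 4094:
            problems.append(f"{tag}: VLAN ID must be 1-4094")
        if s.vlan_id in ids_seen:
            problems.append(f"{tag}: VLAN ID already used by {ids_seen[s.vlan_id]}")
        ids_seen.setdefault(s.vlan_id, s.vlan_type)
        try:
            iface = ipaddress.IPv4Interface(f"{s.interface_ip}/{s.mask}")
            gateway = ipaddress.IPv4Address(s.gateway)
            start = ipaddress.IPv4Address(s.pool_start)
            end = ipaddress.IPv4Address(s.pool_end)
        except ValueError as err:
            problems.append(f"{tag}: {err}")
            continue
        net = iface.network
        if iface.ip in ips_seen:
            problems.append(f"{tag}: interface IP {iface.ip} already used by {ips_seen[iface.ip]}")
        ips_seen.setdefault(iface.ip, s.vlan_type)
        if gateway not in net:
            problems.append(f"{tag}: gateway {gateway} is not on {net}")
        if start > end:
            problems.append(f"{tag}: lease pool start {start} is after end {end}")
        elif start not in net or end not in net:
            problems.append(f"{tag}: lease pool {start}-{end} is not inside {net}")
        elif start == net.network_address or end == net.broadcast_address:
            problems.append(f"{tag}: lease pool includes the network or broadcast address")
        elif start <= iface.ip <= end or start <= gateway <= end:
            problems.append(f"{tag}: lease pool must not include the interface IP or gateway")
        if s.domain.lower().endswith(".local"):
            problems.append(f"{tag}: domain {s.domain} ends in .local; agents on OS X, iOS and some Linux systems may not resolve it")
        if s.lease_time != RECOMMENDED_LEASE_SECONDS:
            problems.append(f"{tag}: lease time {s.lease_time}s differs from the recommended {RECOMMENDED_LEASE_SECONDS}s")
    return problems


if __name__ == "__main__":
    # Constructed sample plan; the second entry deliberately reuses the Isolation VLAN ID.
    plan = [
        VlanScope("Isolation", 100, "10.200.100.1", "255.255.255.0", "10.200.100.254",
                  "10.200.100.10", "10.200.100.200", "megatech-iso.com"),
        VlanScope("Registration", 100, "10.200.101.1", "255.255.255.0", "10.200.101.254",
                  "10.200.101.10", "10.200.101.200", "megatech-reg.local"),
    ]
    for problem in check_vlan_plan(plan) or ["no problems found"]:
        print(problem)
```

The short 60-second lease matters for the same reason the checks do: when FortiNac moves a client between VLANs, the client only picks up the new subnet once its lease expires, so a pool that is misplaced or a lease that is too long leaves isolated hosts with stale addresses.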
Figure 9: Layer 2 Isolation
Figure 10: Add Subnet
Table 8: Layer 2 Access Point Management Field Definitions

Access Point Management Interface eth1
  Interface IP Address: IP address for the VLAN interface on eth1. This VLAN is used when more than one MAC address is detected on a single port. This typically occurs when network users connect to a hub or an unmanaged router.
  Mask: Subnet mask.
Access Point Management: Production Network Scopes
  Gateway: Gateway for eth1 when clients connect through this VLAN using the IP addresses defined for the Production Network.
  VLAN ID: Number used to identify this VLAN throughout the system. This number is used by FortiNac. Network users in this VLAN are divided into authenticated users and unauthenticated users. Authenticated users can access the production network using a range of specified IP addresses. Unauthenticated users are isolated from the production network based on a separate range of IP addresses. However, all users remain in the same VLAN.
  Lease Pool Start, End: Starting and ending IP addresses that delineate the range of IP addresses available on this VLAN.
  Domain: Identifies the domain for this range of IP addresses. To help identify the VLAN, incorporate part of the name in the domain. For example, for the isolation VLAN use megatech-iso.com or for the registration VLAN use megatech-reg.com.
  Note: If you use agents for OS X, iOS, and some Linux systems, using a .local suffix in Domain fields may cause communications issues. Example: an incorrect DNS suffix for reg is tech-reg.megatech.local; a correct one is tech.megatech-reg.edu.
  Lease Time: Time in seconds that an IP address in this domain is available for use. When this time has elapsed the user is served a new IP address. The recommended lease time for Access Point Management/Production is 3600 seconds.
  Production DNS Primary: IP address of the Primary DNS Server.
  Production DNS Secondary: IP address of the Secondary DNS Server.
Access Point Management: Isolation Network Scopes
  Gateway: Gateway for eth1 when clients connect through this VLAN using the IP addresses defined for the Isolation Network.
  Mask: Subnet mask.
  Lease Pool Start, End: Starting and ending IP addresses that delineate the range of IP addresses available for unauthenticated users on this VLAN.
  Domain: Identifies the domain for this range of IP addresses. To help identify the VLAN, incorporate part of the name in the domain. For example, for the isolation VLAN use megatech-iso.com or for the registration VLAN use megatech-reg.com.
  Note: If you use agents for OS X, iOS, and some Linux systems, using a .local suffix in Domain fields may cause communications issues. Example: an incorrect DNS suffix for reg is tech-reg.megatech.local; a correct one is tech.megatech-reg.edu.
  Lease Time: Time in seconds that an IP address in this domain is available for use. When this time has elapsed the user is served a new IP address. The recommended lease time for Access Point Management/Isolation is 60 seconds.
Figure 11: Layer 2 Access Point Management
Layer 2 Network - Additional Routes
If you want to configure additional routes within your Layer 2 network, see Layer 3 Network - Additional Routes on page 37 for steps. Configuration is the same for both network types.
After you have configured additional routes, click Summary. See Layer 2 Network - Summary
on page 24 for an example.
Layer 2 Network - Summary
1. Review the data on the Summary View to confirm the configured settings.
Important: Confirm that you have selected the check boxes for the VLANs you are
configuring. If they have not been selected, click the Back button to move through the
configuration screens and select the check box (es) you need. Click Next to return to
the Summary view.
2. Click Apply. The Configuration Wizard writes the data to the files on the appliances. This process may take several minutes to complete. When it completes, the Results page appears. See Results: Layer 2/Layer 3 Networks Or Control Manager on page 39.
Figure 12: Summary Of Layer 2 Network VLAN Configuration
Layer 3 Network - Route Scopes
If you are configuring the appliance in a routed environment, as opposed to a Layer 2 environment, select the Layer 3 option on the Network Type window. See Network Type on page 17. Instead of trunking VLANs on eth1, eth1 is connected to a single VLAN on an untagged port, and network traffic is routed to the clients rather than the clients connecting on the local Isolation VLANs.
Multiple scopes are allowed for each of the routes (Registration, Remediation, Dead End, VPN, Authentication, Isolation, and Access Point Management). Within these scopes, multiple ranges in the lease pool are also permitted. In addition you can add static routes. See Layer 3 Network - Additional Routes on page 37.
If you are not configuring routes at this time move to another step by doing one of the following:
select the step from the list on the left or click Next in each route screen. Re-run the
Configuration Wizard to configure routes at a later time.
Note: The Configuration Wizard dynamically writes all files configured on the FortiNAC Control
Server to the FortiNAC Application Server. No direct configuration of the FortiNAC Application
Server is required after the initial basic network setup is completed.
Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, labels of
DHCP Scopes should not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_",
"ISOL_", "VPN_", or "HUB_". These are reserved.
WARNING: If you are setting up an appliance for High Availability in an environment where
redundant servers do not use a shared IP address and reside in different subnets on your
network, you must enter Route Scopes in the Configuration Wizard for both the Primary and
Secondary server.
Table 9: Layer 3 Route Scopes

Layer 3 Isolation
  Isolates all clients connecting to the network and redirects them to the appropriate
  isolation web pages. In the Isolation route scope the state of the client, such as known
  vs. unknown or out-of-compliance, determines the access control information presented to
  the client via the web browser or persistent agent. If you use these scopes, configuring
  the other scopes (Registration, Remediation, Dead End, VPN, Authentication, or Access
  Point Management) is optional. You can use the Isolation scope with these scopes for
  other non-production network access.
Layer 3 Registration
  Isolates unregistered clients from the production network during client registration.
Layer 3 Remediation
  Isolates clients who pose a potential threat from the production network after a failed
  policy scan.
Layer 3 Dead End
  Isolates disabled clients with limited or no network connectivity from the production
  network.
Layer 3 Virtual Private Network
  Used for clients who connect to the network through VPN services.
Layer 3 Authentication
  Isolates registered clients from the Production network during user authentication.
Layer 3 Access Point Management
  Used for clients that connect through devices managed by Access Point Management. You
  can manage clients connected to hubs or simple access points by using DHCP as a means to
  control or restrict client access. Once you have completed your configuration and started
  FortiNAC, access Help for additional information about the Access Point Management Plugin.
Layer 3 Network - Configure Route Scopes
The configuration views for the Isolation, Registration, Remediation, Dead End, VPN and
Authentication scopes are similar. The Access Point Management scopes configuration view
contains sections for both Production and Isolation clients. Sample Isolation and Access Point
Management views are shown below.
For each set of route scopes you are configuring:
1. Click Next to proceed to the next configuration screen if you are not configuring the
displayed type, or select the type from the left-hand navigation pane.
2. To configure the route scopes displayed, select the check box next to the name, such
as Isolation or Registration, and enter the required information. See the table below for
definitions of the fields.
3. Click Add to add scopes or Modify to change existing scope information for this route.
4. Enter the Label, Gateway, and Mask.
5. In the Lease Pools section, click Add to add the lease pool information for the scope.
6. Enter the IP Addresses for Start and End of the lease pool range, then click Add.
7. Repeat steps 3 through 6 to create additional scopes and lease pools.
8. In the Isolation IP Subnets section, enter the list of IP Addresses and corresponding
Subnet Masks indicating IP addresses for which FortiNac will serve DNS.
9. For the Access Point Management scopes, enter the Interface IP Address and
Mask.
10. Enter the Access Point Management Scopes and Lease Pool information. Add or
modify scopes and associated lease pools.
11. Enter the Domain information in both the Production and Isolation sections.
12. Click Next when finished.
Table 10: Layer 3 Isolation Field Definitions

Route Scope Interface eth1
  Interface IP Address
    IP address for the Route Scope interface on eth1. Use a different IP for each route
    scope type you configure.
  Mask
    The subnet mask for the interface IP address. Note that the mask is shared between
    route scope types. If you modify the mask in one route scope, it changes in all others.
  Gateway
    This field is optional and does not need to be configured if the appliance and all of
    the managed devices are on the same subnet.
    If the appliance and any managed devices are on different subnets, enter the IP
    address of the routing device. A gateway is the device that passes traffic from the
    local subnet to devices on other subnets.
    Routes are automatically created for each Isolation Subnet to the Isolation Gateway.
    Routes traffic through eth1.

Isolation Scopes
  Label
    User specified name for the scope. Can be associated with a location, such as
    Building-B, or a function within the organization, such as Accounting.
    Note: When setting up Layer 3 Network Configurations in the Configuration Wizard,
    labels of DHCP Scopes should not begin with any of these strings: "REG_", "REM_",
    "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_". These are reserved.
  Gateway
    Default gateway for the client lease pool you are adding. Do not use the default
    gateway for eth1.
  Mask
    Subnet mask for the default gateway.
  Domain
    Identifies the domain for this range of IP addresses. To help identify the VLAN,
    incorporate part of the name in the domain. For example, for the isolation VLAN use
    megatech-iso.com or for the registration VLAN use megatech-reg.com.
    Note: If you use agents for OS X, iOS, and some Linux systems, using a .local suffix
    in Domain fields may cause communications issues.
    Example:
      Incorrect DNS suffix for reg: tech-reg.megatech.local
      Correct DNS suffix for reg: tech.megatech-reg.edu
  Lease Pools
    Starting and ending IP addresses that delineate the range of IP addresses available on
    this route. You can use multiple ranges.
  Lease Time (in seconds)
    Time in seconds that an IP address is available for use. When this time has elapsed
    the user is served a new IP address. The recommended lease time for Isolation,
    Registration, Remediation, Dead End, VPN and Authentication is 60 seconds.

Isolation IP Subnets
  Subnets
    IP Subnets are optional and used in situations like Client control via FlexCLI or
    roles-only Aruba/Xirrus integration.
    List of IP Addresses and corresponding Subnet Masks indicating IP addresses for which
    FortiNAC will serve DNS. Should only be used for hosts that are being isolated by
    FortiNAC.
    Can be any address on any subnet, as long as the same address is added to the filters
    as an isolation address when configuring the device.
Figure 13: Layer 3 Network Configuration - Isolation Scopes
Figure 14: Add/Modify Layer 3 Scopes And Lease Pools
Figure 15: Layer 3 Scopes - Add Lease Pool IP Range
Table 11: Layer 3 Access Point Management Field Definitions

Access Point Management Interface eth1
  Interface IP Address
    IP address for the VLAN interface on eth1. This VLAN is used when more than one MAC
    address is detected on a single port. This typically occurs when network users connect
    to a hub or an unmanaged router.
  Mask
    Subnet mask.

Access Point Management Scopes
  Label
    User specified name for the scope. Can be associated with a location, such as
    Building-B, or a function within the organization, such as Accounting.
    Note: When setting up Layer 3 Network Configurations in the Configuration Wizard,
    labels of DHCP Scopes should not begin with any of these strings: "REG_", "REM_",
    "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_". These are reserved.
  Production Def Gateway
    Default gateway for the client lease pool you are adding. Do not use the default
    gateway for eth1.
  Production Mask
    Subnet mask for Production IP addresses.
  Production Domain
    Identifies the domain for this range of IP addresses. To help identify the VLAN,
    incorporate part of the name in the domain. For example, for the isolation VLAN use
    megatech-iso.com or for the registration VLAN use megatech-reg.com.
    Note: If you use agents for OS X, iOS, and some Linux systems, using a .local suffix
    in Domain fields may cause communications issues.
    Example:
      Incorrect DNS suffix for reg: tech-reg.megatech.local
      Correct DNS suffix for reg: tech.megatech-reg.edu
  Production Lease Pools
    Starting and ending IP addresses that delineate the range of IP addresses available
    for authenticated users in this scope.
  Isolation Def Gateway
    Default gateway for eth1 when connecting through this scope using the IP addresses
    defined for the Isolation Network.
  Isolation Mask
    Subnet mask for Production IP addresses.
  Isolation Domain
    Identifies the domain for this range of IP addresses. To help identify the VLAN,
    incorporate part of the name in the domain. For example, for the isolation VLAN use
    megatech-iso.com or for the registration VLAN use megatech-reg.com.
    Note: If you use agents for OS X, iOS, and some Linux systems, using a .local suffix
    in Domain fields may cause communications issues.
    Example:
      Incorrect DNS suffix for reg: tech-reg.megatech.local
      Correct DNS suffix for reg: tech.megatech-reg.edu
  Isolation Lease Pools
    Starting and ending IP addresses that delineate the range of IP addresses available
    for unauthenticated users in this scope.

Access Point Management: Production Network Scopes
  Lease Time
    Time in seconds that an IP address in this domain is available for use. When this
    time has elapsed the user is served a new IP address. The recommended lease time for
    Access Point Management/Production is 3600 seconds.
  Production DNS Primary
    IP address of the Primary DNS Server.
  Production DNS Secondary
    IP address of the Secondary DNS Server.

Access Point Management: Isolation Network Scopes
  Lease Time In Seconds
    Time in seconds that an IP address in this domain is available for use. When this
    time has elapsed the user is served a new IP address. The recommended lease time for
    Access Point Management/Isolation is 60.
Figure 16: Layer 3 Access Point Management
Figure 17: Layer 3 Add Access Point Management Scopes
Importing Route Scopes
To import route scopes from a csv file, use one of the following formats:
Single Route Format
ScopeLabel,Default Gateway,Mask,Domain,Lease Pool "start address-end address,start address-end address"
Access Point Management Route Format
ScopeLabel,Production Default Gateway,Production Mask,Production Domain,Production Lease Pool "start address-end address,start address-end address",Isolation Default Gateway,Isolation Mask,Isolation Domain,Isolation Lease Pool "start address-end address,start address-end address"
Double quotes are accepted surrounding any field but are not required. On Lease Pools quotes
should surround the entire list of lease pools.
Note: The ScopeLabel field must be unique for each route scope that you import. If it is not
unique, the record with the first instance of the ScopeLabel field is duplicated for each
subsequent instance of the identical ScopeLabel.
Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, labels of
DHCP Scopes should not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_",
"ISOL_", "VPN_", or "HUB_". These are reserved.
Examples:
Single Route Scope
building-1,172.16.220.1,255.255.255.0,companyreg.com,"172.16.220.100-172.16.220.150,172.16.220.200-172.16.220.250"
Access Point Management Route Scope
building-1,172.16.220.1,255.255.255.0,company-apmprod.com,"172.16.220.100-172.16.220.150, 172.16.220.200-172.16.220.250",172.16.220.1,255.255.255.0,company-apmisol.com,"172.16.220.151-172.16.220.175"
For each scope you are configuring:
1. Navigate to the scope window, for example, Isolation.
2. Click Import.
3. On the Import Scopes File window browse to the csv file and click Apply.
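The following Python, added here as an example and not Fortinet code, parses rows in both import formats above and reports the constraints this section states (reserved label prefixes, duplicate ScopeLabel, the .local domain caveat) plus one assumed check that the guide does not state: every lease pool address must fall inside the subnet formed by the scope's gateway and mask. The sample rows are constructed for the example.

```python
"""Validate FortiNAC Layer 3 route-scope CSV rows before importing them.

Added example, not Fortinet code. Checks the constraints the guide states
(unique ScopeLabel, no reserved label prefix, .local domain caveat) plus one
assumed check: every lease pool address must lie inside the gateway's subnet.
"""
import csv
import io
import ipaddress

RESERVED_PREFIXES = ("REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", "HUB_")

# Constructed sample rows in the two import formats described above.
SINGLE_ROW = ('building-1,172.16.220.1,255.255.255.0,companyreg.com,'
              '"172.16.220.100-172.16.220.150,172.16.220.200-172.16.220.250"\n')
APM_ROW = ('building-1,172.16.220.1,255.255.255.0,company-apmprod.com,'
           '"172.16.220.100-172.16.220.150, 172.16.220.200-172.16.220.250",'
           '172.16.220.1,255.255.255.0,company-apmisol.com,'
           '"172.16.220.151-172.16.220.175"\n')
BAD_ROW = 'REG_lab,172.16.220.1,255.255.255.0,lab.local,"172.16.221.10-172.16.221.20"\n'


def parse_pools(field):
    """Split 'start-end,start-end' into (IPv4Address start, IPv4Address end) pairs."""
    pools = []
    for item in field.split(","):
        start, end = (part.strip() for part in item.split("-", 1))
        s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if e < s:
            raise ValueError(f"lease pool end {e} precedes start {s}")
        pools.append((s, e))
    return pools


def check_scope(label, gateway, mask, domain, pool_field):
    """Problems for one gateway/mask/domain/lease-pool group (empty list = OK)."""
    problems = []
    if label.startswith(RESERVED_PREFIXES):
        problems.append(f"{label}: label starts with a reserved prefix")
    if domain.lower().endswith(".local"):
        problems.append(f"{label}: .local domain may break OS X/iOS/Linux agents")
    subnet = ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False)
    for start, end in parse_pools(pool_field):
        if start not in subnet or end not in subnet:  # assumed check, see docstring
            problems.append(f"{label}: pool {start}-{end} is outside {subnet}")
    return problems


def validate_csv(text, apm=False):
    """Return [(label, [problems]), ...] in file order; apm=True selects the
    Access Point Management format, whose rows carry a second scope group."""
    results, seen = [], set()
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        label = row[0]
        problems = []
        if label in seen:  # the importer would duplicate the first record instead
            problems.append(f"{label}: duplicate ScopeLabel")
        seen.add(label)
        problems += check_scope(label, row[1], row[2], row[3], row[4])
        if apm:
            problems += check_scope(label, row[5], row[6], row[7], row[8])
        results.append((label, problems))
    return results


if __name__ == "__main__":
    print(validate_csv(SINGLE_ROW), validate_csv(APM_ROW, apm=True), validate_csv(BAD_ROW))
```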
Figure 18: Layer 3 Routes - Import Route Scopes Window
Layer 3 Network - Additional Routes
When a client connects on eth1 from a remote network, the return packet uses the eth0 Default
Gateway unless a network route is added. It is recommended that you configure your network so
that outbound and inbound routing uses the same interface, such as eth1. The routes you
created in Layer 3 Network - Configure Route Scopes on page 27 route back to the clients via
eth0.
Note: In a High Availability environment you must enter additional routes on both the primary
and secondary servers.
When you re-run the Configuration Wizard, the routes that you entered previously appear in the
view. You may have routes in your system routes file that were not entered in the Configuration
Wizard. Be aware of the following issues:
• If you import the system routes file, they overwrite any existing routes in the Additional
  Routes view.
• If you enter routes in the Additional Routes view and save, these routes overwrite
  previous routes.
• If there are no routes in the Additional Routes view and you save, all routes are erased
  from the system routes file except for the Default Gateway.
To import system routes, click the Read File button on the Additional Routes window in the
Configuration Wizard. The number of routes in the system routes file is listed next to the button.
For each route you are configuring:
1. On the Additional Routes screen click Add.
2. Enter the Network IP Address, Mask, and Gateway, then click Add.
Example:
When the eth1 IP is 192.168.10.2 and the eth1 gateway is 192.168.10.1 for DHCP Lease
Pool 192.168.110.100-192.168.110.200, add the following route:
  Network: 192.168.110.0
    Identifies the network from which packets are coming.
  Mask: 255.255.255.0
    Subnet mask for the network.
  Gateway: 192.168.10.1
    Identifies the gateway for eth1. Do not use the gateway for the network.
3. Repeat step 2 to add additional routes.
Important: The routes you enter into the list on this view are written to the system
routes file when you click Apply on the Summary view. If the list is blank, ALL routes
in the system routes file with the exception of the Default Gateway are removed from
the system routes file.
4. Click Next.
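The route derivation in the example above, as added Python that is not Fortinet code: for each remote DHCP lease pool served on eth1 it computes the (Network, Mask, Gateway) entry that returns traffic through eth1 rather than the eth0 Default Gateway, and rejects a gateway that is not on eth1's own subnet. The eth1 subnet mask is an assumption, since the guide's example gives only the eth1 IP and gateway.

```python
"""Derive the Additional Routes entries for remote DHCP lease pools.

Added example, not Fortinet code. For each lease pool served on eth1 it
computes the route (network, mask, gateway) that sends return traffic back
out through eth1 instead of the eth0 default gateway. The eth1 subnet mask
is an assumption; the guide's example gives only the eth1 IP and gateway.
"""
import ipaddress


def route_for_pool(pool_start, pool_end, pool_mask, eth1_ip, eth1_mask, eth1_gateway):
    """Return (network, mask, gateway) strings for one pool, or None if the
    pool already sits on eth1's own subnet and needs no route."""
    eth1_net = ipaddress.IPv4Network(f"{eth1_ip}/{eth1_mask}", strict=False)
    gateway = ipaddress.IPv4Address(eth1_gateway)
    if gateway not in eth1_net:
        # The guide says to use the gateway for eth1, not the remote network's gateway.
        raise ValueError(f"gateway {gateway} is not on the eth1 subnet {eth1_net}")
    start_net = ipaddress.IPv4Network(f"{pool_start}/{pool_mask}", strict=False)
    end_net = ipaddress.IPv4Network(f"{pool_end}/{pool_mask}", strict=False)
    if start_net != end_net:
        raise ValueError(f"pool {pool_start}-{pool_end} spans more than one "
                         f"{start_net.netmask} network")
    if gateway in start_net:
        return None  # pool is local to eth1; the connected route already covers it
    return (str(start_net.network_address), str(start_net.netmask), str(gateway))


def additional_routes(pools, pool_mask, eth1_ip, eth1_mask, eth1_gateway):
    """One route per distinct remote network, in first-seen order.
    pools is a list of (start, end) address strings."""
    routes = []
    for start, end in pools:
        route = route_for_pool(start, end, pool_mask, eth1_ip, eth1_mask, eth1_gateway)
        if route is not None and route not in routes:
            routes.append(route)
    return routes


if __name__ == "__main__":
    # The guide's example: eth1 192.168.10.2, eth1 gateway 192.168.10.1,
    # lease pool 192.168.110.100-192.168.110.200 (an eth1 /24 is assumed).
    print(additional_routes([("192.168.110.100", "192.168.110.200")],
                            "255.255.255.0", "192.168.10.2", "255.255.255.0", "192.168.10.1"))
```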
Figure 19: Additional Routes Window
Figure 20: Add Route Window
Results: Layer 2/Layer3 Networks Or Control Manager
1. Review the Results. Errors are noted at the top of the Results page.
2. Scroll down through the results and note errors or warnings. Make changes and apply
them until a successful configuration is written.
3. Click Reboot to continue with the installation and begin network modeling and policy
creation.
OR
Click Shutdown to turn off the appliance.
4. If the appliance has been Shutdown, it may be moved at this time, if necessary.
5. Re-run the Configuration Wizard at a later time to continue with configuration of VLANs
or adjust previous settings.
6. Contact Customer Support for any unresolved issues.
Figure 21: Results Window
Log In To The Admin User Interface
Note: The User Name and Password for the Admin User Interface are root/YAMS. These
credentials are not changed in the Configuration Wizard. You will be prompted to change your
credentials when you log in the first time.
1. When the results of the configuration are satisfactory, use one of the following URLs to
access the system’s graphical user interface:
http://<IP Address>:8080/
or
http://<Host Name of the appliance>:8080/
For secure port:
https://<IP Address>:8443/
or
https://<Host Name of the appliance>:8443/
2. Enter the login credentials.
User Name = root
Password = YAMS
Note: User Name and Password fields are case sensitive.
3. Once you have logged into FortiNAC, review the End User License Agreement and click
Accept to continue.
4. On the Password screen, create a new Administrator user name and password and
click Apply.
5. The Quick Start Wizard is displayed. Go through the steps to set up network access for
users on your network. Click Help > Current View for information on using the
software.
Important: You must run the Auto-Definition Synchronizer scheduled task to retrieve the latest
list of Vendor OUIs and AV/AS Definition updates.
Change Passwords After Configuration
Configuration files are overwritten whenever you run the Configuration Wizard. It is strongly
recommended, therefore, that you do not make changes outside of the Configuration Wizard.
Making all changes from within the Configuration Wizard prevents you from having custom
configuration files that can be accidentally overwritten.
Running the Configuration Wizard to change passwords after the initial setup also causes all
configuration files to be overwritten if you use the Next button to scroll through all of the pages. If
no manual changes have been made, this does not cause a problem. However, it is
recommended that you go directly to the Change Password window without running the entire
Configuration Wizard, save the passwords and exit the wizard.
See Configuration Wizard - Passwords on page 9 for additional information on modifying your
passwords.
To go directly to the Change Passwords window, type one of the following URLs:
http://<Host Name>:8080/configWizard/PasswordChange.jsp
http://<IP Address>:8080/configWizard/PasswordChange.jsp
Figure 22: Change Passwords Window
Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the
U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other
results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by
Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel,
with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific
performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the
same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and
circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations,and guarantees pursuant
hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the
publication shall be applicable.