FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 192882
Description
This article provides the steps to build a Network Access Policy.

Important: The host must appear in Host View with a connection status of online. Otherwise, the host will not match any network access policy.

Solution
Configure Policy

A Network Access Policy consists of two components:
  • User/Host Profile
  • Network Access Configuration
Build these components and tie them together to form a policy.

1.  Configure the User/Host Profile with the desired criteria the registered host must match in order for the policy to apply.

Example
Name: Guest Profile
Where (Location): Wireless   
Who/What by Group: Employee_Owned   
Who/What by Attribute:   

Host [Role: Guest]
Host [Role: BYOD]
Adapter [Physical Address: 00:00:1D:43:AA:BB:CC]
Tip: Add the MAC address of a test machine for validation purposes. This allows testing without affecting other devices.
When: Specify Time
M,Tu,W,Th,F 8:00 AM - 6:00 PM


In order for the online registered host to match Guest Profile, it must fulfill all of the following criteria:
- Is connected to an Access Point/Controller in the Wireless device group
- Is a member of the group named "Employee_Owned"
- Has a host role of Guest OR BYOD
- Is connecting during the work week (Monday through Friday) and between the hours of 8:00 AM and 6:00 PM
- Has MAC address 00:00:1D:43:AA:BB:CC


2.  Configure the Network Access Configuration.  This is the access value (VLAN, Role Assignment, etc.) that will be assigned if the host matches the User/Host Profile.

    Example
    Name: Guest Access Configuration  
    Access Value/VLAN: 500   

      
3.  Tie the User/Host Profile and Network Access Configuration together using a Network Access Policy.
     Name: Guest Access
     User/Host Profile: Guest Profile
     Network Access Configuration: Guest Access Configuration

Result: If a host matches the criteria defined in Guest Profile, then the host will be assigned the values as defined in the Guest Access Configuration (VLAN 500).

 

Validate Policy

1.  Search for the test host in Host View.

2.  Use the Policy Simulator to confirm whether or not the host meets the policy criteria and will match.  For instructions, see section Policy Simulator in the Administration Guide. 

3.  Rank the policy as appropriate.  By default, new policies are listed at the bottom.  Hosts are matched starting from the top (Rank 1), moving downward.  Policies with the most specific criteria should be listed at the top.
    
4.  Connect the test host and verify whether or not the policy matches by selecting the host in Host View, then right-click and select Policy Details.

5.  Once the policy has been validated, remove the Physical Address from the User/Host Profile so that the policy matches any device with the required criteria.
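The matching rules from the two sections above (every configured profile criterion must hold, the two roles are alternatives, an offline host never matches, and policies are tried from Rank 1 downward with the first match winning), as an added Python simulation that is not FortiNAC code or part of this article; the Host and Profile classes, the evaluate() function and the sample hosts are constructed for illustration only.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

@dataclass
class Host:
    """Constructed view of a registered host as it appears in Host View."""
    online: bool
    location: str    # device group of the AP/controller or switch the host is connected to
    groups: set
    role: str
    mac: str

@dataclass
class Profile:
    """User/Host Profile: every set criterion must hold (AND); values within one criterion are OR'd."""
    name: str
    location: Optional[str] = None
    group: Optional[str] = None
    roles: set = field(default_factory=set)
    macs: set = field(default_factory=set)
    weekdays: set = field(default_factory=set)   # 0 = Monday ... 6 = Sunday
    hours: Optional[tuple] = None                # (start_hour, end_hour), 24h clock, end exclusive

def profile_matches(p: Profile, h: Host, when: datetime) -> bool:
    # An offline host never matches; a criterion left unset in the profile is skipped.
    return h.online and all([
        not p.location or h.location == p.location,
        not p.group or p.group in h.groups,
        not p.roles or h.role in p.roles,
        not p.macs or h.mac.upper() in {m.upper() for m in p.macs},
        not p.weekdays or when.weekday() in p.weekdays,
        not p.hours or p.hours[0] <= when.hour < p.hours[1],
    ])

def evaluate(policies: list, h: Host, when_iso: str):
    """Try policies from rank 1 downward; the first matching profile decides the access value."""
    when = datetime.fromisoformat(when_iso)
    for rank, (name, profile, access_value) in enumerate(policies, start=1):
        if profile_matches(profile, h, when):
            return name, access_value, rank
    return None    # no policy matched

# The article's example profile and policy, with the test MAC still included
GUEST_PROFILE = Profile("Guest Profile", location="Wireless", group="Employee_Owned",
                        roles={"Guest", "BYOD"}, macs={"00:00:1D:43:AA:BB:CC"},
                        weekdays={0, 1, 2, 3, 4}, hours=(8, 18))
POLICIES = [("Guest Access", GUEST_PROFILE, "VLAN 500")]
```

Placing a broader profile (for example, location Wireless only) above Guest Access in the list shows why step 3 of validation matters: the broad policy captures the host first and the specific one is never reached.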


For additional information on configuring Policies, see section Policies in the Administration Guide. 

For troubleshooting tips, refer to related KB articles below.

Related Articles

Troubleshooting Tip: VLANs not changing on a wired switch

Technical Tip: Troubleshooting policies
