Created on 08-20-2022 04:04 AM Edited on 04-25-2023 06:27 AM By Jean-Philippe_P
Description | This article describes how to assign voice VLAN to IP phones when FortiSwitch is integrated with FortiNAC. |
Scope | FortiNAC, FortiFone and FortiSwitch. |
Solution |
This article shows how to assign a voice VLAN to IP phones connected to a FortiSwitch when the switch is integrated with FortiNAC (FNAC): FortiNAC authenticates the phone and returns the voice VLAN in the RADIUS Access-Accept, and the LLDP-MED profile on the port then advertises that VLAN to the phone.
VLAN config on FortiGate:
# config switch vlan
    edit 120
        set description "voicenac"   <-- VLAN description.
    next
end
In FortiNAC (where the VLAN names read from the FortiGate can be checked):
1) Select Network -> Inventory.
2) Expand the Container icon.
3) Select the device, and then select Virtualized Devices.
4) Double-click the root VDOM.
The VLAN name/description is 'voicenac'. The RADIUS attribute Egress-VLAN-Name (RFC 4675) has the format <tagged/untagged (1 or 2)><VLAN name string>, so a '1' is prepended to the VLAN name (giving "1voicenac") for the FortiSwitch to treat the VLAN as tagged; a '2' prefix would make it untagged.
Network Policy and User/Host Profile used to authenticate the IP phone:
LLDP profile configured on FortiGate and assigned to FortiSwitch port2 (as shown in the above screenshot):
# config switch-controller lldp-profile
    edit "voicefnaclldp"
        set med-tlvs inventory-management network-policy location-identification
        set auto-isl disable
        config med-network-policy
            edit "voice"
                set status enable
                set vlan-intf "voicenac"
                set assign-vlan enable
                set dscp 46
            next
        end
    next
end
FortiNAC must authenticate the device first; otherwise the port will not apply the LLDP profile to the phone.
FortiNAC must send the following three attributes in the Access-Accept packet (seen here in a RADIUS debug):
Wed Aug 10 19:57:13 2022 : Debug: (8) Sent Access-Accept Id 8 from 192.168.x.x:1812 to 192.168.x.x:34708 length 0
Wed Aug 10 19:57:13 2022 : Debug: (8)   Tunnel-Type = VLAN
Wed Aug 10 19:57:13 2022 : Debug: (8)   Egress-VLAN-Name = "1voicenac"   <- VLAN 120; the leading '1' means tagged VLAN.
Wed Aug 10 19:57:13 2022 : Debug: (8)   Tunnel-Medium-Type = IEEE-802
Wed Aug 10 19:57:13 2022 : Debug: (8) Finished request
The RADIUS Access-Request is always sent by the FortiSwitch itself, even when the switch is managed by a FortiGate, so RADIUS traffic (UDP 1812, as in the debug above) must be allowed between the FortiSwitch management IP and FortiNAC.
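As an added example (not part of the original article and not Fortinet code), the following Python builds the Access-Accept shown above from the three attributes, computes the RFC 2865 Response Authenticator, and then parses the packet the way the switch side must: it rejects a wrong shared secret, a truncated packet, or an Egress-VLAN-Name that lacks the '1'/'2' tag prefix. The shared secret, Request Authenticator, packet ID and function names are the example's own constructed values.

```python
"""Added example, not code from the Fortinet article: build and verify the
RADIUS Access-Accept a NAC server must send to place a port in a tagged
voice VLAN, using the three attributes the article lists (RFC 2868
Tunnel-Type / Tunnel-Medium-Type and RFC 4675 Egress-VLAN-Name).
The shared secret, Request Authenticator and VLAN name are constructed."""
import hashlib
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_EGRESS_VLAN_NAME = 58     # RFC 4675
ATTR_TUNNEL_TYPE = 64          # RFC 2868
ATTR_TUNNEL_MEDIUM_TYPE = 65   # RFC 2868
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def tlv(attr_type, value):
    """Encode one attribute as Type / Length / Value (length includes the 2-byte header)."""
    assert 1 <= len(value) <= 253
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tunnel_int(attr_type, value, tag=0):
    """Tunnel attributes carry a 1-byte Tag followed by a 3-byte integer."""
    return tlv(attr_type, struct.pack("!B", tag) + value.to_bytes(3, "big"))


def egress_vlan_name(name, tagged=True):
    """RFC 4675: first octet '1' = tagged, '2' = untagged, then the VLAN name.
    This is why the article's attribute value is "1voicenac", not "voicenac"."""
    return tlv(ATTR_EGRESS_VLAN_NAME, (b"1" if tagged else b"2") + name.encode())


def assemble(ident, request_auth, secret, attrs):
    """Wrap attributes in an Access-Accept. Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def build_access_accept(ident, request_auth, secret, vlan_name, tagged=True):
    """The reply the NAC server sends: exactly the three attributes from the article."""
    attrs = (tunnel_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
             + egress_vlan_name(vlan_name, tagged)
             + tunnel_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802))
    return assemble(ident, request_auth, secret, attrs)


def parse_vlan_assignment(packet, request_auth, secret):
    """Switch-side checks: authenticate the reply, require all three attributes,
    decode the tag prefix. Returns {'vlan_name': str, 'tagged': bool} or raises."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    found, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 3 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        found[atype] = packet[pos + 2:pos + alen]
        pos += alen
    if found.get(ATTR_TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        raise ValueError("Tunnel-Type is not VLAN")
    if found.get(ATTR_TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"):
        raise ValueError("Tunnel-Medium-Type is not IEEE-802")
    name = found.get(ATTR_EGRESS_VLAN_NAME, b"")
    if name[:1] not in (b"1", b"2") or len(name) < 2:
        raise ValueError("Egress-VLAN-Name missing or without the 1/2 tag prefix")
    return {"vlan_name": name[1:].decode(), "tagged": name[:1] == b"1"}


def check_reply(packet, request_auth, secret):
    """Convenience wrapper: the parsed assignment, or None if the reply is rejected."""
    try:
        return parse_vlan_assignment(packet, request_auth, secret)
    except ValueError:
        return None


# Constructed demo values (not from the article's capture).
SECRET = b"demo-shared-secret"
REQ_AUTH = bytes(range(16))


def demo():
    return check_reply(build_access_accept(8, REQ_AUTH, SECRET, "voicenac"), REQ_AUTH, SECRET)


if __name__ == "__main__":
    print(demo())  # {'vlan_name': 'voicenac', 'tagged': True}
```

The Response Authenticator check is the only thing that binds the Access-Accept to the shared secret, so when the firewall rule for FortiSwitch-to-FortiNAC RADIUS traffic is added, restrict it to FortiNAC's IP rather than opening UDP 1812 broadly: any host that can answer the switch's request with the right secret can choose the phone's VLAN.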
FortiSwitch 802.1x status:
S108 # diagnose switch 802-1x status port2
port2 : Mode: mac-based (mac-by-pass enable)
 Link: Link up
 Port State: authorized: ( )
 Dynamic Allowed Vlan list: 120          <---- Assigned by FortiNAC.
 Dynamic Untagged Vlan list:
 EAP pass-through : Enable
 EAP egress-frame-tagged : Enable
 EAP auto-untagged-vlans : Enable
 Allow MAC Move : Disable
 Dynamic Access Control List : Disable
 Quarantine VLAN (4093) detection : Enable
 Native Vlan : 188
 Allowed Vlan list: 120,120,188          <----- VLAN 120 appears twice: once assigned by FortiNAC, once by the LLDP profile.
 Untagged Vlan list: 188
 Guest VLAN :
 Auth-Fail Vlan :
 AuthServer-Timeout Vlan :

 Switch sessions 1/80, Local port sessions:1/20
 Client MAC           Type   Traffic-Vlan   Dynamic-Vlan
 80:5e:c0:xx:xx:xx    MAB    120            0          <----- LLDP voice profile applied VLAN 120.

 Sessions info:
 80:5e:c0:0d:7a:4a Type=MAB,,state=AUTHENTICATED,etime=3,eap_cnt=0 params:reAuth=3600
Summary of the flow:
1) FortiNAC registers the device (think of this step as the authentication) and returns the VLAN attributes in the Access-Accept.
2) If FortiNAC does not register the IP phone (the phone remains Rogue), the switch will NOT apply any LLDP profile to it.
Copyright 2024 Fortinet, Inc. All Rights Reserved.