By Manny Fernandez

April 25, 2019

Basic Deployment of FortiNAC – Part 1

FortiNAC, formerly Bradford Networks, was acquired by Fortinet in June of 2018.  Although Bradford was a great solution, joining the Fortinet team accelerated its growth from both a market-share and a feature perspective.  This will be a series of posts covering different aspects of the deployment: the base deployment (this post), FortiSwitch integration, compliance checking, and FortiGate integration with stitches and automation.  My environment is an existing 802.1X deployment using Cisco ACS, plus a new infrastructure of FortiSwitches managed by FortiGates that will replace both the Cisco switches and the existing 802.1X deployment.

What you are going to need:

  1. The FortiNAC ISO or OVA image
  2. License files from Fortinet
    1. The VM license (if you are running it on a VM)
    2. The device licenses
    3. The support contract
  3. Three different passwords (I use a random password generator).  These passwords cannot contain any of the following characters: ( ) ` $ & + | \ { } ; : " ' < > , . / =
  4. An isolation VLAN IP address, which will be assigned to the second NIC on the VM.
  5. An FQDN for the VM and a corresponding DNS entry on the internal DNS.
  6. IP address, SNMP (preferably v3) community string/credentials, and SSH credentials for your existing switches.
  7. The UUID and MAC address of the VM, which will be collected later in the steps.
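For item 3, here is the kind of generator I mean.  This is an added example of mine, not part of the FortiNAC wizard or anything Fortinet ships: it pulls random bytes from /dev/urandom, keeps only characters that are not on the restricted list above, and includes a validator you can run against a password you already have (for example one handed to you by a colleague).  Two things in it are my assumptions rather than Fortinet's rules: that the punctuation in ALLOWED (! @ # % ^ * _) is accepted, since the post only lists what is rejected, and the 8-character minimum length.

```shell
#!/bin/sh
# Added example (not from the original post or Fortinet): generate and
# validate FortiNAC wizard passwords that avoid the restricted characters.
#
# Restricted per the post:  ( ) ` $ & + | \ { } ; : " ' < > , . / =
# In tr's syntax a backslash must be written as \\, and the single quote is
# spliced in with '"'"' because the whole set sits inside single quotes.
RESTRICTED='()`$&+|\\{};:"'"'"'<>,./='

# Characters the generator draws from.  ASSUMPTION: the punctuation here is
# accepted by the wizard; the post only says which characters are rejected.
ALLOWED='A-Za-z0-9!@#%^*_'

# Minimum length enforced by the validator.  ASSUMPTION: this is the
# example's own floor, not a documented FortiNAC rule.
MIN_LEN=8

gen_nac_password() {
    # $1 = desired length (default 24).  Reads /dev/urandom, drops every
    # byte outside ALLOWED and stops once enough characters have passed.
    len="${1:-24}"
    LC_ALL=C tr -dc "$ALLOWED" < /dev/urandom | head -c "$len"
}

is_valid_nac_password() {
    # Returns 0 when $1 is long enough and contains none of RESTRICTED.
    # Works on any password, not just ones produced by gen_nac_password.
    pw="$1"
    [ "${#pw}" -ge "$MIN_LEN" ] || return 1
    # tr -dc keeps only the restricted characters; anything left is a hit.
    bad=$(printf '%s' "$pw" | LC_ALL=C tr -dc "$RESTRICTED")
    [ -z "$bad" ]
}

# Usage: generate the three passwords the wizard asks for and confirm
# that each one passes the validator before you paste it in.
for n in 1 2 3; do
    pw=$(gen_nac_password 24)
    if is_valid_nac_password "$pw"; then
        echo "password $n: $pw"
    else
        echo "password $n failed validation: $pw" >&2
        exit 1
    fi
done
```

The generator cannot produce a restricted character by construction, so the validator exists mostly for passwords that did not come from it; a hyphen, for instance, is not in ALLOWED but is not restricted either, so the validator accepts it.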

You should have received an email from your reseller/distributor/Fortinet with a series of PDF files containing the serial numbers you need to register.

If you do not already have a support portal account, go to 'https://support.fortinet.com' and register.

NOTE: You will NOT be able to register the support contract and the device licenses until you have registered the base (VM) license, because they are tied to your server license.

[Screenshot]

OVA Deployment

Deploy the .ova file using the normal VMware deployment method.  The VM requires two network interfaces; add the second one if the OVA does not create it automatically.

[Screenshot: OVA deployment in VMware]

Default Credentials:

username: admin  password: admin

Once the VM is deployed and powered on, connect to the console, log in with the default credentials above and assign the VM its management IP address.  The configIP script takes the IP address, the netmask and the default gateway, in that order:

sudo configIP
sudo configIP 192.168.5.244 255.255.255.0 192.168.5.1
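Before running configIP, it is worth checking that the three values agree with each other: a gateway outside the VM's own subnet, or a non-contiguous mask, leaves you with an appliance you can only reach from the console again.  The following is an added example of mine, not a Fortinet tool.  It is plain POSIX sh arithmetic that parses the dotted quads, verifies that the mask is contiguous and that the gateway is a usable host address in the same subnet as the VM, and only then hands the values to configIP in the order shown above (address, mask, gateway).

```shell
#!/bin/sh
# Added example (not from the original post or Fortinet): sanity-check the
# address, netmask and gateway before passing them to configIP.

ip_to_int() {
    # Convert dotted-quad $1 to a 32-bit integer on stdout.
    # Returns 1 for anything that is not four decimal octets in 0..255.
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;   # digits only, no leading zero
            *) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

same_subnet() {
    # $1 = host IP, $2 = netmask, $3 = gateway.
    # Succeeds only when all three parse, the mask is contiguous, and the
    # gateway is a usable host address inside the host's subnet.
    h=$(ip_to_int "$1") || return 1
    m=$(ip_to_int "$2") || return 1
    g=$(ip_to_int "$3") || return 1
    # A contiguous mask inverts to 2^n - 1, so (inv + 1) & inv must be 0.
    inv=$(( ~m & 0xffffffff ))
    [ $(( (inv + 1) & inv )) -eq 0 ] || return 1
    # Gateway must share the network prefix with the host ...
    [ $(( h & m )) -eq $(( g & m )) ] || return 1
    # ... and must not be the network address, the broadcast address,
    # or the host itself.
    [ "$g" -ne $(( h & m )) ] || return 1
    [ "$g" -ne $(( (h & m) | inv )) ] || return 1
    [ "$g" -ne "$h" ]
}

safe_configip() {
    # Run configIP only after the check passes; otherwise explain and stop.
    if same_subnet "$1" "$2" "$3"; then
        sudo configIP "$1" "$2" "$3"
    else
        echo "refusing: $1 / $2 with gateway $3 is not a consistent set" >&2
        return 1
    fi
}

# Usage with the values from this post, and a gateway that should be refused.
same_subnet 192.168.5.244 255.255.255.0 192.168.5.1 && echo "192.168.5.1 is a valid gateway for 192.168.5.244/255.255.255.0"
same_subnet 192.168.5.244 255.255.255.0 192.168.6.1 || echo "192.168.6.1 rejected: not in the VM's subnet"
# To actually apply the configuration on the appliance console:
#   safe_configip 192.168.5.244 255.255.255.0 192.168.5.1
```

The broadcast and network-address checks matter because configIP will happily accept them, and you only find out when the VM cannot reach anything off its own VLAN.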

Connecting to the GUI

You should now be able to connect to the GUI to finish the configuration by pointing your browser to:

http://%ip-address%:8080/configWizard

For this section, the credentials will be

username: config  password: config

[Screenshot: config wizard login]

The first thing you will see is the license validation.

[Screenshot: license validation]

Click 'Obtain a license key', which gives you the information (the UUID and MAC address of the VM) required to register this appliance on the support website.

[Screenshot: 'Obtain a license key' dialog]

Copy and paste this information somewhere and hold on to it for safe keeping.  Then log into the support portal and register the appliance.

[Screenshot: support portal registration]

Ensure that the Registration Code is for the VM (in my case) and not the device license or the support contract.

[Screenshot: registration code entry]

You will need to enter the information you copied in the previous steps (UUID and MAC Address).

[Screenshot: UUID and MAC address entry]

Once the registration is complete, enter the license key in the field provided and click OK.  Applying it takes a little time, so don't freak out.

[Screenshot: license key applied]

Once the key is applied, you will see the screen above.  You can click ‘OK’

[Screenshot]

Next we are going to configure the 'Basic Networking' settings.  The screenshot shows example values; replace them with your own information.

[Screenshot: Basic Networking with example values]

Once you fill in the pertinent information, you can hit the ‘Next’ button on either the top or bottom of the screen.

Next, you will need to set up the various passwords:

[Screenshot: password setup]

Here you enter the three passwords we discussed at the beginning, without using any of the restricted characters.

[Screenshot: wizard page where Layer 3 is selected]

You will want to choose Layer 3 in most cases.  Once you have filled in the pertinent information, click the 'Summary' button at either the top or bottom of the screen.

[Screenshot: Summary]

Validate your information and click 'Apply'.  The VM will reboot.

NOTE: If you changed the IP address, your browser will not follow the change on its own.  Update the URL with the new address.

[Screenshot: Apply and reboot]

After the reboot, log into the administrative GUI on port 8443 (https://%ip-address%:8443) rather than the port 8080 configuration wizard you used so far.

[Screenshot: FortiNAC GUI after login on port 8443]

Although the screenshot above is blue, the default theme is gray.  I cannot look at it because it makes me depressed.  To change it, go to 'Help' and then 'Preferences'.

[Screenshot: Help > Preferences]

Now choose the color and click 'OK'.

[Screenshot: color preference]

Now you are ready to add some devices (switches).

[Screenshot]

Click 'Network Devices' on the button bar at the top, then 'Topology'.

At the top level on the left, you can rename the container and create new containers.  I chose to use locations.

[Screenshot: Network Devices > Topology]

Right-click the top level, choose 'Add Container', name it and save.

[Screenshot: Add Container]

Right-click the newly created container and choose 'Add Device'.

[Screenshot: Add Device]

Once you have entered the appropriate information (the IP address, SNMP credentials and SSH credentials from the list at the beginning), click 'Validate Credentials' and wait for the message saying they are OK.  Then press the 'OK' button.

[Screenshot: Validate Credentials]

Once the device has been discovered, click the 'Element' button at the top, then 'Advanced', select 'Use SNMP to read L2/L3 data from the devices' and click 'Save'.

The next post in the series will be 'FortiSwitch Integration'.