
FortiNAC

Ubiquiti UniFi
Access Point Integration

Version: 9.1, 9.2, 9.4

Date: September 9, 2022

Rev: H

FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE


http://video.fortinet.com

FORTINET KNOWLEDGE BASE


https://community.fortinet.com/t5/Knowledge-Base/ct-p/knowledgebase

FORTINET BLOG
http://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT


http://support.fortinet.com

FORTINET COOKBOOK
http://cookbook.fortinet.com

NSE INSTITUTE
http://training.fortinet.com

FORTIGUARD CENTER
http://fortiguard.com

FORTICAST
http://forticast.fortinet.com

END USER LICENSE AGREEMENT


http://www.fortinet.com/doc/legal/EULA.pdf

Contents

Overview ............................................................................................................................................... 4
What it Does ...................................................................................................................................... 4
How it Works ..................................................................................................................................... 4
Requirements .................................................................................................................................... 5
Considerations ................................................................................................................................... 5
Ubiquiti UniFi Integration ................................................................................................................... 6
Configure Access Points .................................................................................................................... 6
Configure FortiNAC ........................................................................................................................ 10
RADIUS Server (Required for 802.1x Authentication) ............................................................... 10
Model the Device .......................................................................................................................... 10
Configure RADIUS and Network Access .................................................................................... 10
Add Remaining VLANs Configured in Device ............................................................................ 11
Prevent SSID Removal After Failed Read .................................................................................. 12
Validate ........................................................................................................................................... 12
Troubleshooting .................................................................................................................................. 13
Related KB Articles ......................................................................................................................... 13
Debugging ........................................................................................................................................ 13

Overview
The information in this document provides guidance for configuring Ubiquiti UniFi Access Points
to be managed by FortiNAC. This document details the items that must be configured.

Note: We attempt to provide as much information as possible about the integration of this device
with your FortiNAC software. However, the hardware vendor may have made modifications to the
device’s firmware that invalidate portions of this document. If you have problems configuring the
device, contact the vendor for additional support.

Tip: For hyperlinks referencing other documentation, right-click the link and select Open in New
Tab.

What it Does
FortiNAC provides network visibility (where endpoints connect) and manages VLAN assignment
at the point of connection for the host. This is accomplished by sending the appropriate
configuration commands to the device and acting as the authentication source.

How it Works
Visibility
FortiNAC learns where endpoints are connected on the network using the following methods:
 RADIUS communication
 L2 Polling (MAC address table read)

Control
FortiNAC provisions an endpoint’s network access by managing VLAN assignments based
on the UniFi AP’s model configuration or an applicable network access policy and the host
state of the endpoint. The VLAN configuration is modified using the appropriate method
based upon the vendor and model (see chart below).

Device Support Methods

Endpoint Connectivity Notification:      RADIUS (802.1x or MAC-auth)
Reading MAC Address Tables (L2 Poll):    CLI
Reading IP Tables (L3 Poll):             N/A
Reading VLANs:                           N/A (see Add Remaining VLANs Configured in Device)
VLAN Assignment:                         RADIUS (see Considerations)
De-auth:                                 See Considerations

For more information regarding wireless integrations with FortiNAC, refer to the Wireless
Integration Overview reference manual in the Fortinet Document Library.

Requirements
 Ubiquiti
o Supported Controller version: 5.12.35
o Supported Access Point firmware version: 4.0.69.10871
o SNMP community or account per Access Point
o Account for SSH access per Access Point

 FortiNAC
o Minimum version: 8.7.1 or greater

Considerations
 In current versions of Ubiquiti firmware, CoA is not supported.
This causes the following behaviors:
o Prevents FortiNAC from dynamically changing VLANs.
o Clients must manually disconnect then reconnect to the wireless in order to be
assigned the proper VLAN after completing registration. The Captive Portal content
can be edited to instruct users to disconnect and reconnect in order to change
network access.
o Clients that are marked as restricted (Disabled or At-Risk) do not change network
access until they disconnect from the wireless and reconnect.

 UniFi Access Points are autonomous and interact directly with FortiNAC for CLI, SNMP
and RADIUS. The “Controller” in the Ubiquiti UniFi solution is used for Access Point
configuration only.
 VLAN IDs that are statically assigned to SSIDs cannot be re-used on the same Access Point
for RADIUS assigned VLANs.

Example: If VLAN 10 is statically set for SSID A, then it cannot be used for SSID B
(managed by FortiNAC) on the same AP.

For more information, refer to Ubiquiti documentation:


https://dl.ubnt.com/guides/UniFi/UniFi_Controller_V5_UG.pdf

Ubiquiti UniFi Integration
Configure Access Points
Note: It is recommended that Ubiquiti APs are configured with a static IP address.

1. Log in to the UniFi Controller management interface and configure a RADIUS profile for the
FortiNAC Server.
a. Navigate to Settings > Profiles and click CREATE NEW RADIUS PROFILE.
b. The values in the table below are required when integrating with FortiNAC. Configure
all other settings as appropriate. Refer to vendor documentation for additional
information.

RADIUS Assigned VLAN Support:
    Select Enable for Wired Networks
    Select Enable for Wireless Networks

Authentication Servers:
    IP Address: FortiNAC Server/Control Server eth0 IP Address
    Port: 1812
    Shared Secret: The RADIUS Secret used must be exactly the same on the wireless device, on the
    RADIUS server and in the FortiNAC software under RADIUS Settings and Model Configuration.
    High Availability (HA) Environments: Click Add Authentication Server and add Secondary Server
    information (Do not use Shared IP Address).

Enable Accounting:
    Select Enable

RADIUS Accounting Servers:
    IP Address: FortiNAC Server/Control Server eth0 IP Address
    Port: 1813
    Shared Secret: The RADIUS Secret used must be exactly the same on the wireless device, on the
    RADIUS server and in the FortiNAC software under RADIUS Settings and Model Configuration.
    High Availability (HA) Environments: Click ADD ACCOUNTING SERVER and add Secondary Server
    information (Do not use Shared IP Address).

Enable Interim Update:
    Select Enable, value = 60
    This function periodically updates FortiNAC concerning the endpoint connection information.

2. Create a Network object for each required VLAN (isolation and production VLANS).
a. Navigate to Settings > Networks and click CREATE NEW NETWORK.
b. The values in the table below are required when integrating with FortiNAC.
Configure all other settings as appropriate. Refer to vendor documentation for
additional information.

Note: VLAN IDs that are statically assigned to SSIDs cannot be re-used on the
same Access Point for RADIUS assigned VLANs.

Name: VLAN name
Router: VLAN-only Network
VLAN ID: <VLAN ID>
DHCP Guarding: Enable
DHCP Server IP: <FortiNAC eth1 IP address for isolation VLANs>

3. Configure SNMP access to allow for FortiNAC device discovery. Navigate to Settings >
System and enable the appropriate SNMP version (either v1/v2 or v3).

Note: If using SNMP Version 3, the single password defined in the UniFi UI is used as both the
SHA1 authentication password and the AES-128 privacy password. The protocols and passwords
cannot be defined individually.

SNMP v3 Example (screenshot not reproduced)

4. Create SSID
a. Navigate to Settings > WiFi and click Create New WiFi Network.
b. The values in the table below are required when integrating with FortiNAC.
Configure all other settings as appropriate. Refer to vendor documentation for
additional information.

Name: Name of SSID
Security Protocol: Select one of the following:
     Open
     WPA2
     WPA2 Enterprise
     WPA2/WPA3
     WPA3
     WPA3 Enterprise
RADIUS MAC Authentication: Enable
RADIUS Profile: Select RADIUS profile created in step 1
MAC address Format: aa:bb:cc:dd:ee:ff

Example (MAC Authentication): screenshot not reproduced.
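The Python script below is an added example; it is not part of this document and is not Fortinet or Ubiquiti code. It models the RADIUS MAC-authentication exchange between an AP and a NAC server using the attribute types from RFC 2865 and RFC 2868, to show why the Shared Secret in the RADIUS profile (step 1) must match the one in FortiNAC: both the User-Password hiding and the Response Authenticator are keyed on it, so a mismatch makes the server reject the request and makes the AP unable to verify the reply. It also normalizes the client MAC into the aa:bb:cc:dd:ee:ff form selected for the SSID (step 4). The secrets, client MAC, isolation VLAN id and all function names are constructed for the example; the real exchange runs over UDP 1812 and is not reproduced.

```python
import hashlib
import os
import re
import struct

# Constructed values for the example, not taken from the document.
SECRET_ON_AP = b"correct-horse-battery"   # entered in the UniFi RADIUS profile
SECRET_ON_NAC = b"correct-horse-battery"  # entered in FortiNAC RADIUS Settings
ISOLATION_VLAN = "10"                     # hypothetical Registration VLAN
CLIENT_MAC_RAW = "AA-BB-CC-DD-EE-01"      # constructed client MAC as the AP sees it

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                 # RFC 2865 codes
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31                # RFC 2865 attributes
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attributes
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def normalize_mac(raw):
    """Return the MAC in the aa:bb:cc:dd:ee:ff form selected in the SSID settings."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def encode_attrs(attrs):
    # Each attribute is Type (1 byte), Length (1 byte, header included), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def ap_build_access_request(mac_raw, secret, ident=1):
    """MAC authentication: the AP sends the client MAC as both User-Name and User-Password."""
    mac = normalize_mac(mac_raw).encode()
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, mac), (USER_PASSWORD, hide_password(mac, secret, request_auth)),
             (CALLING_STATION_ID, mac)]
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)

def nac_handle_request(request, secret, vlan):
    """NAC side: recover User-Password with its own secret; a mismatch yields garbage and a reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
    if reveal_password(attrs[USER_PASSWORD], secret, request_auth) == attrs[USER_NAME]:
        code = ACCESS_ACCEPT  # the VLAN rides in the tunnel attributes; first byte is tag 0
        reply = [(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)),
                 (TUNNEL_MEDIUM_TYPE, struct.pack("!I", MEDIUM_IEEE_802)),
                 (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan.encode())]
    else:
        code, reply = ACCESS_REJECT, []
    auth = response_authenticator(code, ident, request_auth, encode_attrs(reply), secret)
    return packet(code, ident, auth, reply)

def ap_handle_response(request, response, secret):
    """AP side: return the VLAN id from a verified Access-Accept, else None (reject or bad authenticator)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    body = response[20:length]
    expected = response_authenticator(code, ident, request[4:20], body, secret)
    if response[4:20] != expected or code != ACCESS_ACCEPT:
        return None
    return dict(decode_attrs(body))[TUNNEL_PRIVATE_GROUP_ID][1:].decode()  # strip the tag byte

def mac_auth(ap_secret, nac_secret, mac_raw=CLIENT_MAC_RAW, vlan=ISOLATION_VLAN):
    """Run one exchange and return the VLAN the AP would apply to the client."""
    request = ap_build_access_request(mac_raw, ap_secret)
    return ap_handle_response(request, nac_handle_request(request, nac_secret, vlan), ap_secret)

if __name__ == "__main__":
    print("matching secrets  ->", mac_auth(SECRET_ON_AP, SECRET_ON_NAC))   # 10
    print("mismatched secret ->", mac_auth(SECRET_ON_AP, b"typo-secret"))  # None
```

With matching secrets the AP receives an Access-Accept carrying Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID="10"; with a mismatched secret the NAC side cannot recover the password and answers Access-Reject, and the AP cannot verify that reply either, which is the "secret must be exactly the same" failure mode this guide warns about.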

Configure FortiNAC
RADIUS Server (Required for 802.1x Authentication)
FortiNAC acts as a proxy for 802.1x requests. Add a RADIUS server (such as FortiAuthenticator)
to FortiNAC in order to proxy the 802.1x packets to the correct server. For instructions, see section
Configure RADIUS Settings of the Administration Guide in the Fortinet Document Library.

Important: The RADIUS Secret used must be exactly the same on the RADIUS server.

Note: FortiNAC does not proxy RADIUS requests when using MAC authentication.

Model the Device


1. Navigate to Network > Inventory.
2. Discover or add all UniFi APs. For instructions, see Add or Modify a Device or
Discovery of the Administration Guide in the Fortinet Document Library.
SNMP Settings: SNMP v1/v2 or v3 credentials previously configured on the Ubiquiti
APs.
Note: If SNMP v3 option is selected in the Ubiquiti UI, select the following in the
device model:
 SNMP Protocol: SNMPv3-AuthPriv
 Authentication Protocol: SHA1
 Privacy Protocol: AES-128

3. Once discovered, configure CLI Credentials under the Credentials tab and click Save.

Configure RADIUS and Network Access


4. Right-click on the model and select Model Configuration. (Note: Do not use the Model
Configuration tab for this step, as it does not have all the required configuration fields.)
5. Configure the following:
 RADIUS: RADIUS server definitions if FortiNAC is managing any 802.1x SSIDs.
 Network Access: Access Enforcement for each applicable host state (Registration,
Quarantine, Authentication and DeadEnd). For the corresponding Access Value, enter the
applicable VLAN.

Add Remaining VLANs Configured in Device


6. Add any other VLANs that FortiNAC can assign to connecting hosts. Since VLANs cannot
be read directly from the Ubiquiti APs, this list should include all the VLANs that were
configured on the Ubiquiti AP for all SSIDs controlled by FortiNAC.
a. Under Access Enforcement Descriptions, click Add.
b. Enter VLAN value then click OK.
c. Repeat process for each VLAN.

7. Once all VLANs have been added, click Apply.


8. To complete creating the VLAN interfaces in the FortiNAC database and associating them
to the model, click the Model Configuration tab and click Read VLANs.
9. Configure SSID specific VLAN values (optional)
a. Click the SSIDs tab.
b. Right-click and select SSID Configuration.
c. Make custom modifications as desired. For instructions, refer to SSID
Configuration section of the Administration Guide in the Fortinet Document
Library.
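As an added example (not from this document, and not FortiNAC or UniFi code), the Python check below takes a constructed list of UniFi network objects and SSIDs for one AP together with the FortiNAC Model Configuration from steps 5 and 6, and reports the two mismatches the Considerations section and step 6 describe: VLANs FortiNAC could assign that have no network object on the AP, and VLAN IDs statically bound to an SSID on the same AP, which cannot also be returned via RADIUS. It also lists network objects FortiNAC does not know about, since VLANs cannot be read from the AP and must be added by hand. The data structures, VLAN IDs and SSID names are assumptions made for the example; neither product exports its configuration in this form.

```python
# Constructed sample inventory for one AP, not taken from the document.
UNIFI_NETWORKS = {"Isolation": 10, "Employees": 20, "Guests": 30, "IoT": 40}  # Settings > Networks

# SSIDs on the AP. vlan=None means the VLAN comes from RADIUS (the FortiNAC-controlled case).
UNIFI_SSIDS = [
    {"name": "Corp-NAC", "vlan": None},
    {"name": "IoT-Static", "vlan": 40},
]

# FortiNAC Model Configuration for the AP: step 5 Access Enforcement, step 6 additional VLANs.
FORTINAC_MODEL = {
    "access_enforcement": {"Registration": 10, "Quarantine": 10, "Authentication": 10, "DeadEnd": 10},
    "additional_vlans": [20, 40, 50],
}

def check_vlan_plan(networks, ssids, model):
    """Return (errors, warnings): errors break VLAN assignment, warnings need a decision."""
    assignable = set(model["access_enforcement"].values()) | set(model["additional_vlans"])
    defined = set(networks.values())
    static = {s["vlan"]: s["name"] for s in ssids if s["vlan"] is not None}
    nac_ssids = [s["name"] for s in ssids if s["vlan"] is None]
    errors, warnings = [], []

    # FortiNAC can only place a host in a VLAN the AP knows: every VLAN it may
    # assign needs a network object on the controller (step 2).
    for vlan in sorted(assignable - defined):
        errors.append(f"VLAN {vlan}: in the FortiNAC model but has no UniFi network object")

    # Considerations: a VLAN statically tied to an SSID cannot also be RADIUS-assigned on that AP.
    for vlan in sorted(assignable & static.keys()):
        errors.append(f"VLAN {vlan}: statically assigned to SSID '{static[vlan]}', so it cannot be "
                      f"RADIUS-assigned on {nac_ssids} on the same AP")

    # Step 6: VLANs cannot be read from the AP, so any VLAN a FortiNAC-controlled SSID
    # should use has to be listed in the model by hand.
    for name, vlan in sorted(networks.items(), key=lambda kv: kv[1]):
        if vlan not in assignable and vlan not in static:
            warnings.append(f"VLAN {vlan} ('{name}'): unknown to FortiNAC; add it under Access "
                            f"Enforcement Descriptions if a FortiNAC-controlled SSID should use it")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = check_vlan_plan(UNIFI_NETWORKS, UNIFI_SSIDS, FORTINAC_MODEL)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

On the sample data the check flags VLAN 50 (in the model, no network object), VLAN 40 (static on IoT-Static, so unusable for Corp-NAC on this AP) and warns that VLAN 30 is not yet in the FortiNAC model; run it against the real plan before the Read VLANs step so the Model Configuration and the controller agree.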
Prevent SSID Removal After Failed Read
If FortiNAC fails to read the SSIDs of an AP or controller, the existing SSIDs already associated
with the device model are deleted (consequently removing SSID configuration and group membership).
To prevent this from occurring, run the following command in the CLI (Note: This attribute is not
set by default). Contact Support for assistance.

device -ip <devip> -setAttr -name PreserveSSIDs -value true

Validate
1. Configure test SSID to send RADIUS requests to FortiNAC.
2. Connect a rogue host to the newly enforced SSID.
3. Verify the following:
 Host is moved to the isolation VLAN
 Host is able to access the captive portal (if configured)
 Register the system
 Disable the WiFi on the host
 Enable WiFi on the host and make sure it is assigned the appropriate VLAN.

If any of the above do not work as expected, refer to the Troubleshooting section of this document.

Troubleshooting
Related KB Articles
Refer to the applicable KB article(s):
Troubleshooting SNMP Communication Issues
Troubleshooting Poll Failures
Wired hosts displaying incorrect status
Online wireless hosts displaying offline status
Rogue Wireless Clients Cannot Connect to SSID
Troubleshooting RADIUS clients not connecting
Troubleshooting Wireless Clients Moved to the Wrong VLAN

Debugging
Use the following KB article to gather the appropriate logs using the debugs below.
Gather logs for debugging and troubleshooting

Note: Debugs disable automatically upon restart of FortiNAC control and management processes.

Function                          Syntax                                     Log File
FortiNAC Server (Proxy RADIUS)    nacdebug -name RadiusManager true          /bsc/logs/output.master
FortiNAC Server (Local RADIUS)*   nacdebug -name RadiusAccess true           /bsc/logs/output.master
RADIUS Service (Local RADIUS)     radiusd -X -l /var/log/radius/radius.log   /var/log/radius/radius.log
                                  (Stop logging: Ctrl-C)
L2 related activity               nacdebug -name BridgeManager true          /bsc/logs/output.master
Ubiquiti specific                 nacdebug -name Ubiquiti true               /bsc/logs/output.master
SSH/Telnet CLI activity           nacdebug -name TelnetServer true           /bsc/logs/output.master
SNMP activity                     nacdebug -name SnmpV1 true                 /bsc/logs/output.master
Disable debug                     nacdebug -name <debug name> false          N/A

*Logging for a given MAC Address:

nacdebug -logger 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55' -level FINEST

Disable:
nacdebug -logger 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55'

Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other
jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective
owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables,
different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties,
whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified
product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract
shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make
any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in
full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication
without notice, and the most current version of the publication shall be applicable.
