FortiNAC Ubiquiti UniFi Access Point Integration v9
Ubiquiti UniFi
Access Point Integration
Rev: H
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET BLOG
http://blog.fortinet.com
FORTINET COOKBOOK
http://cookbook.fortinet.com
NSE INSTITUTE
http://training.fortinet.com
FORTIGUARD CENTER
http://fortiguard.com
FORTICAST
http://forticast.fortinet.com
Contents
Overview
  What it Does
  How it Works
  Requirements
  Considerations
Ubiquiti UniFi Integration
  Configure Access Points
  Configure FortiNAC
    RADIUS Server (Required for 802.1x Authentication)
    Model the Device
    Configure RADIUS and Network Access
    Add Remaining VLANs Configured in Device
    Prevent SSID Removal After Failed Read
  Validate
Troubleshooting
  Related KB Articles
  Debugging
Overview
The information in this document provides guidance for configuring Ubiquiti UniFi Access Points
to be managed by FortiNAC. This document details the items that must be configured.
Note: We attempt to provide as much information as possible about the integration of this device
with your FortiNAC software. However, the hardware vendor may have made modifications to the
device’s firmware that invalidate portions of this document. If having problems configuring the
device, contact the vendor for additional support.
Tip: For hyperlinks referencing other documentation, right-click the link and select Open in New
Tab.
What it Does
FortiNAC provides network visibility (where endpoints connect) and manages VLAN assignment
at the point of connection for the host. This is accomplished by sending the appropriate
configuration commands to the device and acting as the authentication source.
How it Works
Visibility
FortiNAC learns where endpoints are connected on the network using the following methods:
o RADIUS communication
o L2 Polling (MAC address table read)
Control
FortiNAC provisions an endpoint’s network access by managing VLAN assignments based
on the UniFi AP’s model configuration or an applicable network access policy and the host
state of the endpoint. The VLAN configuration is modified using the appropriate method
based upon the vendor and model (see chart below).
For more information regarding wireless integrations with FortiNAC, refer to the Wireless
Integration Overview reference manual in the Fortinet Document Library.
Requirements
Ubiquiti
o Supported Controller version: 5.12.35
o Supported Access Point firmware version: 4.0.69.10871
o SNMP community or account per Access Point
o Account for SSH access per Access Point
FortiNAC
o Minimum version: 8.7.1
Considerations
In current versions of Ubiquiti firmware, CoA is not supported.
This causes the following behaviors:
o Prevents FortiNAC from dynamically changing VLANs.
o Clients must manually disconnect then reconnect to the wireless in order to be
assigned the proper VLAN after completing registration. The Captive Portal content
can be edited to instruct users to disconnect and reconnect in order to change
network access.
o Clients that are marked to be restricted (disabled or At-Risk) will not have their network
access changed until they disconnect from the wireless and reconnect.
UniFi Access Points are autonomous and interact directly with FortiNAC for CLI, SNMP
and RADIUS. The “Controller” in the Ubiquiti UniFi solution is used for Access Point
configuration only.
VLAN IDs that are statically assigned to SSIDs cannot be re-used on the same Access Point
for RADIUS assigned VLANs.
Example: If VLAN 10 is statically set for SSID A, then it cannot be used for SSID B
(managed by FortiNAC) on the same AP.
Ubiquiti UniFi Integration
Configure Access Points
Note: It is recommended that Ubiquiti APs are configured with a static IP address.
1. Log in to the UniFi Controller management interface and configure a RADIUS profile for the
FortiNAC Server.
a. Navigate to Settings > Profiles and click CREATE NEW RADIUS PROFILE.
b. The values in the table below are required when integrating with FortiNAC. Configure
all other settings as appropriate. Refer to vendor documentation for additional
information.
RADIUS Accounting Servers
  IP Address: FortiNAC Server/Control Server eth0 IP Address
  Port: 1813
  Shared Secret: The RADIUS Secret used must be exactly the same on the wireless device, on the
  RADIUS server and in the FortiNAC software under RADIUS Settings and Model Configuration.
  High Availability (HA) Environments: Click ADD ACCOUNTING SERVER and add Secondary Server
  information (Do not use Shared IP Address).
Enable Interim Update
  Select Enable, value = 60. This function periodically updates FortiNAC concerning the endpoint
  connection information.
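To make the Shared Secret and Interim Update rows concrete, the following is an added example (not from this document, Fortinet or Ubiquiti) that builds an RFC 2866 Accounting-Request of type Interim-Update the way an AP would and validates its Request Authenticator the way the accounting server does; the secrets, client MAC and session id are constructed placeholders.

```python
import hashlib
import struct

# RFC 2866 code / attribute numbers used below (constructed example, not from the document)
ACCOUNTING_REQUEST, INTERIM_UPDATE = 4, 3
ACCT_STATUS_TYPE, CALLING_STATION_ID, ACCT_SESSION_ID = 40, 31, 44

def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_accounting_request(ident, secret, attrs):
    """AP side: Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def verify_accounting_request(packet, secret):
    """Server side: recompute the authenticator with the locally configured secret."""
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return expected == authenticator  # False is what a mismatched Shared Secret looks like

def parse_attributes(packet):
    """Walk the TLV attribute list that follows the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            break  # malformed attribute: stop rather than loop forever or over-read
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def interim_update_check(ap_secret, server_secret):
    """Build a constructed Interim-Update as the AP would and validate it as the server would; returns (ok, status_type, calling_station_id)."""
    packet = build_accounting_request(0x2A, ap_secret, [
        attr(ACCT_STATUS_TYPE, struct.pack("!I", INTERIM_UPDATE)),
        attr(CALLING_STATION_ID, b"aa:bb:cc:dd:ee:ff"),  # constructed client MAC
        attr(ACCT_SESSION_ID, b"5f3c1a9e00000001"),     # constructed session id
    ])
    ok = verify_accounting_request(packet, server_secret)
    parsed = parse_attributes(packet)
    status = struct.unpack("!I", parsed[ACCT_STATUS_TYPE])[0]
    return ok, status, parsed[CALLING_STATION_ID].decode()

if __name__ == "__main__":
    print(interim_update_check(b"same-secret", b"same-secret"))  # (True, 3, 'aa:bb:cc:dd:ee:ff')
    print(interim_update_check(b"same-secret", b"typo-secret"))  # (False, 3, 'aa:bb:cc:dd:ee:ff')
```

With the interim update interval set to 60 as in the table above, a packet like this arrives for every connected client about once a minute, which is what keeps FortiNAC's connection state current between polls.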
2. Create a Network object for each required VLAN (isolation and production VLANS).
a. Navigate to Settings > Networks and click CREATE NEW NETWORK.
b. The values in the table below are required when integrating with FortiNAC.
Configure all other settings as appropriate. Refer to vendor documentation for
additional information.
Note: VLAN IDs that are statically assigned to SSIDs cannot be re-used on the
same Access Point for RADIUS assigned VLANs.
3. Configure SNMP access to allow for FortiNAC device discovery. Navigate to Settings >
System and enable the appropriate SNMP version (either v1/v2 or v3).
Note: If using SNMP Version 3, the defined Password acts as both the SHA1 and AES-128
Passwords. The protocol versions and passwords cannot be defined individually.
SNMP v3 Example
4. Create SSID
a. Navigate to Settings > WiFi and click Create New WiFi Network.
b. The values in the table below are required when integrating with FortiNAC.
Configure all other settings as appropriate. Refer to vendor documentation for
additional information.
MAC address Format: aa:bb:cc:dd:ee:ff
Configure FortiNAC
RADIUS Server (Required for 802.1x Authentication)
FortiNAC acts as a proxy for 802.1x requests. Add a RADIUS server (such as FortiAuthenticator)
to FortiNAC in order to proxy the 802.1x packets to the correct server. For instructions, see section
Configure RADIUS Settings of the Administration Guide in the Fortinet Document Library.
Important: The RADIUS Secret used must be exactly the same on the RADIUS server.
Note: FortiNAC does not proxy RADIUS requests when using MAC authentication.
3. Once discovered, configure CLI Credentials under the Credentials tab and click Save.
Validate
1. Configure test SSID to send RADIUS requests to FortiNAC.
2. Connect a rogue host to the newly enforced SSID.
3. Verify the following:
o Host is moved to the isolation VLAN
o Host is able to access the captive portal (if configured)
o Register the system
o Disable the WiFi on the host
o Enable WiFi on the host and make sure it is assigned the appropriate VLAN.
If any of the above do not work as expected, refer to the Troubleshooting section of this document.
Troubleshooting
Related KB Articles
Refer to the applicable KB article(s):
o Troubleshooting SNMP Communication Issues
o Troubleshooting Poll Failures
o Wired hosts displaying incorrect status
o Online wireless hosts displaying offline status
o Rogue Wireless Clients Cannot Connect to SSID
o Troubleshooting RADIUS clients not connecting
o Troubleshooting Wireless Clients Moved to the Wrong VLAN
Debugging
Use the following KB article to gather the appropriate logs using the debugs below.
Gather logs for debugging and troubleshooting
Note: Debugs disable automatically upon restart of FortiNAC control and management processes.
RADIUS Service (Local RADIUS)
  Command: radiusd -X -l /var/log/radius/radius.log
  Log file: /var/log/radius/radius.log
  Stop logging: Ctrl-C
L2 related activity
  Command: nacdebug -name BridgeManager true
  Log file: /bsc/logs/output.master
SSH/Telnet CLI activity
  Command: nacdebug -name TelnetServer true
  Log file: /bsc/logs/output.master
SNMP activity
  Command: nacdebug -name SnmpV1 true
  Log file: /bsc/logs/output.master
Disable debug
  Command: nacdebug -name <debug name> false
  Log file: N/A
Disable: nacdebug -logger 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55'
Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other
jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective
owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables,
different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties,
whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified
product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract
shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make
any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in
full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication
without notice, and the most current version of the publication shall be applicable.