Fortinet GURU

Fortigate guides and more.

WIFI Dynamic user VLAN assignment

Dynamic user VLAN assignment

Clients connecting to the WiFi network can be assigned to a VLAN. You can do this with RADIUS attributes when the user authenticates or with VLAN pooling when the client associates with a particular FortiAP. You cannot use both of these methods at the same time.

VLAN assignment by RADIUS

You can assign each individual user to a VLAN based on information stored in the RADIUS authentication server. If the user’s RADIUS record does not specify a VLAN ID, the user is assigned to the default VLAN for the SSID.

The RADIUS reply attributes used for the VLAN ID assignment are the standard RFC 2868 tunnel attributes:

  • IETF 64 (Tunnel-Type): set this to VLAN (value 13).
  • IETF 65 (Tunnel-Medium-Type): set this to IEEE-802 (value 6).
  • IETF 81 (Tunnel-Private-Group-ID): set this to the VLAN ID.

Send all three in the Access-Accept; the VLAN ID on its own is not a VLAN assignment.

To configure dynamic VLAN assignment, you need to:

  • Configure access to the RADIUS server.
  • Create the SSID and enable dynamic VLAN assignment.
  • Create a FortiAP Profile and add the SSID (local bridge or tunnel mode) to it.
  • Create the VLAN interfaces and their DHCP servers.
  • Create security policies to allow communication from the VLAN interfaces to the Internet.
  • Authorize the FortiAP unit and assign the FortiAP Profile to it.
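The encoding of those attributes matters as much as their values: each of the three tunnel attributes carries a one-byte RFC 2868 tag in front of its value, and a decoder has to strip it before reading the VLAN. The following Python is an added example, not code from the original article or from Fortinet. It builds the Access-Accept attribute list a RADIUS server would return for the scenario above and decodes it the way a NAS has to, treating a reply that sends only Tunnel-Private-Group-ID as incomplete and falling back to the SSID default. Attribute numbers and enum values (64/65/81, VLAN = 13, IEEE-802 = 6) are the standard ones; the sample reply bytes, the `default_vlan` parameter and the acceptance of a VLAN name in place of an ID are assumptions made here for illustration.

```python
"""Added example (not from the original article): encode and decode the RFC 2868
tunnel attributes a RADIUS server returns in an Access-Accept to place a WLAN
client in a VLAN. Attribute numbers and enum values are the standard ones; the
reply bytes are constructed here, not captured from a FortiGate."""
import struct

TUNNEL_TYPE = 64                # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65         # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81    # Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13           # Tunnel-Type = VLAN (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6      # Tunnel-Medium-Type = IEEE-802 (RFC 2868)


def _avp(attr_type, value):
    """One RADIUS attribute-value pair: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_reply(vlan, tag=1):
    """Return the three AVPs that assign `vlan` (an ID, or a VLAN name on builds
    that accept names). RFC 2868 prefixes each tunnel attribute with a one-byte
    tag (0x01-0x1F) that groups the three into one tunnel description; tag 0
    means untagged. FreeRADIUS writes this as Tunnel-Private-Group-Id:1 = "10"."""
    if isinstance(vlan, int) and not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    t = bytes([tag])
    return (
        _avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan).encode("ascii"))
    )


def parse_avps(data):
    """Split a concatenated attribute list into (type, value) pairs; a bad
    length byte is rejected rather than walked past."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def _untag(value):
    """Strip the RFC 2868 tag: a first byte of 0x00-0x1F is a tag, anything
    larger is already part of the value (e.g. the ASCII digits of "10")."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_reply(data, default_vlan=None):
    """Return the VLAN assigned by an Access-Accept attribute list: an int for a
    numeric Tunnel-Private-Group-ID, the string for a VLAN name, or
    `default_vlan` (the SSID's static vlanid, an assumed parameter) when the
    reply carries no complete VLAN assignment."""
    tunnel_type = medium = group = None
    for attr_type, value in parse_avps(data):
        _, raw = _untag(value)
        if attr_type == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(raw, "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(raw, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            group = raw.decode("ascii", "replace")
    # Tunnel-Private-Group-ID alone is not a VLAN assignment: both companions
    # must say "VLAN over 802" or the client stays on the default VLAN.
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or not group:
        return default_vlan
    if group.isdigit():
        vid = int(group)
        return vid if 1 <= vid <= 4094 else default_vlan
    return group
```

On FreeRADIUS the same three attributes go in the user's reply items, e.g. `Tunnel-Type:1 = VLAN`, `Tunnel-Medium-Type:1 = IEEE-802`, `Tunnel-Private-Group-Id:1 = "10"`; the `:1` is the tag byte the code writes in front of each value.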

To configure access to the RADIUS server

  • Go to User & Device > RADIUS Servers and select Create New .
  • Enter a Name , the name or IP address in Primary Server IP/Name , and the server secret in Primary Server Secret .
  • Select OK .

To create the dynamic VLAN SSID

  • Go to WiFi & Switch Controller > SSID , select Create New > SSID and enter:
Interface Name: an identifier, such as dynamic_vlan_ssid.
Traffic Mode: Local bridge or Tunnel, as needed.
SSID: the broadcast name, such as DYNSSID.
Security Mode: WPA2 Enterprise.
Authentication: RADIUS Server. Select the RADIUS server that you configured.
  • Enable dynamic VLAN in the CLI. Optionally, you can also set a VLAN ID to define the default VLAN for users whose RADIUS reply carries no VLAN assignment.

    config wireless-controller vap
        edit dynamic_vlan_ssid
            set dynamic-vlan enable
            set vlanid 10
        next
    end

To create the FortiAP profile for the dynamic VLAN SSID

  • Go to WiFi & Switch Controller > FortiAP Profiles , select Create New and enter:
Name: a name for the profile, such as dyn_vlan_profile.
Platform: the FortiAP model you are using. If you use more than one model of FortiAP, you will need a FortiAP Profile for each model.
SSID: select the SSID you created (example dynamic_vlan_ssid). Do not add other SSIDs.
  • Adjust other radio settings as needed.

To create the VLAN interfaces

  • Go to Network > Interfaces , select Create New > Interface and enter:
Name: a name for the VLAN interface, such as VLAN100.
Type: VLAN.
Interface: the parent interface for the VLAN. For a local bridge SSID this is the physical port the FortiAP's traffic arrives on; for a tunnel mode SSID it is the SSID interface itself, which some FortiOS versions let you set only from the CLI.
VLAN ID: the numeric VLAN ID, for example 100.
Addressing mode: select Manual and enter the IP address / Network Mask for the virtual interface.
DHCP Server: enable it, then select Create New to create an address range.
  • Repeat the preceding steps to create other VLANs as needed.

To create the security policies

Security policies determine which VLANs can communicate with which other interfaces. These are ordinary address-based firewall policies with no user or group authentication requirement: the user has already been authenticated by the SSID, and the VLAN assignment is what places them behind the right source interface. The VLAN assignment by itself enforces nothing; traffic from a VLAN interface with no matching policy is dropped, and any inter-VLAN reachability you want must be granted by an explicit policy between the VLAN interfaces.

To connect and authorize the FortiAP unit

  • Connect the FortiAP unit to the FortiGate unit.
  • Go to WiFi & Switch Controller > Managed FortiAPs .
  • When the FortiAP unit is listed, double-click the entry to edit it.
  • In FortiAP Profile , select the FortiAP Profile that you created.
  • Select Authorize .

VLAN assignment by VLAN pool

In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN pool can:

  • assign a specific VLAN based on the AP's FortiAP Group, usually for network configuration reasons, or
  • assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only)

To assign a VLAN by FortiAP Group – CLI

In this example, VLAN 101, 102, or 103 is assigned depending on which FortiAP Group (wtpgrp1, wtpgrp2 or wtpgrp3) the client's AP belongs to. Each vlan-pool entry is keyed by the VLAN ID it assigns.

    config wireless-controller vap
        edit wlan
            set vlan-pooling wtp-group
            config vlan-pool
                edit 101
                    set wtp-group wtpgrp1
                next
                edit 102
                    set wtp-group wtpgrp2
                next
                edit 103
                    set wtp-group wtpgrp3
                next
            end
        next
    end


Load balancing

Two VLAN pooling methods are available for load balancing. The choice of VLAN is based on one of the following criteria:

  • round-robin – from the VLAN pool, choose the VLAN with the smallest number of clients (least-loaded, rather than a strict rotation)
  • hash – choose a VLAN from the VLAN pool based on a hash of the current number of SSID clients and the number of entries in the VLAN pool

If the VLAN pool contains no valid VLAN ID, the SSID’s static VLAN ID setting is used.

To assign a VLAN by round-robin selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the round-robin method:

    config wireless-controller vap
        edit wlan
            set vlan-pooling round-robin
            config vlan-pool
                edit 101
                next
                edit 102
                next
                edit 103
                next
            end
        next
    end

To assign a VLAN by hash-based selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the hash method:

    config wireless-controller vap
        edit wlan
            set vlan-pooling hash
            config vlan-pool
                edit 101
                next
                edit 102
                next
                edit 103
                next
            end
        next
    end
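To see how the three vlan-pooling modes differ in practice, here is an added Python model (not FortiOS code, and not from the original page) of the selection logic described in this section: wtp-group maps the client's AP group to a fixed VLAN, round-robin hands each new client the pool VLAN with the fewest current clients, hash picks a VLAN from the current SSID client count and the pool size, and a pool with no valid VLAN falls back to the SSID's static vlanid. The client table, the modulo used for the hash (FortiOS does not publish its hash), and the treatment of an AP group that has no pool entry (fall back to the static VLAN) are assumptions made for illustration.

```python
"""Added example (not FortiOS code): a model of how an SSID's VLAN pool picks a
VLAN for an associating client under the three vlan-pooling modes, plus the
documented fallback to the SSID's static vlanid when the pool holds no valid
VLAN. The modulo hash and the client table are assumptions for illustration."""
from collections import Counter


class VlanPool:
    def __init__(self, method, static_vlan, pool=(), group_map=None):
        # pool: VLAN IDs for round-robin/hash; group_map: FortiAP group -> VLAN ID
        self.method = method
        self.static_vlan = static_vlan
        self.pool = [v for v in pool if 1 <= v <= 4094]   # drop invalid IDs
        self.group_map = {g: v for g, v in (group_map or {}).items() if 1 <= v <= 4094}
        self.clients = {}   # client MAC -> VLAN currently assigned

    def assign(self, mac, ap_group=None):
        """Return the VLAN for a client associating through an AP in `ap_group`."""
        if self.method == "wtp-group":
            # assumption: an AP group with no pool entry gets the static VLAN
            vlan = self.group_map.get(ap_group, self.static_vlan)
        elif not self.pool:
            vlan = self.static_vlan          # no valid VLAN in pool: use static vlanid
        elif self.method == "round-robin":
            # "round-robin" here is least-loaded: the pool VLAN with the fewest
            # current clients, ties broken by pool order.
            load = Counter(self.clients.values())
            vlan = min(self.pool, key=lambda v: (load[v], self.pool.index(v)))
        elif self.method == "hash":
            # stateless: depends only on how many clients the SSID has right now
            # (modulo is an assumed stand-in for the real hash)
            vlan = self.pool[len(self.clients) % len(self.pool)]
        else:
            raise ValueError("unknown vlan-pooling method: %s" % self.method)
        self.clients[mac] = vlan
        return vlan

    def disconnect(self, mac):
        self.clients.pop(mac, None)

    def distribution(self):
        """Clients per VLAN, e.g. to compare the two load-balancing modes."""
        return dict(Counter(self.clients.values()))
```

The operational difference this model makes visible: round-robin re-balances as clients leave, because it looks at current load, whereas hash depends only on the instantaneous client count, so it is deterministic but does not react to how the existing clients are spread. Whichever mode you choose, every VLAN in the pool still has to exist as an interface on the FortiGate with its own DHCP scope and firewall policies, exactly as for RADIUS-assigned VLANs.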


Linux, Fortinet, Life


Fortigate – Dynamic VLAN (tunnel mode)

In this example we will create a wireless VAP in tunnel mode with dynamic VLAN assignment via a RADIUS server, based on group membership.

First we create a new SSID. Traffic mode is "Tunnel to wireless controller"; an IP address doesn't need to be configured here unless some users/groups won't be assigned a VLAN.

Next we turn on dynamic VLAN via the CLI:

Now we create a new VLAN (or several, depending on the number of required groups). At the time of this writing it is not possible to associate a VLAN with a VAP interface in the GUI, so this must be done via the CLI:

Edit the newly created VLAN in the GUI to enable the DHCP server:


Now we’re ready to test dynamic VLAN assignment with a wireless client.


Dynamic VLAN assignment for VPN users

Goal: Users will receive a predefined VLAN access/IP when connecting to the FortiGate's VPN. The VLAN should be defined as a RADIUS/LDAP attribute of the user.

Architecture: We have a FortiGate connected to a RADIUS server to authenticate users. (FortiGate -> FreeRADIUS -> OpenLDAP)

We can successfully authenticate users against our RADIUS users using SSL VPN. I have seen multiple guides on how to dynamically assign a VLAN for users using 802.1x, but I could not find any resource on how to achieve it over VPN.

Can this be done? If so, how?


FortiSwitch

  • Online, Instructor-Led

In this interactive course, you will learn how to deploy, provision, and manage a FortiSwitch with FortiGate using FortiLink. This course also covers the deployment and troubleshooting of Layer 2 and Layer 3 features, as well as the most common FortiSwitch stack topologies, including those that leverage multichassis link aggregation group (MCLAG) for redundancy and higher performance. You will also learn about FortiSwitch in standalone mode, its unique features, and how to manage a standalone switch directly, or from FortiLAN Cloud.

Learning Objectives

  • Explore the FortiSwitch portfolio and identify the supported management modes
  • Describe and deploy FortiSwitch in managed switch mode (FortiLink mode)
  • Understand Ethernet switching, VLANs, link aggregation (LAG), MCLAG, and Layer 2 discovery
  • Identify the most common FortiSwitch topologies when deploying FortiSwitch in managed switch mode
  • Understand Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree protocol (MSTP) operation and configuration, as well as other loop protection features
  • Describe and configure Layer 2 security to filter unwanted traffic and perform anti-spoofing
  • Configure Layer 2 authentication using 802.1X, and leverage 802.1X to assign dynamic VLANs to endpoints
  • Implement advanced features to increase port density, control network access, forward multicast traffic more effectively, and quarantine compromised devices
  • Prioritize traffic on FortiSwitch by using QoS marking, queuing, and rate limiting features
  • Simplify endpoint deployment by using Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED)
  • Share FortiSwitch ports across different VDOMs using multi-tenancy
  • Monitor FortiSwitch using SNMP, sFlow, and flow sampling
  • Describe the most useful troubleshooting tools available on FortiSwitch

Framework Connections

  • Design and Development
  • Implementation and Operation
  • Oversight and Governance
  • Protection and Defense

Competency Areas

  • Operating Systems (OS) Security
  • Operational Technology (OT) Security
  • Cybersecurity Architecture
  • Defensive Cybersecurity
  • Security Control Assessment
  • Systems Administration
  • Systems Security Analysis

If you would like to provide feedback for this course, please e-mail the NICCS SO at [email protected] .


802.1x dynamic vlan assignment in fortilink


CBI-msuss

Created on ‎12-15-2023 06:34 AM


anignan

Created on ‎12-15-2023 08:03 AM

ebilcari

Created on ‎12-15-2023 08:44 AM


COMMENTS

  1. Dynamic VLAN assignment for SSID clients ...

    Make sure to enable dynamic VLAN assignment. GUI: Navigate to WiFi & Switch Controller -> SSIDs -> Create New. CLI: config wireless-controller vap. ... Because the tunnel mode SSID creates a layer 3 virtual interface on the FortiGate and thus VLANs would be matched that are bound to that SSID interface. When SSID is in bridge mode.

  2. Creating an SSID with dynamic VLAN assignment

    On the FortiGate, go to WiFi & Switch Controller > SSID and create a new SSID. Set up DHCP service. Select WPA2 Enterprise security and select your RADIUS server for authentication. Enable Dynamic VLAN Assignment. Then open the CLI Console and enter the following command to enable dynamic VLAN assignment and set the VLAN ID to 10.

  3. Dynamic VLAN name assignment from RADIUS attribute

    To configure dynamic VLAN name assignment: Designate the VLAN name instead of VLAN ID. config system interface edit "my.vlan.10" set vdom "root" set ip 1.1.1.254 255.255.255. set allowaccess ping set interface "my.fortlink" set vlanid 10 next end. On the FortiGate, all VLANs are specified as a system interface.

  4. Dynamic VLAN assignment

    Home FortiSwitch 7.2.6 Administration Guide. Dynamic VLAN assignment. You can configure the RADIUS server to return a VLAN in the authentication reply message: On the FortiSwitch unit, select port-based authentication or MAC-based authentication and a security group. On the RADIUS server, configure the attributes.

  5. FortiGate WiFi WPA2-Enterprise dynamic VLANs assignment

    The FortiGate as wireless controller can be set up to manage FortiAPs and to do WPA Enterprise authentication. Allowing more granular user access on a single Wi-Fi can be done with Dynamic VLAN Assignments. Dynamic VLAN assignment is available for both tunnel and bridge mode. In tunnel mode, traffic will be centrally managed by the FortiGate.

  6. Support Dynamic VLAN assignment by Name Tag 7.0.4

    FortiGate needs to assign VLAN-ID=100 on the station if vlan-name is "print", and assign VLAN-ID=200 on the station if vlan-name is "voip" (VLAN name print = VLAN ID 100; voip = 200). ... Support Dynamic VLAN assignment by Name Tag 7.0.4. Before this enhancement, users can be assigned to VLANs dynamically according to the Tunnel-Private-Group-Id ...

  7. Dynamic VLAN name assignment from RADIUS attribute

    To configure dynamic VLAN name assignment: Configure a RADIUS server: Set Tunnel-Type to "VLAN". Set Tunnel-Medium-Type to "IEEE-802". Set Tunnel-Private-Group-Id to "my.vlan.10". Designate the VLAN name instead of VLAN ID. Configure the FortiGate: config system interface. edit "my.vlan.10".

  8. Dynamic VLAN 'Name' Assignment from RADIUS Attribute

    Dynamic VLAN 'Name' Assignment from RADIUS Attribute. Starting in 6.2, when FortiSwitch receives a VLAN assignment from RADIUS, it determines if the data is an integer or string representation. ... On the FortiGate, all VLANs are specified as a system interface. Each system interface has a well-defined and unique name. When running FortiLink ...

  12. MAB Dynamic VLAN assignment with FortiGate, FortiSwitch and ...

    This video will be helpful to understand and configure basic MAC-based authentication with Dynamic VLAN assignment only to devices that have successfully bee...

  13. Configuring dynamic user VLAN assignment

    One VLAN ID per user. See Reserved VLAN IDs. To configure dynamic VLAN assignment, you need to: Configure access to the RADIUS server. Create the SSID and enable dynamic VLAN assignment. Create a FortiAP Profile and add the local bridge mode SSID to it. Create the VLAN interfaces and their DHCP servers.

  15. How to Dynamic Vlan Assignment : r/fortinet

    Dynamic port assignment is for non-user ports; think access points, cameras, IoT devices. Use NAC for your user ports; think desktops, laptops, kiosks. I think you can do both. Dynamic port policy is to my knowledge the old way. NAC is the new way and the way I will recommend you go. Hey guys, I'm trying to "Dynamic Vlan Assignment" on the ...

  16. Troubleshooting Tip: Dynamic VLAN assignment featu ...

    FortiGate, SSID. By default, Dynamic VLAN assignment is disabled. This feature is useful when users need to change VLAN automatically after changing the connected AP. Once enabled, the FortiGate keeps consulting the RADIUS server to authenticate the user as they move across different APs.

  17. Configuring dynamic user VLAN assignment

    Under Additional Settings, enable Dynamic VLAN assignment. If you do not see the toggle, you can enable from the CLI: config wireless-controller vap. edit dynamic_vlan_ssid. set dynamic-vlan enable. set vlanid 10. end. Optionally, you can also assign a VLAN ID to set the default VLAN for users without a VLAN assignment. See Reserved VLAN IDs.

  18. VLANs

    6.4.1. 6.4.0. VLANs. VLANs. Virtual Local Area Networks (VLANs) multiply the capabilities of your FortiGate unit and can also provide added network security. VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain.

  20. VLAN assignment by FortiAP group

    Each location will have its own VLAN for corporate users and the DHCP scope will be individual per each location. How will FortiGate be able to use one SSID and switch between VLANs, route the traffic and forward requests to the DHCP server based on the VLAN configured to the specific AP group? Will be grateful for any hint.

  22. Assigning a VLAN via NAC policies control...

    This article describes how to perform configuration on FortiGate to assign a VLAN via NAC policies based on ZTNA tags synchronized from FortiClient EMS. Scope: ... The example below is using ZTNA tag from EMS, and Dynamic Address created by NAC Policy for source address: 5) Configure onboarding VLAN under 'WiFi & Switch Controller/NAC Policies ...

  23. 802.1x dynamic vlan assignment in fortilink

    FGT/FSW in FortiLink mode can be configured for dynamic VLAN assignment via RADIUS. You have to create and apply a Security Policy at the switch port level, like shown below: Just keep in mind that even though the RADIUS configuration is done through the FGT, the RADIUS requests originate from the FSW. Make sure the switch can reach the RADIUS ...