Question

Integrating Fortinet / Meru WLC into Extreme Control w/ Captive Portal

  • 18 March 2019
  • 1 reply
  • 492 views

I'm trying to get my Fortinet gear to talk to my Extreme Control NAC like my Extreme wireless does.

I have a 6+-year-old article that references Enterasys NAC (the legacy NAC Manager looks very similar) and an old Meru-branded WLC (Enterasys NAC with Meru Wireless Integration Guide). While these environments are similar to my setup (Extreme Control + Fortinet-branded appliance), there seem to be some setting differences between the editions.

Also, since I've inherited this system, I was told by Extreme Engineers that my current Extreme system is using a COS_40 setup to send traffic to the NAC. Is that something I should be able to leverage on the Fortinet end?

This is all to get a BYOD SSID up and running at multiple sites. Obviously the Extreme wireless works very well, but integrating the remaining Fortinet is causing me some issues.

1 reply

Hi guayc,

To confirm that I understand, you have some switches and a Fortinet as a default gateway, and want to use Fortinet to redirect users (wired/wireless) to a Captive Portal hosted at Extreme Access Control?
You have a couple of options for Captive Portal redirection; the most generic ones are Policy Based Routing and DNS Proxy. "COS_40" sounds like the first one, and this is how it works:
  1. Your new client device walks through MAC authentication on a switch (EAC as the RADIUS server); due to NAC profiling rules it gets the Unregistered policy.
  2. That policy, applied on the switch (it could be some script or an RFC 3580-induced VLAN with a relevant ACL applied to it), results in TCP port 80 traffic being marked with DSCP.
  3. When that web traffic (some HTTP request) reaches the gateway, it has an ACL for PBR that results in using NAC as a next-hop for that TCP 80 traffic with DSCP marking.
  4. NAC gets the request and takes over the web communication with a client device.
Please let us know if that's more or less what you were thinking about.

Kind regards,
Tomasz

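The gateway side of the flow described in the reply above (steps 2 and 3: DSCP-marked TCP/80 traffic is policy-routed to the NAC engine as next hop), written out as a FortiOS policy route. This is an added example for illustration; it is not part of the original thread and is neither Extreme's nor Fortinet's own documentation. It assumes FortiOS 6.x CLI syntax, a client-facing interface named port2, an interface towards Extreme Access Control named port1, a NAC engine address of 10.10.10.5, an existing firewall address object BYOD_Unregistered covering the unregistered client subnets, and that "COS_40" means the switch marks the traffic with DSCP 40 (CS5). DSCP occupies the upper six bits of the IP ToS byte, so DSCP 40 is 40 << 2 = 0xA0, matched with mask 0xFC. Every one of these values is a placeholder to be replaced with the real ones.

```fortios
# Added example: FortiGate policy route sending DSCP-40-marked HTTP to the NAC engine.
# Placeholder interface names, address object and gateway IP; adapt to the real environment.
config router policy
    edit 1
        # interface facing the client VLANs (assumption)
        set input-device "port2"
        # address object for the unregistered client subnet(s) (assumption)
        set srcaddr "BYOD_Unregistered"
        set dstaddr "all"
        # TCP only, destination port 80 only (HTTPS cannot be transparently redirected this way)
        set protocol 6
        set start-port 80
        set end-port 80
        # DSCP 40 (CS5) expressed as a ToS byte: 40 << 2 = 0xA0; mask 0xFC compares only the six DSCP bits
        set tos 0xa0
        set tos-mask 0xfc
        set action permit
        # Extreme Access Control engine as next hop, reached via port1 (assumption)
        set gateway 10.10.10.5
        set output-device "port1"
    next
end
```

Two checks worth doing before trusting this: capture a packet from an unregistered client on the gateway and confirm the ToS byte really reads 0xA0 (if the switch marks a different DSCP value, adjust `set tos` accordingly), and run `diagnose firewall proute list` to confirm the route is installed. A policy route only chooses the next hop; a normal firewall policy from port2 to port1 that permits TCP/80 towards the NAC engine is still required, and policy routes are evaluated in order with first match winning, so keep this entry ahead of any broader ones.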