This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Integrating Fortinet / Meru WLC into Extreme Control w/ Captive Portal

Integrating Fortinet / Meru WLC into Extreme Control w/ Captive Portal

guayc
New Contributor

‎03-18-2019 12:47 PM

I'm trying to get my Fortinet gear to talk to my Extreme Control NAC like my Extreme wireless does.

I have a 6+ year old article that references Enterasys NAC (Legacy NAC Manager looks very similar) and an old Meru branded WLC (Enterasys NAC with Meru Wireless Integration Guide). While these environments are similar to my setup (Extreme Control + Fortinet branded appliance), there seems to be some setting differences between the editions.

Also, since I've inherited this system, I was told by Extreme Engineers that my current Extreme system is using a COS_40 setup to send traffic to the NAC. Is that something I should be able to leverage on the Fortinet end?

This is all to get a BYOD SSID up and running at multiple sites. Obviously the Extreme wireless works very well, but integrating the remaining Fortinet is causing me some issues.
0 Kudos
2 REPLIES 2

Avinash_Paul
New Contributor

‎01-28-2020 09:35 AM

Hi,

 

Is any one have integration guide (Enterasys NAC with Meru Wireless Integration Guide)?

0 Kudos

Tomasz
Valued Contributor II

‎04-02-2019 09:48 PM

Hi guayc,

To confirm that I understand, you have some switches and a Fortinet as a default gateway, and want to use Fortinet to redirect users (wired/wireless) to a Captive Portal hosted at Extreme Access Control?
You have couple of options for Captive Portal redirection, the most generic ones are Policy Based Routing and DNS Proxy. "COS_40" sounds like the first one, and that's how it works:
  1. Your new client device walks through MAC authentication on a switch (EAC as a RADIUS server), due to NAC profiling rules it gets Unregistered policy.
  2. That policy, applied on a switch (could be some script or RFC3580-induced VLAN with relevant ACL applied to it) results in having TCP port 80 traffic marked with DSCP.
  3. When that web traffic (some HTTP request) reaches the gateway, it has an ACL for PBR that results in using NAC as a next-hop for that TCP 80 traffic with DSCP marking.
  4. NAC gets the request and takes over the web communication with a client device.
Please let us know if that's more less what you were thinking about.

Kind regards,
Tomasz
0 Kudos
GTM-P2G8KFN