2012 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet.
Objectives
- Identify the device identification features of FortiOS and describe device identification techniques
- Describe how to apply device identification features to a VAP interface
- Configure access control for wireless clients based on device type in a hands-on lab
01-05002-RevA-0203-20130520
Device identification (BYOD)
Device detection depends on it being enabled on the interface via the device-identification command.

config system interface
    edit "port1"
        set device-identification (enable|disable*)
        set device-user-identification (enable*|disable)
end

- The global setting of the device types FortiOS detects is hardcoded
- System process: src-vis (device identification)
- Discovered devices are periodically saved to flash and are restored at boot
Device identification (BYOD)
User & Devices > Device > device
diag user device list
Access List
Device access lists may be assigned to interfaces to control inbound access.

config system interface
    edit port1
        set device-access-list "name"
end
Device-identity Policy
Each device-identity policy entry may have one or more devices, device-groups or device categories specified.
3 possible actions:
- accept (the default)
- deny
- Captive portal
ACL in action

-------------wlan(root/0, EAP-Test) acl (Android)----------------------
0 0 00:0b:7d:26:2b:4d accept Windows PC wifi
1 0 00:25:bc:45:a5:55 accept iPhone
2 0 00:c0:ca:65:f1:ff accept Linux PC
3 0 18:34:51:43:12:52 accept iPhone
4 0 40:a6:d9:70:c5:28 accept iPhone
5 0 48:60:bc:10:c5:2f accept iPhone
6 0 58:94:6b:53:9f:80 accept Windows PC eric
7 0 a0:0b:ba:b5:ed:2c deny Android Phone
8 0 b4:07:f9:0b:58:cd deny Android Phone
9 0 d0:23:db:35:46:12 accept iPhone
10 0 e0:b9:a5:6f:f4:20 deny Android Phone
-------------wlan(root/0, FAP_Test) acl (none)----------------------
-------------wlan(root/0, guest) acl (none)----------------------
-------------wlan(root/0, hotel) acl (none)----------------------
-------------wlan(root/0, mesh.root) acl (none)----------------------
-------------wlan(root/0, test) acl (none)----------------------
-------------wlan(root/0, vlan40) acl (none)----------------------
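Added example, not part of the Fortinet training material: a Python parser for the per-SSID ACL listing shown above, reporting which clients the ACL denies and which SSIDs have no device access list at all. The column meanings, the function names (parse_acl_dump, denied, without_acl) and the sample data are assumptions made for this example.

```python
import re

# Constructed sample in the layout of the listing above, left flattened onto
# one line as slide extraction delivers it; MAC addresses are made up.
SAMPLE = (
    "-------------wlan(root/0, EAP-Test) acl (Android)----------------------"
    "0 0 02:00:00:00:00:01 accept Windows PC wifi 1 0 02:00:00:00:00:02 accept iPhone "
    "2 0 02:00:00:00:00:03 deny Android Phone 3 0 02:00:00:00:00:04 deny Android Phone "
    "-------------wlan(root/0, guest) acl (none)----------------------"
    "-------------wlan(root/0, hotel) acl (none)----------------------"
)

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
HEADER = re.compile(r"wlan\(([^,]+),\s*([^)]+)\)\s+acl\s+\(([^)]*)\)")
# Assumption: columns are index, an unlabelled counter, MAC, action, then
# free text (device type, optionally followed by a name).
ENTRY = re.compile(
    rf"(\d+)\s+\d+\s+({MAC})\s+(accept|deny)\s+(.*?)(?=\s+\d+\s+\d+\s+{MAC}|\s*$)",
    re.I | re.S,
)

def parse_acl_dump(text):
    """Return {ssid: {"acl": name or None, "entries": [(mac, action, desc)]}}."""
    wlans, current = {}, None
    # Runs of dashes delimit headers, so splitting on them works whether or
    # not the original line breaks survived.
    for segment in filter(None, (s.strip() for s in re.split(r"-{5,}", text))):
        header = HEADER.fullmatch(segment)
        if header:
            _vdom, ssid, acl = header.groups()
            current = wlans.setdefault(
                ssid, {"acl": None if acl == "none" else acl, "entries": []})
        elif current is not None:
            current["entries"] += [
                (m[2].lower(), m[3].lower(), " ".join(m[4].split()))
                for m in ENTRY.finditer(segment)]
    return wlans

def denied(wlans):
    """(ssid, mac, description) for every client the ACL rejects."""
    return [(ssid, mac, desc) for ssid, w in wlans.items()
            for mac, action, desc in w["entries"] if action == "deny"]

def without_acl(wlans):
    """SSIDs with no device access list, i.e. no device-type filtering."""
    return sorted(ssid for ssid, w in wlans.items() if w["acl"] is None)

if __name__ == "__main__":
    parsed = parse_acl_dump(SAMPLE)
    print(denied(parsed), without_acl(parsed))
```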