Scribd
Upload
66 views15 pages

FortiNAC IP Phone Integration

Uploaded by

Diego Fernando velasco
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
66 views15 pages

FortiNAC IP Phone Integration

Uploaded by

Diego Fernando velasco
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 15

FortiNAC

IP Phone Integration
Version: 8.x
Date: May 31, 2022
Rev: I

1
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE


http://video.fortinet.com

FORTINET KNOWLEDGE BASE


https://community.fortinet.com/t5/Knowledge-Base/ct-p/knowledgebase

FORTINET BLOG
http://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT


http://support.fortinet.com

FORTINET COOKBOOK
http://cookbook.fortinet.com

NSE INSTITUTE
http://training.fortinet.com

FORTIGUARD CENTER
http://fortiguard.com

FORTICAST
http://forticast.fortinet.com

END USER LICENSE AGREEMENT


http://www.fortinet.com/doc/legal/EULA.pdf

2
Contents

Overview ............................................................................................................................................... 4
What it Does ...................................................................................................................................... 4
How it Works ..................................................................................................................................... 4
Requirements .................................................................................................................................... 6
IP Phones with Voice VLANs Integration ............................................................................................ 6
Configure Switch(es) and Phones ..................................................................................................... 6
Configure FortiNAC .......................................................................................................................... 6
Review Model Configuration for Connecting Switches ................................................................. 6
Automated Voice VLAN Configuration (optional) ........................................................................ 7
Create Host Group for IP Phones .................................................................................................. 8
Add IP Phones to the FortiNAC Database .................................................................................... 8
Validate ................................................................................................................................................. 9
Troubleshooting .................................................................................................................................. 10
Appendix ............................................................................................................................................. 11
Add Phones with Voice VLANs Using Device Profiler (Optional).................................................. 11
Automated Voice VLAN Configuration Using FlexCLI (Optional) ................................................ 12
Automated Voice VLAN Configuration Using RADIUS (Optional) ............................................... 14
Enable IP Phone MAC Notification Trap Processing (Optional) ................................................... 14

3
Overview
Important: This document is intended to be used in environments where IP Phones utilize a
tagged Voice VLAN. This VLAN operates independently of the untagged VLAN that governs other
traffic (data) on the connecting switch port. If the IP Phones to be integrated do not use tagged
Voice VLANs, refer to IP Phone Integration using untagged VLANs reference manual in the
Fortinet Document Library for instructions.

Switch Port IP Phone Computer

Tagged Voice VLAN

Untagged/Data VLAN

What it Does
Provides visibility and control for endpoints connecting behind IP Phones on the network.
FortiNAC does not provide any special integration logic for different IP phone vendors. Typically,
the network administrator deploys the organization's IP phone infrastructure independently of
configuring the FortiNAC. Because FortiNAC's focus is on endpoints daisy-chained to the phone,
the type of phone that is used is unimportant.

How it Works
 IP phone MAC address is ignored when determining the appropriate untagged
VLAN for a port: The untagged VLAN on a given port (data VLAN) will not be switched
based upon the presence of a device with the IP Phone device type. The untagged VLAN
will only switch based upon a device connecting behind the phone.

Example:
1. An unregistered/Rogue IP phone connects to a switch port and is isolated.
2. Device is registered using type IP Phone.
3. Although the device is now registered, the untagged VLAN will not change because
the IP Phone device type is ignored.

 Voice VLAN manipulation: By default, FortiNAC does not provision voice VLANs when
an IP phone connects. Additional configuration is required using one of the following
methods:
o FlexCLI: FortiNAC configures the port to support voice when an IP Phone is detected.
The configuration is removed when the phone disconnects. FortiNAC has limited
support for this by leveraging the FlexCLI feature to specify the switch-specific
commands to manage this process. For a list of supported vendors, refer to the CLI
Configuration section of the Administration Guide.

4
o RADIUS: When IP Phone connects, FortiNAC includes the Voice VLAN
value in the RADIUS response. Switch ports must be configured for
RADIUS authentication.

 IP Phone Connection information: Cisco switches can send CDP notifications triggered
by IP Phone traffic that is transmitted across untagged VLANs. Other switches have the
ability to send MAC Notification messaging as well. FortiNAC has the ability to process
this traffic and update connection information for endpoints already classified as IP Phones.
The ability to process and update IP Phone connectivity information is applicable for the
following use cases:
- Device Profiling: Revalidate IP Phone on connect
- Automated Voice VLAN Configuration

Note: Function is disabled by default.

 Connection information of hosts daisy-chained to the phone: FortiNAC learns when


endpoints come and go from the phone ports through either MAC Notification Traps or
RADIUS authentication. FortiNAC cannot rely on linkUp/linkDown traps since the IP
Phone keeps the link state up.

Note: RADIUS authentication may not provide real time information when an endpoint
disconnects.

Host Connection Process Through Phone Port


1. PC connects to the port on the back of the phone.
2. FortiNAC learns of the connection:
 If MAC Notification Traps are enabled, a trap is sent to FortiNAC.
 If RADIUS is configured, an Access Request is sent to FortiNAC.
 If neither MAC Notification Traps nor RADIUS are configured, then the presence of the host
connection is not detected until the next L2 Poll. The host will connect immediately to the
network or VLAN to which the port is currently set. If the polling interval is very long, a
host may have to wait before being able to register or moving to the correct VLAN.
3. FortiNAC searches for the PC’s MAC address in the database to determine whether or not it is
registered.
4. If it is not registered, the PC is placed in the Registration VLAN but the phone remains in the
Voice VLAN.
5. If it is registered, the PC is placed in the Production VLAN but the phone remains in the Voice
VLAN.

Note: Once an IP Phone is connected to a port, FortiNAC does not bring down the interface to
change VLANs. If there is an agent installed on the connected machine, the agent does a
release/renew of the IP address (see PA Optimization under Device Properties in the
Administration Guide). If there is no agent installed, the user must wait for the IP address lease
to expire. Default lease times for FortiNAC isolation scopes are 60 seconds.
5
Requirements
 RADIUS or MAC Notification Traps for accurate and timely connection information
regarding endpoints behind IP Phones.
Note:
o Some switches may not support MAC Notification Traps or RADIUS. In such cases,
consider increasing the L2 Poll frequency for the switch model.
o When a registered IP Phone connects or moves to another wired port, the change is
not detected until an L2 poll is performed on the switch. By default, MAC
Notification Traps for IP Phones are ignored. This setting can be changed under
System > Settings > Network Device, however, enabling the processing of traps
for IP Phones could potentially impact performance.
 Do not trunk Cisco ports that have IP Phones connected. Configure the access (untagged)
VLAN and Voice VLAN for the port. FortiNAC does not manage trunked ports.

IP Phones with Voice VLANs Integration


Configure Switch(es) and Phones
1. Configure a tagged Voice VLAN on switches to which IP Phones will be connected.
2. Configure RADIUS or MAC Notification traps on the same set of switches. For trap
configuration, see the Configuring Traps for MAC Notification reference manual in
the Fortinet Document Library. If the switches do not support either function, the
L2 Polling frequency can be increased under the Polling tab of the switch model in
Network Devices > Topology.
3. Provision the phones with their proprietary configuration.

Configure FortiNAC
Review Model Configuration for Connecting Switches
1. Ensure the switches to which IP Phones are connecting are modeled in Topology. If
not yet modeled, see Add or modify a device in the Administration Guide.
2. Define Voice VLANs (if necessary):
 The Voice VLAN is automatically detected for most switches. Therefore, if the
Voice VLAN(s) field is present, it can be left blank.
 (Cisco non-IOS switches only): Under Network Devices > Topology, modify
the Model Configuration and enter a comma separated list of Voice VLANs in
the Voice VLAN(s) field. This indicates to FortiNAC that devices on that VLAN
should never be moved to any other VLAN.

6
Automated Voice VLAN Configuration (optional)
FortiNAC can automatically configure the Voice VLAN using the following methods:
 FlexCLI: FortiNAC configures the port to support voice when an IP Phone is detected.
The configuration is removed when the phone disconnects. FortiNAC has limited
support for this by leveraging the FlexCLI feature to specify the switch-specific
commands to manage this process. See section in Appendix for instructions.
 RADIUS: When IP Phone connects, FortiNAC includes the Voice VLAN value in
the RADIUS response. Switch ports must be configured for RADIUS
authentication. See section in Appendix for instructions.

7
Create Host Group for IP Phones
Use a host group for configuring automatic removal of stale IP Phone records from the database.
Otherwise, IP Phone records will remain in the database indefinitely (IP Phones do not age based
upon the global age settings in System > Settings > User/Host Management > Aging).

1. In Administrative UI, select System > Groups.


2. From the Group view, click Add.
3. Enter a Group Name such as “IP Phones”.
4. Select Member Type Host. Do not select the IP Phone member type.
5. Configure aging properties:
 Days Valid: Calculates the Expiration Date for each host in the group (regardless of
online status). If left blank, the record will not be removed based on this setting.
 Days Inactive: The number of consecutive days a host is seen offline before
removing from the database. It is recommended to set this value at a minimum.
6. Enter a Group Description (optional).
7. Click OK to save the new group.
8. Proceed with desired method to add phones to the database.

Add IP Phones to the FortiNAC Database


Requirements
 A specific host group created for IP Phones for host record management. See Create Host
Group for IP Phones.
 Define the Device Type as IP Phone. This Device Type indicates to FortiNAC these devices
should be ignored when determining the VLAN for the port.
 Register as a Device.

Methods
IP Phones can be added to the FortiNAC database using one of the following methods:
 Device Profiling Rules: Automatically identify and classify IP Phones. See Add Phones
Using Device Profiler.
 Import using a .csv file: For details, see Import Hosts, Users Or Devices in the
Administration Guide.
 Manually register existing phones: Connect phones to the network then convert host
records to IP Phones using the Register As Device tool. For details, see Register A Host
As A Device in the Administration Guide.
 Manually add phones before they connect: Add a new host record in the Host View,
choose Register As A Device in the Add window, then select IP Phone as the device type.
For details, see Add or Modify a Host in the Administration Guide.

8
Validate
1. Ensure the switch port is configured for enforcement. Right-click on the switch port in Port
View and select Group Membership to verify.
2. Under Hosts > Host View verify FortiNAC IP Phone host record appears with Device Type IP
Phone and shows an online connection status (green adapter record).

3. Check the phone has the proper IP address assigned and is working.
4. Connect an unknown computer behind the phone and attempt to access the network.
5. Verify the following:
 Host shows online and connected to the switch port in Hosts > Host View.
 Ports tab in Topology for the connecting switch model shows the following icon on
the port:

 The port’s untagged (data) VLAN configuration is changed to the isolation VLAN.
Note: Once an IP Phone is connected to a port, FortiNAC does not bring down
the interface to change VLANs. If there is an agent installed on the connected
machine, the agent does a release/renew of the IP address. If there is no agent
installed, the user must wait for the IP address lease to expire. If not using
agents on host machines, configuring shorter lease times for production DHCP
scopes may be desired.
6. Once isolated, register the host.
7. Verify the following:
 Host icon reflects properly in Hosts > Host View.
 Ports tab in Topology for the connecting switch model shows the following icon on
the port:

 The port’s untagged (data) VLAN configuration is changed to the appropriate VLAN.
Note: Once an IP Phone is connected to a port, FortiNAC does not bring down
the interface to change VLANs. If there is an agent installed on the connected
machine, the agent does a release/renew of the IP address. If there is no agent
installed, the user must wait for the IP address lease to expire. Default lease
times for FortiNAC isolation scopes are 60 seconds.

9
Troubleshooting
Related KB Articles
Confirming MAC Notification traps via Administration UI
Troubleshooting VLANs not changing on a wired switch

10
Appendix
Add Phones with Voice VLANs Using Device Profiler (Optional)
Configure Device Profiling Rule(s)
1. Select Hosts > Device Profiling Rules.
2. Click the Add button or select a rule and click Modify.
3. Under the General tab, fill in fields as necessary. For information on each field, see section
Device Profiler/Rules/Adding a rule in the Administration Guide.
Required Settings:
 Type = IP Phone
 Register as = Device in Host View
4. Click Add to Group and select the new IP Phone group created previously.
5. On the Methods tab, one or more methods for identification can be selected. For details on
method selection and rule ranking, see Device Profiler Configuration.

Resulting Workflow
1. Rogue IP phone connects.
2. Device Profiler detects the IP phone.
3. The phone is evaluated. If a rule matches, one of the following occurs:
 Registration = automatic: Phone is registered and searchable in Hosts > Host View.
Phone is listed under Hosts > Profiled Devices.
 Registration = manual: phone is a rogue record and searchable in Hosts > Host View.
Phone is listed under Hosts > Profiled Devices from where the device can be
registered manually.
4. IP Phone Host group: Once registered, the host becomes a member of the new host group,
which then applies to the host record any values set in Days Valid or Days Inactive.
5. Aging: After the defined age time has passed, the IP phone is deleted from the database.
6. If the phone reconnects, it is re-profiled and any configured group aging properties are re-
applied.

Proceed to Validate.

11
Automated Voice VLAN Configuration Using FlexCLI (Optional)
Configure FortiNAC to assign Voice VLAN via RADIUS as IP Phones connect. For a list of
supported vendors, refer to the CLI Configuration section of the Administration Guide.

Cisco CLI example:


interface FastEthernet2/0/10
switchport access vlan 10
switchport mode access
switchport voice vlan 99
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
snmp trap mac-notification change added
snmp trap mac-notification change removed
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
!

1. Navigate to Network Devices > CLI Configuration and add the CLI configuration to set
the voice VLAN. See section CLI Configuration/Add or modify a configuration of the
Administration Guide for more details.

2. Navigate to Network Devices > Topology and modify the switch’s Model Configuration
and define the CLI configuration created in the previous step. See section Logical
networks/Assigning access values and CLI configurations of the Administration Guide for
more details.

12
3. Create a Network Access Policy to apply the CLI configuration when the phone connects.

User/Host Profile Requirement


Who/What by Attribute: Host [Device Type: IP Phone]
Or
Who/What by Group: <Group created for phones in previous step>

Configuration Requirement
Logical Network: <Logical Network associated with the CLI Configuration>

See section Network Access Policies/Add or modify a policy of the Administration Guide for
more details.

4. Once ready to start the automated provisioning, add to the Role-Based Access port group
the ports desired to make the CLI change when an IP Phone connects. This can be done via
the Groups or the Ports view. Important: Test with one port to ensure proper behavior
before adding all ports to this group.
5. For real-time Voice VLAN provisioning as phones connect, proceed to Enable IP Phone MAC
Notification Trap Processing.

13
Automated Voice VLAN Configuration Using RADIUS (Optional)
This configuration is required when the device model is set for Proxy RADIUS mode. It is not
required for Local RADIUS mode. For details on modes see Model configuration in the
Administration Guide.

Configure FortiNAC to assign Voice VLAN via RADIUS as IP Phones connect.


 When set to true, FNAC responds with VLAN value via RADIUS.
 When set to false (default), FNAC responds with access accept with no vlan (NativePolicy).

Contact Support for assistance.

1. Login to FortiNAC CLI as root.


2. Modify /bsc/campusMgr/master_loader/.masterPropertyFile and add the following
lines:

FILE_NAME=./properties_plugin/bridgeManager.properties
{
com.bsc.plugin.bridge.BridgeManager.provisionIPPhones=true
}

3. Save file.
4. Restart FortiNAC processes for the change to take affect:
shutdownNAC
<wait 30 seconds>
startupNAC

5. For real-time Voice VLAN provisioning as phones connect, proceed to Enable IP Phone
MAC Notification Trap Processing.

Enable IP Phone MAC Notification Trap Processing (Optional)


The ability to process and update IP Phone connectivity information is applicable for the following
use cases:
- Device Profiling: Revalidate IP Phone on connect
- Automated Voice Provisioning via CLI

Note: This function should only be enabled when necessary. It has been observed some IP Phones
may initiate frequent Notification Traps. FortiNAC must process each trap, and this behavior can
cause unnecessary work.

To enable FortiNAC to process the traffic, navigate to System > Settings > Network device and
de-select the checkbox next to Ignore MAC Notification Traps for IP Phones.

Proceed to Create Host Group for IP Phones.


14
Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other
jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network
environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except
to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-
identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such
warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto,
whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

15

You might also like