FortiAP Management – Configuring quarantining on SSID

Configuring quarantining on SSID

This guide provides instructions on simple configuration for on SSID. Consider the following for this feature:

l The quarantine function only works with SSID tunnel mode. l The quarantine function is independent of SSID security mode.

The following shows a simple network topology for this recipe:

To quarantine a wireless client on the FortiOS GUI:

1. In FortiOS, go to the policy applied to the SSID and enable All Sessions for Log Allowed Traffic.
2. Edit the SSID:
   1. Go to WiFi & Switch Controller > SSID, and select the desired SSID.
   2. Enable Device Detection.
   3. Enable Quarantine Host.
   4. Click OK.
3. Quarantine a wireless client:
   1. Do one of the following:
      1. Go to Security Fabric > Physical Topology. View the topology by access device.
      2. Go to FortiView > Traffic from LAN/DMZ > Source.

• Go to FortiView > Traffic from LAN/DMZ > WiFi Clients.

1. Right-click the wireless client, then click Quarantine Host.

To quarantine a wireless client using the FortiOS CLI:

1. Under global quarantine settings, enable quarantine:

config user quarantine set quarantine enable

end

2. Under virtual access point (VAP) settings, enable quarantine:

config wireless-controller vap edit wifi-vap set ssid “Fortinet-psk” set security wpa2-only-personal set passphrase fortinet set quarantine enable

next

end

3. Quarantine a wireless client. The example client has the MAC address b4:ae:2b:cb:d1:72:

config user quarantine config targets edit “DESKTOP-Surface” config macs edit b4:ae:2b:cb:d1:72 set description “Surface”

next

end

next

end

end