Configuring quarantining on SSID
This guide provides instructions for a simple configuration of quarantining on an SSID. Consider the following for this feature:
- The quarantine function only works with SSID tunnel mode.
- The quarantine function is independent of SSID security mode.
The following shows a simple network topology for this recipe:
To quarantine a wireless client on the FortiOS GUI:
- In FortiOS, go to the policy applied to the SSID and enable All Sessions for Log Allowed Traffic.
- Edit the SSID:
  - Go to WiFi & Switch Controller > SSID, and select the desired SSID.
  - Enable Device Detection.
  - Enable Quarantine Host.
  - Click OK.
- Quarantine a wireless client:
  - Do one of the following:
    - Go to Security Fabric > Physical Topology. View the topology by access device.
    - Go to FortiView > Traffic from LAN/DMZ > Source.
    - Go to FortiView > Traffic from LAN/DMZ > WiFi Clients.
  - Right-click the wireless client, then click Quarantine Host.
To quarantine a wireless client using the FortiOS CLI:
- Under global quarantine settings, enable quarantine:
    config user quarantine
        set quarantine enable
    end
- Under virtual access point (VAP) settings, enable quarantine:
    config wireless-controller vap
        edit wifi-vap
            set ssid "Fortinet-psk"
            set security wpa2-only-personal
            set passphrase fortinet
            set quarantine enable
        next
    end
- Quarantine a wireless client. The example client has the MAC address b4:ae:2b:cb:d1:72:
    config user quarantine
        config targets
            edit "DESKTOP-Surface"
                config macs
                    edit b4:ae:2b:cb:d1:72
                        set description "Surface"
                    next
                end
            next
        end
    end
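
To check a device against the CLI steps above, the following added example (not Fortinet code and not part of the original guide) parses FortiOS configuration text and reports whether global and per-VAP quarantine are enabled, flags any VAP that is not in tunnel mode, and lists the quarantined MAC addresses. Assumptions: the input comes from `show full-configuration` so that default values appear explicitly; `local-bridging` is the FortiOS VAP option for bridge mode and is not mentioned in this guide; `guest-vap` and the function names are hypothetical.

```python
import shlex
SAMPLE = """
config user quarantine
    set quarantine enable
    config targets
        edit "DESKTOP-Surface"
            config macs
                edit b4:ae:2b:cb:d1:72
                next
            end
        next
    end
end
config wireless-controller vap
    edit wifi-vap
        set quarantine enable
    next
    edit guest-vap
        set local-bridging enable
        set quarantine disable
    next
end
"""  # constructed sample: the page's stanzas plus a hypothetical guest-vap

def parse_fortios(text):
    """Turn config/edit/set/next/end lines into nested dicts."""
    stack = [{}]
    for line in text.splitlines():
        tok = shlex.split(line)  # handles quoted names such as "DESKTOP-Surface"
        if tok and tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok and tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
        elif len(tok) > 2 and tok[0] == "set":
            stack[-1][tok[1]] = " ".join(tok[2:])
    return stack[0]

def audit_quarantine(text):
    """Return (findings, quarantined MACs) for FortiOS config text."""
    cfg = parse_fortios(text)
    uq = cfg.get("user quarantine", {})
    findings = [] if uq.get("quarantine") == "enable" else ["global: quarantine not enabled"]
    for name, vap in cfg.get("wireless-controller vap", {}).items():
        if vap.get("quarantine") != "enable":
            findings.append(f"{name}: quarantine not enabled")
        if vap.get("local-bridging") == "enable":  # bridged SSID, not tunnel mode
            findings.append(f"{name}: not in tunnel mode")
    macs = sorted(m.lower() for t in uq.get("targets", {}).values() for m in t.get("macs", {}))
    return findings, macs
```

Calling `audit_quarantine(SAMPLE)` returns the two findings for `guest-vap` and the single quarantined MAC address from the page's example.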