FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 194167

Description

 
This article describes how to assign Roles to hosts based on User Directory (LDAP) group membership.


Scope


FortiNAC-F, FortiNAC


Solution

 
How this works:
 
  1. The user authenticates and the host is registered to that user. (The registration method can be any: 802.1X, Portal, Agent, etc.)
  2. When a host is registered to a user who is a member of a synchronized LDAP group, the host is added as an element of the corresponding Host group in FortiNAC.
  3. FortiNAC assigns to the host the Role mapped to that group.
 
Configure LDAP and select the groups that will be synchronized with FortiNAC.
 
In this example, the test user is 'jdoe', who is a member of the group 'Network_team'.
 
  • Select the group to be synchronized in System -> Settings -> Authentication -> LDAP -> Modify -> Select Groups.
 Group_select.png
Figure 1. Group selection in LDAP
 
Perform a manual synchronization with the directory and verify that the group is added as a Host group under System -> Groups.
From this point on, if a user who is a member of this group authenticates, FortiNAC associates that user with the host after registration.
The host entry is then moved to the Network_team host group in FortiNAC and, once the Role-Group mapping in the next step is configured, the host is assigned the IT role bound to that group.

Add Role-Group mapping.
 
Navigate to Policy & Objects -> Roles, select Add, input a Role name, and select the LDAP group to bind to it.

Role_group_assignment.png
Figure 2. Role to group binding.

 

Roles have an assignment order, explained in the following article:

Technical Tip: Role assignment order

 
Validation.
 
In this example, registration is tested through the Standard User Login in the Captive Portal.
After authentication, FortiNAC performs a user lookup in Active Directory and updates the host record:
 

Log output in output.master:


yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: HostServer.updateHost(DESKTOP-FL3MH7T jdoe 00:15:5D:E4:1F:3B) starting
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: HostServer.updateHost() autoCreate = false host = DESKTOP-FL3MH7T jdoe 00:15:5D:E4:1F:3B type = Server host type = 8
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: HostServer.updateHost() DESKTOP-FL3MH7T jdoe 00:15:5D:E4:1F:3B updating OS to Server Windows
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: HostServer.updateHost() updating host. host = DESKTOP-FL3MH7T jdoe 00:15:5D:E4:1F:3B
com.bsc.plugin.dynamic.HostServer.update() starting: object id = 17
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: Changes =
{128=Server Windows, 4398046511104=Server}
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: HostServer.setRole() role = IT
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: oldHost type = 8
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: newHost type = 8
com.bsc.plugin.dynamic.HostServer replace(17) starting replaceCount = 72
yams.HostServer FINER :: 2024-03-27 11:51:37:272 :: #786 :: replace wrote 17, ready to call listeners
yams.HostServer FINER :: 2024-03-27 11:51:37:272 :: #786 :: checkListeners called for object 17, #listeners = 4, type = 3
yams.HostServer FINER :: 2024-03-27 11:51:37:272 :: #786 :: old object = Host Record:
Landscape = 91769544454 00:15:5D:E4:1F:06
ID = 17
hostName = DESKTOP-FL3MH7T
owner = jdoe
policy = null
os = Windows
hardwareType =
application = null
notes = null
Creation Time = Wed Mar 27 11:51:18 CET 2024
Expiration Date =
Inactivity = 1 Days
Inactivity Date =
Last Successful Poll = Never Been Polled
Status = Connected
loggedOnUserId = jdoe
patchManagementVendor = null
patchManagementID = null
role = IT

 

  • In System -> Groups, confirm that the host record has been added to the Network_team group:

 

Host_in_group.png

 Figure 3. Host added as member of group

 

Verify the host attributes and role from the FortiNAC CLI as follows:

 

dumphostrecords -mac 00:15:5D:E4:1F:3B


Host Record:
Landscape = 91769544454 00:15:5D:E4:1F:06
ID = 18
hostName = DESKTOP-FL3MH7T
owner = jdoe
policy = null
os = Server Windows
Status = Connected
loggedOnUserId = jdoe
patchManagementVendor = null
patchManagementID = null
role = IT

.

.
Adapter[0] = 00:15:5D:E4:1F:3B

 

At this point, both the Role and the Host group membership can be used as matching criteria in Network Access Policies.
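The validation above is done by eye against the output.master lines and the dumphostrecords dump. The following script automates that cross-check. It is an added example and not FortiNAC code: the group-to-role table (GROUP_ROLE_MAP), the function names, and the sample dump and log text (constructed from the output shown in this article, abridged) are all assumptions made for the illustration. It parses the 'key = value' host record, extracts the HostServer.setRole() events from the log, and reports any discrepancy between the role FortiNAC wrote and the role the user's LDAP groups should have produced.

```python
"""Cross-check a FortiNAC host record against output.master role events
and the expected LDAP group -> Role binding. Added example, not FortiNAC code."""
import re

# Assumed mapping, matching the Role-Group binding configured in this article.
GROUP_ROLE_MAP = {
    "Network_team": "IT",
}

# Constructed sample: abridged 'dumphostrecords -mac 00:15:5D:E4:1F:3B' output.
SAMPLE_DUMPHOSTRECORDS = """\
Host Record:
Landscape = 91769544454 00:15:5D:E4:1F:06
ID = 18
hostName = DESKTOP-FL3MH7T
owner = jdoe
policy = null
os = Server Windows
Creation Time = Wed Mar 27 11:51:18 CET 2024
Expiration Date =
Status = Connected
loggedOnUserId = jdoe
patchManagementVendor = null
patchManagementID = null
role = IT
.
Adapter[0] = 00:15:5D:E4:1F:3B
"""

# Constructed sample: output.master lines in the format shown above.
SAMPLE_OUTPUT_MASTER = """\
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: HostServer.updateHost(DESKTOP-FL3MH7T jdoe 00:15:5D:E4:1F:3B) starting
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: HostServer.setRole() role = IT
yams.HostServer FINER :: 2024-03-27 11:51:37:272 :: #786 :: replace wrote 17, ready to call listeners
"""

# 'key = value' lines; keys may contain spaces ("Creation Time") or brackets ("Adapter[0]").
FIELD_RE = re.compile(r"^\s*([A-Za-z][\w \[\]]*?)\s*=\s*(.*?)\s*$")
SETROLE_RE = re.compile(r"HostServer\.setRole\(\)\s+role\s*=\s*(\S+)")


def parse_host_record(text):
    """Turn a dumphostrecords dump into a dict. 'null' and empty values become
    None; Adapter[n] entries are collected in the 'adapters' list."""
    rec = {"adapters": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # header, separator dots, or free text
        key, val = m.group(1), m.group(2)
        if val in ("", "null"):
            val = None
        if key.startswith("Adapter["):
            rec["adapters"].append(val)
        else:
            rec[key] = val
    return rec


def setrole_events(log_text):
    """Roles announced by HostServer.setRole() in output.master, in log order."""
    return [m.group(1) for m in (SETROLE_RE.search(l) for l in log_text.splitlines()) if m]


def expected_role(user_groups):
    """Role the user's synchronized LDAP groups should produce. First match in
    GROUP_ROLE_MAP order wins; this is a simplification of FortiNAC's own
    role assignment order and is an assumption of this example."""
    for group, role in GROUP_ROLE_MAP.items():
        if group in user_groups:
            return role
    return None


def verify_role(dump_text, log_text, user_groups, mac):
    """Return (ok, findings): ok is True when dump, log and mapping agree."""
    rec = parse_host_record(dump_text)
    findings = []
    adapters = [a.upper() for a in rec["adapters"] if a]
    if mac.upper() not in adapters:
        findings.append(f"adapter {mac} not present in host record")
    want = expected_role(user_groups)
    got = rec.get("role")
    if got != want:
        findings.append(f"dumphostrecords role={got!r}, expected {want!r}")
    events = setrole_events(log_text)
    if not events:
        findings.append("no HostServer.setRole() event in output.master")
    elif events[-1] != want:
        findings.append(f"last setRole() in log was {events[-1]!r}, expected {want!r}")
    if rec.get("loggedOnUserId") != rec.get("owner"):
        findings.append("loggedOnUserId differs from owner; host may be registered to another user")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = verify_role(SAMPLE_DUMPHOSTRECORDS, SAMPLE_OUTPUT_MASTER,
                               ["Network_team"], "00:15:5d:e4:1f:3b")
    print("OK" if ok else "MISMATCH", findings)
```

Running the script with the user's real group list (for example from an LDAP lookup of memberOf) is the useful case: a host that carries the IT role while its owner is not in Network_team, or a dump whose owner and loggedOnUserId differ, is exactly the condition to investigate before relying on the role in a Network Access Policy.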

 

Related article:

Technical Tip: What causes a host to be moved to an imported LDAP Host Group