Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Staff

Created on ‎09-28-2018 07:55 AM Edited on ‎04-22-2024 05:55 AM By Moderator

Article Id 194167

Technical Tip: How to Populate a Role from a Group

Description

 
The article describes how to assign Roles based on User Directory group membership.


Scope


FortiNAC-F, FortiNAC


Solution

 
How this works:
 
  1. The user authenticates and the host is registered to that user. (Registration method can by any: 802.1x, Portal, Agent etc.)
  2. Hosts are added as an element in the synchronized Host group in FortiNAC when they are registered with a user who is a member of that LDAP group. 
  3. FortiNAC will assign to the Host the Role mapped to the Group
 
Configure LDAP and select the groups that will be synchronized with FortiNAC.
 
In this example we will test with user: 'jdoe' who is a member of the group 'Network_team'.
 
  • Select the group to be synchronized in System -> Settings -> Authentication -> LDAP>Modify -> Select Groups.
 Group_select.png
Figure 1. Group selection in LDAP
 
Perform a manual synchronization with the directory and verify the Group is added as a Host group in FortiNAC System ->Groups.
At this point, If a user that is part of this group authenticates, FortiNAC will associate that user with the Host after registration.
The host entry will then be moved to the Network_team group in FortiNAC. The host will then be assigned the IT role since it is a role bound to the mapped group.

Add Role-Group mapping.
 
Navigate to Policy & Objects -> Roles, select ADD input a Role name, and select the correct LDAP group.

Role_group_assignment.png
Figure 2. Role to group binding.

 

Roles have an assignment order explained in Technical Tip: Role assignment order.

 
Validation.
 
In this example, registration will be tested through the Standard User Login in the Captive Portal.
After authenticating FortiNAC will perform a user lookup in Active Directory and update the host record:
 

Log output in output.master:


yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: HostServer.updateHost(DESKTOP-FL3MH7T jdoe 00:15:5D:E4:1F:3B) starting
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: HostServer.updateHost() autoCreate = false host = DESKTOP-FL3MH7T jdoe 00:15:5D:E4:1F:3B type = Server host type = 8
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: HostServer.updateHost() DESKTOP-FL3MH7T jdoe 00:15:5D:E4:1F:3B updating OS to Server Windows
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: HostServer.updateHost() updating host. host = DESKTOP-FL3MH7T jdoe 00:15:5D:E4:1F:3B
com.bsc.plugin.dynamic.HostServer.update() starting: object id = 17yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: Changes =
{128=Server Windows, 4398046511104=Server}
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: HostServer.setRole() role = IT
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: oldHost type = 8
yams.HostServer FINER :: 2024-03-27 11:51:37:270 :: #786 :: newHost type = 8
com.bsc.plugin.dynamic.HostServer replace(17) starting replaceCount = 72yams.HostServer FINER :: 2024-03-27 11:51:37:272 :: #786 :: replace wrote 17, ready to call listeners
yams.HostServer FINER :: 2024-03-27 11:51:37:272 :: #786 :: checkListeners called for object 17, #listeners = 4, type = 3
yams.HostServer FINER :: 2024-03-27 11:51:37:272 :: #786 :: old object = Host Record:
Landscape = 91769544454 00:15:5D:E4:1F:06
ID = 17
hostName = DESKTOP-FL3MH7T
owner = jdoe
policy = null
os = Windows
hardwareType =
application = null
notes = null
Creation Time = Wed Mar 27 11:51:18 CET 2024
Expiration Date =
Inactivity = 1 Days
Inactivity Date =
Last Successful Poll = Never Been Polled
Status = Connected
loggedOnUserId = jdoe
patchManagementVendor = null
patchManagementID = null
role = IT

 

  • In System -> Groups,  confirm that the Host record is added to the Network_team group:

 

Host_in_group.png

 Figure 3. Host added as member of group

 

Verify the host attributes and role in FortiNAC CLIS as follows:

 

dumphostrecords -mac 00:15:5D:E4:1F:3B


Host Record:
Landscape = 91769544454 00:15:5D:E4:1F:06
ID = 18
hostName = DESKTOP-FL3MH7T
owner = jdoe
policy = null
os = Server Windows
Status = Connected
loggedOnUserId = jdoe
patchManagementVendor = null
patchManagementID = null
role = IT

.

.
Adapter[0] = 00:15:5D:E4:1F:3B

 

At this point, both Role and group membership can be used as matching criteria for Network access policies.

 

NOTE:  If a FortiNAC local administrator account is created with the same name as the LDAP user, unexpected behavior in User/Host roles will occur since FortiNAC will have already stored the account as an administrative one in its database. In these cases, there will be no group membership lookup performed since the user will be treated as a local one.

 

Example logs:

 

yams INFO :: 2024-04-09 14:41:48:055 :: #391 :: Not an ldap user. userID = admin authType = CM

 

To identify user type and authentication attributes in the CLI, run the following command (example output is shown):

 

dumpuserrecords -userid admin
UserRecord:
Landscape = 91769544454 00:15:5D:E4:1F:06
ID = 3
Role = NAC-Default
Type = Administrative
Admin Profile DBID = 1
Directory Policy = null
DN = null
Position = null
Email Address = null
First Name = Admin
Last Name = admin
User ID = admin
notes = null
Creation Time = Thu May 18 12:01:28 CEST 2023
Expiration Date = Never
Inactivity Days = Never
Inactivity Date = Not Configured
Last Login Date = Mon Apr 22 14:31:15 CEST 2024
Status = Disconnected
Security Access Value = null
locale = en_US
Extra Info =
Attribute: AuthenticateType = CM

 

For a remote LDAP user, FortiNAC will print the following output:


dumpuserrecords -userid jdoe
UserRecord:
Landscape = 91769544454 00:15:5D:E4:1F:06
ID = 5
Role = IT
Type = UserRecord
Admin Profile DBID = 0
Directory Policy = Fortinet
DN = CN=doe,CN=Users,DC=forti,DC=lab
Position = null
Email Address = null
First Name = john
Last Name = null
User ID = jdoe
notes = null
Creation Time = Fri Apr 19 16:20:40 CEST 2024
Expiration Date = Not Configured
Inactivity Days = Not Configured
Inactivity Date = Not Configured
Last Login Date = Fri Apr 19 16:35:23 CEST 2024
Status = Disconnected
Security Access Value = Fortinet
Extra Info =
Attribute: Directory = 10.10.10.2
Attribute: MODEL_NAME = fortiDC
Attribute: AuthenticateType = LDAP
Attribute: msDS-PrincipalName = FORTI\jdoe

 

Verifying how the user record is stored in FortiNAC will make it possible to identify how FortiNAC validates the user upon host registration, since this would then determine group membership and Role based access.

 

Related article:

Technical Tip: What causes a host to be moved to an imported LDAP Host Group.

Labels:
477
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.