System groups
The groups listed below are default system groups that exist within the FortiNAC database. They cannot be deleted. Some groups need to be fine tuned to your network. Details are included in the table below.
| Category | Group | Definition |
|---|---|---|
| Administrator | All Management | FortiNAC administrators with all management access rights. Initially contains only admin and root. New administrators are added to this group automatically. This is the default group for e-mail notifications triggered by alarms. Add users to your own specific Administrator groups to give them privileges to manage (disable and enable) specific hosts and ports. If you place a user into your own Administrator group, be sure to remove that user from the All Management group. See Limit user access with groups. |
| Port | Access Point | Ports with authorized access points connected and FortiNAC serving DHCP. Examples are dumb hubs or wireless units. FortiNAC provides management of hosts connecting through these access points. |
| Port | Authorized Access Points | Ports that have authorized access points connected. Access points that connect to these ports do not generate Multi Access Point Detected events or alarms, and the port is not switched to another VLAN during, for example, Forced Registration or role management VLAN switching. Access points that connect to ports that are not in this group do generate an event or alarm. Add switch ports that connect to hubs and wireless access points to this group. |
| Port | Forced Authentication | Ports that participate in forced authentication when unauthenticated users connect. When a host connects to a port in this group and is unauthenticated, the port is put into the isolation VLAN and the host is forced to authenticate. |
| Port | Forced Registration | Ports that participate in forced registration when unregistered hosts connect. Add switch ports that should participate in forced registration when an Unregistered Host connects to this group. Only ports in this group have their VLAN ID set to the Registration VLAN when an Unregistered Host connects. |
| Port | Forced Remediation | Ports that participate in forced remediation VLAN switching when hosts connect. |
| Port | Reset Forced Default | Ports that return to the default VLAN when hosts disconnect. |
| Port | Reset Forced | Ports that return to the Registration VLAN when hosts disconnect. |
| Port | Role-Based Access | Ports that participate in role-based access and switch VLANs based on the role of network devices, such as printers, when they connect. Add switch ports that participate in VLAN switching. Ports that participate have their VLAN ID set to the role specified for the connected network device. Example: a printer is set up with the role "Accounting". When the printer connects to a port in this group, the printer is switched to the VLAN associated with the "Accounting" role. |
| Port | System DHCP Port | The port used to discover unauthorized DHCP servers and validate authorized DHCP servers. |
| Device | Authorized DHCP Servers | Servers that are authorized to serve DHCP on the network. |
| Device | Bridging Devices | Devices that support the SNMP bridging MIB. |
| Device | Device Interface Status | Devices created through Discovery or created manually are automatically added to this group. Use this group in conjunction with the task scheduler to periodically update the interface status for each device in the group. |
| Device | L2 Network Devices | Devices that support the standard 802.1d bridge table. This group is also used for filtering the list of devices displayed on the L2 Network Devices window. As new L2 devices are discovered, they are added automatically to this group and to either L2 Wired Devices or L2 Wireless Devices. |
| Device | L2 Wired Devices | A sub-group of L2 Network Devices that is used for filtering on the L2 Network Devices window. L2 wired devices are added to this group automatically as they are discovered. Note: removing a device from this group does not disable L2 (Hosts) Polling under the Polling tab in Inventory. |
| Device | L2 Wireless Devices | A sub-group of L2 Network Devices that is used for filtering on the L2 Network Devices window. L2 wireless devices are added to this group automatically as they are discovered. Note: removing a device from this group does not disable L2 (Hosts) Polling under the Polling tab in Inventory. |
| Device | L3 (IP-->MAC) | This group must be populated manually with your L3 devices. The L3 group can be used for filtering on the L3 Polling window. |
| Device | Physical Address | Devices that participate in the enabling and disabling of hosts. Add switches that participate in host disabling to this group. If a host is connected to a switch that is not in the Physical Address group and that host is disabled through FortiNAC, the host remains connected to the network and is displayed as in violation. Add the switch regardless of whether hosts are disabled through a Dead End VLAN or through MAC address security. |
| Host view | Forced Scan Exceptions | Hosts that do not participate in forced scans. |
| Host view | Forced User Authentication Exceptions | Hosts that do not participate in forced user authentication. |
| Host view | Forced Remediation Exceptions | Hosts in this group are scanned and can be marked "at risk", but are never put into remediation. Scan results are stored, allowing the administrator to review them and take corrective action without disrupting users on the network. |
| Host view | Global Agent Update Exceptions | Hosts in this group are excluded from automatic Persistent Agent updates. Updates are controlled by MAC address. If a host has more than one MAC address, the host is not updated as long as any one of its MAC addresses is listed in this group. |
| Host view | Registered Hosts | Group of all registered hosts. |
| Host view | Rogue Hosts | This group has a special property that controls whether or not rogue hosts can access the network. Under Group Properties for this group, the Access field can be set to either Deny or Allow. Devices that are not in the Inventory but are connected to managed switches are created as rogue hosts. If rogue hosts are denied access to the network, they are disabled. To prevent this from causing problems with new devices such as printers, lab hosts or servers, you must register them as devices or as hosts. See Register a host as a device or Add or modify a host for detailed instructions. |