
Administration Guide

7.4.0

Implementation

The initial implementation of device profiler is performed by a FortiNAC administrator. Day-to-day management of device profiler can be delegated to an administrator who has been assigned a restricted administrator profile, referred to here as a Device manager profile. This section of the documentation outlines the implementation process in the order in which it should be done.

Administrator

Administrators have full rights to all parts of the FortiNAC system and can fully implement device profiler without needing a Device manager user to manage devices. However, in most organizations these responsibilities are divided up. To begin implementing device profiler, you must do the following:

  • Create or modify device profile rules that help identify new devices. See Device profiling rules.
  • If you plan to have a Device manager manage new devices, you must create a Device manager administrator profile that grants the appropriate permissions and can be attached to an administrator. Keep in mind that a single administrator profile can also grant guest manager permissions, so the same administrator can be responsible for both device profiler and guest manager. See Profiles for device managers.
  • Once the Device manager administrator profile has been created with the appropriate permissions, you must attach that profile to an administrator. An administrator can have only one profile attached. See Add an administrator.
  • If you decide to use the role-based access features of FortiNAC for hosts managed in Inventory, you must go to role management and configure settings for the device roles. You can also create and use additional roles. In this case, the devices that are managed by device profiler are considered hosts. Roles are assigned to devices as they are added to FortiNAC. Every device and host must have a role; if no role is selected, devices and hosts are added to the NAC Default role. See Roles for additional information.
  • For hosts managed in the Hosts View, role is an attribute of the host and can be used as a filter in user/host profiles. Those profiles determine which network access policy, endpoint compliance policy, Supplicant EasyConnect Policy and Portal Policy are applied. See Policy & Objects.
  • Device profiler processes can generate events and alarms that you may want to monitor. See Events and alarms.
  • Device profiling rules allow you to limit access to the network based on time of day or day of week. During the time that the device is not allowed to access the network, it is marked "At Risk" for the Guest No Access admin scan. If you choose to implement this feature for any rule, the following requirements must be met:
    • You must have a quarantine or remediation VLAN on your network.
    • Ports through which a device would connect must be in the Forced Remediation Group (applies only to wired ports). See Groups.
    • The Model Configuration for all switches to which devices connect must have an entry for the quarantine VLAN. This applies to both wired and wireless switches and access points. See Model configuration.
    • Access time can only be enabled for rules that register a device in the Host View, or in both the Host View and Inventory.

Device manager

Device managers have the following responsibilities. Administrators can also perform these functions.

Device managers can manage devices or end-stations that have been categorized by device profiler. Management options include registering, deleting and enabling/disabling devices. In addition, the Device manager can add notes to a device record and export a list of records in multiple formats. See Configure profiled devices for more information.
