Administration Guide

Device profiler implementation

The initial implementation of Device Profiler is performed by a FortiNAC administrator. Day-to-day management of Device Profiler can be done by an administrative user with an Admin Profile, referred to here as a Device manager profile. This section of the documentation outlines the implementation process in the order in which it should be done.

Administrator

Administrators have full rights to all parts of the FortiNAC system and can fully implement Device Profiler without needing a Device manager user to manage devices. However, in most organizations these responsibilities are divided up. To begin implementing Device Profiler, you must do the following:

  • Create or modify device profile rules that help identify new devices. See Device profiling rules.
  • If you plan to have a Device manager manage new devices, you must create a Device manager Admin Profile that can be attached to an administrative user and provides the appropriate permissions. Keep in mind that an Admin Profile can be created so that the same administrative user is also responsible for Guest Manager; Guest Manager permissions are provided via an Admin Profile. See Administrative user profiles for device managers.
  • Once the Device manager Admin Profile has been created with the appropriate permissions, you must attach that profile to an administrative user. Administrative users can only have one profile attached. See Add an administrative user for device profiler.
  • If you decide to use the role-based access features of FortiNAC for hosts managed in Topology View, you must go to Role Management and configure settings for the device roles. You can also create and use additional roles. In this case, the devices that are managed by Device Profiler are considered hosts. Roles are assigned to devices as they are added to FortiNAC. Every device and host must have a role; if no role is selected, devices and hosts are added to the NAC Default role. See Role management for additional information.

    Note

    In order to use Role Management you must have access to the entire FortiNAC product.

  • For hosts managed in the Hosts View, role is an attribute of the host and can be used as a filter in User/Host Profiles. Those profiles determine which Network Access Policy, Endpoint Compliance Policy, Supplicant EasyConnect Policy and Portal Policy are applied. See Policies.
  • Device Profiler processes can generate events and alarms that you may want to monitor. See Device profiler events and alarms.
  • Device Profiling rules allow you to limit access to the network based on time of day or day of week. During the time that the device is not allowed to access the network it is marked "At Risk" for the Guest No Access admin scan. If you choose to implement this feature for any rule, the following requirements must be met:
    • You must have a quarantine or remediation VLAN on your network.
    • Ports through which a device would connect must be in the Forced Remediation Group (applies only to wired ports). See Groups view.
    • The Model Configuration for all switches to which devices connect must have an entry for the Quarantine VLAN. This applies to both wired and wireless switches and access points. See Model configuration.
    • The Access Time feature can only be enabled for rules that register a device in the Host View or in both Host and Topology View.
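The following Python model is an added illustration, not FortiNAC code or its API: it encodes the access-time prerequisites listed above as a checklist over a constructed deployment description, and evaluates a day-of-week/time-of-day window (including one that wraps midnight) to decide whether a device is inside its allowed period or marked "At Risk". The `AccessTimeRule` and `NetworkState` fields and the "Allowed" label are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Hypothetical model of an access-time rule (added example, not FortiNAC's data model).
# days: allowed weekdays, 0=Monday .. 6=Sunday; start/end: daily window, may wrap midnight.
@dataclass
class AccessTimeRule:
    name: str
    register_in: str                       # "host", "topology" or "both"
    days: set = field(default_factory=set)
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

# Constructed description of the deployment, used only for the prerequisite checks.
@dataclass
class NetworkState:
    has_quarantine_vlan: bool
    ports_in_forced_remediation: set       # wired port ids in the Forced Remediation Group
    model_config_quarantine_vlan: set      # switches/APs whose Model Configuration lists the Quarantine VLAN


def prerequisite_problems(rule, net, connecting_port, device_switch, wired=True):
    """Return the guide's access-time prerequisites that this deployment fails (empty list = all met)."""
    problems = []
    if rule.register_in not in ("host", "both"):
        problems.append("Access Time requires a rule that registers in Host View or both views")
    if not net.has_quarantine_vlan:
        problems.append("no quarantine/remediation VLAN on the network")
    if wired and connecting_port not in net.ports_in_forced_remediation:
        problems.append(f"wired port {connecting_port} is not in the Forced Remediation Group")
    if device_switch not in net.model_config_quarantine_vlan:
        problems.append(f"Model Configuration for {device_switch} has no Quarantine VLAN entry")
    return problems


def in_window(rule, now):
    """True when `now` falls on an allowed day inside the rule's time window."""
    t = now.time()
    if rule.start <= rule.end:                      # ordinary same-day window
        return now.weekday() in rule.days and rule.start <= t <= rule.end
    # Window wraps midnight (e.g. 22:00-06:00): the early-morning part belongs
    # to the previous day's allowed window, so check the previous weekday.
    if t >= rule.start:
        return now.weekday() in rule.days
    return ((now.weekday() - 1) % 7) in rule.days and t <= rule.end


def host_status(rule, now):
    """Outside the window the guide marks the host "At Risk" for the Guest No Access admin scan."""
    return "Allowed" if in_window(rule, now) else "At Risk"
```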

Device manager

Device managers have the following responsibilities. Administrators can perform these functions also.

Device managers can manage devices or end-stations that have been categorized by Device Profiler. Management options include registering, deleting and enabling/disabling devices. In addition, the Device manager can add notes to a device record and export a list of records in multiple formats. See Profiled devices for more information.