Administration Guide

Customize login and logout scripts

FortiNAC allows you to register hosts using login and logout scripts. These scripts are provided for you on the appliance. They contain variables that must be modified to match your environment and requirements. Scripts are located in the following directory:

/bsc/campusMgr/ui/runTime/config/ldap

The scripts that should be modified are sendLogIn.vbs and sendLogOut.vbs. It is recommended that you review the comments contained within each script. They contain the most up-to-date information about the variables that can be used and the additional parameters that can be set.

To use the scripts, copy them to the directory server, such as your Active Directory server. After they have been copied, use the information in the Variables and Trap parameters tables below to modify the necessary parameters.

To receive traps from the scripts, you must have the latest versions of snmptrap.exe and libsnmp.dll on the directory server in the same directory that contains the scripts. These two files are part of a package that can be downloaded and installed on your directory server from http://www.net-snmp.org/download.html. Select the latest binaries. From the list of download files, select the file that is in the following format: net-snmp-<version number>.exe.

Registration types

There are two types of registration that can be done using scripts. A host can be registered as a host with an associated user or as a device with no identity. When a host is registered as a device, the host name of the device is used. Hosts can also be left as rogues.

If you are registering shared hosts, such as computers in a lab, you may want to modify the script to register the computers as devices.

| Registration Type | Settings |
|---|---|
| Host / User | Register the host as a host by user name. REG_ROGUE = "0", REG_BY_USER = "1" |
| Device | Register the host as a device by host name. REG_ROGUE = "0", REG_BY_USER = "0" |

Registration examples

In the two examples above, the login script was set to register by user. Both the host and the user are shown, first from the User View and second from the Host View. The host shows as Type - Registered, indicating that it is registered to a user. The host is associated with or Registered To the user.

In the two examples above, the login script was set to register by device. Both the host and the user are shown, but there is no association between the host and the user. The User View example shows Type - Logged On, indicating that the user is logged onto this host but that the host is not Registered to a user. The Registered To field is blank. The Host View represents the actual computer. The User View represents the temporary user who logged into the host.

Variables

Variable

Definition

Required variables

ACTION

Indicates whether this script is for logon or logoff.

Type = Integer
Logoff = 0
Logon = 1
Logon Started = 2

Example: ACTION = "1"

REG_ROGUE

When Register is enabled, the host is registered either by user name or as a device by host name, based on the Register by User setting.

If Do not register is enabled, the host remains a rogue.

Type = Integer
Register = 0
Do not register = 1

Example: REG_ROGUE = "0"

WHITELIST

If enabled, adds the host to the Forced User Authentication Exceptions group. A user logging in on a host in this group is not forced to authenticate. Default is disabled.

Type = Integer
Do not add = 0
Add = 1

Example: WHITELIST = "0"

REG_BY_USER

Registers the host by user name as a host or by host name as a device.

Type = Integer
Register as device = 0
Register by user name = 1

Example: REG_BY_USER = "0"

DIRECTORY_SERVER

Your Active Directory server. If you have more than one Active Directory server for failover, it is recommended that you use your domain name instead of the IP address.

Example: DIRECTORY_SERVER = "192.168.102.2"

Example: DIRECTORY_SERVER = "bradfordnetworks.com"

DIRECTORY_SHARED

Active Directory server's shared directory where the login/logoff scripts, snmptrap.exe and libsnmp.dll files are stored. If you have more than one Active Directory server for failover, it is recommended that you use your domain name instead of the IP address.

Example:
DIRECTORY_SHARED ="\\192.168.102.2\sysvol\eng.local\scripts\"

Example:
DIRECTORY_SHARED ="\\bradfordnetworks.com\sysvol\eng.local\scripts\"

Novell specific variables

USE_ENV_USERNAME

Indicates whether or not the user name should come from another variable. To enable, set this to True.

If you are not using Novell or if the User Name entered at login is sufficient, set this to False.

Example: USE_ENV_USERNAME = False

ENV_USERNAME_VARIABLE

The variable containing the User Name. This information is used only if USE_ENV_USERNAME is set to True.

Example: ENV_USERNAME_VARIABLE = "%NWUSERNAME%"

Optional changes - sample

Wscript.Sleep 5000

Add before the last “End If” statement. This makes the script wait 5 seconds allowing more time for processes to start or finish.

REM End If
Wscript.Sleep 5000
End If
Next
End Function

You may choose to make other modifications to the script to accommodate requirements outside FortiNAC. For example, you may choose to add a timer that waits a few seconds before ending the script.
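The Registration types and Variables tables above can be turned into a pre-deployment check. The Python below is an added example, not part of Fortinet's scripts or documentation. It assumes the settings appear as plain NAME = "value" lines, as in the examples on this page; the function names and the sample script text are constructed for illustration.

```python
import re

# Allowed values, taken from the Variables table on this page.
ALLOWED = {"ACTION": {"0", "1", "2"}, "REG_ROGUE": {"0", "1"},
           "WHITELIST": {"0", "1"}, "REG_BY_USER": {"0", "1"}}
REQUIRED = [*ALLOWED, "DIRECTORY_SERVER", "DIRECTORY_SHARED"]
# Assumption: settings are plain NAME = "value" lines, as in the page's examples.
ASSIGN = re.compile(r'^\s*([A-Z_]+)\s*=\s*"?([^"]*?)"?\s*$')
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_settings(script_text):
    """Collect assignments, skipping VBScript comment lines (' and REM)."""
    lines = (l for l in script_text.splitlines()
             if not l.lstrip().upper().startswith(("'", "REM ")))
    return {m.group(1): m.group(2) for m in map(ASSIGN.match, lines) if m}

def registration_type(s):
    """Registration types table: REG_ROGUE=1 stays rogue, else REG_BY_USER decides."""
    if s.get("REG_ROGUE") == "1":
        return "Rogue"
    return "Host / User" if s.get("REG_BY_USER") == "1" else "Device"

def lint(script_text):
    """Return (registration type, list of findings) for one script's settings."""
    s = parse_settings(script_text)
    findings = [f"{n}: missing" for n in REQUIRED if n not in s]
    for n, allowed in ALLOWED.items():
        if n in s and s[n] not in allowed:
            findings.append(f"{n}: {s[n]!r} is not one of {sorted(allowed)}")
    if s.get("WHITELIST") == "1":
        findings.append("WHITELIST: hosts join Forced User Authentication Exceptions")
    share = s.get("DIRECTORY_SHARED", "")
    unc_host = share[2:].split("\\")[0] if share.startswith("\\\\") else ""
    for n, host in (("DIRECTORY_SERVER", s.get("DIRECTORY_SERVER", "")),
                    ("DIRECTORY_SHARED", unc_host)):
        if IPV4.match(host):
            findings.append(f"{n}: IP address used; domain name advised for failover")
    return registration_type(s), findings

SAMPLE = r'''
' Constructed sample for this example, not the shipped sendLogIn.vbs
ACTION = "3"
REG_ROGUE = "0"
WHITELIST = "1"
REG_BY_USER = "0"
DIRECTORY_SERVER = "192.168.102.2"
DIRECTORY_SHARED ="\\bradfordnetworks.com\sysvol\eng.local\scripts\"
'''
```

Calling lint(SAMPLE) reports the script as a Device registration and returns three findings: the out-of-range ACTION, the WHITELIST exception, and the IP address in DIRECTORY_SERVER.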

Trap parameters

The login and logout scripts send a trap to FortiNAC that contains the values of the variables listed above along with registration parameters from the user. To receive traps from the scripts, you must have the latest versions of snmptrap.exe and libsnmp.dll on the directory server in the same directory that contains the scripts. These two files are part of a package that can be downloaded and installed on your directory server from http://www.net-snmp.org/download.html. Select the latest binaries. From the list of download files, select the file that is in the following format: net-snmp-<version number>.exe.

| OID | Description | Definition |
|---|---|---|
| 1.1 | Action | Value of the Action variable. |
| 1.2 | User Name | User name of the person logging in or out. Type = String |
| 1.3 | Host Name | Name of the host used to log in or out. Type = String |
| 1.4 | Host IP | IP address of the host used to log in or out. Type = IP Address |
| 1.5 | Host MAC | MAC address of the host used to log in or out. Type = String |
| 1.8 | Operating System | Operating System of the host used to log in or out. Type = String |
| 1.10 | Register Rogue | Value of the Reg_Rogue variable. |
| 1.11 | Whitelist | Value of the Whitelist variable. |
| 1.12 | Register by User | Value of the Register by User variable. |
