Register hosts and users with SNMPv3 traps

FortiNAC can use data sent in SNMPv3 traps from external devices to register hosts and users. This speeds up the process of adding hosts and users to your FortiNAC database by taking advantage of information that is readily available from another system. In addition, depending on the trap parameters, hosts and users can be modified or removed from the database.

FortiNAC configuration requirements

  • The Trap Sender must be modeled in the Topology View as a pingable device.
  • You must enter SNMPv3 settings in System > Settings > System Communication > SNMP that match those of the device to which you are sending traps. Note that if you had previously entered SNMPv1/SNMPv2c settings for external devices querying FortiNAC for information, you must modify settings on those devices to use SNMPv3. See SNMP.
  • If you are running FortiNAC in a FortiNAC Control Manager environment, the Trap Sender must be modeled on each FortiNAC Server or Control Server that should receive this information. Note that if you have enabled any of the Copy Registered Host options on the FortiNAC Control Manager it may not be necessary to receive traps on more than one managed server.
  • When traps are received they can trigger the events listed below in the Event Log. These events can be mapped to Alarms. Make sure the events are enabled. See Event management. To map events to alarms see Add or modify alarm mapping.

Event                     Definition
------------------------  ----------------------------------------------------------------------------------------------
Add/Modify/Remove Host    Generated whenever a trap is received that adds, modifies or removes a host record in the database.
Add/Modify/Remove User    Generated when a trap is received that adds, modifies or removes a user record in the database.

Trap sender configuration requirements

  • Use the Management IP address (eth0) of the FortiNAC Server or Control Server as the destination for the trap.
  • Send traps to port 161 on the FortiNAC Server or Control Server.
  • If you are running FortiNAC in a High Availability environment, send traps to both the primary and the secondary FortiNAC Servers or Control Servers.
  • You must have snmptrap.exe and libsnmp.dll on the device sending the traps. Download the latest binaries for the appropriate operating system from www.net-snmp.org/download.html.
  • Configure the traps on the sending device. See the tables below for information on trap parameters.

Hosts

  • If a trap is received for an existing host, the host's database record is updated with information from the trap.
  • When a trap is received for a host that matches a rogue in FortiNAC, the rogue is converted to a registered host if the trap contains user data. It is converted to a registered device if there is no associated user.
  • If a user is deleted based on a trap, associated hosts are not deleted and they become registered devices. To delete these hosts either send an additional trap that removes the host or you must go to the Host View and delete them manually. See Delete a host.
  • If the same host is added twice but with different MAC addresses for separate adapters, it is treated as two separate records in the FortiNAC database. The two adapters are not linked to each other in any way and are not considered siblings in FortiNAC.
  • Values that contain spaces must be enclosed in quotation marks, for example "Windows Vista".
  • Separators in MAC addresses must be colons, for example 90:21:55:EB:A3:87.

Trap parameters

The OIDs in the table are relative to the FortiNAC enterprise prefix 1.3.6.1.4.1.16856, so 1.1.1.3 is sent as .1.3.6.1.4.1.16856.1.1.1.3 (see the example traps below).

OID       Description              Definition
--------  -----------------------  ----------------------------------------------------------------------------------------
1.1.1.1   Host Name                Machine name of the host.
1.1.1.2   IP Address               IP address of the host.
1.1.1.3   MAC Address              Physical address of the host. Required.
1.1.1.4   Host Operating System    Name of the operating system on the host.
1.1.5     Role                     Role assigned to the host. Roles are attributes of hosts used as filters in User/Host Profiles.
1.1.6     Action                   Indicates whether this trap is adding or removing a host from the database. Adding an existing host modifies that host's record in the database. 1=Add, 2=Remove
1.2.8     Element                  Indicates that this trap is registering either a host, or a host and its corresponding user.

Example traps

To add a host record for the PC with a hostname of Gateway-notebook, an IP address of 160.87.100.117, a MAC address of 00:26:9E:E2:DD:DB, an OS of Windows, and a role of Guest (Action = 1):

snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphrase**> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.8 .1.3.6.1.4.1.16856.1.1.1.1 s Gateway-notebook .1.3.6.1.4.1.16856.1.1.1.4 s Windows .1.3.6.1.4.1.16856.1.1.1.2 s 160.87.100.117 .1.3.6.1.4.1.16856.1.1.1.3 s 00:26:9E:E2:DD:DB .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 1

To remove the host record for the same PC (Action = 2). Note that only the MAC address is required to remove a host; the other parameters are shown for completeness.

snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphrase**> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.8 .1.3.6.1.4.1.16856.1.1.1.1 s Gateway-notebook .1.3.6.1.4.1.16856.1.1.1.4 s Windows .1.3.6.1.4.1.16856.1.1.1.2 s 160.87.100.117 .1.3.6.1.4.1.16856.1.1.1.3 s 00:26:9E:E2:DD:DB .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 2

Users

  • If an LDAP directory is modeled in the Topology View, FortiNAC checks the directory for information about the user included in the trap. If the user exists in the directory, additional fields are populated for that user in the FortiNAC database. If the user does not exist in the directory, a user record is created in FortiNAC with only the data received in the trap.
  • If a trap is received for an existing user, the user's database record is updated with information from the trap.
  • If a trap is received for an existing user and the trap contains host information, the host is registered to the user. If the host already has a rogue record, the rogue is converted to a registered host and associated with the user.
  • If a user is deleted based on a trap, associated hosts are not deleted and they become registered devices. To delete these hosts you must go to the Host View and delete them manually. See Delete a host.
  • When FortiNAC resynchronizes with the directory, user data may be overwritten by data from the directory depending on the directory attribute mappings. See Add/modify directory - User Attributes tab.
  • Values that contain spaces must be enclosed in quotation marks, for example "Mary Ann".

Trap parameters

The OIDs in the table are relative to the FortiNAC enterprise prefix 1.3.6.1.4.1.16856, as in the example traps below.

OID       Description        Definition
--------  -----------------  --------------------------------------------------------------------------------------------------
1.1.2.1   User Name          User name stored in the directory. If the user is not in the directory, this record is still added, modified or removed. Required.
1.1.2.2   User First Name    First name of the user.
1.1.2.3   User Last Name     Last name of the user.
1.1.2.4   User Title         Title of the user.
1.1.2.5   Email              User's e-mail address.
1.1.5     Role               Role assigned to the user. If this trap is adding both a user and a host, both are set to the same role.
1.1.6     Action             Indicates whether this trap is adding or removing a user from the database. Adding an existing user modifies that user's record in the database. 1=Add, 2=Remove
1.2.9     Element            Indicates that this trap is only registering a user.

Example traps

To add testuser to the database (Action = 1):

snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphrase**> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.9 .1.3.6.1.4.1.16856.1.1.2.1 s testuser .1.3.6.1.4.1.16856.1.1.2.2 s John .1.3.6.1.4.1.16856.1.1.2.3 s Doe .1.3.6.1.4.1.16856.1.1.2.4 s Mr .1.3.6.1.4.1.16856.1.1.2.5 s jdoe@megatech.com .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 1

To delete the user record for testuser from the database (Action = 2). Note that only the User Name is required to remove a user; the other parameters are shown for completeness.

snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphrase**> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.9 .1.3.6.1.4.1.16856.1.1.2.1 s testuser .1.3.6.1.4.1.16856.1.1.2.2 s John .1.3.6.1.4.1.16856.1.1.2.3 s Doe .1.3.6.1.4.1.16856.1.1.2.4 s Mr .1.3.6.1.4.1.16856.1.1.2.5 s jdoe@megatech.com .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 2
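The following Python helper is an added example, not part of the FortiNAC documentation or product: it assembles the snmptrap argument list for both the host traps (Element 1.2.8) and the user traps (Element 1.2.9) described above, and enforces the rules the page states before anything is sent (MAC address required and colon-separated for hosts, User Name required for users, Action 1 or 2, values with spaces quoted when rendered as a shell line). The FortiNAC address, SNMPv3 user name and passphrase passed in are assumed placeholders; the security level and auth protocol are those of the documented examples (authNoPriv/MD5, i.e. the trap is authenticated but its varbinds are sent in the clear).

```python
import re
import shlex

# Enterprise prefix and the OID suffixes from the tables above.
ENTERPRISE = "1.3.6.1.4.1.16856"
TRAP_OID = {"host": "1.2.8", "user": "1.2.9"}   # Element: host (+user) vs. user only
# Varbind order follows the documented example traps so output lines up with them.
HOST_OIDS = {"hostname": "1.1.1.1", "os": "1.1.1.4", "ip": "1.1.1.2", "mac": "1.1.1.3"}
USER_OIDS = {"username": "1.1.2.1", "first": "1.1.2.2", "last": "1.1.2.3",
             "title": "1.1.2.4", "email": "1.1.2.5"}
ROLE_OID, ACTION_OID = "1.1.5", "1.1.6"
ACTION = {"add": 1, "remove": 2}
# FortiNAC only accepts colon-separated MAC addresses (e.g. 90:21:55:EB:A3:87).
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def build_trap_argv(nac_ip, v3_user, passphrase, action, host=None, user=None, role=None):
    """Return the snmptrap argv list for one FortiNAC registration trap.

    host / user are dicts keyed as in HOST_OIDS / USER_OIDS. A list is returned
    (not a shell string) so values containing spaces need no manual quoting.
    nac_ip, v3_user and passphrase are caller-supplied placeholders (assumption).
    """
    if action not in ACTION:
        raise ValueError("action must be 'add' or 'remove'")
    if not host and not user:
        raise ValueError("a trap needs a host, a user, or both")
    if host and not MAC_RE.match(host.get("mac", "")):
        raise ValueError("MAC Address is required and must use colon separators")
    if user and not user.get("username"):
        raise ValueError("User Name is required")
    # Element OID: 1.2.8 whenever a host is present (with or without a user), else 1.2.9.
    element = TRAP_OID["host" if host else "user"]
    argv = ["snmptrap", "-v3", "-u", v3_user, "-l", "authNoPriv", "-a", "MD5",
            "-A", passphrase, f"{nac_ip}:161", "", f"{ENTERPRISE}.{element}"]
    for rec, oids in ((host, HOST_OIDS), (user, USER_OIDS)):
        for key, suffix in oids.items():
            if rec and key in rec:
                argv += [f".{ENTERPRISE}.{suffix}", "s", str(rec[key])]
    if role:   # same Role OID for hosts and users; both get the same role
        argv += [f".{ENTERPRISE}.{ROLE_OID}", "s", role]
    argv += [f".{ENTERPRISE}.{ACTION_OID}", "integer", str(ACTION[action])]
    return argv


def to_shell(argv):
    """Render argv as a POSIX shell line; shlex.join quotes values such as 'Windows Vista'."""
    return shlex.join(argv)
```

Pass the returned list straight to subprocess.run to avoid shell quoting altogether; use to_shell only when you need the command as text.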
