Customize log in and log out scripts

FortiNAC allows you to register hosts using log in and log out scripts. These scripts are provided for you on the appliance. They contain variables that must be modified to match your environment and requirements. Scripts are located in the following directory:

/bsc/campusMgr/ui/runTime/config/ldap

Scripts that should be modified include sendLogIn.vbs and sendLogOut.vbs. It is recommended that you review the comments contained within the scripts. They contain the most up-to-date information about the variables that can be used and the additional parameters that can be set.

To use the scripts, they must be copied to the directory server, such as your Active Directory server. After they have been copied, use the information in the Variables and Trap parameters tables below to modify the necessary parameters.

To receive traps from the scripts, you must have the latest versions of snmptrap.exe and libsnmp.dll on the directory server in the same directory that contains the scripts. These two files are part of a package that can be downloaded and installed on your directory server from http://www.net-snmp.org/download.html. Select the latest binaries. From the list of download files, select the file that is in the following format: net-snmp-<version number>.exe.

Registration types

There are two types of registration that can be done using scripts. A machine can be registered as a host with an associated user or as a device with no identity. When a machine is registered as a device, the host name of the device is used. Machines can also be left as rogues.

If you are registering shared machines, such as computers in a lab, you may want to modify the script to register the computers as devices.

Registration type   Settings

Host / User         Register the machine as a host by user name.
                    REG_ROGUE = "0"
                    REG_BY_USER = "1"

Device              Register the machine as a device by host name.
                    REG_ROGUE = "0"
                    REG_BY_USER = "0"

Registration Examples

User View - Registration Type Host/User

Host View - Registration Type Host/User

In the two preceding examples, the log in script was set to register by user. Both the machine and the user are shown, first from the User View and second from the Host View. The machine shows as Type - Registered, indicating that it is registered to a user. The machine is associated with, or Registered To, the user.

User View - Registration Type Device

Host View - Registration Type Device

In the two examples above, the log in script was set to register by device. Both the machine and the user are shown, but there is no association between the machine and the user. The User View example shows Type - Logged On, indicating that the user is logged onto this machine but that the machine is not Registered to a user. The Registered To field is blank. The Host View represents the actual computer. The User View represents the temporary user who logged into the machine.

Variables

Variable            Definition

Required variables

ACTION

Indicates whether this script is for logon or logoff.

Type = Integer
Logoff = 0
Logon = 1
Logon Started = 2

Example: ACTION = "1"

REG_ROGUE

When Register is enabled, the machine is registered either by user name or as a device by host name, based on the Register by User setting.

If Do not register is enabled, the machine remains a rogue.

Type = Integer
Register = 0
Do not register = 1

Example: REG_ROGUE = "0"

WHITELIST

If enabled, adds the machine to the Forced User Authentication Exceptions group. A user logging in on a machine in this group is not forced to authenticate. Default is disabled.

Type = Integer
Do not add = 0
Add = 1

Example: WHITELIST = "0"

REG_BY_USER

Registers the machine by user name as a host or by host name as a device.

Type = Integer
Register as device = 0
Register by user name = 1

Example: REG_BY_USER = "0"

DIRECTORY_SERVER

Your Active Directory server. If you have more than one Active Directory server for failover, it is recommended that you use your domain name instead of the IP address.

Example: DIRECTORY_SERVER = "192.168.102.2"

Example: DIRECTORY_SERVER = "bradfordnetworks.com"

DIRECTORY_SHARED

Active Directory server's shared directory where the login/logoff scripts, snmptrap.exe and libsnmp.dll files are stored. If you have more than one Active Directory server for failover, it is recommended that you use your domain name instead of the IP address.

Example: DIRECTORY_SHARED = "\\192.168.102.2\sysvol\eng.local\scripts\"

Example: DIRECTORY_SHARED = "\\bradfordnetworks.com\sysvol\eng.local\scripts\"

Novell variables

USE_ENV_USERNAME

Indicates whether or not the user name should come from another variable. To enable, set this to True.

If you are not using Novell or if the User Name entered at log in is sufficient, set this to False.

Example: USE_ENV_USERNAME = False

ENV_USERNAME_VARIABLE

The variable containing the User Name. This information is used only if USE_ENV_USERNAME is set to True.

Example: ENV_USERNAME_VARIABLE = "%NWUSERNAME%"

Optional changes - sample

Wscript.Sleep 5000

Add this line before the last “End If” statement. It makes the script wait 5 seconds, allowing more time for processes to start or finish:

REM End If
Wscript.Sleep 5000
End If
Next
End Function

You may choose to make other modifications to the script to accommodate requirements outside FortiNAC. For example, you may choose to add a timer that waits a few seconds before ending the script.

Trap parameters

The log in and log out scripts send a trap to FortiNAC that contains the values of the variables listed above along with registration parameters from the user. To receive traps from the scripts, you must have the latest versions of snmptrap.exe and libsnmp.dll on the directory server in the same directory that contains the scripts. These two files are part of a package that can be downloaded and installed on your directory server from http://www.net-snmp.org/download.html . Select the latest binaries. From the list of download files select the file that is in the following format: net-snmp-<version number>.exe.

OID    Description        Definition

1.1    Action             Value of the Action variable.
1.2    User Name          User name of the person logging in or out. Type = String
1.3    Machine Name       Hostname of the machine used to log in or out. Type = String
1.4    Machine IP         IP address of the machine used to log in or out. Type = IP Address
1.5    Machine MAC        MAC address of the machine used to log in or out. Type = String
1.8    Operating System   Operating System of the machine used to log in or out. Type = String
1.10   Register Rogue     Value of the Reg_Rogue variable.
1.11   Whitelist          Value of the Whitelist variable.
1.12   Register by User   Value of the Register by User variable.
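The following is an added example, not code from the FortiNAC scripts or from Fortinet: it takes a decoded trap as a mapping of the relative OIDs in the table above to their string values, validates each value against the types and allowed integers given in the Variables table, and states the registration outcome the Registration types table implies (rogue, host by user, or device by host name). A trap with WHITELIST = 1 is flagged, since that host will bypass forced user authentication. The sample trap values are constructed for the example.

```python
import ipaddress
import re

# Relative OIDs from the Trap parameters table above.
OID_ACTION, OID_USER, OID_HOST, OID_IP, OID_MAC = "1.1", "1.2", "1.3", "1.4", "1.5"
OID_OS, OID_REG_ROGUE, OID_WHITELIST, OID_REG_BY_USER = "1.8", "1.10", "1.11", "1.12"

ACTION_NAMES = {"0": "logoff", "1": "logon", "2": "logon started"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def classify_trap(varbinds):
    """Validate a decoded trap and state what FortiNAC would do with it.

    varbinds: dict of relative OID -> string value, as sent by sendLogIn.vbs
    or sendLogOut.vbs. Returns (outcome, notes); outcome is None when any
    required value is missing or malformed, and notes lists why.
    """
    notes = []
    checks = ((OID_ACTION, ACTION_NAMES), (OID_REG_ROGUE, {"0", "1"}),
              (OID_WHITELIST, {"0", "1"}), (OID_REG_BY_USER, {"0", "1"}))
    for oid, allowed in checks:          # integer flags must be one of the listed values
        if varbinds.get(oid) not in allowed:
            notes.append(f"OID {oid}: unexpected value {varbinds.get(oid)!r}")
    try:
        ipaddress.ip_address(varbinds.get(OID_IP, ""))   # Type = IP Address
    except ValueError:
        notes.append(f"OID {OID_IP}: not an IP address")
    if not MAC_RE.match(varbinds.get(OID_MAC, "")):      # MAC sent as a string
        notes.append(f"OID {OID_MAC}: not a MAC address")
    if notes:
        return None, notes

    # Registration decision, per the Registration types table.
    if varbinds[OID_REG_ROGUE] == "1":
        outcome = "leave as rogue"
    elif varbinds[OID_REG_BY_USER] == "1":
        outcome = f"register host to user {varbinds[OID_USER]}"
    else:
        outcome = f"register device by host name {varbinds[OID_HOST]}"
    if varbinds[OID_WHITELIST] == "1":
        # Worth reviewing: the host is added to Forced User Authentication Exceptions.
        notes.append("WHITELIST=1: host will not be forced to authenticate")
    return f"{ACTION_NAMES[varbinds[OID_ACTION]]}: {outcome}", notes


# Constructed sample trap; the user, host, IP and MAC values are made up.
SAMPLE = {OID_ACTION: "1", OID_USER: "jdoe", OID_HOST: "LAB-PC-07",
          OID_IP: "192.168.102.50", OID_MAC: "00:11:22:33:44:55",
          OID_OS: "Windows", OID_REG_ROGUE: "0", OID_WHITELIST: "0",
          OID_REG_BY_USER: "1"}

if __name__ == "__main__":
    print(classify_trap(SAMPLE))
```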