User/host profiles
User/Host Profiles are used to map sets of hosts and users to Network Access Policies, Endpoint Compliance Policies, Supplicant EasyConnect Policies, Portal Policies, or Security Rules (ATR must be enabled). User/Host Profiles can be reused across many different policies.
For example, Network Access Policies are used to assign the VLAN in which a host is placed. Each Network Access Policy has a specific User/Host profile and a Network Access Configuration containing a VLAN, CLI Configuration or VPN Group. When a host requires network access, FortiNAC looks at the Network Access Policies starting with the first policy in the list and checks that the User/Host profile is a match. If it is not, the next Network Access Policy is checked until a match is found.
User/Host Profiles are combinations of User/Host data. A host's or user's profile is not fixed but can change based on the user/host being moved to a different group, having a new attribute applied, connecting to the network in a different place or the current time of day. Users/hosts are only classified at the time that they need a service, such as a Network Access Policy. When FortiNAC evaluates a host connection, the data for the user and host are prioritized as follows:
- Logged in User and Host
- Registered User and Host
- Registered Host
If you create a User/Host Profile with fields Where (Location) set to Any, Who/What by Group set to Any, Who/What by Attribute left blank and When set to Always, it matches ALL users and hosts. This is essentially a Catch All profile. If this User/Host Profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or a host. To highlight this, policies below the policy with the catch all profile are grayed out and have a line through the data.
User/Host Profiles can be accessed from Policy > Policy Configuration > User/Host Profiles or from System > Quick Start > Policy Configuration; however, the configuration steps point you to Policy > Policy Configuration > User/Host Profiles. See Navigation and Filters for information on common navigation tools and data filters.
Settings
| Field | Definition |
|---|---|
| Name | Each profile must have a unique name. |
| Where (Location) | Location on the network where the host is connected. This field lists groups of ports, SSIDs or devices. Hosts are checked to determine whether they have connected to the network via one of the selected devices, ports or SSIDs. Host must connect on one of the items contained within one of the selected groups to match this profile. When set to Any, this field is a match for all hosts or users. |
| Who/What By Group | Host or User groups where the host or user must be a member to match this profile. Host or user must be in at least one of the groups listed. When set to Any, this field is a match for all hosts or users. |
| Who/What By Attribute | Indicates whether or not attribute filters have been created for this Profile. Filters are based on Adapter, Host and User data. A host or user must meet all parameters within a single filter, but is only required to match one filter in the list. See Filter example. |
| When | If the host is on the network during the specified time frame, it matches this profile. Time options include Always or a specific set of days of the week and times of the day. |
| Note | User specified note field. This field may contain notes regarding the data conversion from a previous version of FortiNAC. |
| Last Modified By | User name of the last user to modify the profile. |
| Last Modified Date | Date and time of the last modification to this profile. |
| Right click options | |
| Copy | Copy the selected Profile to create a new record. |
| Delete | Deletes the selected Profile. Profiles that are currently in use cannot be deleted. |
| In Use | Indicates whether or not the selected Profile is currently being used by any other FortiNAC element. See Profiles in use. |
| Modify | Opens the Modify Profile window for the selected Profile. |
| Show Audit Log | Opens the Admin Auditing Log showing all changes made to the selected item. For information about the Admin Auditing Log, see Admin auditing. |
| Buttons | |
| Export | Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF or RTF. See Export data. |
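
The matching rules in the table and the first-match, catch-all behavior described earlier can be modeled offline to audit a policy list for rules that will never be evaluated. The following is an added example, not FortiNAC code or an export format: the `Profile` class, the host dictionary keys and the sample policies are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Optional

@dataclass
class Profile:  # None models a field set to Any, left blank, or Always
    name: str
    where: Optional[set] = None    # selected port/SSID/device groups
    groups: Optional[set] = None   # selected host/user groups
    filters: list = field(default_factory=list)  # attribute filters (dicts)
    when: Optional[tuple] = None   # (weekdays 0-6, from, to); same-day range assumed

    def is_catch_all(self):
        return (self.where is None and self.groups is None
                and not self.filters and self.when is None)

    def matches(self, host, now):
        if self.where is not None and not (self.where & host["location_groups"]):
            return False
        if self.groups is not None and not (self.groups & host["groups"]):
            return False
        # Every parameter inside one filter must match; any one filter suffices.
        if self.filters and not any(
                all(host["attrs"].get(k) == v for k, v in f.items()) for f in self.filters):
            return False
        if self.when is not None:
            days, start, end = self.when
            if now.weekday() not in days or not (start <= now.time() <= end):
                return False
        return True

def select_policy(policies, host, now):
    """First match wins over an ordered list of (policy name, Profile, VLAN)."""
    for name, profile, vlan in policies:
        if profile.matches(host, now):
            return name, vlan
    return None

def shadowed_policies(policies):
    """Policies ranked below the first catch-all profile; they are never evaluated."""
    for i, (_, profile, _) in enumerate(policies):
        if profile.is_catch_all():
            return [name for name, _, _ in policies[i + 1:]]
    return []

# Constructed sample policy list: the catch-all in position 2 shadows "Printers".
POLICIES = [
    ("Staff-Wired", Profile("staff", where={"HQ-Ports"}, groups={"Staff"},
                            when=({0, 1, 2, 3, 4}, time(8), time(18))), 10),
    ("Guest", Profile("everyone"), 99),
    ("Printers", Profile("printers", filters=[{"host_role": "Printer"}]), 30),
]
```

Running `shadowed_policies` over a policy list before deployment flags rules that a misplaced catch-all profile has silently disabled, such as a restrictive VLAN assignment that hosts never receive.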
Add or modify a profile
You are not required to complete all of the fields when creating a User/Host Profile. If you leave a field blank, it is set to Any or is left blank. When set to Any or blank, the field is a match for all hosts or users. You can create a profile with only location, only a group, only an attribute filter, only a time range or any combination of those options.
- Select Policy > Policy Configuration.
- In the menu on the left, User/Host Profiles should be selected.
- Click the Add button or select an existing Profile and click Modify.
- Click in the Name field and enter a name for this Profile.
- Click the Select button next to the Where (Location) field. This opens the Select Location window.
  Choose one or more device, port or SSID groups by clicking on the names in the All Groups column and clicking the right arrow to move them to the Selected Groups column.
  In the Select Location window, you can click Add Group to create a group, or click Modify Group to modify the selected group.
  Click OK to continue.
- Click the Select button next to the Who/What by Group field. This opens the Select Groups window.
  Choose one or more Host, User, or Administrator groups by clicking on the names in the All Groups column and clicking the right arrow to move them to the Selected Groups column.
  In the Select Groups window, you can click Add Group to create a group, or click Modify Group to modify the selected group.
  Click OK to continue.
- To add a filter, click the Add button next to the Who/What by Attribute field. These filters narrow the number of hosts to which this Profile applies.
  The Adapter, Host, User, Application Filter window displays allowing you to select one or more pieces of data to use as a filter. See Settings, View and search settings, Search settings, and Application view for detailed descriptions of the fields on the Filter window.
- Click in the drop-down menu next to the When field. Select either Always or select Specify Time. Always indicates that there is no time criteria to match this Profile. Specify Time allows you to choose days and times to be used as criteria for connecting hosts. Hosts must connect to the network during the selected times to match this profile.
- To specify a time, select Specify Time in the drop-down to display the Specify Time dialog.
  In the Time Range section enter the From and To times for the time of day that devices should be able to access the network.
  In the Days of the Week section select the days during which these devices should be allowed to access the network.
  Click OK.
- Click OK to save your data.