Fortinet black logo

Administration Guide

Control access

Copy Link
Copy Doc ID 868f1267-7299-11e9-81a4-00505692583a:674889
Download PDF

Control access

The purpose of the Control Access feature on containers, devices, and ports is to place devices and ports into system groups that control network access for hosts connected to those ports.

The top level Control Access window shows containers and devices. Within this view, you can globally select all containers or manually select individual containers. Uplink ports are exempt from being placed in system access groups.

When the Control Access feature is used, selected ports and devices are placed first into their own groups. Then, those groups are placed into one of the system access groups. For example, if you have a container named Building A that contains devices Cisco Switch 1 and Cisco Switch 2, when the devices are placed under access control FortiNAC creates a device group that contains both switches and a port group that contains all of their corresponding ports. The port and device groups are named using access group, container name and device or port.

In this example the device group would be Registration-Building A-Devices. The port group would be Registration-Building A-Ports.The device group and the port group are then moved into the access group selected in the Type field. If the Type field is set to Registration, the ports go into the Forced Registration group.

You may select and move all the ports or devices to access groups including: Forced Registration, Forced Authentication, Forced Remediation, Dead End and Role-Based Access. Adding devices and ports to a Forced Remediation group enables Quarantine VLAN switching, a (Undefined variable: User_Guide.ProductFamily) feature. Any devices that have been unselected are removed from the access group shown in the Type field.

Each of these groups refers to an underlying port group, with the exception of Dead End. The underlying group for Dead End is a device group (rather than a port group) named Physical Address Filtering.

Devices and ports contained within any of these groups can also be modified from the Groups View. Device and port groups created by this process are treated as system groups and cannot be deleted from the Groups View. They can be deleted from the Container Control Access window.

Note

Removing a device, its ports, or both from all of the access control groups mentioned above ensures that no network access control will occur on those ports. The presence of a device, its ports, or both in any of those groups enables access control for that device, its ports, or both, meaning that FortiNAC will dynamically attempt to change the network access configuration based on the state of the host appropriate to the group. Ports will also be moved into the default network configuration should a connected host not satisfy the related isolation criteria. If an affected port is a member of the Role-Based access group, a network access policy may override the default network configuration.

Control Access can be modified from the Topology View by right-clicking on any of the following:

  • Customer Icon—Set up access control for multiple containers and devices.
  • Container Icon—Set up access control for all devices within the container.
  • Device—Set up access control for all ports on a device.

Control access

The purpose of the Control Access feature on containers, devices, and ports is to place devices and ports into system groups that control network access for hosts connected to those ports.

The top level Control Access window shows containers and devices. Within this view, you can globally select all containers or manually select individual containers. Uplink ports are exempt from being placed in system access groups.

When the Control Access feature is used, selected ports and devices are placed first into their own groups. Then, those groups are placed into one of the system access groups. For example, if you have a container named Building A that contains devices Cisco Switch 1 and Cisco Switch 2, when the devices are placed under access control FortiNAC creates a device group that contains both switches and a port group that contains all of their corresponding ports. The port and device groups are named using access group, container name and device or port.

In this example the device group would be Registration-Building A-Devices. The port group would be Registration-Building A-Ports.The device group and the port group are then moved into the access group selected in the Type field. If the Type field is set to Registration, the ports go into the Forced Registration group.

You may select and move all the ports or devices to access groups including: Forced Registration, Forced Authentication, Forced Remediation, Dead End and Role-Based Access. Adding devices and ports to a Forced Remediation group enables Quarantine VLAN switching, a (Undefined variable: User_Guide.ProductFamily) feature. Any devices that have been unselected are removed from the access group shown in the Type field.

Each of these groups refers to an underlying port group, with the exception of Dead End. The underlying group for Dead End is a device group (rather than a port group) named Physical Address Filtering.

Devices and ports contained within any of these groups can also be modified from the Groups View. Device and port groups created by this process are treated as system groups and cannot be deleted from the Groups View. They can be deleted from the Container Control Access window.

Note

Removing a device, its ports, or both from all of the access control groups mentioned above ensures that no network access control will occur on those ports. The presence of a device, its ports, or both in any of those groups enables access control for that device, its ports, or both, meaning that FortiNAC will dynamically attempt to change the network access configuration based on the state of the host appropriate to the group. Ports will also be moved into the default network configuration should a connected host not satisfy the related isolation criteria. If an affected port is a member of the Role-Based access group, a network access policy may override the default network configuration.

Control Access can be modified from the Topology View by right-clicking on any of the following:

  • Customer Icon—Set up access control for multiple containers and devices.
  • Container Icon—Set up access control for all devices within the container.
  • Device—Set up access control for all ports on a device.