Containers are used within FortiNAC to group devices together. As wireless devices are added using either Discovery or by entering them manually on the Network Devices View they are also added to Topology.

Groups are used to gather like items that require similar treatment. The groups created here are port groups and are used to map Network Access Policies for the Secure and Open SSIDs.

When you configure an SSID a port group is created based on the name of the SSID. Each SSID is placed in a separate port group. For example if you add a SSID with the name MegaTech Secure, then a port group with the same name is automatically created and contains the MegaTech Secure SSID.

Directory Groups are used to group users and their corresponding hosts. Group membership is used in User/Host profiles to determine which Network Access, Endpoint Compliance or Supplicant Policies to apply.

When a device that provides network services is added to FortiNAC a model of that device's configuration is stored in the database. This model includes information such as CLI User Names, Passwords, communication protocol, RADIUS Server information and Isolation and Production VLANs.

For devices configured through Wireless Security, the following settings are entered:

• RADIUS = Use Defaults
• Network Access = Deny for Dead End, Registration and Quarantine. Authentication is set to Bypass.

Individual SSIDs can be configured separately instead of inheriting settings from the device's Model Configuration, such as settings for default Isolation and Production VLANS.

Use Network Devices View to select a device and access the SSID Configuration.

For devices configured through Wireless Security, the following settings are entered for all SSIDs regardless of whether they are open or secure:

• RADIUS: Primary and Secondary RADIUS servers are selected if they were selected in the SSID Mappings.
• Network Access = Enforce and the Isolation VLAN are set for Dead End, Registration and Quarantine. Authentication is set to Bypass and None for Network Access.

Wireless devices are automatically added to the L2 and L3 Polling groups and polling is enabled for the device. The polling interval for L2 is every 10 minutes and L3 is set to every 30 minutes.

Use Network Devices View, L2 Polling View or L3 Polling View to modify polling information.

Roles are added as attributes to users or hosts. Role mapping is accomplished by creating a User/Host Profile configured with the SSID port group as the connection location and the Who/What by Attribute field set to one of these role names.

A Network Access Policy maps this User/Host Profile to a Network Access Configuration containing the User Group/VLAN where the host will be placed.

• A role is created for each Guest Template.
• User/Host Profile contains an SSID port group (Where) and a Role name matching a guest template (Who/What by Attribute).
• There is a separate User/Host Profile for each guest template and SSID port group combination.

User/Host Profiles are created when a new SSID Mapping is added on the Network Devices view.

Guest Management SSID Mappings — A User/Host profile is created for each SSID and Guest Template combination. Names of these User/Host profiles are based on the SSID name and the combination of data contained within the profile.

Example:

Mobile Security Wizard Profile: GuestAccess Production XR4830 Open

• Mobile Security Wizard indicates that the User/Host Profile was generated by Quick Start/Wireless Security for Guest Management.
• Profile indicates that this is a User/Host profile.
• GuestAccess is the name of the guest template the user has and the Role assigned to guests and hosts when the guest registers in the captive portal.
• Production is the name of the User Group/VLAN where the connecting host will be placed.
• X-R4830 Open is the name of the SSID and the name of the port group where the SSID has been placed.

The User/Host Profile is configured as follows:

• Name of the SSID port group as its connection location in Where.
• Role Name derived from guest template name as an attribute of the user in Who/What by Attribute.

Device Onboarding SSID Mappings — A User/Host profile is created for each SSID, Directory Group and Operating System list combination. Names of these User/Host profiles are based on the SSID name and the combination of data contained within the profile.

Example:

XAM BYOD Profile: Domain Admins [Windows,macOS,iOS,Android,RIM,Windows Phone] Production XR4830 Secure

• XAM BYOD indicates that the User/Host Profile was generated by Quick Start for Device Onboarding (BYOD).
• Profile indicates that this is a User/Host profile.
• Domain Admins is the name of the Directory Group where the user must be a member. A corresponding Host group is created and hosts are placed in that group as they are registered by the user.
• [Windows,macOS,iOS,Android,RIM,Windows Phone] is the list of operating systems selected in the SSID Mapping as a match for a connecting host.
• Production is the name of the Xirrus User Group/VLAN where the connecting host will be placed.
• XR4830 Secure is the name of the SSID and the name of the port group where the SSID has been placed.

The User/Host Profile is configured as follows:

• Name of the SSID port group as its connection location in Where.
• Selected Directory Group in Who/What by Group.
• Selected operating systems as attributes of the host in Who/What by Attribute.
  

Network Access Configurations and Network Access Policies are created when a new SSID Mapping is added using Wireless Security.

Guest Management SSID Mappings — A Network Access Configuration and Network Access Policy are created for each SSID and Guest Template combination. Names are based on the SSID name and the combination of data the items contain.

Example:

Network Access Configuration = Mobile Security Wizard Configuration: GuestAccess Production XR4830 Open

Network Access Policy = Mobile Security Wizard Access Policy: GuestAccess Production XR4830 Open

• Mobile Security Wizard indicates that the data was generated by Quick Start / Wireless Security for Guest Management.
• Configuration indicates that the record is a Network Access Configuration.
• Policy indicates that the record is a Network Access Policy.
• GuestAccess is the name of the guest template the user has and the Role assigned to guests and hosts when the guest registers in the captive portal.
• Production is the name of the User Group/VLAN where the connecting host will be placed.
• X-R4830 Open is the name of the SSID and the name of the port group where the SSID has been placed.

Device Onboarding SSID Mappings — A Network Access Configuration and Network Access Policy are created for each unique SSID, Directory Group and Host Operating System combination.

Example:

Network Access Configuration = XAM BYOD Configuration: Domain Admins [Windows,macOS,iOS,Android,RIM,Windows Phone] Production XR4830 Secure

Network Access Policy = XAM BYOD Policy: Domain Admins [Windows,macOS,iOS,Android,RIM,Windows Phone] Production XR4830 Secure

• XAM BYOD indicates that the User/Host Profile was generated by Quick Start / Wireless Security for Device Onboarding (BYOD).
• Configuration indicates that the record is a Network Access Configuration.
• Policy indicates that the record is a Network Access Policy.
• Domain Admins is the name of the Directory Group where the user must be a member. A corresponding Host group is created and hosts are placed in that group as they are registered by the user.
• [Windows,macOS,iOS,Android,RIM,Windows Phone] is the list of operating systems selected in the SSID Mapping as a match for a connecting host.
• Production is the name of the User Group/VLAN where the connecting host will be placed.
• XR4830 Secure is the name of the SSID and the name of the port group where the SSID has been placed.

The Network Access Configuration is configured as follows:

• Name of the (Undefined variable: User_Guide.ProductFamily) Access Group/VLAN where hosts should be placed when connected. The Access Group is the group selected in the SSID Mapping.

The Network Access Policy is configured as follows:

• Network Access Configuration created for the SSID Mapping.
• User/Host Profile created for the SSID Mapping.

Network Access Policy maps the Network Access Configuration to a corresponding User/Host Profile also created when SSID Mappings are added. Connecting users that match the User/Host Profile are placed in the Access Group or VLAN in the Network Access Configuration.

Endpoint Compliance Policies and Endpoint Compliance Configurations are created when a Device Onboarding SSID Mapping with a Supplicant Configuration is added on the Wireless Security View.

Device Onboarding — An Endpoint Compliance Policy and Endpoint Compliance Configuration are created for each unique SSID, Directory Group, Host Operating System and Supplicant Configuration combination.

Example:

Endpoint Compliance Policy =XAM BYOD EPC Policy: AlansGroup [Windows,macOS,iOS,Android,Windows Phone] Isolation XR4830 Open

Endpoint Compliance Configuration = XAM BYOD EPC Configuration: AlansGroup [Windows,macOS,iOS,Android,Windows Phone] Isolation XR4830 Open

• XAM BYOD indicates that the User/Host Profile was generated by Quick Start / Wireless Security for Device Onboarding (BYOD).
• Policy indicates that the record is an Endpoint Compliance Policy.
• Configuration indicates that the record is an Endpoint Compliance Configuration.
• AlansGroup is the name of the Directory Group where the user must be a member. A corresponding Host group is created and hosts are placed in that group as they are registered by the user.
• [Windows,macOS,iOS,Android, Windows Phone] is the list of operating systems selected in the SSID Mapping as a match for a connecting host.
• Isolation is the name of the User Group/VLAN where the connecting host will be placed.
• XR4830 Open is the name of the SSID and the name of the port group where the SSID has been placed.

The Endpoint Compliance Configuration is configured as follows:

• Name of the Access Group/VLAN where hosts should be placed when connected. The Access Group is the group selected in the SSID Mapping.
• Scan is set to the system scan "AgentNoScan" which does not scan for anything.
• Agents are set to "Latest Dissolvable" for Windows, macOS and Linux and "Latest Mobile" for Android. All other operating systems are set to "None-Bypass".

The Endpoint Compliance Policy is configured as follows:

• Endpoint Compliance Configuration created for the SSID Mapping.
• User/Host Profile created for the SSID Mapping.

A Supplicant EasyConnect Policy is created when a Device Onboarding SSID Mapping with a Supplicant Configuration is added on the Wireless Security View view.

Device Onboarding — A Supplicant EasyConnect Policy is created for each unique SSID, Directory Group, Host Operating System and Supplicant Configuration combination.

Example:

Supplicant EasyConnect Policy =XAM BYOD Supplicant Policy:AlansGroup [Windows,macOS,iOS,Android,Windows Phone] Isolation XR4830 Open

Endpoint Compliance Configuration = XAM BYOD EPC Configuration: AlansGroup [Windows,macOS,iOS,Android,Windows Phone] Isolation XR4830 Open

• XAM BYOD indicates that the Policy was generated by Quick Start / Wireless Security for Device Onboarding (BYOD).
• Supplicant Policy indicates that the record is a Supplicant EasyConnect Policy.
• Configuration indicates that the record is a Supplicant EasyConnect Configuration.
• AlansGroup is the name of the Directory Group where the user must be a member. A corresponding Host group is created and hosts are placed in that group as they are registered by the user.
• [Windows,macOS,iOS,Android, Windows Phone] is the list of operating systems selected in the SSID Mapping as a match for a connecting host.
• Isolation is the name of the User Group/VLAN where the connecting host will be placed.
• XR4830 Open is the name of the SSID and the name of the port group where the SSID has been placed.

The Supplicant EasyConnect Policy is configured as follows:

• Supplicant Configuration added to the SSID Mapping.
• User/Host Profile created for the SSID Mapping.
  

A Portal Policy is created if a portal other than the default portal is selected when adding an SSID Mapping on the Wireless Security View for either Guest Management or Device Onboarding.

Portal Policy — A Portal Policy is created for each unique SSID, Directory Group, Host Operating System and Portal combination.

Example:

Portal Policy = XAM Portal Policy: -AlansGroup- [Windows,macOS,iOS,Android,RIM,Windows Phone] XAM-Access XirrusXMSOpen

• XAM Portal Policy indicates that the policy was generated by Quick Start / Wireless Security to control the portal presented to the user when connecting to this SSID.
• AlansGroup is the name of the Directory Group where the user must be a member. A corresponding Host group is created and hosts are placed in that group as they are registered by the user.
• [Windows,macOS,iOS,Android,RIM,Windows Phone] is the list of operating systems selected in the SSID Mappings as a match for a connecting host.
• XAM-Access is the name of the User Group/VLAN where the connecting host will be placed.
• XirrusXMSOpen is the name of the SSID and the name of the port group where the SSID has been placed.