SNMP
Use the SNMP Properties view to select the SNMP protocol for devices that query FortiNAC for information. If SNMP is enabled, FortiNAC responds to SNMP communication from other devices, such as a Network Management system that might include the FortiNAC server in its own database.
Go to Settings > System Communication > SNMP.
This view is also used to set the SNMP protocol to accept SNMPv3 traps that register hosts and users.
Both types of communication pass through port 161. Settings here are global. Therefore, if you choose to use SNMPv3 traps sent from other network devices to register hosts and users, then ALL other devices that query FortiNAC for information must also communicate using SNMPv3. You must modify the configuration of those external devices to use SNMPv3.
The SNMP protocols that are supported are SNMPv1/SNMPv2c and SNMPv3. SNMPv3 uses DES or AES encryption for the Privacy Password.
Privacy protocols supported are:
- DES
- Triple-DES
- AES-128
SNMP MIBs used to communicate with FortiNAC are in: /bsc/campusMgr/ui/runTime/docs/mibs/
Settings
Field | Description
---|---
Enable SNMP Communication | If SNMP is enabled, FortiNAC responds to SNMP requests from other servers.
SNMP Protocol | Select the SNMP protocol FortiNAC will respond to: SNMPv1/SNMPv2c or SNMPv3.
SNMPv1/SNMPv2c |
Security String | Enter the security string that FortiNAC will respond to when communicating with the server.
SNMPv3 |
User Name | User Name for the SNMPv3 credentials.
Authentication Protocol | Specify the SNMPv3 authentication protocol. The available authentication protocols are:
Authentication | Specify the authentication password required by FortiNAC when SNMPv3-AuthPriv or SNMPv3-AuthNoPriv queries are received.
Privacy Protocols | Specify the SNMPv3 privacy protocol. The available privacy protocols are DES, Triple-DES and AES-128 (listed above).
Privacy Password | Specify the privacy password required by FortiNAC when SNMPv3-AuthPriv queries are received.
Management hosts |
IP addresses | List of IP addresses of the devices that have communicated with FortiNAC through SNMP.
Set up SNMP communication
- Click System > Settings.
- Expand the System Communication folder.
- Select SNMP from the tree.
- Click Enable and select an SNMP protocol.
- Enter the parameters as required for the selected protocol. See the table above for additional information.
- Click Save Settings.
Disable SNMP communication
- Click System > Settings.
- Expand the System Communication folder.
- Select SNMP from the tree.
- Click Disable.
- Click Save Settings.
Register hosts and users with SNMPv3 traps
FortiNAC can use data sent in SNMPv3 traps from external devices to register hosts and users. This speeds up the process of adding hosts and users to your FortiNAC database by taking advantage of information that is readily available from another system. In addition, based on trap parameters hosts and users can be modified or removed from the database.
FortiNAC requirements
- FortiNAC must have an integration suite license. See Licenses.
- The Trap Sender must be modeled in the Topology as a pingable device. See Add or modify a pingable device.
- You must enter SNMPv3 settings in System > Settings > System Communication > SNMP that match those of the device to which you are sending traps. Note that if you had previously entered SNMPv1/SNMPv2c settings for external devices querying FortiNAC for information, you must modify settings on those devices to use SNMPv3.
- If you are running FortiNAC in a FortiNAC Control Manager environment, the Trap Sender must be modeled on each FortiNAC Server or Control Server that should receive this information. Note that if you have enabled any of the Copy Registered Host options on the FortiNAC Control Manager it may not be necessary to receive traps on more than one managed server.
- When traps are received they can trigger the events listed below in the Event Log. These events can be mapped to Alarms. Make sure the events are enabled. See Event management. To map events to alarms see Add or modify alarm mapping.
Event | Definition
---|---
Add/Modify/Remove Host | Generated whenever a trap is received that adds, modifies or removes a host record in the database.
Add/Modify/Remove User | Generated whenever a trap is received that adds, modifies or removes a user record in the database.
Trap sender requirements
- Use the Management IP address (eth0) of the FortiNAC Server or Control Server as the destination for the trap.
- Send traps to port 161 on the FortiNAC Server or Control Server.
- If you are running FortiNAC in a high availability environment, send traps to both the primary and the secondary FortiNAC Servers or Control Servers.
- You must have snmptrap.exe and libsnmp.dll on the device sending the traps. Download the latest binaries for the appropriate operating system from www.net-snmp.org/download.html.
- Configure the traps on the sending device. See the tables below for information on trap parameters.
Hosts
- If a trap is received for an existing host, the host's database record is updated with information from the trap.
- When a trap is received for a host that matches a rogue in FortiNAC, the rogue is converted to a registered host if the trap contains user data. It is converted to a registered device if there is no associated user.
- If a user is deleted based on a trap, associated hosts are not deleted and they become registered devices. To delete these hosts either send an additional trap that removes the host or you must go to the Host View and delete them manually. See Delete a host.
- If the same host is added twice but with different MAC addresses for separate adapters, it is treated as two separate records in the FortiNAC database. The two adapters are not linked to each other in any way and are not considered siblings in FortiNAC.
- Values that contain spaces must be enclosed in quotation marks, for example "Windows Vista".
- Separators in MAC addresses must be colons, for example 90:21:55:EB:A3:87.
OID | Description | Definition
---|---|---
1.1.1.1 | Host Name | Name of the host.
1.1.1.2 | IP address | IP address of the host.
1.1.1.3 | MAC address | Physical Address of the host. Required.
1.1.1.4 | Host operating system | Name of the operating system on the host.
1.1.5 | Role | Role assigned to the host. Roles are attributes of hosts used as filters in user/host profiles.
1.1.6 | Action | Indicates whether this trap is adding or removing a host from the database. Adding an existing host will modify that host's record in the database. 1=Add 2=Remove
1.2.8 | Element | Indicates that this trap is registering either a host or a host and its corresponding user.
Example traps
To add a host record for the PC with a hostname of Gateway-notebook, an IP address of 160.87.100.117, a MAC address of 00:26:9E:E2:DD:DB, an OS of Windows, and a role of Guest:
snmptrap -v3 -u <user> -l authNoPriv -a MD5 -A <Passphrase> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.8 .1.3.6.1.4.1.16856.1.1.1.1 s Gateway-notebook .1.3.6.1.4.1.16856.1.1.1.4 s Windows .1.3.6.1.4.1.16856.1.1.1.2 s 160.87.100.117 .1.3.6.1.4.1.16856.1.1.1.3 s 00:26:9E:E2:DD:DB .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 1
To remove the host record for the PC with a hostname of Gateway-notebook, an IP address of 160.87.100.117, a MAC address of 00:26:9E:E2:DD:DB, an OS of Windows, and a role of Guest. Note that only the MAC address is required to remove a host.
snmptrap -v3 -u <user> -l authNoPriv -a MD5 -A <Passphrase> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.8 .1.3.6.1.4.1.16856.1.1.1.1 s Gateway-notebook .1.3.6.1.4.1.16856.1.1.1.4 s Windows .1.3.6.1.4.1.16856.1.1.1.2 s 160.87.100.117 .1.3.6.1.4.1.16856.1.1.1.3 s 00:26:9E:E2:DD:DB .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 2
Users
- If an LDAP directory is modeled in the Topology, FortiNAC checks the directory for information about the user included in the trap. If the user exists in the directory, additional fields are populated for that user in the FortiNAC database. If the user does not exist in the directory, a user record is created in FortiNAC with only the data received in the trap.
- If a trap is received for an existing user, the user's database record is updated with information from the trap.
- If a trap is received for an existing user and the trap contains host information, the host is registered to the user. If the host already has a rogue record, the rogue is converted to a registered host and associated with the user.
- If a user is deleted based on a trap, associated hosts are not deleted and they become registered devices. To delete these hosts you must go to the Host View and delete them manually. See Delete a host.
- When FortiNAC resynchronizes with the directory, user data may be overwritten by data from the directory depending on the directory attribute mappings.
- Values that contain spaces must be enclosed in quotation marks, for example "Mary Ann".
Trap parameters
OID | Description | Definition
---|---|---
1.1.2.1 | User Name | User Name stored in the directory. If the user is not in the directory, this record will still be added, modified or removed. Required.
1.1.2.2 | User First Name |
1.1.2.3 | User Last Name |
1.1.2.4 | User Title |
1.1.2.5 | User E-mail Address | User's e-mail address.
1.1.5 | Role | Role assigned to the User. If this trap is adding both a user and a host, both are set to the same role.
1.1.6 | Action | Indicates whether this trap is adding or removing a user from the database. Adding an existing user will modify that user's record in the database. 1=Add 2=Remove
1.2.9 | Element | Indicates that this trap is only registering a user.
Example traps
To add testuser to the database:
snmptrap -v3 -u <user> -l authNoPriv -a MD5 -A <Passphrase> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.9 .1.3.6.1.4.1.16856.1.1.2.1 s testuser .1.3.6.1.4.1.16856.1.1.2.2 s John .1.3.6.1.4.1.16856.1.1.2.3 s Doe .1.3.6.1.4.1.16856.1.1.2.4 s Mr .1.3.6.1.4.1.16856.1.1.2.5 s jdoe@megatech.com .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 1
To delete the user record for testuser from the database. Note that only the User Name is required to remove a user.
snmptrap -v3 -u <user> -l authNoPriv -a MD5 -A <Passphrase> 160.87.9.10:161 '' 1.3.6.1.4.1.16856.1.2.9 .1.3.6.1.4.1.16856.1.1.2.1 s testuser .1.3.6.1.4.1.16856.1.1.2.2 s John .1.3.6.1.4.1.16856.1.1.2.3 s Doe .1.3.6.1.4.1.16856.1.1.2.4 s Mr .1.3.6.1.4.1.16856.1.1.2.5 s jdoe@megatech.com .1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 2
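The host and user trap examples above are easy to get subtly wrong (a missing MAC address, dash-separated MACs, unquoted values with spaces, a wrong Action code). The following helper, added here as an illustration and not part of FortiNAC or net-snmp, assembles the snmptrap argument list for either trap type from the OID tables on this page and rejects input that breaks the stated rules; the target address, user name and passphrases are placeholders you supply.

```python
# Added example (not FortiNAC or net-snmp code): builds a validated snmptrap
# argv for the host (1.2.8) and user (1.2.9) traps described on this page.
# Rules enforced come from the tables above: MAC address required and
# colon-separated, User Name required, Action 1=Add / 2=Remove.
import re
import shlex

ENTERPRISE = "1.3.6.1.4.1.16856"
TRAP_OID = {"host": "1.2.8", "user": "1.2.9"}
FIELD_OID = {  # sub-OIDs under ENTERPRISE, keyed by the page's field names
    "host": {"Host Name": "1.1.1.1", "IP address": "1.1.1.2",
             "MAC address": "1.1.1.3", "Host operating system": "1.1.1.4",
             "Role": "1.1.5"},
    "user": {"User Name": "1.1.2.1", "User First Name": "1.1.2.2",
             "User Last Name": "1.1.2.3", "User Title": "1.1.2.4",
             "User E-mail": "1.1.2.5", "Role": "1.1.5"},
}
REQUIRED = {"host": "MAC address", "user": "User Name"}
ACTION_OID = "1.1.6"
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def build_trap(kind, fields, action, target, user, auth_pass,
               auth_proto="MD5", priv_proto="AES", priv_pass=None):
    """Return the snmptrap argv list; kind is 'host' or 'user'."""
    if kind not in TRAP_OID:
        raise ValueError("kind must be 'host' or 'user'")
    if action not in (1, 2):
        raise ValueError("Action must be 1 (Add) or 2 (Remove)")
    if not fields.get(REQUIRED[kind]):
        raise ValueError(f"{REQUIRED[kind]} is required")
    if kind == "host" and not MAC_RE.match(fields["MAC address"]):
        raise ValueError("MAC address separators must be colons")
    argv = ["snmptrap", "-v3", "-u", user, "-a", auth_proto, "-A", auth_pass]
    if priv_pass:  # authPriv: DES or AES privacy, as listed on this page
        argv += ["-l", "authPriv", "-x", priv_proto, "-X", priv_pass]
    else:
        argv += ["-l", "authNoPriv"]
    argv += [f"{target}:161", "", f"{ENTERPRISE}.{TRAP_OID[kind]}"]
    for name, value in fields.items():  # KeyError flags an unknown field
        argv += [f".{ENTERPRISE}.{FIELD_OID[kind][name]}", "s", value]
    argv += [f".{ENTERPRISE}.{ACTION_OID}", "integer", str(action)]
    return argv


def command_line(argv):
    """Shell-quoted form: values with spaces ("Windows Vista") get quoted."""
    return shlex.join(argv)
```

Passing the returned list to subprocess.run avoids shell quoting altogether; command_line() is for producing a copy-and-paste line like the ones above.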