Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Assigning roles

Roles can be assigned to users, hosts, network devices and ports. Each one of these entities has a role field on its corresponding Properties window. Assignment of roles is accomplished by setting the role field for the user, host, device or port either manually or using one of the options listed in the table.

When a user and a host have different roles, the user role is applied if the user logs into the host. In the case of a gaming device that the user does not log into, it has its own role that may or may not be the same as the user's.

In the event that multiple methods are used to set a role, the order of precedence is determined by the order of the roles on the Roles view. Starting from the top of the list, the first role match found is used. For example, assume you have assigned roles to hosts based on groups. Later you add the host to a new group, if that group is associated with a role that is ranked above the host's original role, the host's role will be changed.

Roles created on the FortiNAC server will be ranked above global roles created on the NCM. The rank of a local role can be adjusted above or below another local role, but cannot be ranked below a global role. The rank for a global role cannot be modified from the FortiNAC server.

In the event that multiple methods are used to assign a role to a host, a hierarchy determines which role to assign. Roles assigned through Portal pages (typically for gaming), have the lowest precedence and will be overwritten by a role determined by any other method. Roles assigned by directory attributes have the highest precedence and will overwrite a role that is assigned by any other method. Roles assigned by group membership have the middle level of precedence, overwriting roles assigned through Portal Pages, but being overwritten by roles assigned via directory attributes. Roles assigned via group membership will change when the host's group membership changes. When this occurs, the roles are ranked, with low-numbered ranks having the highest precedence.

Settings

Setting

Definition

User roles

User Roles Based On Groups

Users can be assigned roles by placing them in a group and then associating that group with a role on the Role View. See Add a role for additional information on adding roles. Once the group of users has been created and you have assigned them a role, you must associate that role with a device group or a port group and a corresponding VLAN or CLI configuration.

User groups can also be created based on groups in the directory. These groups are treated the same as groups created manually within FortiNAC. If a user is a member of more than one group the group that is found first when matching users to roles determines the role assigned to the user.

Note

When assigning Roles to users, the use of directory attributes over directory groups is recommended. Attribute data is retrieved directly from the directory as the user registers, while group information is retrieved from data cached on the FortiNAC server and could be out-dated.

User Roles Based On A Directory Field

Network users can be assigned a role based on a field in LDAP or Active Directory. For example, you might choose to have roles based on a field in the directory called Department. The data within the Department field would be the name of the role, such as, Accounting or Customer Service. In a university environment a user might have a role based on whether he is a Student or Faculty.

To assign roles based on a field in a directory you must indicate which field in the directory is to be used as a role. See to map the role field.

Users in the directory with matching data in this field constitute a group, even though the group is not shown anywhere. For example, users with Accounting in their department field are treated as an Accounting group for the purpose of assigning roles.

Next, you must create a Role with the exact same name as the data contained in the directory field. For example, if the user's role in the directory is Accounting, you must create a Role on the Role View that is named Accounting.

When a user registers, the role field in User Properties is set to match the data in that user's role field in the directory.

User Roles Based On Fields In Captive Portal

When registering a host through the Captive Portal, if the user fields on the portal page have a role set, that role is assigned to the user, such as during registration or authentication.

Individual User Roles

In some situations you may want to assign a role to a single user. First create the role on the Roles view. Then, navigate to the User Properties window and modify the Role field.

Host roles

Host Roles Inherited From Users

When registering a rogue to a user on the Host View, you have the option to use the user's role or to select a different role for the device. See Add or modify a host.

When registering a host through the Captive Portal, if the portal does not have a role set, the host inherits the role of the user.

If the users role changes, regardless of how it is changed, any host registered to that user that has the same role will be changed also.

Example:

John Doe is a student and has two registered hosts.

  • John Doe’s Role: Student
  • John Doe’s Host 1 Role: Student
  • John Doe’s Host 2 Role: Gaming

John Doe graduates and becomes faculty, so the University makes the change in AD and runs a directory sync. John's role is changed to Faculty.

  • John Doe’s Role: Faculty
  • John Doe’s Host 1 Role: Faculty
  • John Doe’s Host 2 Role: Gaming

Host 2 did not match John's original role of Student, so it is not changed.

Host Roles Assigned Through Captive Portal

When registering a host through the Captive Portal, if the portal page has a role set, that role is assigned to the host during registration. If the role field is blank, the host inherits the role of the user.

Host Roles Based On Groups

Hosts can be assigned roles by placing them in a group and then associating that group with a role on the Roles view. See Add a role for additional information on adding roles.

Host Roles Assigned Manually

This would typically be used to assign a role to hosts, such as a medical device that connects to the network.

To register rogues and set their role: Select one or more rogues on the Host View. Right-click on the selected records and choose Register as Device from the menu. On the registration pop-up you can select device type and role. See Register a host as a device.

To set roles for registered devices: Select one or more devices on the Host View. Right-click on the selected records and choose Set Host Role. Select the new role from the drop-down list in the pop-up window.

Host Roles Assigned By Device Profiler

This would typically be used to assign a role to hosts, such as a medical device that connects to the network. Devices that are hosts, such as, medical devices, gaming devices, or printers can be assigned a role and a device type based on device profiling rules.

If you are using the device profiler feature, you can create or use default rules that allow FortiNAC to determine the device type and assign the device to a role. When a new host device connects to the network it becomes a rogue because it is unknown. FortiNAC compares information received from the device with the device profiling rules in its database until it comes up with a match. Based on the parameters defined in the rule, the device is assigned a type and a role. See Device profiler and Rules.

The role assigned by device profiler takes precedence over any role associated with the vendor OUI.

Assigning roles

Roles can be assigned to users, hosts, network devices and ports. Each one of these entities has a role field on its corresponding Properties window. Assignment of roles is accomplished by setting the role field for the user, host, device or port either manually or using one of the options listed in the table.

When a user and a host have different roles, the user role is applied if the user logs into the host. In the case of a gaming device that the user does not log into, it has its own role that may or may not be the same as the user's.

In the event that multiple methods are used to set a role, the order of precedence is determined by the order of the roles on the Roles view. Starting from the top of the list, the first role match found is used. For example, assume you have assigned roles to hosts based on groups. Later you add the host to a new group, if that group is associated with a role that is ranked above the host's original role, the host's role will be changed.

Roles created on the FortiNAC server will be ranked above global roles created on the NCM. The rank of a local role can be adjusted above or below another local role, but cannot be ranked below a global role. The rank for a global role cannot be modified from the FortiNAC server.

In the event that multiple methods are used to assign a role to a host, a hierarchy determines which role to assign. Roles assigned through Portal pages (typically for gaming), have the lowest precedence and will be overwritten by a role determined by any other method. Roles assigned by directory attributes have the highest precedence and will overwrite a role that is assigned by any other method. Roles assigned by group membership have the middle level of precedence, overwriting roles assigned through Portal Pages, but being overwritten by roles assigned via directory attributes. Roles assigned via group membership will change when the host's group membership changes. When this occurs, the roles are ranked, with low-numbered ranks having the highest precedence.

Settings

Setting

Definition

User roles

User Roles Based On Groups

Users can be assigned roles by placing them in a group and then associating that group with a role on the Role View. See Add a role for additional information on adding roles. Once the group of users has been created and you have assigned them a role, you must associate that role with a device group or a port group and a corresponding VLAN or CLI configuration.

User groups can also be created based on groups in the directory. These groups are treated the same as groups created manually within FortiNAC. If a user is a member of more than one group the group that is found first when matching users to roles determines the role assigned to the user.

Note

When assigning Roles to users, the use of directory attributes over directory groups is recommended. Attribute data is retrieved directly from the directory as the user registers, while group information is retrieved from data cached on the FortiNAC server and could be out-dated.

User Roles Based On A Directory Field

Network users can be assigned a role based on a field in LDAP or Active Directory. For example, you might choose to have roles based on a field in the directory called Department. The data within the Department field would be the name of the role, such as, Accounting or Customer Service. In a university environment a user might have a role based on whether he is a Student or Faculty.

To assign roles based on a field in a directory you must indicate which field in the directory is to be used as a role. See to map the role field.

Users in the directory with matching data in this field constitute a group, even though the group is not shown anywhere. For example, users with Accounting in their department field are treated as an Accounting group for the purpose of assigning roles.

Next, you must create a Role with the exact same name as the data contained in the directory field. For example, if the user's role in the directory is Accounting, you must create a Role on the Role View that is named Accounting.

When a user registers, the role field in User Properties is set to match the data in that user's role field in the directory.

User Roles Based On Fields In Captive Portal

When registering a host through the Captive Portal, if the user fields on the portal page have a role set, that role is assigned to the user, such as during registration or authentication.

Individual User Roles

In some situations you may want to assign a role to a single user. First create the role on the Roles view. Then, navigate to the User Properties window and modify the Role field.

Host roles

Host Roles Inherited From Users

When registering a rogue to a user on the Host View, you have the option to use the user's role or to select a different role for the device. See Add or modify a host.

When registering a host through the Captive Portal, if the portal does not have a role set, the host inherits the role of the user.

If the users role changes, regardless of how it is changed, any host registered to that user that has the same role will be changed also.

Example:

John Doe is a student and has two registered hosts.

  • John Doe’s Role: Student
  • John Doe’s Host 1 Role: Student
  • John Doe’s Host 2 Role: Gaming

John Doe graduates and becomes faculty, so the University makes the change in AD and runs a directory sync. John's role is changed to Faculty.

  • John Doe’s Role: Faculty
  • John Doe’s Host 1 Role: Faculty
  • John Doe’s Host 2 Role: Gaming

Host 2 did not match John's original role of Student, so it is not changed.

Host Roles Assigned Through Captive Portal

When registering a host through the Captive Portal, if the portal page has a role set, that role is assigned to the host during registration. If the role field is blank, the host inherits the role of the user.

Host Roles Based On Groups

Hosts can be assigned roles by placing them in a group and then associating that group with a role on the Roles view. See Add a role for additional information on adding roles.

Host Roles Assigned Manually

This would typically be used to assign a role to hosts, such as a medical device that connects to the network.

To register rogues and set their role: Select one or more rogues on the Host View. Right-click on the selected records and choose Register as Device from the menu. On the registration pop-up you can select device type and role. See Register a host as a device.

To set roles for registered devices: Select one or more devices on the Host View. Right-click on the selected records and choose Set Host Role. Select the new role from the drop-down list in the pop-up window.

Host Roles Assigned By Device Profiler

This would typically be used to assign a role to hosts, such as a medical device that connects to the network. Devices that are hosts, such as, medical devices, gaming devices, or printers can be assigned a role and a device type based on device profiling rules.

If you are using the device profiler feature, you can create or use default rules that allow FortiNAC to determine the device type and assign the device to a role. When a new host device connects to the network it becomes a rogue because it is unknown. FortiNAC compares information received from the device with the device profiling rules in its database until it comes up with a match. Based on the parameters defined in the rule, the device is assigned a type and a role. See Device profiler and Rules.

The role assigned by device profiler takes precedence over any role associated with the vendor OUI.