Fortinet Document Library

Administration Guide

Configuration

  1. Determine which device(s) will be used to support a specific role.
  2. Configure the device(s) with the VLAN or Interface ID information for the role.
  3. Create a device group and add the device(s) for each set of devices that will be used for roles. For example, you might have a group of devices that provide network access in Building A. That group of devices will provide different types of access than the devices in Building B, so you would create two separate device groups. See Groups view for information on groups.
  4. If only some ports on a device or devices will be used for role management, you can place just the required ports in a Port group specifically for roles. First, determine which ports will participate in role management and place those ports in the Role Based Access Group. Ports that are not in this group cannot apply roles. Once ports are in the Role Based Access Group, place them in groups that will be associated with roles. See Groups view for information on groups.

    Note

    Ports that are assigned roles are typically included in the Role Based Access Group. If a port is assigned a role but is not included in the Role Based Access Group, devices connecting to that port are placed in the default VLAN entered on model configuration for that device. They are not placed on the VLAN defined for the role. However, if the role is used as a filter for any policy, that policy is still used.

  5. Create a list of Roles. See Roles view.
  6. Determine which hosts or users will be identified by the role.
  7. Associate the hosts or users with the role. See Assigning roles.

    Note

    Use only one method to associate a host or a user with a role. If more than one method is used, the role is assigned based on the ranking of roles and the first piece of data that matches.

    Note

    Roles are only applied to hosts that are registered.

  8. Once roles have been created, configure network device roles. Network device roles indicate the actions to be taken when a device in that role connects to a group of devices or ports. There can be multiple mappings for a single role. For example, Role A can have a mapping for Port/Device Group A and a different mapping for Port/Device Group B. Select the Device or Port group and enter the network access IDs. See Network device roles.
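
The steps and notes above describe a decision: a connecting host gets the network access ID from its role's mapping for the port's group, but only if the host is registered and the port is in the Role Based Access Group; otherwise it lands in the device's default VLAN. The following Python model, added here as an illustration and not FortiNAC code or its API, walks that decision with a constructed sample configuration (two role mappings per role, one port outside the Role Based Access Group, one unregistered host). The class names, the rank-number convention (lower number wins), and the fallback to the default VLAN when a role has no mapping for the port's groups are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Illustrative model of the role -> network-access decision described on this page.
# Written for this page; it is NOT FortiNAC code and does not use its API.
# All class names, fields and sample data below are constructed assumptions.


@dataclass
class Role:
    name: str
    rank: int                                   # lower number = higher ranking (assumption)
    mappings: Dict[str, str] = field(default_factory=dict)  # port/device group -> network access ID


@dataclass
class Port:
    name: str
    default_vlan: str                           # default VLAN from the device's model configuration
    in_rba_group: bool                          # member of the Role Based Access Group
    groups: List[str] = field(default_factory=list)  # role-associated port/device groups, in order


@dataclass
class Host:
    mac: str
    registered: bool
    candidate_roles: List[str] = field(default_factory=list)  # roles matched by any method, in match order


def effective_role(host: Host, roles: Dict[str, Role]) -> Optional[Role]:
    """Roles apply only to registered hosts. If several candidate roles match,
    the best-ranked role wins; ties go to the first matching piece of data."""
    if not host.registered:
        return None
    best: Optional[Role] = None
    for name in host.candidate_roles:           # list order = order the data matched
        role = roles.get(name)
        if role is not None and (best is None or role.rank < best.rank):
            best = role
    return best


def network_access(host: Host, port: Port, roles: Dict[str, Role]) -> Tuple[str, str]:
    """Return (network access ID, reason) for a host connecting on a port."""
    role = effective_role(host, roles)
    if role is None:
        return port.default_vlan, "no role (host unregistered or no matching role)"
    if not port.in_rba_group:
        # The role stays assigned (and still works as a policy filter), but the
        # port cannot apply it, so the device's default VLAN is used.
        return port.default_vlan, f"role {role.name!r} assigned but port not in Role Based Access Group"
    for group in port.groups:
        if group in role.mappings:
            return role.mappings[group], f"role {role.name!r} mapping for group {group!r}"
    # Assumption: a role with no mapping for any of the port's groups falls back to the default VLAN.
    return port.default_vlan, f"role {role.name!r} has no mapping for port groups {port.groups}"


# --- constructed sample configuration (Building A / Building B as in step 3) ---
ROLES = {
    "Staff": Role("Staff", rank=1, mappings={"BuildingA-Ports": "10", "BuildingB-Ports": "20"}),
    "Guest": Role("Guest", rank=5, mappings={"BuildingA-Ports": "99"}),
}
PORT_A = Port("sw-a/1", default_vlan="1", in_rba_group=True, groups=["BuildingA-Ports"])
PORT_B = Port("sw-b/1", default_vlan="1", in_rba_group=True, groups=["BuildingB-Ports"])
PORT_NO_RBA = Port("sw-c/1", default_vlan="1", in_rba_group=False, groups=["BuildingA-Ports"])

if __name__ == "__main__":
    staff = Host("00:11:22:33:44:55", registered=True, candidate_roles=["Guest", "Staff"])
    guest = Host("66:77:88:99:aa:bb", registered=True, candidate_roles=["Guest"])
    unknown = Host("cc:dd:ee:ff:00:11", registered=False, candidate_roles=["Staff"])
    for h, p in [(staff, PORT_A), (staff, PORT_B), (guest, PORT_B), (unknown, PORT_A), (staff, PORT_NO_RBA)]:
        vlan, why = network_access(h, p, ROLES)
        print(f"{h.mac} on {p.name}: VLAN {vlan}  ({why})")
```

Running the script shows the cases the notes call out: the staff host lands on VLAN 10 in Building A and VLAN 20 in Building B from the same role, the unregistered host and the host on the port outside the Role Based Access Group both fall to the device default VLAN, and a role with no mapping for the port's group does the same under the stated assumption.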
