Administration Guide

Control access based on device types

Depending on the demands of your organization, you may need to limit device access to the network by time of day or by the type of device. You may also need to alter device parameters, such as the baud rate or the configuration of traps, based on the type of device and where it is connecting.

Disable devices with scheduled tasks

To disable ports or adapters based on time of day, use the Scheduler to create Scheduled Tasks that act on groups of ports or devices. The Scheduler associates tasks with groups. Therefore, either the affected ports must be placed in a port group or the affected devices must be placed in a host group. Only those devices that have been registered and configured to display in the Host View can be included in a host group. Since disabling a port blocks all network access through that port, it is recommended that you disable the adapters of the devices that should be denied access to the network rather than the ports themselves. For additional information, see Add groups and Add a task.

Modify device settings

FortiNAC has the ability to store and use sets of CLI commands called CLI configurations. These command sets can be very powerful when managing devices and have several implementation options. CLI configurations can be implemented:

  • By using the Scheduler to complete a task, such as setting up Link up/Link down traps on a series of switches.
  • By the role assigned to the device and the port on which it connects. For example, you could alter the baud rate of a medical device when it connects to the network.
  • Through the model configuration of the switch to control VLANs or to implement ACLs that control connecting devices.

See CLI configuration for additional information.

Role-based access

Every device in FortiNAC is assigned the role NAC Default as it registers. Additional roles can be created and assigned to devices that require network services, such as printers. Only those devices that have been registered and configured to be managed in Topology can use role-based access. Ports or switches must be placed in Port or Device groups. For example, if you have a role called Accounting, you can map that role to a set of devices (role X). Then indicate that when a device with role X connects to the network through a switch or port in group Y, that device can only access VLAN 10. See Role management for detailed instructions.
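The following is an added example, not FortiNAC code or configuration: a small Python model of the role-based access decision described above, with a constructed Accounting role, port group Y and VLAN 10. The `Device`, `RoleMapping` and `resolve_vlan` names, the MAC addresses and the fallback VLAN 999 are all assumptions chosen for illustration; they show that unregistered devices, devices not managed in Topology and devices with the default role never receive the role VLAN.

```python
from dataclasses import dataclass

DEFAULT_ROLE = "NAC Default"   # role every device receives as it registers

@dataclass
class Device:
    mac: str                   # constructed identifier
    registered: bool
    managed_in_topology: bool  # required before role-based access applies
    role: str = DEFAULT_ROLE

@dataclass(frozen=True)
class RoleMapping:
    role: str        # device role, e.g. "Accounting"
    port_group: str  # group the connecting switch or port belongs to
    vlan: int        # VLAN the device is restricted to when both match

def resolve_vlan(device, port_groups, mappings, fallback_vlan):
    """Pick the VLAN for a device connecting on a port that is in `port_groups`.

    Devices that are not registered or not managed in Topology cannot use
    role-based access, so they are sent to `fallback_vlan` (an isolation or
    registration VLAN chosen by the operator). Otherwise the first mapping
    whose role matches the device and whose port group contains the port wins;
    a device whose role has no mapping for this port also gets the fallback.
    """
    if not (device.registered and device.managed_in_topology):
        return fallback_vlan
    for m in mappings:
        if m.role == device.role and m.port_group in port_groups:
            return m.vlan
    return fallback_vlan

# Constructed sample policy: Accounting devices on group-Y ports -> VLAN 10.
MAPPINGS = [RoleMapping("Accounting", "Y", 10)]
ISOLATION_VLAN = 999  # constructed fallback VLAN

ACCT_PRINTER = Device("00:11:22:33:44:55", True, True, "Accounting")
UNREGISTERED = Device("00:11:22:33:44:66", False, False, "Accounting")
DEFAULT_DEV = Device("00:11:22:33:44:77", True, True)

if __name__ == "__main__":
    print(resolve_vlan(ACCT_PRINTER, {"Y"}, MAPPINGS, ISOLATION_VLAN))  # 10
    print(resolve_vlan(ACCT_PRINTER, {"Z"}, MAPPINGS, ISOLATION_VLAN))  # 999
    print(resolve_vlan(UNREGISTERED, {"Y"}, MAPPINGS, ISOLATION_VLAN))  # 999
    print(resolve_vlan(DEFAULT_DEV, {"Y"}, MAPPINGS, ISOLATION_VLAN))   # 999
```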