Fortinet Document Library

Administration Guide


Apply a CLI configuration using a role

CLI configurations applied based on a role are typically port-based, not host-based. Using host-based CLI configurations with roles is not recommended.

Network device roles allow you to control network access based on combinations of devices and connection locations. Each role that is created can be applied to individual devices.

Devices that require network services can only have one role. Switches or ports to which devices connect for network access can be mapped to more than one role. The role mapping provides the switches and ports with rules when something with a matching role connects.

To provide more flexible control using roles you can apply a CLI configuration instead of just switching VLANs.

Refer to Assigning roles to set roles for hosts, network devices and ports. Then refer to for step-by-step instructions.

Role assignments

Roles can be assigned to users, hosts, network devices and ports. Each one of these entities has a role field on its corresponding Properties window. Assignment of roles is accomplished by setting the role field for the user, host, device or port either manually or using one of the options listed in the table.

Note

When a user and a host have different roles, the user role is applied if the user logs into the host. In the case of a gaming device that the user does not log into, it has its own role that may or may not be the same as the user's.

In the event that multiple methods are used to set a role, the order of precedence is determined by the order of the roles on the Roles view. Starting from the top of the list, the first role match found is used. For example, assume you have assigned roles to hosts based on groups. If you later add the host to a new group, and that group is associated with a role that is ranked above the host's original role, the host's role will be changed.

In the event that multiple methods are used to assign a role to a host, a hierarchy determines which role to assign. Roles assigned through Portal pages (typically for gaming) have the lowest precedence and will be overwritten by a role determined by any other method. Roles assigned by directory attributes have the highest precedence and will overwrite a role that is assigned by any other method. Roles assigned by group membership have the middle level of precedence, overwriting roles assigned through Portal pages but being overwritten by roles assigned via directory attributes. Roles assigned via group membership will change when the host's group membership changes. When this occurs, the roles are ranked, with low-numbered ranks having the highest precedence.

Roles

Definition

User roles

User Roles Based On Groups

Users can be assigned roles by placing them in a group and then associating that group with a role on the Role View. See Add a role for additional information on adding roles. Once the group of users has been created and you have assigned them a role, you must associate that role with a device group or a port group and a corresponding VLAN or CLI configuration.

User groups can also be created based on groups in the directory. These groups are treated the same as groups created manually within FortiNAC. If a user is a member of more than one group, the group that is found first when matching users to roles determines the role assigned to the user.

Note

When assigning Roles to users, the use of directory attributes over directory groups is recommended. Attribute data is retrieved directly from the directory as the user registers, while group information is retrieved from data cached on the FortiNAC server and could be outdated.

User Roles Based On A Directory Field

Network users can be assigned a role based on a field in LDAP or Active Directory. For example, you might choose to have roles based on a field in the directory called Department. The data within the Department field would be the name of the role, such as Accounting or Customer Service. In a university environment a user might have a role based on whether they are a Student or Faculty.

To assign roles based on a field in a directory you must indicate which field in the directory is to be used as a role. See to map the role field.

Users in the directory with matching data in this field constitute a group, even though the group is not shown anywhere. For example, users with Accounting in their department field are treated as an Accounting group for the purpose of assigning roles.

Next, you must create a Role with the exact same name as the data contained in the directory field. For example, if the user's role in the directory is Accounting, you must create a Role on the Role View that is named Accounting.

When a user registers, the role field in User Properties is set to match the data in that user's role field in the directory.

User Roles Based On Fields In Captive Portal

When registering a host through the Captive Portal, if the user fields on the portal page have a role set, that role is assigned to the user, for example during registration or authentication.

Individual User Roles

In some situations you may want to assign a role to a single user. First create the role on the Roles view. Then, navigate to the User Properties window and modify the Role field.

Host roles

Host Roles Inherited From Users

When registering a rogue to a user on the Host View, you have the option to use the user's role or to select a different role for the device. See Add or modify a host.

When registering a host through the Captive Portal, if the portal does not have a role set, the host inherits the role of the user.

If the user's role changes, regardless of how it is changed, any host registered to that user that has the same role will be changed also.

Example:

John Doe is a student and has two registered hosts.

John Doe’s Role: Student

John Doe’s Host 1 Role: Student

John Doe’s Host 2 Role: Gaming

John Doe graduates and becomes faculty, so the University makes the change in AD and runs a directory sync. John's role is changed to Faculty.

John Doe’s Role: Faculty

John Doe’s Host 1 Role: Faculty

John Doe’s Host 2 Role: Gaming

Host 2 did not match John's original role of Student, so it is not changed.
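The precedence rules described under Role assignments and the John Doe host-inheritance example above, modelled as an added Python example. This is illustrative code written for this page, not FortiNAC's own implementation; the data classes, resolve_role and set_user_role are assumptions made here, and a candidate role that has no matching entry on the Roles view is treated as not applying.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assignment-method precedence per the page: directory attribute beats group
# membership, which beats a role set on a Portal page. Lower number wins.
METHOD_PRECEDENCE = {"directory": 0, "group": 1, "portal": 2}


@dataclass
class RoleCandidate:
    role: str
    method: str  # "directory", "group" or "portal"


@dataclass
class Host:
    name: str
    role: str


@dataclass
class User:
    name: str
    role: Optional[str] = None
    hosts: List[Host] = field(default_factory=list)


def resolve_role(candidates: List[RoleCandidate], roles_view_order: List[str]) -> Optional[str]:
    """Pick the effective role from several candidate assignments.
    Method precedence is applied first; among candidates of equal precedence
    (e.g. membership in several groups) the role listed highest on the Roles
    view wins, modelling 'the first match from the top of the list'.
    Candidates whose role name does not exist on the Roles view are ignored
    (assumption: the page says the Role must be created with that exact name)."""
    ranked = [c for c in candidates if c.role in roles_view_order]
    if not ranked:
        return None
    best = min(ranked, key=lambda c: (METHOD_PRECEDENCE[c.method],
                                      roles_view_order.index(c.role)))
    return best.role


def set_user_role(user: User, new_role: str) -> List[str]:
    """Change a user's role and propagate it to hosts that shared the old role.
    Hosts with a different role (e.g. a gaming device) keep theirs.
    Returns the names of the hosts that were changed."""
    old_role = user.role
    user.role = new_role
    changed = []
    for host in user.hosts:
        if host.role == old_role:
            host.role = new_role
            changed.append(host.name)
    return changed


def john_doe_example():
    """Constructed data reproducing the page's example."""
    john = User("John Doe", role="Student",
                hosts=[Host("Host 1", "Student"), Host("Host 2", "Gaming")])
    changed = set_user_role(john, "Faculty")  # AD change + directory sync
    return john.role, {h.name: h.role for h in john.hosts}, changed
```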

Host Roles Assigned Through Captive Portal

When registering a host through the Captive Portal, if the portal page has a role set, that role is assigned to the host during registration. If the role field is blank, the host inherits the role of the user.

Host Roles Based On Groups

Hosts can be assigned roles by placing them in a group and then associating that group with a role on the Roles view. See Add a role for additional information on adding roles.

Host Roles Assigned Manually

This would typically be used to assign a role to hosts, such as a medical device that connects to the network.

To register rogues and set their role:

  1. Select one or more rogues on the Host View.
  2. Right-click on the selected records and choose Register as Device from the menu.
  3. On the registration pop-up, select device type and role. See Register a host as a device.

To set roles for registered devices:

  1. Select one or more devices on the Host View.
  2. Right-click on the selected records and choose Set Host Role.
  3. Select the new role from the drop-down list in the pop-up window.

Host Roles Assigned By Device Profiler

This would typically be used to assign a role to hosts, such as a medical device that connects to the network. Devices that are hosts, such as medical devices, gaming devices, or printers, can be assigned a role and a device type based on device profiling rules.

If you are using the device profiler feature, you can create or use default rules that allow FortiNAC to determine the device type and assign the device to a role. When a new host device connects to the network it becomes a rogue because it is unknown. FortiNAC compares information received from the device with the device profiling rules in its database until it comes up with a match. Based on the parameters defined in the rule, the device is assigned a type and a role. See Device profiler and Rules.

The role assigned by device profiler takes precedence over any role associated with the vendor OUI.

Configure a role with CLI

  1. Select Policy > Roles.
  2. Click Add.
  3. In the Name field, enter a name for the new role.
  4. Click Select next to the Groups field. Choose one or more groups by clicking on the names in the All Groups column and clicking the right arrow to move them to the Selected Groups column. Click OK to continue.
  5. Click in the Note field to add any user-defined information needed for this role.
  6. Click OK to save the role.
  7. Click on Network Device Roles in the menu on the left to create a mapping for this role.
  8. Click Add at the bottom of the screen.
  9. Click the Role check box to enable the role drop-down. If this is not enabled, this mapping can apply to any device that matches the other criteria in the mapping, such as Location. The word Any displays in the Role column on the network device roles view if this box is unchecked.
  10. Select the role you created earlier from the drop-down list.
  11. To apply a CLI configuration, click the CLI check box to enable it and select the CLI configuration from the drop-down list.
  12. If applicable, in the Access Value field type the network access identifier for this mapping, such as a VLAN ID, VLAN name, or Aruba role; for a VPN concentrator, enter a group policy name.
  13. Click Select next to the Location field. Choose one or more device or port groups by clicking on the names in the All Groups column and clicking the right arrow to move them to the Selected Groups column. Click OK to continue.
  14. Click in the Note field to add any user-defined information needed for this mapping.
  15. Click OK to save the mapping.