Fortinet black logo

Administration Guide

Auto-configured data

Copy Link
Copy Doc ID 2cb222d1-3405-11ea-9384-00505692583a:790379
Download PDF

Auto-configured data

To simplify the configuration process for the Wireless Security feature some required pieces of data are generated automatically. For example, if you configure an SSID for guest access, the underlying user/host profile and network access policy are created for you.

Data Type

Data

Notes

Containers

Container Names:

Wireless Controllers

Wireless APs

Containers are used within FortiNAC to group devices together. As wireless devices are added using either Discovery or by entering them manually on the Network Devices View they are also added to Topology.

Port Groups

Group Names:

Name of the Open or Secure SSID

Groups are used to gather like items that require similar treatment. The groups created here are port groups and are used to map network access policies for the Secure and Open SSIDs.

When you configure an SSID a port group is created based on the name of the SSID. Each SSID is placed in a separate port group. For example if you add a SSID with the name MegaTech Secure, then a port group with the same name is automatically created and contains the MegaTech Secure SSID.

Host Groups

Group Names:

Name of the group from the directory

Directory groups are used to group users and their corresponding hosts. Group membership is used in User/Host profiles to determine which network access, endpoint compliance, or Supplicant Policies to apply.

Model
Configuration

Model Configuration:

Name of the device

When a device that provides network services is added to FortiNAC a model of that device's configuration is stored in the database. This model includes information such as CLI User Names, Passwords, communication protocol, RADIUS server information and Isolation and Production VLANs.

For devices configured through Wireless Security, the following settings are entered:

  • RADIUS = Use Defaults
  • Network Access = Deny for Dead End, Registration and Quarantine. Authentication is set to Bypass.

SSID
Configuration

SSID Configuration:

Name of the SSID

Individual SSIDs can be configured separately instead of inheriting settings from the device's Model Configuration, such as settings for default Isolation and Production VLANS.

Use Network Devices View to select a device and access the SSID Configuration.

For devices configured through Wireless Security, the following settings are entered for all SSIDs regardless of whether they are open or secure:

  • RADIUS: primary and secondary RADIUS servers are selected if they were selected in the SSID Mappings.
  • Network Access = Enforce and the Isolation VLAN are set for Dead End, Registration and Quarantine. Authentication is set to Bypass and None for Network Access.

Polling

L2 and L3 Polling settings

Wireless devices are automatically added to the L2 and L3 Polling groups and polling is enabled for the device. The polling interval for L2 is every 10 minutes and L3 is set to every 30 minutes.

Use Network Devices View, L2 Polling View or L3 Polling View to modify polling information.

Roles

Role Names:

Name of guest template associated with guest.

Roles are added as attributes to users or hosts. Role mapping is accomplished by creating a user/host profile configured with the SSID port group as the connection location and the Who/What by Attribute field set to one of these role names.

A network access policy maps this user/host profile to a network access configuration containing the User Group/VLAN where the host will be placed.

  • A role is created for each guest template.
  • User/host profile contains an SSID port group (Where) and a Role name matching a guest template (Who/What by Attribute).
  • There is a separate user/host profile for each guest template and SSID port group combination.

User/Host Profile

User/host profiles are created when a new SSID Mapping is added on the Network Devices view.

Guest Management SSID Mappings: A User/Host profile is created for each SSID and guest template combination. Names of these User/Host profiles are based on the SSID name and the combination of data contained within the profile.

Network Access Configuration

Network Access Policy

Network access configurations and network access policies are created when a new SSID Mapping is added using Wireless Security.

Guest Management SSID Mappings: A network access configuration and network access policy are created for each SSID and guest template combination. Names are based on the SSID name and the combination of data the items contain.

Endpoint
Compliance
Configuration

Endpoint
Compliance
Policy

Endpoint compliance policies and endpoint compliance configurations are created when a device onboarding SSID Mapping with a supplicant configuration is added on the Wireless Security View.

Device Onboarding: An endpoint compliance policy and endpoint compliance configuration are created for each unique SSID, directory group, host operating system, and supplicant configuration combination.

Supplicant EasyConnect Policy

A Supplicant EasyConnect Policy is created when a Device Onboarding SSID Mapping with a supplicant configuration is added on the Wireless Security View view.

Device Onboarding: A Supplicant EasyConnect Policy is created for each unique SSID, directory group, host operating system, and supplicant configuration combination.

Portal Policy

A Portal Policy is created if a portal other than the default portal is selected when adding an SSID Mapping on the Wireless Security View for either Guest Management or Device Onboarding.

Portal Policy: A Portal Policy is created for each unique SSID, directory group, host operating system and Portal combination.

Quarantine VLAN Switching

Enable

If a guest template or administrator profile limits network access by time, quarantine VLAN switching must be enabled. This allows FortiNAC to mark Guests and administrators as "At Risk" for the GuestNoAccess admin scan during the times they are not allowed to access the network. If Login Availability is set to Always for Guests and Administrators, the quarantine VLAN switching option is not enabled.

Access this setting under System > Settings > Control.

Auto-configured data

To simplify the configuration process for the Wireless Security feature some required pieces of data are generated automatically. For example, if you configure an SSID for guest access, the underlying user/host profile and network access policy are created for you.

Data Type

Data

Notes

Containers

Container Names:

Wireless Controllers

Wireless APs

Containers are used within FortiNAC to group devices together. As wireless devices are added using either Discovery or by entering them manually on the Network Devices View they are also added to Topology.

Port Groups

Group Names:

Name of the Open or Secure SSID

Groups are used to gather like items that require similar treatment. The groups created here are port groups and are used to map network access policies for the Secure and Open SSIDs.

When you configure an SSID a port group is created based on the name of the SSID. Each SSID is placed in a separate port group. For example if you add a SSID with the name MegaTech Secure, then a port group with the same name is automatically created and contains the MegaTech Secure SSID.

Host Groups

Group Names:

Name of the group from the directory

Directory groups are used to group users and their corresponding hosts. Group membership is used in User/Host profiles to determine which network access, endpoint compliance, or Supplicant Policies to apply.

Model
Configuration

Model Configuration:

Name of the device

When a device that provides network services is added to FortiNAC a model of that device's configuration is stored in the database. This model includes information such as CLI User Names, Passwords, communication protocol, RADIUS server information and Isolation and Production VLANs.

For devices configured through Wireless Security, the following settings are entered:

  • RADIUS = Use Defaults
  • Network Access = Deny for Dead End, Registration and Quarantine. Authentication is set to Bypass.

SSID
Configuration

SSID Configuration:

Name of the SSID

Individual SSIDs can be configured separately instead of inheriting settings from the device's Model Configuration, such as settings for default Isolation and Production VLANS.

Use Network Devices View to select a device and access the SSID Configuration.

For devices configured through Wireless Security, the following settings are entered for all SSIDs regardless of whether they are open or secure:

  • RADIUS: primary and secondary RADIUS servers are selected if they were selected in the SSID Mappings.
  • Network Access = Enforce and the Isolation VLAN are set for Dead End, Registration and Quarantine. Authentication is set to Bypass and None for Network Access.

Polling

L2 and L3 Polling settings

Wireless devices are automatically added to the L2 and L3 Polling groups and polling is enabled for the device. The polling interval for L2 is every 10 minutes and L3 is set to every 30 minutes.

Use Network Devices View, L2 Polling View or L3 Polling View to modify polling information.

Roles

Role Names:

Name of guest template associated with guest.

Roles are added as attributes to users or hosts. Role mapping is accomplished by creating a user/host profile configured with the SSID port group as the connection location and the Who/What by Attribute field set to one of these role names.

A network access policy maps this user/host profile to a network access configuration containing the User Group/VLAN where the host will be placed.

  • A role is created for each guest template.
  • User/host profile contains an SSID port group (Where) and a Role name matching a guest template (Who/What by Attribute).
  • There is a separate user/host profile for each guest template and SSID port group combination.

User/Host Profile

User/host profiles are created when a new SSID Mapping is added on the Network Devices view.

Guest Management SSID Mappings: A User/Host profile is created for each SSID and guest template combination. Names of these User/Host profiles are based on the SSID name and the combination of data contained within the profile.

Network Access Configuration

Network Access Policy

Network access configurations and network access policies are created when a new SSID Mapping is added using Wireless Security.

Guest Management SSID Mappings: A network access configuration and network access policy are created for each SSID and guest template combination. Names are based on the SSID name and the combination of data the items contain.

Endpoint
Compliance
Configuration

Endpoint
Compliance
Policy

Endpoint compliance policies and endpoint compliance configurations are created when a device onboarding SSID Mapping with a supplicant configuration is added on the Wireless Security View.

Device Onboarding: An endpoint compliance policy and endpoint compliance configuration are created for each unique SSID, directory group, host operating system, and supplicant configuration combination.

Supplicant EasyConnect Policy

A Supplicant EasyConnect Policy is created when a Device Onboarding SSID Mapping with a supplicant configuration is added on the Wireless Security View view.

Device Onboarding: A Supplicant EasyConnect Policy is created for each unique SSID, directory group, host operating system, and supplicant configuration combination.

Portal Policy

A Portal Policy is created if a portal other than the default portal is selected when adding an SSID Mapping on the Wireless Security View for either Guest Management or Device Onboarding.

Portal Policy: A Portal Policy is created for each unique SSID, directory group, host operating system and Portal combination.

Quarantine VLAN Switching

Enable

If a guest template or administrator profile limits network access by time, quarantine VLAN switching must be enabled. This allows FortiNAC to mark Guests and administrators as "At Risk" for the GuestNoAccess admin scan during the times they are not allowed to access the network. If Login Availability is set to Always for Guests and Administrators, the quarantine VLAN switching option is not enabled.

Access this setting under System > Settings > Control.