Fortinet Document Library

Administration Guide

Process

As new, unknown devices connect to the network, device profiler categorizes them and places the devices within FortiNAC based on its device profiling rules. The process is as follows:

  1. A device or host connects to the network.
  2. FortiNAC learns that something has connected.
  3. The Device Identity feature checks for a MAC address. If the MAC address is available, Device Identity compares it to known MAC addresses.
  4. If the MAC address is unknown, the device is placed in the host database as a rogue, together with any additional information that is available, such as its IP address or operating system. Device profiler waits up to 30 minutes for the MAC address to resolve to an IP address, which leaves time for the normal IP-to-MAC polling cycle to run.
  5. Once the device has an IP address, device profiler compares the available device information against its device profiling rules. It starts with the rule ranked number one and works down the list in rank order, stopping at the first rule whose criteria or matching methods the device satisfies; rules ranked below the match are never evaluated, so rank order decides the outcome when more than one rule could match. Disabled rules are skipped.
  6. A match is determined by the combination of the device type selected on the General Tab of the rule and one or more methods selected on the Methods Tab: the method identifies the device, and the result must correspond to the rule's device type. For example, if the device type selected is Mobile Device and the method selected is DHCP fingerprinting, a hand-held device running Windows CE matches the rule: DHCP fingerprinting determines that the device is running Windows CE, an operating system that corresponds to a Mobile Device.

    If instead the device type selected is Gaming Device and the method selected is DHCP fingerprinting, the same Windows CE hand-held does not match, because Gaming Devices do not use Windows CE.

    Identification methods based on fingerprinting use the FortiNAC fingerprint database, which cannot be modified by the user.

    The exception to this pairing of method result and device type is the vendor OUI method. It ignores the device type selected on the General Tab and matches on the information configured within the method itself: OUI, vendor name, vendor alias, or device type. Multiple entries are allowed, and the device only has to match one of them for the rule to match.

  7. If Notify Sponsor is enabled, an email is sent by the FortiNAC server or Control server to all Device managers who have permission for devices associated with this rule. Permissions are based on the configuration of the administrator profile attached to the administrator. The email indicates that a new device has been processed.
  8. The device is assigned the device type contained within the rule, unless the matching rule is the Catch All rule, which has no type. The type assigned by device profiler takes precedence over any type associated with the device's vendor OUI in the FortiNAC database. See Vendor OUIs.
  9. The device is assigned the role contained within the rule. If no role is selected, the device is assigned the NAC Default role. The role assigned by device profiler takes precedence over any role associated with the device's vendor OUI in the FortiNAC database. See Vendor OUIs.
  10. Devices can be registered automatically or manually. If the rule is set to register manually, you must go to the Profiled Devices window to register the device.
  11. If Register As is enabled in the matching rule, the device can be placed in the Host View, or the Topology, or both.
  12. If you choose Host View, the device can be added to a specific group as it is added to the Host View.
  13. If you choose Topology, the device is added to a user-specified container.
  14. If the Access Availability option has been set to Specify Time, network access for devices placed in the Host View is limited to the configured times. To prevent devices from accessing the network outside the configured timeframe, they are marked "At Risk" for the Guest No Access admin scan.
  15. When the device has been through the entire process and has been registered either automatically or manually, it will no longer display as a rogue. Depending on the options you chose in the rule it is displayed in the Host View, the Topology, or both.
  16. If the device does not match any rule, it is associated with the default Catch All rule. Depending on the settings configured within this rule, the device can be associated with the rule but still remain a rogue.
  17. Devices that are registered and associated with a user are placed in the Host View and removed from the Profiled Devices window. Devices that are placed in Topology only are removed from Profiled Devices. All other devices processed by device profiler remain in the Profiled Devices window and in the Host View.
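The rule walk in steps 5 through 9 is easier to reason about when written out as code. The following is a simulation added for this page, not FortiNAC code: the fingerprint table, the OUI table, the rule names, the "IoT Device" type, the `opts` keys on the vendor OUI method and the `auto_register` flag are all assumptions made for the example. It shows rank order with a disabled rule skipped, the device type / method pairing, the vendor OUI method ignoring the General Tab type, the profiler's type and role overriding the vendor OUI defaults, and the Catch All rule leaving an unmatched device a rogue.

```python
# Added for this page: a toy model of the ranked, first-match rule walk
# described above. Not FortiNAC code: the fingerprint table, OUI table,
# rule names and the method `opts` keys are assumptions made for the example.
from dataclasses import dataclass
from typing import Optional

NAC_DEFAULT_ROLE = "NAC Default"

# Constructed stand-in for the read-only fingerprint database:
# DHCP fingerprint id -> (operating system, device type that OS corresponds to).
DHCP_FINGERPRINTS = {
    "wince-1": ("Windows CE", "Mobile Device"),
    "ps-1": ("PlayStation OS", "Gaming Device"),
}

# Constructed stand-in for the vendor OUI table: OUI -> (vendor name, vendor default type).
VENDOR_OUIS = {"00:11:22": ("Acme Handhelds", "Mobile Device")}


@dataclass
class Device:
    mac: str
    ip: Optional[str] = None
    dhcp_fingerprint: Optional[str] = None
    device_type: Optional[str] = None
    role: Optional[str] = None
    rogue: bool = True
    matched_rule: Optional[str] = None


@dataclass
class Rule:
    name: str
    rank: int
    device_type: Optional[str]  # General tab; None for Catch All
    methods: list               # e.g. [("dhcp", None), ("oui", {"vendors": [...]})]
    role: Optional[str] = None
    enabled: bool = True
    auto_register: bool = True


def oui_of(mac: str) -> str:
    return mac[:8].upper()


def method_matches(rule, method, device) -> bool:
    kind, opts = method
    opts = opts or {}
    if kind == "dhcp":
        # Fingerprint -> OS -> device type; that type must equal the General tab type.
        entry = DHCP_FINGERPRINTS.get(device.dhcp_fingerprint or "")
        return entry is not None and entry[1] == rule.device_type
    if kind == "oui":
        # Vendor OUI method ignores the General tab type; any listed item is enough.
        entry = VENDOR_OUIS.get(oui_of(device.mac))
        if entry is None:
            return False
        vendor, vendor_type = entry
        return (oui_of(device.mac) in opts.get("ouis", ())
                or vendor in opts.get("vendors", ())
                or vendor_type in opts.get("device_types", ()))
    return False


def apply_rule(device, rule) -> None:
    device.matched_rule = rule.name
    device.device_type = rule.device_type        # wins over the vendor OUI default type
    device.role = rule.role or NAC_DEFAULT_ROLE  # wins over the vendor OUI default role
    device.rogue = not rule.auto_register        # manual registration leaves it a rogue


def profile(device, rules, catch_all):
    if device.ip is None:
        return device  # no IP yet: stays a rogue until IP-to-MAC polling resolves it
    for rule in sorted(rules, key=lambda r: r.rank):
        if not rule.enabled:
            continue  # disabled rules are skipped
        if any(method_matches(rule, m, device) for m in rule.methods):
            apply_rule(device, rule)
            return device  # first match wins; lower-ranked rules are never evaluated
    apply_rule(device, catch_all)  # no match: Catch All, which carries no type
    return device


def example_rules():
    rules = [
        Rule("Gaming consoles", 1, "Gaming Device", [("dhcp", None)], role="Gaming"),
        Rule("Old mobile rule", 2, "Mobile Device", [("dhcp", None)], enabled=False),
        Rule("Acme kit", 3, "IoT Device", [("oui", {"vendors": ["Acme Handhelds"]})]),
        Rule("Mobile devices", 4, "Mobile Device", [("dhcp", None)], role="Mobile"),
    ]
    return rules, Rule("Catch All", 999, None, [], auto_register=False)


if __name__ == "__main__":
    rules, catch_all = example_rules()
    for d in (Device("00:11:22:AA:BB:CC", "10.0.0.5", "wince-1"),
              Device("AA:BB:CC:00:00:01", "10.0.0.6", "wince-1"),
              Device("AA:BB:CC:00:00:03", "10.0.0.8")):
        print(profile(d, rules, catch_all))
```

The Acme Windows CE hand-held is the instructive case: the rank 1 Gaming Device rule rejects it, the rank 2 rule is disabled and skipped, and the rank 3 vendor OUI rule claims it as an "IoT Device" before the rank 4 Mobile Device rule is ever consulted, even though the vendor OUI table itself says Mobile Device. Broad OUI rules ranked above more specific fingerprint rules silently take every device from that vendor, so rank the specific rules first when auditing a profiler configuration.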
