Administration Guide

Role management

Roles are used in two different ways in FortiNAC. Roles assigned to hosts managed in the Host View, or to Users, are attributes of those elements; in this case the role is simply another way to group users and hosts. Such roles can be referenced in user/host profiles to filter for specific Users or Hosts when applying network access policies, endpoint compliance policies, and Supplicant EasyConnect policies.

For devices or hosts managed in the Topology, roles determine the network access those elements receive based on their connection location. In this case roles are used together with network device roles. The role itself is simply a name or identifier assigned to the host or device; the network device role maps a connection location (a device, port, or SSID group) to a specific role. For example, when a device with Role A connects to the network on Switch 1, FortiNAC searches the network device roles for a record for Role A whose connection location contains Switch 1. The first matching network device role is used, and its configuration can place the device in a specific VLAN or apply a CLI configuration.

Role management relies on the configuration of both roles and network device roles. The Roles view contains the list of possible role names and controls the assignment of roles to users and hosts based on group membership. Roles for hosts managed in the Host View, and for Users, do not need a corresponding network device role; network access for those hosts and users is handled by network access policies. Roles for devices or hosts managed in the Topology require a corresponding network device role to control network access. See Roles view.

Note

If a role has more than one mapping for the same device or port group, precedence is determined by the order of the role mappings in the Network Device Roles view. Starting from the top of the list, the first matching mapping is used.

See Configuration for an overview of setup requirements.
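The following is an added illustration of the first-match lookup described above, not FortiNAC code: an ordered list of network device role mappings is scanned top to bottom, and an audit helper flags mappings that an earlier entry for the same role already covers, which is the ordering pitfall the note warns about. All role names, locations and actions are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class NetworkDeviceRole:
    role: str             # role name assigned to the host or device
    locations: frozenset  # device, port or SSID group names (constructed)
    action: str           # what the mapping applies, e.g. a VLAN or CLI config

def resolve(mappings: List[NetworkDeviceRole], role: str,
            connection_location: str) -> Optional[NetworkDeviceRole]:
    """First-match lookup: scan the list top to bottom and return the first
    mapping whose role matches and whose locations contain the connection
    location. Returns None when the role has no mapping for that location."""
    for m in mappings:
        if m.role == role and connection_location in m.locations:
            return m
    return None

def shadowed(mappings: List[NetworkDeviceRole]) -> List[NetworkDeviceRole]:
    """Audit helper (assumption, not a FortiNAC feature): list mappings that
    can never be selected because earlier mappings for the same role already
    cover every one of their locations."""
    result = []
    for i, m in enumerate(mappings):
        covered = set()
        for earlier in mappings[:i]:
            if earlier.role == m.role:
                covered |= earlier.locations & m.locations
        if m.locations and covered >= m.locations:
            result.append(m)
    return result

# Constructed sample configuration: the second Role A entry is unreachable
# because the first one already matches Switch 1.
SAMPLE_MAPPINGS = [
    NetworkDeviceRole("Role A", frozenset({"Switch 1", "Switch 2"}), "VLAN 10"),
    NetworkDeviceRole("Role A", frozenset({"Switch 1"}), "VLAN 99"),
    NetworkDeviceRole("Role B", frozenset({"Switch 1"}), "CLI config quarantine"),
]

if __name__ == "__main__":
    hit = resolve(SAMPLE_MAPPINGS, "Role A", "Switch 1")
    print("Role A on Switch 1 ->", hit.action if hit else "no mapping")
    for m in shadowed(SAMPLE_MAPPINGS):
        print("unreachable mapping:", m)
```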