
Administration Guide

Auto-configured data

To simplify the configuration process for the Wireless Security feature, some required pieces of data are generated automatically. For example, if you configure an SSID for guest access, the underlying user/host profile and network access policy are created for you.

Each entry below gives the Data Type, the Data that is generated, and Notes on how it is used.

Containers

Data (Container Names):

  • Wireless Controllers
  • Wireless APs

Notes: Containers are used within FortiNAC to group devices together. As wireless devices are added, either using Discovery or by entering them manually on the Network Devices View, they are also added to Topology.

Port Groups

Data (Group Names): name of the Open or Secure SSID

Notes: Groups are used to gather like items that require similar treatment. The groups created here are port groups and are used to map network access policies for the Secure and Open SSIDs.

When you configure an SSID, a port group is created based on the name of the SSID. Each SSID is placed in a separate port group. For example, if you add an SSID with the name MegaTech Secure, a port group with the same name is automatically created and contains the MegaTech Secure SSID.

Host Groups

Data (Group Names): name of the group from the directory

Notes: Directory groups are used to group users and their corresponding hosts. Group membership is used in User/Host profiles to determine which network access, endpoint compliance, or Supplicant Policies to apply.

Model Configuration

Data (Model Configuration): name of the device

Notes: When a device that provides network services is added to FortiNAC, a model of that device's configuration is stored in the database. This model includes information such as CLI User Names, Passwords, communication protocol, RADIUS server information, and Isolation and Production VLANs.

For devices configured through Wireless Security, the following settings are entered:

  • RADIUS = Use Defaults
  • Network Access = Deny for Dead End, Registration and Quarantine. Authentication is set to Bypass.

SSID Configuration

Data (SSID Configuration): name of the SSID

Notes: Individual SSIDs can be configured separately instead of inheriting settings from the device's Model Configuration, such as the settings for default Isolation and Production VLANs.

Use Network Devices View to select a device and access the SSID Configuration.

For devices configured through Wireless Security, the following settings are entered for all SSIDs, regardless of whether they are open or secure:

  • RADIUS: primary and secondary RADIUS servers are selected if they were selected in the SSID Mappings.
  • Network Access = Enforce, with the Isolation VLAN set for Dead End, Registration and Quarantine. Authentication is set to Bypass and None for Network Access.

Polling

Data: L2 and L3 Polling settings

Notes: Wireless devices are automatically added to the L2 and L3 Polling groups and polling is enabled for the device. The polling interval for L2 is every 10 minutes and L3 is set to every 30 minutes.

Use Network Devices View, L2 Polling View or L3 Polling View to modify polling information.

Roles

Data (Role Names): name of the guest template associated with the guest

Notes: Roles are added as attributes to users or hosts. Role mapping is accomplished by creating a user/host profile configured with the SSID port group as the connection location and the Who/What by Attribute field set to one of these role names.

A network access policy maps this user/host profile to a network access configuration containing the User Group/VLAN where the host will be placed.

  • A role is created for each guest template.
  • Each user/host profile contains an SSID port group (Where) and a Role name matching a guest template (Who/What by Attribute).
  • There is a separate user/host profile for each guest template and SSID port group combination.

User/Host Profile

Notes: User/host profiles are created when a new SSID Mapping is added on the Network Devices view.

Guest Management SSID Mappings: A User/Host profile is created for each SSID and guest template combination. Names of these User/Host profiles are based on the SSID name and the combination of data contained within the profile.

Network Access Configuration / Network Access Policy

Notes: Network access configurations and network access policies are created when a new SSID Mapping is added using Wireless Security.

Guest Management SSID Mappings: A network access configuration and network access policy are created for each SSID and guest template combination. Names are based on the SSID name and the combination of data the items contain.

Endpoint Compliance Configuration / Endpoint Compliance Policy

Notes: Endpoint compliance policies and endpoint compliance configurations are created when a Device Onboarding SSID Mapping with a supplicant configuration is added on the Wireless Security View.

Device Onboarding: An endpoint compliance policy and endpoint compliance configuration are created for each unique SSID, directory group, host operating system, and supplicant configuration combination.

Supplicant EasyConnect Policy

Notes: A Supplicant EasyConnect Policy is created when a Device Onboarding SSID Mapping with a supplicant configuration is added on the Wireless Security View.

Device Onboarding: A Supplicant EasyConnect Policy is created for each unique SSID, directory group, host operating system, and supplicant configuration combination.

Portal Policy

Notes: A Portal Policy is created if a portal other than the default portal is selected when adding an SSID Mapping on the Wireless Security View for either Guest Management or Device Onboarding.

Portal Policy: A Portal Policy is created for each unique SSID, directory group, host operating system and Portal combination.

Quarantine VLAN Switching

Data: Enable

Notes: If a guest template or administrator profile limits network access by time, quarantine VLAN switching must be enabled. This allows FortiNAC to mark Guests and administrators as "At Risk" for the GuestNoAccess admin scan during the times they are not allowed to access the network. If Login Availability is set to Always for Guests and Administrators, the quarantine VLAN switching option is not enabled.

Access this setting under System > Settings > Control.
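The table above describes how objects multiply with each SSID Mapping (one port group per SSID, one role per guest template, one user/host profile and network access policy per SSID and template combination, and one endpoint compliance, EasyConnect and portal policy per unique SSID, directory group, operating system and supplicant or portal combination) and how role mapping resolves a connecting guest to a VLAN. The following Python script is an added example written for this page; it is not FortiNAC code and uses no FortiNAC API. It models that generation logic so an administrator can predict the expected object set for a planned mapping and compare it with what the Network Devices and Policy views actually show, and it includes the Quarantine VLAN Switching check from the last row. The object name format ("<SSID> - <data>"), the dataclass fields and the sample mappings are all assumptions constructed for the example.

```python
"""Added example: model of the objects FortiNAC auto-creates from Wireless
Security SSID Mappings, as described in the Auto-configured data table.
Not FortiNAC code; names use an ASSUMED illustrative "<SSID> - <data>" format."""
from dataclasses import dataclass, field
from itertools import product

DEFAULT_PORTAL = "Default"   # assumed label for the default portal


@dataclass
class GuestMapping:
    """Guest Management SSID Mapping: an SSID plus the guest templates offered on it.
    guest_templates maps template name -> production VLAN (the User Group/VLAN that
    ends up in the generated network access configuration)."""
    ssid: str
    guest_templates: dict
    login_availability: str = "Always"   # "Always" or a time-limited schedule


@dataclass
class OnboardingMapping:
    """Device Onboarding SSID Mapping with a supplicant configuration."""
    ssid: str
    directory_groups: list
    host_oses: list
    supplicant_config: str
    portal: str = DEFAULT_PORTAL


@dataclass
class AutoConfig:
    """The generated object set, keyed the way the table groups it."""
    port_groups: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    profiles: dict = field(default_factory=dict)         # name -> {"where", "role"}
    access_configs: dict = field(default_factory=dict)   # name -> VLAN
    access_policies: dict = field(default_factory=dict)  # profile name -> config name
    compliance_policies: set = field(default_factory=set)
    easyconnect_policies: set = field(default_factory=set)
    portal_policies: set = field(default_factory=set)


def auto_configure(mappings):
    """Derive the objects the table says are generated for a list of mappings."""
    cfg = AutoConfig()
    for m in mappings:
        cfg.port_groups.add(m.ssid)                 # one port group per SSID
        if isinstance(m, GuestMapping):
            for tpl, vlan in m.guest_templates.items():
                cfg.roles.add(tpl)                  # one role per guest template
                name = f"{m.ssid} - {tpl}"          # one of each per SSID + template
                cfg.profiles[name] = {"where": m.ssid, "role": tpl}
                cfg.access_configs[name] = vlan
                cfg.access_policies[name] = name    # policy links profile to config
        else:
            cfg.host_groups.update(m.directory_groups)   # host group per directory group
            for grp, os_ in product(m.directory_groups, m.host_oses):
                name = f"{m.ssid} - {grp} - {os_} - {m.supplicant_config}"
                cfg.compliance_policies.add(name)
                cfg.easyconnect_policies.add(name)
                if m.portal != DEFAULT_PORTAL:      # only for a non-default portal
                    cfg.portal_policies.add(f"{m.ssid} - {grp} - {os_} - {m.portal}")
    return cfg


def resolve_vlan(cfg, port_group, role):
    """Role mapping: the user/host profile whose Where is the SSID port group and
    whose Who/What by Attribute is the role selects, via its network access policy,
    the network access configuration holding the VLAN. None means no match."""
    for name, prof in cfg.profiles.items():
        if prof["where"] == port_group and prof["role"] == role:
            return cfg.access_configs[cfg.access_policies[name]]
    return None


def quarantine_switching_required(mappings):
    """Time-limited guest access requires Quarantine VLAN Switching to be enabled
    (System > Settings > Control) so guests can be marked At Risk off-hours."""
    return any(isinstance(m, GuestMapping) and m.login_availability != "Always"
               for m in mappings)


# Constructed sample mappings for the example (not from the guide).
SAMPLE = [
    GuestMapping("MegaTech Guest", {"Conference": 110, "Contractor": 120},
                 login_availability="Weekdays 08:00-18:00"),
    OnboardingMapping("MegaTech Secure", ["Staff", "Faculty"], ["Windows", "macOS"],
                      "MegaTech-PEAP", portal="Onboarding"),
]

if __name__ == "__main__":
    cfg = auto_configure(SAMPLE)
    for kind in ("port_groups", "roles", "compliance_policies", "portal_policies"):
        print(f"{kind}: {sorted(getattr(cfg, kind))}")
    print("Conference guest VLAN:", resolve_vlan(cfg, "MegaTech Guest", "Conference"))
    print("Quarantine VLAN switching required:", quarantine_switching_required(SAMPLE))
```

Running it for the sample shows why onboarding mappings deserve care: two directory groups and two operating systems on one SSID already yield four endpoint compliance policies, four EasyConnect policies and four portal policies, and each additional group or OS multiplies that count. A guest on the MegaTech Guest SSID whose role is Conference resolves to VLAN 110, while the same role on another SSID port group matches no profile, which is exactly the per-SSID scoping the Roles row describes.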
