General

The user name used to log on to the device for configuration. This is for CLI access.

The user account must have the appropriate permissions configured on the device.

For network devices using API credentials, the User Name is the serial number of the appliance.

The password required to configure the device. This is for CLI access.

For network devices using API credentials, the Password is the REST API Key.

The enable password for the device. This is for CLI access.

Note: Version 8.7.2 and higher: Arista switches can be configured to require typing "enable" to enter enable mode, but no password is needed. For such configurations, populate this field with the # character.

The super password required for access to more features on 3Com devices.

Port for the External Captive Portal that was configured by the user on the device during the initial device setup. This port is required for FortiNAC to send commands to the device. Consult the manufacturer for assistance in locating this port number.

Ports on a device can be placed in to network groups that control access. This option reads the preset groups from the device.

When selected, FortiNAC will process RADIUS requests from the device.

Clear all known host keys associated with this device. Host keys for devices modeled in Inventory are written to /bsc/.ssh/known_hosts.

Used to determine how long to wait to connect and/or establish a Telnet/SSH session for this device. When disabled (default), the global setting "Telnet/SSH Connection Timeout (Sec)" applies. See Network device

Used to determine how long to wait for a CLI response (prompt, show commands, etc) for this device. When disabled (default), the global setting "Telnet/SSH Connection Timeout (Sec)" applies. See Network device.

Protocol types

Use Telnet to log on to the device for configuration.

Use SSH1 to log on to the device for configuration.

Use SSH2 to log on to the device for configuration.

VLAN ID/Network Access

For some devices, the list of VLANs configured on the device can be read from the device and made available in a drop-down. When this feature is available, the VLAN Display Format option is shown. Choices included:

• VLAN Name: Displays a drop-down list of VLANs configured on the device by VLAN name for each isolation state.
• VLAN ID: Displays a drop-down list of possible VLANs configured on the device by VLAN ID or number for each isolation state.
• Manual: Provides an empty text field to enter the VLAN name or ID. This is used in the event that the VLANS on the device have not been pre-configured

Read VLAN configuration from the device and populate the drop-down lists of VLANs for each isolation state.

The Default VLAN value is stored in the FortiNAC database and is used when the VLAN is not determined by another method, such as a network access policy.

Typically, if a VLAN is specified as the Default, it is the VLAN used for "normal" or "production" network access. It will be used for all the untagged (non-uplink) ports on the device.

If you do not want all ports on the device to use the same "Default" VLAN, you can leave the value blank in Model Configuration and use Network Access/VLANs to customize the default VLANs for each port. See Network access/VLANs for more information.

The dead end VLAN for this device. Isolates disabled hosts with limited or no network connectivity from the production network.

The registration VLAN for this device. Isolates unregistered hosts from the production network during host registration.

The quarantine VLAN for this device. Isolates hosts from the production network who pose a security risk because they failed a policy scan.

The authentication VLAN for this device. Isolates registered hosts from the Production network during user authentication.

The voice VLAN (s) for this device. This field accepts a list of VLANS separated by commas, such as 10, 25,30. This indicates to FortiNAC that these VLANS are excluded from all other uses.

If a device has both wired and wireless ports, you may choose to assign VLANs to each port individually.

You may also choose to assign a single default VLAN to all of the wireless ports for this device, by putting a VLAN ID in the Default field on this window. That number then overrides the individual entries on the wireless ports. The wired ports would continue to have a separate VLAN setting for each port.

If you choose to apply the Default VLAN ID to both wireless and wired ports, enabling this feature overrides the original port settings on the wired ports with the setting in the Default field on this window

Affects only Meru Controllers.

If the Captive Portal setting on any Security Profile for any SSID is set to WebAuth indicating that the SSID is being managed by Internal Captive Portal (ICP) on the Meru Controller and this check box is enabled, all SSIDs set to WebAuth will be managed by FortiNAC.

If enabled, FortiNAC uses Firewall Rules to treat authenticated and unauthenticated users differently.

The treatment selected in the Access Enforcement section of model configuration is ignored for any SSIDs set to WebAuth. Hosts that are isolated are treated as unauthenticated hosts regardless of the isolation type. Hosts that are not isolated are treated as authenticated.

CLI configurations

This section allows you to associate pre-configured scripts with selected Port states or host states. A default script can also be selected. Scripts are not required. States that can be associated with CLI configurations include: default, registration, authentication, dead end, and quarantine.

See CLI configuration for information on creating scripts.

RADIUS

The RADIUS server used for authenticating users connecting to the network through this device.

Select the Use Default option from the drop-down list to use the server indicated in parentheses.

See RADIUS for information on configuring your RADIUS servers.

If the primary RADIUS server fails to respond, this RADIUS server is used for authenticating users connecting to the network until the primary RADIUS server responds.

Select the Use Default option from the drop-down list to use the server indicated in parentheses.

The secret used for RADIUS authentication.

The RADIUS secret used must be exactly the same on the wireless device, on the RADIUS server and in the FortiNAC software under RADIUS Settings and Model Configuration.

Appears for Aruba Controllers. Enables the use of both RADIUS Disconnect and RADIUS Change Of Authorization (CoA) requests depending on the Aruba model being used (L2 Roles with VLANs and L2 Roles only respectively).

Allows you to modify the RADIUS secret.

The RADIUS Authentication Mode to be used when a RADIUS request is received from the modeled device.

Local: Use the Local RADIUS server. Enter the RADIUS Secret, and choose the attributes to be sent in the Accept packet.

Proxy: Use the RADIUS Proxy. Optionally choose to override the RADIUS server to proxy to and enter the RADIUS secret.

The default RADIUS Attributes to be sent for all accepted requests from this device. Hover over the group name to see what attributes and values will be sent. FortiNAC has pre-built attribute groups that can be used for most devices.

Restricted access

Network List name that is used to contain IPs when the host is marked safe.

Network access - wireless devices

Retrieves roles that currently exist on the device being configured.

The drop-down next to each type, such as Registration, contains a list of possible roles read from the device. You can select a role for one or more of the types listed below.

• Default
• Dead End
• Registration
• Quarantine
• Authentication

Host State is used to determine treatment when the host connects to the network. For each host state select an option in the Access Enforcement column and where applicable in the Access Value column.

• Default
• Dead End
• Registration
• Quarantine
• Authentication
• Roaming Guest

Roaming Guest is a special host state detected when a user authenticates using a domain name that is not listed in the local domains list. Users are authenticated via a remote RADIUS server and are placed on the network immediately unless Deny is selected under Access Enforcement. Roaming guests bypass the captive portal and device profiler. See Roaming guests.

This set of drop-down menus works in conjunction with the Host States listed above to determine treatment for hosts when no VLAN/Role value is supplied or when access control is being enforced. Options include:

• Deny: Host will be denied access to the network when it is in this state. For example, if the host is not registered and Registration is set to Deny, the host connection will be rejected.

  Endpoints that have been denied access may continuously request access which can unnecessarily consume system resources.

• Bypass: Host will be allowed access to the network when it is in this state. The host will be placed on the default VLAN/Role configured on the device for this port or SSID. For example, if Quarantine is set to Bypass, hosts that fail a scan and would normally be placed in Quarantine are placed in the default VLAN/Role on the device.
• Enforce: Indicates that the host will be placed in the VLAN/Role specified in the Access Value column for this state.

VLAN/Role where a host in this state should be placed when it connects to the network. If Enforce is selected in the Access Enforcement field you must enter a value in the Access Value field.

For each Logical Network, you can choose to either use the default values only, or to append and overwrite with another attribute group. Hover over the group name to see what attributes and values will be sent.

Wireless AP parameters

If this device is connected to any Wireless Access Points, they are included in the Topology. Enter the name of the Container in which these Wireless Access Points should be stored. Containers or folders are created in the Topology to group devices.

Detail configuration