Administration Guide

Supplicant EasyConnect policies

Supplicant EasyConnect policies help your network users connect to the network quickly in a wireless environment. Each Supplicant Policy contains a supplicant configuration and a user/host profile. When a host needs a supplicant, FortiNAC compares the user and host data to the user/host profile in each Supplicant Policy, starting with the first policy in the list. When a match is found, that Supplicant Policy is applied to the connecting host and its supplicant configuration is used to set up the supplicant on the host.

Note

More than one Supplicant Policy may match a given host/user; however, only the first match found is used.

If you create a user/host profile with Where (Location) set to Any, Who/What by Group set to Any, Who/What by Attribute left blank, and When set to Always, it matches ALL users and hosts. This is essentially a Catch All profile. If this user/host profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or a host. To highlight this, policies below the policy with the Catch All profile are grayed out and have a line through the data.

The best way to use a Catch All profile is to create a general policy with that profile and place it last in the list of policies.

Supplicant Policies are applied to the host using an agent, except in the case of iOS devices where the user is prompted to download the configuration from the Captive Portal. The Dissolvable Agent or the Persistent Agent is used for Windows and macOS hosts and the Mobile Agent is used for Android devices.

The host connection location does not determine which supplicant configuration is applied unless the location is part of the user/host profile. A host can therefore connect on one SSID and be configured for a different SSID, because its user/host data matched a higher-ranked Supplicant Policy that contains the configuration for that other SSID.
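The following added example (a simplified model, not FortiNAC code or its API) reproduces the first-match evaluation, flags policies shadowed by a Catch All profile, and shows a host being configured for an SSID unrelated to where it connected. The class names, field names, policy names and SSIDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ANY = "Any"

@dataclass
class Profile:              # simplified model of a user/host profile
    where: str = ANY        # Where (Location)
    group: str = ANY        # Who/What by Group
    attrs: tuple = ()       # Who/What by Attribute as (key, value) pairs; empty = blank
    when: str = "Always"    # When (schedules are not evaluated in this model)

    def is_catch_all(self):
        return (self.where == ANY and self.group == ANY
                and not self.attrs and self.when == "Always")

    def matches(self, host):
        return (self.where in (ANY, host["location"])
                and self.group in (ANY, *host["groups"])
                and all(host["attrs"].get(k) == v for k, v in self.attrs))

@dataclass
class Policy:
    name: str
    profile: Profile
    ssid: str               # SSID carried by the policy's supplicant configuration

def first_match(policies, host):
    """Return the first policy, top down, whose profile matches the host."""
    return next((p for p in policies if p.profile.matches(host)), None)

def shadowed(policies):
    """Names of policies ranked below a Catch All profile (never applied)."""
    for i, p in enumerate(policies):
        if p.profile.is_catch_all():
            return [q.name for q in policies[i + 1:]]
    return []

# Constructed sample data: hypothetical policy names, groups and SSIDs.
POLICIES = [
    Policy("Staff", Profile(group="Staff"), "Corp-Secure"),
    Policy("Default", Profile(), "Guest-Secure"),            # Catch All, misplaced
    Policy("Lab", Profile(where="Lab-AP"), "Lab-Secure"),    # unreachable
]
HOST = {"location": "Lab-AP", "groups": ["Staff"], "attrs": {}}

if __name__ == "__main__":
    hit = first_match(POLICIES, HOST)
    print(f"{HOST['location']} host gets policy {hit.name}, SSID {hit.ssid}")
    print("shadowed policies:", shadowed(POLICIES))
```

Running a check like `shadowed` against an exported policy order before saving changes catches a Catch All profile that has drifted above more specific policies.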

Host configuration process

The host supplicant configuration setup process is as follows:

  1. Host connects to the network.
  2. Host connects to an open SSID based on the operating system of the host. If authenticating through LDAP, the user must be in the selected directory group configured in the SSID mapping. You configure SSID mapping with a supplicant configuration.
  3. If the user is on a Windows or macOS device, the user downloads either the Persistent Agent or the Dissolvable Agent. The agent applies the Supplicant Configuration after scanning and registering the host.
  4. If the user is on an Android device, the user downloads and runs the Mobile Agent. The agent applies the Supplicant Configuration after scanning and registering the host. See Mobile Agent for download requirements.
  5. FortiNAC compares user and host data to supplicant policies and finds the first match starting from the top of the list of policies.
  6. The user registers or authenticates.
  7. The supplicant configuration is applied.
  8. The Agent attempts to move the host to the SSID that was just configured.

FortiNAC supports the configuration of encrypted networks as follows:

  • Open
  • WEP (PSK)
  • WPA (PSK)
  • WPA2 (PSK)
  • WEP Enterprise
  • WPA Enterprise (PEAP)
  • WPA2 Enterprise (PEAP)

WPA Enterprise and WPA2 Enterprise are limited to PEAP-MSCHAPv2.
