Administration Guide

Configuration

Directory configuration allows you to configure the connection to the directory, the user attributes that you would like to import, the User Search Branches and the Group Search Branches. Each configuration section has specific information that must be entered to allow FortiNAC to connect with the directory and import users and groups.

Use Schedule to configure the intervals for synchronizing the database with the selected directory. Use Preview to review data in the selected directory. Use Copy to copy the directory configuration fields from an existing configuration.

Directory configuration can be accessed from System > Settings > Authentication > LDAP.

Connection tab

The Connection tab contains the parameters required for communication with the directory. Not all fields are required. Be sure to enter information only in those fields that apply to your directory.

Settings

Field

Description

Name

Name of the server where the directory is hosted.

Primary IP

IP address of the primary directory server. The server will be added as a pingable device.

Security Protocol

The security protocol used when communicating with the server containing your directory. Options are SSL, STARTTLS, and none.

If SSL or STARTTLS is chosen you must have a security certificate from a CA. The certificate should be stored in the following directory on your appliance: /bsc/campusMgr/

See Create a keystore for SSL or TLS for instructions on importing and storing certificates.

MAC address

Physical address of the primary directory server. This field is required.

LDAP Login

User login name FortiNAC uses to access the LDAP server.

LDAP Password

Password for the user login.

Validate Credentials

Click to verify that directory credentials are correct.

Credential Status

Displays the results of clicking Validate Credentials. Messages such as credentials verified or failed to validate can be displayed.

Additional Configuration

Displays the fields listed below in this table.

Domain Name

If this field contains a domain name, users must include the domain name in their login to be authenticated against this directory.

Example:

Valid formats for login are: user, user@domain.com and domain\user.

Setting a value here requires all users to supply a domain name during login.

When no domain is specified in the Directory Configuration view and the login includes a domain, authentication first uses the user name and the domain name. If this authentication fails, a second authentication is attempted using only the user name.

Secondary Server

FQDN or IP address of the secondary directory server. This server would be accessed in the event that the Primary server was unavailable. This server is added as a pingable device.

Version

Directory version. Default = 3

Port

Communication port used by the directory. The default port is based on the security protocol. To use a port other than the default, type the desired port number into this field.

Common port values/protocols are:

  • None = 389
  • SSL = 636
  • STARTTLS = 389

Time Limit

Time in seconds that FortiNAC waits for a response from the directory. Default = 5.

Increase the number of seconds, in the directory or in FortiNAC, if the “Time Limit Exceeded” exception begins to appear more often.

Enable Synchronization of Users/Groups At Scheduled Time

Check this box to synchronize the FortiNAC database with either the primary or the secondary directory servers based on a schedule in the Scheduler View.

On sync, delete Users no longer found in this directory

When checked, users that have been removed from the directory will be removed from the FortiNAC database when the scheduled resynchronization takes place.

Perform Lookup On Referral

Referrals allow administrators to set up search paths for collecting results from multiple servers. If you have configured your directory for referrals and you want to do authentication on the referred directory servers, enable this option. Enabling referrals is required in order to search sub domains.

Connect by Name

Automatically checked when STARTTLS is selected as the Security Protocol.

When selected, FortiNAC connects to LDAP using the Name field of the directory configuration, with a URL such as ldap://dc.example.com, to reach the primary server.

When not selected, FortiNAC will connect to LDAP using the Primary IP address field of the directory configuration with a URL such as ldap://10.0.0.2.

The Administrator must enter the specific connection information for the directory server used for user authentication. The Security information required varies depending on the type of directory you are using. Be sure to enter only the data required for your directory type.

The Directories View can be accessed from System > Settings > Authentication > LDAP.

  1. Click System > Settings.
  2. Click the Authentication folder in the tree control.
  3. Click LDAP to display the Directories window.
  4. To Modify a directory, select a directory in the list and click Modify.
  5. To Add a directory, click Add.
  6. A list of directories found on your network is displayed. Click on the name of the directory to be added. If the directory is not listed, click Enter Manually. Directories are found based on SRV records on your corporate DNS.
  7. Use the information in the Settings table above to enter connection information.
  8. Click the Connection tab and enter connection information.
  9. Click Validate Credentials to verify the connection.
  10. If FortiNAC is able to successfully connect to the directory a Credentials Verified message is displayed in the Credential Status field.
  11. To ensure that the user data is available to FortiNAC, you must also complete the User Attributes, Group Attributes, Search Branches and Select Groups tabs.
  12. Click Next to continue.
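The Connection tab rules above (default port chosen by the security protocol, Connect by Name forced for STARTTLS, Primary IP used otherwise, Secondary Server tried only when the primary is unavailable) are easy to get wrong when a connection fails to validate. The following is an added example, not FortiNAC's own code, that encodes those rules in one place so the resulting URLs can be checked; the function and parameter names are assumptions, and so is the use of the ldaps scheme for SSL (the guide only shows ldap:// URLs).

```python
# Added example, not FortiNAC code: derive the LDAP URL(s) FortiNAC would use
# from the Connection tab fields described above. Function and parameter
# names are assumptions made for this illustration.

# Default port per security protocol, as listed under "Port" above.
DEFAULT_PORTS = {"none": 389, "ssl": 636, "starttls": 389}


def ldap_url(name, primary_ip, security_protocol="none", port=None,
             connect_by_name=False):
    """Build the connection URL for the primary server.

    - The default port follows the security protocol; an explicit Port overrides it.
    - STARTTLS automatically selects Connect by Name.
    - Connect by Name uses the Name field, otherwise the Primary IP is used.
    """
    proto = security_protocol.lower()
    if proto not in DEFAULT_PORTS:
        raise ValueError(f"unknown security protocol: {security_protocol!r}")
    if proto == "starttls":
        connect_by_name = True
    host = name if connect_by_name else primary_ip
    port = DEFAULT_PORTS[proto] if port is None else int(port)
    # Assumption: SSL connections use the ldaps scheme.
    scheme = "ldaps" if proto == "ssl" else "ldap"
    return f"{scheme}://{host}:{port}"


def connection_candidates(name, primary_ip, secondary=None, **settings):
    """Primary URL first; the Secondary Server (FQDN or IP) only if the primary is unavailable."""
    urls = [ldap_url(name, primary_ip, **settings)]
    if secondary:
        # The Secondary Server field already holds a name or an address, so it is used as-is.
        urls.append(ldap_url(secondary, secondary, **settings))
    return urls


if __name__ == "__main__":
    for url in connection_candidates("dc.example.com", "10.0.0.2", "dc2.example.com",
                                     security_protocol="STARTTLS"):
        print(url)
```

When Validate Credentials fails, comparing the URL this produces with what the directory server actually listens on (name versus address, 389 versus 636) is the quickest way to find a mismatch between the Security Protocol and the Port fields.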

User attributes tab

To add users from an LDAP compliant directory, the customer user database schema must be mapped to the FortiNAC user data. Attributes can be mapped for users and groups by selecting the tabs on the left side of the window.

If a user in the directory has multiple attributes with the same attribute ID, FortiNAC uses the first one it finds. For example, if a record looked like the one shown below, FortiNAC would use staff.

eduPersonalAffiliation=staff
eduPersonalAffiliation=employee
eduPersonalAffiliation=alum
eduPersonalAffiliation=student

The attribute mappings for the user are entered on the User Attributes Tab. The AD attributes are mapped on this form for User Description, Contact, Hardware, and Security and Access. This allows FortiNAC to retrieve the user information based on the User Search Branches configured on the Search Branches tab.

Configure user attributes

When adding a directory FortiNAC attempts to determine the directory type and populates the attribute fields based on the directory type. Do not modify the directory type unless it is incorrect. Do not modify the attributes unless they are incorrect.

The value of an attribute being mapped cannot exceed 255 characters in order for the attribute to be retrieved by FortiNAC.

  1. To access user attributes for an existing directory, select System > Settings.
  2. Click the Authentication folder in the tree control.
  3. Click LDAP to display the directories window.
  4. If you are adding a new directory, the User Attributes tab is displayed when you click Next after completing the connection tab.
  5. The Directory Type drop-down indicates the type of directory being configured. This will scan the directory based on the type selected and pre-populate some of the fields. The directory type should already be listed for you. If the directory type is not listed or you know the field names for your directory, this step is not required.
  6. Enter the user attribute mappings.
  7. The Identifier (ID) field is a required entry. User records in the directory must have data entered in the selected ID field.

    Note: As of version 8.7.0, the Last Name is no longer a required field.

  8. To ensure that the user data is available to FortiNAC, you must also complete the Group Attributes, Search Branches, and Select Groups tabs.
  9. Click Next to continue.

Directory attributes

If you are using Active Directory, keep in mind that Active Directory only allows access via LDAP to users whose primary group is the Domain Users group.

User attributes        Active Directory       Novell
Object Class           user                   person

Description
First Name             givenName              givenName
Last Name *            sn                     sn
Identifier *           sAMAccountName         cn
Title                  title
E-mail                 userPrincipalName

Contact
Address                streetAddress          mailstop
City                   l                      city
State                  st                     S
Zip/Postal Code        postalCode
Phone                  telephoneNumber        Telephone Number
Mobile Phone           mobile
Mobile Provider        otherMobile

Note

The provider contained in the Mobile Provider field in the directory must match a provider in the FortiNAC database or SMS messages cannot be sent to that user's Mobile phone. Depending on the configuration of your directory, otherMobile may not be the location of the Mobile Provider field.
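The behaviour described for user attributes (the first value of a repeated attribute wins, values longer than 255 characters are not retrieved, and the Identifier is required) is shown below as an added example that is not FortiNAC code. It applies the Active Directory column of the table above to a constructed record; the function names, the sample record and the choice to map Security Attribute to eduPersonalAffiliation (reusing the guide's own multi-valued example) are assumptions.

```python
# Added example, not FortiNAC code: apply a User Attributes mapping to one
# directory record the way the guide describes. Function names, the sample
# record and the Security Attribute mapping are assumptions.
MAX_ATTR_LEN = 255  # values longer than this are not retrieved

# Active Directory column of the Directory attributes table above.
AD_USER_MAPPING = {
    "Identifier": "sAMAccountName",
    "First Name": "givenName",
    "Last Name": "sn",
    "E-mail": "userPrincipalName",
    "Title": "title",
    "Security Attribute": "eduPersonalAffiliation",  # assumption for the demo
}

# Constructed sample record: repeated eduPersonalAffiliation values and a
# title that is too long to be retrieved.
SAMPLE_RECORD = "\n".join([
    "sAMAccountName=jdoe",
    "givenName=Jane",
    "sn=Doe",
    "userPrincipalName=jdoe@example.com",
    "eduPersonalAffiliation=staff",
    "eduPersonalAffiliation=employee",
    "eduPersonalAffiliation=alum",
    "eduPersonalAffiliation=student",
    "title=" + "x" * 300,
])


def parse_record(text):
    """Parse 'attribute=value' lines; a repeated attribute keeps every value, in order."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        attr, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value line: {line!r}")
        record.setdefault(attr.strip(), []).append(value.strip())
    return record


def map_user(record, mapping):
    """Return (user_fields, issues) for one directory record.

    - The first value of a repeated attribute wins (staff in the sample).
    - A value longer than MAX_ATTR_LEN is not retrieved and is reported.
    - Identifier is required; its absence is reported so the record can be skipped.
    """
    user, issues = {}, []
    for field, attr in mapping.items():
        values = record.get(attr, [])
        if not values:
            if field == "Identifier":
                issues.append((field, "missing"))
            continue
        value = values[0]  # first occurrence wins
        if len(value) > MAX_ATTR_LEN:
            issues.append((field, "too long"))
            continue
        user[field] = value
    return user, issues


if __name__ == "__main__":
    fields, problems = map_user(parse_record(SAMPLE_RECORD), AD_USER_MAPPING)
    print(fields)
    print(problems)
```

Running this against a Preview export before the first synchronization shows which users would arrive without an Identifier or with an attribute silently dropped for length, which is otherwise only visible after the fact.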

Security and access

Security Attribute

The Directory Attribute that can be used in a filter. Data contained in this field is copied to the Security and Access value field on the User Properties and the Host Properties record for each user and associated host when the directory synchronizes with the database.

Allowed Hosts

The number of host records each individual user may have in FortiNAC.

Role

Name of the Directory Attribute used to associate a user with a role.

Note

Matching roles must be created in FortiNAC with the exact same spelling and case as the roles that exist in the directory based on the selected attribute. See Roles view.

When assigning roles to users, the use of directory attributes over directory groups is recommended. Under no circumstances should you use both methods to assign roles.

Disabled Attribute

Setting this attribute allows the AD Administrator to disable users in Active Directory and have all instances of the user automatically disabled in FortiNAC when the next scheduled resync occurs.

Attribute = userAccountControl

Note

Disabled users are able to access the network until FortiNAC resynchronizes with the Active Directory. To immediately disable all instances of the user in FortiNAC, go to the Scheduler View and run the Synchronize Users with Directory task. See Scheduler for more information.

Disabled Value

When the value for the Disabled Attribute for the user equals the Disabled Value, FortiNAC disables all instances of a user when the next scheduled resync with AD occurs. The user must have previously been disabled in AD.

The Disabled Value may vary from directory to directory. Check a user that is currently disabled in the directory to see what the disabled value should be. Enter that value in the Disabled Value field.

If "Disabled Value" starts with a "0x", a bitwise comparison is done between the value in the directory and this field.

Otherwise, without the "0x" prefix, it will only do an exact match numeric comparison.

Note

If you are using Active Directory, it is possible for the Disabled Value to vary from user to user. The value is affected by other account settings selected within the directory, such as Password Never Expires or User Must Change Password At Next Login. You may only be able to set the Disabled Value for users that have identical account settings. See https://support.microsoft.com/en-us/kb/305144 for more information on these values.
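The difference between the two comparison modes matters for exactly the case the note describes. The following added example, which is not FortiNAC code, implements the "0x" bitwise test and the exact numeric match against three constructed userAccountControl values; the function names and sample users are assumptions, while the flag values (ACCOUNTDISABLE 0x2, NORMAL_ACCOUNT 0x200, DONT_EXPIRE_PASSWORD 0x10000) are the ones documented in the Microsoft article cited above.

```python
# Added example, not FortiNAC code: the Disabled Value comparison described
# above. A "0x" prefix selects a bitwise test; anything else is an exact
# numeric match. Function names and sample users are assumptions.
ACCOUNTDISABLE = 0x0002         # userAccountControl flag: account is disabled
NORMAL_ACCOUNT = 0x0200         # 512, set on ordinary user accounts
DONT_EXPIRE_PASSWORD = 0x10000  # 65536, "Password Never Expires"

# Constructed sample userAccountControl values for three users.
SAMPLE_USERS = {
    "alice": NORMAL_ACCOUNT,                                          # 512, enabled
    "bob": NORMAL_ACCOUNT | ACCOUNTDISABLE,                           # 514, disabled
    "carol": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD,  # 66050, disabled
}


def is_disabled(directory_value, disabled_value):
    """True when the user's Disabled Attribute value matches the configured Disabled Value."""
    actual = int(str(directory_value).strip(), 0)  # accepts "514" as well as "0x202"
    configured = str(disabled_value).strip()
    if configured.lower().startswith("0x"):
        mask = int(configured, 16)
        return (actual & mask) == mask  # bitwise comparison
    return actual == int(configured)    # exact numeric match


def disabled_users(users, disabled_value):
    """Names of the users FortiNAC would disable at the next scheduled resync."""
    return sorted(name for name, value in users.items()
                  if is_disabled(value, disabled_value))


if __name__ == "__main__":
    print("Disabled Value 0x2:", disabled_users(SAMPLE_USERS, "0x2"))
    print("Disabled Value 514:", disabled_users(SAMPLE_USERS, "514"))
```

With the bitwise form, bob and carol are both disabled; with the exact value 514, carol keeps network access after the resync because Password Never Expires changed her userAccountControl to 66050. Checking the configured Disabled Value against a few disabled accounts with different settings, as the text recommends, catches this before synchronization does.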

Time To Live

The name of the directory attribute that contains the numerical value for the user age time. If the attribute does not have a value the user age time is not set by the directory.

Age time can also be set using the Properties window or on the User Properties window for an individual user.

All of these options simply modify the Expiration Date in the User Properties window. See User properties.

Note

The value of the attribute in the Time To Live field must be set to the name of the custom attribute that is configured in the directory as the numerical value of hours or days for which the user is valid.

Time to Live Unit

The time unit set in the User Properties age time if the Time to Live attribute contains a value.

Options: Hours or Days

Group attributes tab

The attribute mappings for groups are entered on the Group Tab. The AD attributes are mapped on this form for Object Class, Group Name and Members. This allows FortiNAC to retrieve the group information based on the Group Search Branch configured on the Search Branches Tab. Groups created in the directory are imported into FortiNAC each time the Directory Synchronization task is run either manually or by the Scheduler.

Note

Active Directory size limitations for the number of users per group may cause issues with group based operations. Only the users up to the limitation are affected by group based operations. Size limitations vary depending on the version of Active Directory used and the settings in the MaxValRange and MaxPageSize directory fields.

Note

The value of an attribute being mapped cannot exceed 255 characters in order for the attribute to be retrieved by FortiNAC.

Configure group attributes

  1. To access group attributes for an existing directory, select System > Settings.
  2. Click the Authentication folder in the tree control.
  3. Click LDAP to display the directories.
  4. If you are adding a new directory, the Group Attributes tab is displayed when you click Next after completing the User Attributes tab.
  5. Enter the group attribute mappings:

    Group Attributes            Active Directory       Novell
    Object Class                group                  groupOfMembers
    Group Name                  name                   cn
    Group Members               member                 member
    Distinguished Name (DN)

    Note

    The DN is not to be used in conjunction with groups identified by Object Class.

  6. To ensure that the user data is available to FortiNAC, you must also complete the Search Branches and Select Groups tabs.
  7. Click Next to continue.

Search branches tab

The Search Branches tab is where the Administrator enters the specific User and Group Search Branches information for the Directory server. This tells FortiNAC where the user and group information is located in the Directory.

Note

Active Directory size limitations for the number of users per group may cause issues with group based operations. Only the users up to the limitation are affected by group based operations. Size limitations vary depending on the version of Active Directory used and the settings in the MaxValRange and MaxPageSize directory fields.

The example search branch cn=Users,dc=example,dc=com is for Active Directory. Its segments represent the following:

cn=Users: The abbreviation cn stands for Common Name. In this case, it is the name of the branch or folder in Active Directory that should be searched for users. The name of that branch could be anything, such as Employees or Students.

dc=example: The abbreviation dc stands for Domain Component. In this case it is the second level domain name, such as yahoo in yahoo.com.

dc=com: The abbreviation dc stands for Domain Component. In this case it is the first level domain name, such as com in google.com, edu in marshalluniversity.edu or org in npr.org.
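The segment breakdown above can be checked mechanically before a search branch is saved. The following added example, not FortiNAC code, splits a branch into its segments, maps the dc= components back to the DNS domain they spell, and reports whether a branch lies inside the configured domain (or one of its sub domains, which the Connection tab notes need referrals); function names and the sample DNs are assumptions. It goes slightly beyond the text by honouring the backslash escape of RFC 4514, so a comma inside a value does not start a new segment.

```python
# Added example, not FortiNAC code: split a search branch into its segments
# and relate the dc= components to a DNS domain. Function names are
# assumptions; the sample DNs are constructed.


def parse_dn(dn):
    """Split a DN into (attribute type, value) pairs.

    A backslash escapes the following character (RFC 4514), so a comma
    inside a value, as in "cn=Smith\\, John", does not start a new segment.
    """
    segments, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            segments.append("".join(current))
            current = []
        else:
            current.append(ch)
    segments.append("".join(current))

    pairs = []
    for segment in segments:
        attr, sep, value = segment.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN segment: {segment!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def domain_of(dn):
    """DNS name spelled by the dc= components: example.com for dc=example,dc=com."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")


def base_dn_for_domain(domain):
    """Inverse of domain_of: example.com -> dc=example,dc=com."""
    return ",".join(f"dc={label}" for label in domain.strip(".").split("."))


def branch_in_domain(branch, domain):
    """True when a search branch lies in the domain or in one of its sub domains."""
    found = domain_of(branch).lower()
    domain = domain.lower()
    return found == domain or found.endswith("." + domain)


if __name__ == "__main__":
    for attr, value in parse_dn("cn=Users,dc=example,dc=com"):
        print(f"{attr}={value}")
    print(domain_of("cn=Users,dc=example,dc=com"))
```

A branch whose dc= components do not spell the directory's own domain is a common cause of a synchronization that completes without importing anyone, and this check flags it before the first scheduled run.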

Configure search branches

  1. To access search branches for an existing Directory, select System > Settings.
  2. Click the Authentication folder in the tree control.
  3. Click LDAP to display the directories.
  4. To modify an entry, select the entry and click Modify.
  5. To remove an entry, select the entry to be removed and click Delete.
  6. If you are adding a new directory, the Search Branches tab is displayed when you click Next after completing the Group Attributes tab.
  7. Click Add to add new search branch information. Available search branches are listed, however you can enter your own information. If the list of available search branches is too long to display, type the first few letters of the branch needed to narrow the list.
  8. In the Add dialog, enter or select the Search Branch and then click OK.
  9. To ensure that the user data is available to FortiNAC, you must also complete the Select Groups tab.
  10. Click Next to save search branch information.

Select groups tab

Use the Select Groups tab to choose groups of users to be included when the directory and the FortiNAC database are synchronized. Upon initial synchronization, a host group is created for each LDAP group selected. Hosts become members of these groups when they are registered to a user that is a member of that LDAP group. Note: If an Administrator group with the same name already exists, a host group will not be created.

Users that do not already exist in FortiNAC are not imported. However, user data for users already in the database is updated each time the Synchronization task is run. Only the user records for users in the selected groups are updated. Users in the directory that are not in a selected group are ignored during synchronization.

Configure group selections

  1. To access group selections for an existing directory, select System > Settings.
  2. Click the Authentication folder in the tree control.
  3. Click LDAP to display the directories.
  4. If you are adding a new directory, the Select Groups tab is displayed when you click Next after completing the Search Branches tab.
  5. Mark the groups of users that should be included when the directory and the database are synchronized by checking the box in the Active column. If you do not check any boxes, all groups will be included.
  6. Click OK to save the directory configuration.
  7. An initial Synchronization is done immediately when you save the Directory. It is recommended that you set up a schedule for synchronizing the Directory. See Schedule synchronization.

Configuration

Directory configuration allows you to configure the connection to the directory, user attributes that you would like to import, user search branches and Group Search Branches. Each configuration section has specific information that must be entered to allow FortiNAC to connect with the directory and import users and groups.

Use Schedule to configure the intervals for synchronizing the database with the selected directory. Use Preview to review data in the selected directory. Use Copy to copy the directory configuration fields from an existing configuration.

Directory configuration can be accessed from System > Settings > Authentication > LDAP.

Connection tab

The Connection tab contains the parameters required for communication with the directory. Not all fields are required. Be sure to enter information only in those fields that apply to your directory.

Settings

Field

Description

Name

Name of the server where the directory is hosted.

Primary IP

IP address of the primary directory server. The server will be added as a pingable device.

Security Protocol

The security protocol used when communicating with the server containing your directory. Options are SSL, STARTTLS, and none.

If SSL or STARTTLS are chosen you must have a security certificate from a CA. The certificate should be stored in the following directory on your appliance /bsc/campusMgr/

See Create a keystore for SSL or TLS for instructions on importing and storing certificates.

MAC address

Physical address of the primary directory server. This field is required.

LDAP Login

User login name FortiNAC uses to access the LDAP server.

LDAP Password

Password for the user login.

Validate Credentials

Click to verify that directory credentials are correct.

Credential Status

Displays the results of clicking Validate Credentials. Messages such as credentials verified or failed to validate can be displayed.

Additional Configuration

Displays the fields listed below in this table.

Domain Name

If this field contains a domain name, users must include the domain name in their login to be authenticated against this directory.

Example:

Valid formats for login are: user, user@domain.com and domain\user.

Setting a value here requires all users to supply a domain name during login.

When no domain is specified in the Directory Configuration view and the login includes a domain, authentication first uses the user name and the domain name. If this authentication fails, a second authentication is attempted using only the user name.

Secondary Server

FQDN or IP address of the secondary directory server. This server would be accessed in the event that the Primary server was unavailable. This server is added as a pingable device.

Version

Directory version. Default = 3

Port

Communication port used by the directory. The default port is based on the security protocol. To use a port other than the default, type the desired port number into this field.

Common port values/protocols are:

  • None = 389
  • SSL = 636
  • STARTTLS = 389

Time Limit

Time in seconds that FortiNAC waits for a response from the directory. Default = 5.

The number of seconds may need to be increased in the directory or in FortiNAC if the exception “Time Limit Exceeded” begins to be noted more often.

Enable Synchronization of Users/Groups At Scheduled Time

Check this box to synchronize the FortiNAC database with either the primary or the secondary directory servers based on a schedule in the Scheduler View.

on sync, delete Users no longer found in this directory

When checked, users that have been removed from the directory will be removed from the FortiNAC database when the scheduled resynchronization takes place.

Perform Lookup On Referral

Referrals allow administrators to set up search paths for collecting results from multiple servers. If you have configured your directory for referrals and you want to do authentication on the referred directory servers, enable this option. Enabling referrals is required in order to search sub domains.

Connect by Name

Automatically checked when StartTLS is selected as the Security Protocol.

FortiNAC connects to LDAP using the the Name field of the directory configuration with a URL such as ldap://dc.example.com to connect to the primary server.

When not selected, FortiNAC will connect to LDAP using the Primary IP address field of the directory configuration with a URL such as ldap://10.0.0.2.

The Administrator must enter the specific connection information for the directory server used for user authentication. The Security information required varies depending on the type of directory you are using. Be sure to enter only the data required for your directory type.

The Directories View can be accessed either from System > Settings > Authentication > LDAP.

  1. Click System > Settings.
  2. Click the Authentication folder in the tree control.
  3. Click LDAP to display the Directories window.
  4. To Modify a directory, select a directory in the list and click Modify.
  5. To Add a directory, click Add.
  6. A list of directories found on your network is displayed. Click on the name of the directory to be added. If the directory is not listed, click Enter Manually. Directories are found based on SRV records on your corporate DNS.
  7. Use the information in the Settings table above to enter connection information.
  8. Click the Connection tab and enter connection information.
  9. Click Validate Credentials to verify the connection.
  10. If FortiNAC is able to successfully connect to the directory a Credentials Verified message is displayed in the Credential Status field.
  11. To ensure that the user data is available to FortiNAC, you must also complete the User Attributes, Group Attributes, Search Branches and Select Groups tabs.
  12. Click Next to continue.

User attributes tab

To add users from an LDAP compliant directory, the customer user database schema must be mapped to the FortiNAC user data. Attributes can be mapped for users and groups by selecting the tabs on the left side of the window.

If a user in the directory has multiple attributes with the same attribute ID, FortiNAC uses the first one it finds. For example, if a record looked like the one shown below, FortiNAC would use staff.

eduPersonalAffiliation=staff

eduPersonalAffiliation=employee

eduPersonalAffiliation=alum

eduPersonalAffiliation=student

The attribute mappings for the user are entered on the User Attributes Tab. The AD attributes are mapped on this form for User Description, Contact, Hardware, and Security and Access. This allows FortiNAC to retrieve the user information based on the User Search Branches configured on the Search Branches tab.

Configure user attributes

When adding a directory FortiNAC attempts to determine the directory type and populates the attribute fields based on the directory type. Do not modify the directory yype unless it is incorrect. Do not modify the attributes unless they are incorrect.

The value of an attribute being mapped cannot exceed 255 characters in order for the attribute to be retrieved by FortiNAC.

  1. To access user attributes for an existing directory, select System > Settings.
  2. Click the Authentication folder in the tree control.
  3. Click LDAP to display the directories window.
  4. If you are adding a new directory, the User Attributes tab is displayed when you click Next after completing the connection tab.
  5. The Directory Type drop-down indicates the type of directory being configured. This will scan the directory based on the type selected and pre-populate some of the fields. The directory type should already be listed for you. If the directory type is not listed or you know the field names for your directory, this step is not required.
  6. Enter the user attribute mappings.
  7. The Identifier (ID) field is a required entry. User records in the directory must have data entered in the selected ID field.

    Note: As of version 8.7.0, the Last Name is no longer a required field.

  8. To ensure that the user data is available to FortiNAC, you must also complete the Group Attributes, Search Branches, and Select Groups tabs.
  9. Click Next to continue.
Directory attributes

If you are using Active Directory, keep in mind that Active Directory only allows access via LDAP to users whose primary group is the Domain Users group.

User attributes

Active Directory

Novell

Object Class

user

person

Description

First Name

givenName

givenName

Last Name *

sn

sn

Identifier *

sAMAccountName

cn

Title

title

E-mail

userPrincipalName

Contact

Address

streetAddress

mailstop

City

l

city

State

st

S

Zip/Postal Code

postalCode

Phone

telephoneNumber

Telephone Number

Mobile Phone

mobile

Mobile Provider

otherMobile

Note

The provider contained in the Mobile Provider field in the directory must match a provider in the FortiNAC database or SMS messages cannot be sent to that user's Mobile phone. Depending on the configuration of your directory, otherMobile may not be the location of the Mobile Provider field.

Security and access

Security Attribute

The Directory Attribute that can be used in a filter. Data contained in this field is copied to the Security and Access value field on the User Properties and the Host Properties record for each user and associated host when the directory synchronizes with the database.

Allowed Hosts

The number of host records each individual user may have in FortiNAC.

Role

Name of the Directory Attribute used to associate a user with a role.

Note

Matching roles must be created in FortiNAC with the exact same spelling and case as the roles that exist in the directory based on the selected attribute. See Roles view.

When assigning roles to users, the use of directory attributes over directory groups is recommended. Under no circumstances should you use both methods to assign roles.

Disabled Attribute

Setting this attribute allows the AD Administrator to disable users in Active Directory and have all instances of the user automatically disabled in FortiNAC when the next scheduled resync occurs.

Attribute = userAccountControl

Note

Disabled users are able to access the network until FortiNAC resynchronizes with the Active Directory. To immediately disable all instances of the user in FortiNAC, go the Scheduler View and run the Synchronize Users with Directory task. See Scheduler for more information.

Disabled Value

When the value for the Disabled Attribute for the user equals the Disabled Value, FortiNAC disables all instances of a user when the next scheduled resync with AD occurs. The user must have previously been disabled in AD.

The Disabled Value may vary from directory to directory. Check a user that is currently disabled in the directory to see what the disabled value should be. Enter that value in the Disabled Value field.

If "Disabled Value" starts with a "0x", a bitwise comparison is done between the value in the directory and this field.

Otherwise, without the "0x" prefix, it will only do an exact match numeric comparison.

Note

If you are using Active Directory, it is possible for the Disabled Value to vary from user to user. The value is affected by other account settings selected within the directory, such as, Password Never Expires or User Must Change Password At Next Login. You may only be able to set the Disabled Value for users that have identical account settings. See https://support.microsoft.com/en-us/kb/305144 for more information on these values.

Time To Live

The name of the directory attribute that contains the numerical value for the user age time. If the attribute does not have a value the user age time is not set by the directory.

Age time can also be set using the Properties window or on the User Properties window for an individual user.

All of these options simply modify the Expiration Date in the User Properties window. See User properties.

Note

The value of the attribute in the Time To Live field must be set to the name of the custom attribute that is configured in the directory as the numerical value of hours or days for which the user is valid.

Time to Live Unit

The time unit set in the User Properties age time if the Time to Live attribute contains a value.

Options: Hours or Days

Group attributes tab

The attribute mappings for groups are entered on the Group Tab. The AD attributes are mapped on this form for Object Class, Group Name and Members. This allows FortiNAC to retrieve the group information based on the Group Search Branch configured on the Search Branches Tab. Groups created in the directory are imported into FortiNAC each time the Directory Synchronization task is run either manually or by the Scheduler.

Note

Active Directory size limitations for the number of users per group may cause issues with group based operations. Only the users up to the limitation are affected by group based operations. Size limitations vary depending on the version of Active Directory used and the settings in the MaxValRange and MaxPageSize directory fields.

Note

The value of an attribute being mapped cannot exceed 255 characters in order for the attribute to be retrieved by FortiNAC.

Configure group attributes

  1. To access group attributes for an existing directory, select System > Settings.
  2. Click the Authentication folder in the tree control.
  3. Click LDAP to display the directories.
  4. If you are adding a new directory, the Group Attributes tab is displayed when you click Next after completing the User Attributes tab.
  5. Enter the group attribute mappings:

    Group Attributes

    Active Directory

    Novell

    Object Class

    group

    groupOfMembers

    Group Name

    name

    cn

    Group Members

    member

    member

    Distinguished Name (DN)

    Note

    The DN is not to be used in conjunction with groups identified by Object Class.

  6. To ensure that the user data is available to FortiNAC, you must also complete the Search Branches and Select Groups tabs.
  7. Click Next to continue.
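
The following is an added example, not FortiNAC code, showing how the Active Directory and Novell mappings from the table above pick groups out of decoded LDAP entries, and how the two notes above show up in practice: a value over 255 characters is reported as oversize, and a members attribute returned by Active Directory under a ranged name such as `member;range=0-1499` (the directory's way of signalling that the group exceeded MaxValRange) is flagged as truncated. The entries are constructed sample data.

```python
from typing import Dict, List

# Attribute mappings from the Group Attributes table above.
GROUP_MAPPINGS = {
    "active_directory": {"object_class": "group", "name": "name", "members": "member"},
    "novell": {"object_class": "groupOfMembers", "name": "cn", "members": "member"},
}
MAX_ATTR_LEN = 255  # page note: longer values cannot be retrieved


def extract_groups(entries: List[Dict[str, List[str]]], directory: str) -> List[dict]:
    """Return importable groups from decoded LDAP entries (attr -> list of values).

    Entries without the mapped objectClass are skipped. Values longer than
    255 characters are listed under 'oversize'. A members attribute whose
    name carries ';range=' is Active Directory's ranged retrieval, which
    means the group exceeded MaxValRange, so the group is marked truncated.
    """
    m = GROUP_MAPPINGS[directory]
    groups = []
    for e in entries:
        if m["object_class"] not in e.get("objectClass", []):
            continue
        names = e.get(m["name"], [])
        if not names:
            continue  # no group name: nothing to import
        members = list(e.get(m["members"], []))
        truncated = any(k.startswith(m["members"] + ";range=") for k in e)
        oversize = [v for v in [names[0], *members] if len(v) > MAX_ATTR_LEN]
        groups.append({"name": names[0], "members": members,
                       "truncated": truncated, "oversize": oversize})
    return groups


# Constructed sample entries (not real directory data).
SAMPLE_AD = [
    {"objectClass": ["top", "group"], "name": ["Staff"],
     "member": ["cn=alice,cn=Users,dc=example,dc=com",
                "cn=bob,cn=Users,dc=example,dc=com"]},
    {"objectClass": ["top", "person"], "name": ["alice"]},  # a user, skipped
    {"objectClass": ["top", "group"], "name": ["Big"],
     "member;range=0-1499": ["cn=u0,cn=Users,dc=example,dc=com"]},
    {"objectClass": ["top", "group"], "name": ["Long"],
     "member": ["cn=" + "x" * 300 + ",dc=example,dc=com"]},
]

if __name__ == "__main__":
    for g in extract_groups(SAMPLE_AD, "active_directory"):
        print(g["name"], len(g["members"]), g["truncated"], bool(g["oversize"]))
```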

Search branches tab

The Search Branches tab is where the Administrator enters the specific User and Group Search Branches information for the Directory server. This tells FortiNAC where the user and group information is located in the Directory.

Note

Active Directory size limitations for the number of users per group may cause issues with group-based operations. Only the users within that limit are affected by group-based operations. Size limitations vary depending on the version of Active Directory used and the settings in the MaxValRange and MaxPageSize directory fields.

The example shown in the figure below, the search branch cn=Users,dc=example,dc=com, is for Active Directory. In this example the segments represent the following:

cn=Users: The abbreviation cn stands for Common Name. In this case, it is the name of the branch or folder in Active Directory that should be searched for users. The name of that branch could be anything, such as, Employees or Students.

dc=example: The abbreviation dc stands for Domain Component. In this case it is the second-level domain name, such as yahoo in yahoo.com.

dc=com: The abbreviation dc stands for Domain Component. In this case it is the top-level domain name, such as com in google.com, edu in marshalluniversity.edu or org in npr.org.
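
As an added example (not FortiNAC code), the parser below splits a search branch DN into the segments described above and rebuilds the DNS domain from its dc components. It also honours backslash escapes, so a comma inside a branch name (for instance a cn of "Smith, John") is not mistaken for a segment separator; all DNs used are constructed samples.

```python
from typing import List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, e.g. 'cn=Users,dc=example,dc=com'.

    A backslash escapes the next character, so 'cn=Smith\\, John' keeps its
    comma instead of being split into two segments.
    """
    segments, current, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if c == ",":
            segments.append("".join(current))
            current = []
        else:
            current.append(c)
        i += 1
    segments.append("".join(current))

    pairs = []
    for seg in segments:
        if "=" not in seg:
            raise ValueError(f"search branch segment without '=': {seg!r}")
        attr_type, value = seg.split("=", 1)
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def domain_from_dn(dn: str) -> str:
    """Join the dc segments, most specific first, into a DNS name."""
    return ".".join(value for attr_type, value in split_dn(dn) if attr_type == "dc")


def branch_container(dn: str) -> str:
    """Return the container (cn or ou) that is searched, i.e. the first non-dc segment."""
    for attr_type, value in split_dn(dn):
        if attr_type != "dc":
            return value
    return ""


if __name__ == "__main__":
    sample = "cn=Users,dc=example,dc=com"  # constructed sample search branch
    print(split_dn(sample), domain_from_dn(sample), branch_container(sample))
```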

Configure search branches

  1. To access search branches for an existing Directory, select System > Settings.
  2. Click the Authentication folder in the tree control.
  3. Click LDAP to display the directories.
  4. To modify an entry, select the entry and click Modify.
  5. To remove an entry, select the entry to be removed and click Delete.
  6. If you are adding a new directory, the Search Branches tab is displayed when you click Next after completing the Group Attributes tab.
  7. Click Add to add new search branch information. Available search branches are listed, however you can enter your own information. If the list of available search branches is too long to display, type the first few letters of the branch needed to narrow the list.
  8. In the Add dialog, enter or select the Search Branch and then click OK.
  9. To ensure that the user data is available to FortiNAC, you must also complete the Select Groups tab.
  10. Click Next to save search branch information.

Select groups tab

Use the Select Groups tab to choose groups of users to be included when the directory and the FortiNAC database are synchronized. Upon initial synchronization, a host group is created for each LDAP group selected. Hosts become members of these groups when they are registered to a user that is a member of that LDAP group. Note: If an Administrator group with the same name already exists, a host group will not be created.

Users that do not already exist in FortiNAC are not imported. However, user data for users already in the database is updated each time the Synchronization task is run. Only the user records for users in the selected groups are updated. Users in the directory that are not in a selected group are ignored during synchronization.

Configure group selections

  1. To access group selections for an existing directory, select System > Settings.
  2. Click the Authentication folder in the tree control.
  3. Click LDAP to display the directories.
  4. If you are adding a new directory, the Select Groups tab is displayed when you click Next after completing the Search Branches tab.
  5. Mark the groups of users that should be included when the directory and the database are synchronized by checking the box in the Active column. If you do not check any boxes, all groups will be included.
  6. Click OK to save the directory configuration.
  7. An initial synchronization is done immediately when you save the directory. It is recommended that you set up a schedule for synchronizing the directory. See Schedule synchronization.