
Administration Guide


Directories

Use the authentication directories view to configure the connection with one or more LDAP directories. If you plan to use local authentication via the FortiNAC database or RADIUS authentication, this step is not necessary.

A directory is a database that contains the records of an organization's members. You can organize the members into groups within the directory. If configured in FortiNAC, the directory can be used to authenticate network users. If you have chosen LDAP authentication in the portal configuration window, you must configure a directory in FortiNAC. See Portal configuration or Configure authentication credentials.

The directory configuration validates the user and populates the user record in the FortiNAC databases with user-specific information before they are allowed access to the network. FortiNAC uses the LDAP protocol to communicate to an organization’s directory.

A user's record is made up of fields that contain information about the user such as first name, last name, and email address. The name of a field in a directory is defined by a schema. For example, the schema specifies that a user's first name is stored in a field with an attribute name of "givenName". This attribute name is used when retrieving a user's first name from the record. Attribute names can vary from directory to directory, so FortiNAC allows you to define your own fields. Users in an “ou” in the directory are populated into a group in FortiNAC if the distinguished name (DN) attribute is entered in the directory group attribute mappings view.

When an administrator group is created in FortiNAC with the same name as a group being synchronized from a directory, the administrator group members will remain the same as the directory group members. Therefore, if you add a non-directory user to the administrator group and then synchronize the directory, the non-directory user is removed from the administrator group because the user is not a member of the directory group.

Authenticate using a domain name

If you chose to authenticate using a domain name, you must consider the following:

  • When a domain name is specified and the login includes the matching domain, authentication first uses both the user name and the domain name. If this authentication fails, no further authentications are attempted.
  • When a domain name is specified and the login includes a domain that does not match, the authentication immediately fails.
  • When no domain is specified and the login includes a domain, authentication first uses the user name and the domain name. If this authentication fails, a second authentication is attempted using only the user name.
  • Domain names must be an exact match. For example, if you define the domain as example.com, a login of john.smith@it.example.com is not authenticated because the domain specified is not an exact match.
  • The table below summarizes the formats FortiNAC uses to interpret the fully qualified username and to identify the user portion (which can sometimes be a host), the domain portion, and the separator.

Fully qualified username    User    Domain
user                        user    no domain specified
user@domain.com             user    domain.com
user@domain                 user    domain
domain\user                 user    domain
domain.com\user             user    domain.com

Authenticate using domain names and multiple directories

If you are using multiple directories to authenticate users, you must consider the following:

  • When one directory is configured and no domain is specified, authentication is attempted using the one directory.
  • When multiple directories are configured and no domain is specified, authentication is attempted against all directories in the database. The order in which the directories are processed cannot be controlled, and the first directory that yields a successful authentication is used. Therefore, if settings such as Security & Access Attribute Value, Role, etc., are not identical across all configured directories, a user's network access can vary depending on which directory's settings are in effect. These settings depend on the most recent directory sync.
  • When multiple directories are configured, authentication is attempted against all directories without Domain configurations, or with Domain configurations matching the domain, if one is supplied. If a Domain is configured for the directory, the user must supply a matching value for their domain in order for authentication to be attempted to that directory.
  • If duplicate user IDs are present across the directories, the Identifier attribute mappings must contain unique values. Use the userPrincipalName or mail attributes. Using sAMAccountName is only recommended for the default directory without a Domain Name configured; all other directories must provide a unique user ID value.

Note: Domain Name can be a semicolon-separated list, for example: EXAMPLE;example.com
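The following added example (not FortiNAC code) models the username formats in the table above together with the single- and multiple-directory domain rules, so an administrator can predict which directories a given login will be attempted against. The Directory class, the function names, and the literal handling of "exact match" (case handling is not stated on this page) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Directory:
    """One configured directory; domains holds the parsed 'Domain Name' field."""
    name: str
    domains: tuple = ()

def parse_domain_names(value: str) -> tuple:
    """Split the semicolon-separated Domain Name field, e.g. 'EXAMPLE;example.com'."""
    return tuple(d.strip() for d in value.split(";") if d.strip())

def split_username(fqun: str):
    """Return (user, domain, separator) following the formats in the table above.
    domain is None when the login carries no domain."""
    if "\\" in fqun:                        # domain\user or domain.com\user
        domain, sep, user = fqun.partition("\\")
        return user, domain, sep
    if "@" in fqun:                         # user@domain or user@domain.com
        user, sep, domain = fqun.partition("@")
        return user, domain, sep
    return fqun, None, None                 # bare user: no domain specified

def attempt_plan(fqun: str, directory: Directory):
    """List the (user, domain) authentication attempts made against one directory,
    in order. An empty list means authentication fails immediately there."""
    user, domain, _ = split_username(fqun)
    if directory.domains:
        # Domain configured: the login must carry an exactly matching domain.
        # Case handling is not stated on the page; 'exact' is taken literally (assumption).
        if domain is not None and domain in directory.domains:
            return [(user, domain)]         # no fallback attempt on failure
        return []                           # mismatch or no domain: immediate failure
    if domain is None:
        return [(user, None)]
    return [(user, domain), (user, None)]   # user+domain first, then user only

def candidate_directories(fqun: str, directories):
    """Names of directories that will be tried for this login. FortiNAC does not
    let you control evaluation order, so callers must not rely on list order."""
    return [d.name for d in directories if attempt_plan(fqun, d)]

if __name__ == "__main__":
    # Constructed sample configuration: one directory with a Domain Name, one without.
    corp = Directory("corp", parse_domain_names("EXAMPLE;example.com"))
    default = Directory("default")
    for login in ("john.smith", "john.smith@example.com", "john.smith@it.example.com"):
        print(login, "->", candidate_directories(login, [corp, default]))
```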
