Model configuration
The model configuration window allows you to configure devices that are connected to your network so that they can be monitored. Data entered in this window is stored in the FortiNAC database and is used to allow interaction with the device. Passwords are encrypted. Data entered on the model configuration window is not sent to the device. This window can be accessed from Inventory.
When configuring the device itself, use only letters, numbers and hyphens (-) in names for items within the device configuration, in security strings and in SNMP credentials. Other characters may prevent FortiNAC from reading the device configuration. For example, in many cases the # sign is interpreted by FortiNAC as a prompt. Cisco restricts the use of @ and #.
Models Using a Virtual IP (VIP) Address
SSH communication can fail if the device controlling the VIP changes, because the SSH host key changes and the key currently in use becomes invalid. To prevent an SSH communication failure in this scenario, the MultiKnownHostEntries attribute can be enabled in FortiNAC versions 9.4.3 and greater.
MultiKnownHostEntries attribute: Disabled by default. When enabled, FortiNAC's known_hosts cache is checked for all potential matches of the VIP and determines which entry to use. This is done on a per-device model basis.
For details and instructions, see KB article: https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-CLI-credential-validation-fails-in-device/ta-p/271544
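An added illustration (not FortiNAC code) of the failure mode described above: when a VIP fronts two appliances, the known_hosts cache can hold two host keys for the same address, and a check that consults only one cached entry fails after failover, while checking every cached entry for the address (the behaviour MultiKnownHostEntries enables) succeeds. The known_hosts contents, the key blobs and the single-entry default behaviour are constructed assumptions for the example.

```python
"""Added illustration (not FortiNAC code) of SSH host-key checking against a
known_hosts cache that holds several entries for one VIP address."""

# Constructed known_hosts content: two appliances share the VIP 10.0.0.5 and
# each presents its own host key, so two lines exist for the same address.
# The key blobs are constructed placeholders, not real SSH public keys.
KNOWN_HOSTS = """\
# host            key-type     key (placeholder)
10.0.0.5          ssh-ed25519  AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYAAAA
10.0.0.5          ssh-ed25519  AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBBBB
10.0.0.9          ssh-rsa      AAAAB3NzaC1yc2EAAAADAQABAAABgQPLACEHOLDERCC
"""


def parse_known_hosts(text):
    """Return (host, key_type, key) tuples; blank lines and # comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, key_type, key = line.split()[:3]
        entries.append((host, key_type, key))
    return entries


def verify_host_key(entries, host, presented_key, multi_entries=False):
    """Return True if `presented_key` is an accepted cached key for `host`.

    multi_entries=False models (as an assumption) a check that consults only
    the first cached entry for the address: after the VIP moves to the other
    appliance, its key is on file but is never compared, so the session fails.
    multi_entries=True models MultiKnownHostEntries: every cached entry for
    the address is a candidate, so either appliance's key is accepted.
    """
    candidates = [key for h, _, key in entries if h == host]
    if not candidates:
        return False  # address never seen: nothing to compare against
    if not multi_entries:
        candidates = candidates[:1]
    return presented_key in candidates
```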
Note: For network devices using API credentials, the User Name is the serial number of the appliance and the Password is the REST API Key.
Access from Topology
- Click Network > Inventory.
- Expand the Container icon.
- Right-click on the device, and then click Model Configuration.
Settings
Device configuration information is specific for each device and may include any combination of the fields in the table below:
| Setting | Description |
|---|---|
| **General** | |
| User Name | The user name used to log on to the device for configuration. This is for CLI access. For network devices using API credentials, the User Name is the serial number of the appliance. |
| Password | The password required to configure the device. This is for CLI access. For network devices using API credentials, the Password is the REST API Key. |
| Enable Password | The enable password for the device. This is for CLI access. Note: Version 8.7.2 and higher: Arista switches can be configured to require typing "enable" to enter enable mode without a password. For such configurations, populate this field with the # character. |
| Super Password | The super password required for access to more features on 3Com devices. |
| HWC Connect Port | Port for the External Captive Portal that was configured by the user on the device during the initial device setup. This port is required for FortiNAC to send commands to the device. Consult the manufacturer for assistance in locating this port number. |
| Read Groups From Device | Ports on a device can be placed into network groups that control access. This option reads the preset groups from the device. |
| Enable RADIUS authentication for this device | When selected, FortiNAC processes RADIUS requests from the device. |
| Clear Known Hosts | Clears all known host keys associated with this device. Host keys for devices modeled in Inventory are written to /bsc/.ssh/known_hosts. |
| Telnet/SSH Connection Timeout (Sec) | Determines how long to wait to connect and/or establish a Telnet/SSH session for this device. When disabled (default), the global setting "Telnet/SSH Connection Timeout (Sec)" applies. See Network device. |
| CLI Command Timeout (Sec) | Determines how long to wait for a CLI response (prompt, show commands, etc.) for this device. When disabled (default), the global setting "Telnet/SSH Connection Timeout (Sec)" applies. See Network device. |
| **Protocol types** | |
| Telnet | Use Telnet to log on to the device for configuration. |
| SSH1 | Use SSH1 to log on to the device for configuration. |
| SSH2 | Use SSH2 to log on to the device for configuration. |
| **VLAN ID/Network Access** | |
| VLAN Display Format | For some devices, the list of VLANs configured on the device can be read from the device and made available in a drop-down. When this feature is available, the VLAN Display Format option is shown. Choices include: |
| Read VLANs | Reads the VLAN configuration from the device and populates the drop-down lists of VLANs for each isolation state. |
| Default | The Default VLAN value is stored in the FortiNAC database and is used when the VLAN is not determined by another method, such as a network access policy. Typically, if a VLAN is specified as the Default, it is the VLAN used for "normal" or "production" network access. It is used for all the untagged (non-uplink) ports on the device. If you do not want all ports on the device to use the same "Default" VLAN, leave the value blank in Model Configuration and use Network Access/VLANs to customize the default VLAN for each port. See Network access/VLANs for more information. |
| Dead End | The dead end VLAN for this device. Isolates disabled hosts with limited or no network connectivity from the production network. |
| Registration | The registration VLAN for this device. Isolates unregistered hosts from the production network during host registration. |
| Quarantine | The quarantine VLAN for this device. Isolates hosts that pose a security risk because they failed a policy scan from the production network. |
| Authentication | The authentication VLAN for this device. Isolates registered hosts from the production network during user authentication. |
| Voice | The voice VLAN(s) for this device. This field accepts a comma-separated list of VLANs, such as 10, 25,30. This indicates to FortiNAC that these VLANs are excluded from all other uses. |
| Apply Default VLAN ID To All Non-wireless ports | If a device has both wired and wireless ports, you may choose to assign VLANs to each port individually. You may also choose to assign a single default VLAN to all of the wireless ports for this device by putting a VLAN ID in the Default field on this window. That number then overrides the individual entries on the wireless ports, while the wired ports continue to have a separate VLAN setting for each port. If you choose to apply the Default VLAN ID to both wireless and wired ports, enabling this feature overrides the original port settings on the wired ports with the setting in the Default field on this window. |
| Manage Captive Portal | Affects only Meru Controllers. If the Captive Portal setting on any Security Profile for any SSID is set to WebAuth, indicating that the SSID is being managed by the Internal Captive Portal (ICP) on the Meru Controller, and this check box is enabled, all SSIDs set to WebAuth are managed by FortiNAC. If enabled, FortiNAC uses Firewall Rules to treat authenticated and unauthenticated users differently. The treatment selected in the Access Enforcement section of model configuration is ignored for any SSIDs set to WebAuth. Hosts that are isolated are treated as unauthenticated hosts regardless of the isolation type. Hosts that are not isolated are treated as authenticated. |
| **CLI configurations** | |
| Configurations | This section allows you to associate pre-configured scripts with selected port states or host states. A default script can also be selected. Scripts are not required. States that can be associated with CLI configurations include: default, registration, authentication, dead end, and quarantine. See CLI configuration for information on creating scripts. |
| **RADIUS** | |
| Primary RADIUS Server | The RADIUS server used for authenticating users connecting to the network through this device. Select the Use Default option from the drop-down list to use the server indicated in parentheses. See RADIUS for information on configuring your RADIUS servers. |
| Secondary RADIUS Server | If the primary RADIUS server fails to respond, this RADIUS server is used for authenticating users connecting to the network until the primary RADIUS server responds. Select the Use Default option from the drop-down list to use the server indicated in parentheses. |
| RADIUS Secret | The secret used for RADIUS authentication. |
| Enable rfc5176 support | Appears for Aruba Controllers. Enables the use of both RADIUS Disconnect and RADIUS Change of Authorization (CoA) requests, depending on the Aruba model being used (L2 Roles with VLANs and L2 Roles only, respectively). |
| Modify Button | Allows you to modify the RADIUS secret. |
| Mode | The RADIUS Authentication Mode to be used when a RADIUS request is received from the modeled device. Local: Use the Local RADIUS server. Enter the RADIUS Secret, and choose the attributes to be sent in the Accept packet. Proxy: Use the RADIUS Proxy. Optionally choose to override the RADIUS server to proxy to and enter the RADIUS secret. |
| Default RADIUS Attribute Group (Local RADIUS Option) | The default RADIUS Attributes to be sent for all accepted requests from this device. Hover over the group name to see which attributes and values will be sent. FortiNAC has pre-built attribute groups that can be used for most devices. |
| **Restricted access** | |
| Object Group Name | Network List name that is used to contain IPs when the host is marked safe. |
| **Network access - wireless devices** | |
| SSO Addresses | Network Address group containing the desired scope of IPs to be managed using SSO. See Addresses. Important: Requires a resync to apply changes. See Resync Interfaces. |
| VPN Addresses | Network Address group containing the desired scope of IPs to be managed over VPN. See Addresses. Important: Requires a resync to apply changes. See Resync Interfaces. |
| Source IP Address | The device's IP address used for communication. Required if this address does not match the IP address in the Element tab. |
| Read Roles From Device | Retrieves the roles that currently exist on the device being configured. |
| Read Roles | The drop-down next to each type, such as Registration, contains a list of possible roles read from the device. You can select a role for one or more of the types listed below. |
| Host State | Host State is used to determine treatment when the host connects to the network. For each host state, select an option in the Access Enforcement column and, where applicable, in the Access Value column. |
| Access Enforcement | This set of drop-down menus works in conjunction with the Host States listed above to determine treatment for hosts when no VLAN/Role value is supplied or when access control is being enforced. Options include: |
| Access Value | VLAN/Role where a host in this state should be placed when it connects to the network. If Enforce is selected in the Access Enforcement field, you must enter a value in the Access Value field. |
| Additional RADIUS Attribute Group (Local RADIUS option) | For each Logical Network, you can choose either to use the default values only, or to append to and overwrite them with another attribute group. Hover over the group name to see which attributes and values will be sent. |
| **Wireless AP parameters** | |
| Preferred Container Name | If this device is connected to any Wireless Access Points, they are included in the Topology. Enter the name of the Container in which these Wireless Access Points should be stored. Containers or folders are created in the Topology to group devices. |
| **Detail configuration** | |
| Check box | Secure Ports is enabled for ports on this device. When this option is enabled, secure ports allow you to deny access to disabled hosts. See Secure port/static port overview for requirements. |