
Administration Guide

Model configuration

Model configuration

The model configuration window allows you to configure devices that are connected to your network so that they can be monitored. Data entered in this window is stored in the FortiNAC database and is used to allow interaction with the device. Passwords are encrypted. Data entered on the model configuration window is not sent to the device. This window can be accessed from Inventory.

When configuring the device itself, use only letters, numbers and hyphens (-) in names for items within the device configuration, in security strings and in SNMP credentials. Other characters may prevent FortiNAC from reading the device configuration. For example, in many cases the # sign is interpreted by FortiNAC as a prompt. Cisco restricts the use of @ and #.

Models Using a Virtual IP (VIP) Address

SSH communication can fail if the device controlling the VIP changes. This is due to a change in the SSH key, making the currently used key invalid. To prevent an SSH communication failure due to this scenario, the MultiKnownHostEntries attribute can be enabled in FortiNAC versions 9.4.3 and greater.

MultiKnownHostEntries attribute: Disabled by default. When enabled, FortiNAC's known_hosts cache is checked for all potential matches of the VIP to determine which entry to use. This is done on a per-device model basis.

For details and instructions, see KB article: https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-CLI-credential-validation-fails-in-device/ta-p/271544
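To illustrate why a VIP fails SSH host-key verification after a failover, here is an added example (not FortiNAC's own code) that parses a constructed known_hosts file holding two different keys for the same VIP and emulates a single-entry check against an any-cached-entry check. The single-entry versus multi-entry behaviour is an assumption modelled on the description above, not FortiNAC's implementation.

```python
# Constructed sample keys: two cluster members that have each answered on the VIP.
MEMBER1_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIMEMBER1KEYEXAMPLE"
MEMBER2_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIMEMBER2KEYEXAMPLE"

# Constructed known_hosts content: both members' keys are cached for 10.0.0.5,
# plus an unrelated device so the host filter is exercised.
KNOWN_HOSTS = f"""\
# cached by the NAC after the first CLI login to each member
10.0.0.5 ssh-ed25519 {MEMBER1_KEY}
10.0.0.5 ssh-ed25519 {MEMBER2_KEY}
10.0.0.9 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABOTHERDEVICEEXAMPLE
"""


def parse_known_hosts(text):
    """Return (hostnames, key_type, key) tuples from known_hosts text.

    Blank lines and comments are skipped; @cert-authority / @revoked markers
    are stripped but not interpreted (not needed for this illustration).
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):
            parts = parts[1:]
        if len(parts) < 3:
            continue  # malformed line; a real parser would log this
        entries.append((parts[0].split(","), parts[1], parts[2]))
    return entries


def verify_host_key(entries, host, key_type, key, multi_entries=False):
    """Emulate the host-key check for one device model (assumed behaviour).

    multi_entries=False: only the first cached key of that type for the host
    is trusted, so a failover to the other member yields 'mismatch'.
    multi_entries=True: any cached key for the host is acceptable.
    Returns 'ok', 'mismatch' or 'unknown' (no cached key of that type).
    """
    matches = [(t, k) for hosts, t, k in entries if host in hosts and t == key_type]
    if not matches:
        return "unknown"
    candidates = matches if multi_entries else matches[:1]
    return "ok" if (key_type, key) in candidates else "mismatch"
```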

Note

For network devices using API credentials, the User Name is the serial number of the appliance and the Password is the REST API Key.

Access from Topology

  1. Click Network > Inventory.
  2. Expand the Container icon.
  3. Right-click on the device, and then click Model Configuration.

Settings

Device configuration information is specific to each device and may include any combination of the fields in the table below:

Settings

Description

General

User Name

The user name used to log on to the device for configuration. This is for CLI access.

Note

The user account must have the appropriate permissions configured on the device.

For network devices using API credentials, the User Name is the serial number of the appliance.

Password

The password required to configure the device. This is for CLI access.

For network devices using API credentials, the Password is the REST API Key.

Enable Password

The enable password for the device. This is for CLI access.

Note: Version 8.7.2 and higher: Arista switches can be configured to require typing "enable" to enter enable mode, but no password is needed. For such configurations, populate this field with the # character.

Super Password

The super password required for access to more features on 3Com devices.

HWC Connect Port

Port for the External Captive Portal that was configured by the user on the device during the initial device setup. This port is required for FortiNAC to send commands to the device. Consult the manufacturer for assistance in locating this port number.

Read Groups From Device

Ports on a device can be placed into network groups that control access. This option reads the preset groups from the device.

Enable RADIUS authentication for this device

When selected, FortiNAC will process RADIUS requests from the device.

Clear Known Hosts

Clear all known host keys associated with this device. Host keys for devices modeled in Inventory are written to /bsc/.ssh/known_hosts.

Telnet/SSH Connection Timeout (Sec)

Used to determine how long to wait to connect and/or establish a Telnet/SSH session for this device. When disabled (default), the global setting "Telnet/SSH Connection Timeout (Sec)" applies. See Network device.

CLI Command Timeout (Sec)

Used to determine how long to wait for a CLI response (prompt, show commands, etc.) for this device. When disabled (default), the global setting "Telnet/SSH Connection Timeout (Sec)" applies. See Network device.

Protocol types

Telnet

Use Telnet to log on to the device for configuration.

SSH1

Use SSH1 to log on to the device for configuration.

SSH2

Use SSH2 to log on to the device for configuration.

VLAN ID/Network Access

VLAN Display Format

For some devices, the list of VLANs configured on the device can be read from the device and made available in a drop-down. When this feature is available, the VLAN Display Format option is shown. Choices include:

  • VLAN Name: Displays a drop-down list of VLANs configured on the device by VLAN name for each isolation state.
  • VLAN ID: Displays a drop-down list of possible VLANs configured on the device by VLAN ID or number for each isolation state.
  • Manual: Provides an empty text field to enter the VLAN name or ID. This is used in the event that the VLANs on the device have not been pre-configured.

Read VLANs

Read VLAN configuration from the device and populate the drop-down lists of VLANs for each isolation state.

Default

The Default VLAN value is stored in the FortiNAC database and is used when the VLAN is not determined by another method, such as a network access policy.

Typically, if a VLAN is specified as the Default, it is the VLAN used for "normal" or "production" network access. It will be used for all the untagged (non-uplink) ports on the device.

If you do not want all ports on the device to use the same "Default" VLAN, you can leave the value blank in Model Configuration and use Network Access/VLANs to customize the default VLANs for each port. See Network access/VLANs for more information.

Dead End

The dead end VLAN for this device. Isolates disabled hosts with limited or no network connectivity from the production network.

Registration

The registration VLAN for this device. Isolates unregistered hosts from the production network during host registration.

Quarantine

The quarantine VLAN for this device. Isolates hosts from the production network who pose a security risk because they failed a policy scan.

Authentication

The authentication VLAN for this device. Isolates registered hosts from the Production network during user authentication.

Voice

The voice VLAN(s) for this device. This field accepts a list of VLANs separated by commas, such as 10, 25,30. This indicates to FortiNAC that these VLANs are excluded from all other uses.

Apply Default VLAN ID To All Non-wireless ports

If a device has both wired and wireless ports, you may choose to assign VLANs to each port individually.

You may also choose to assign a single default VLAN to all of the wireless ports for this device, by putting a VLAN ID in the Default field on this window. That number then overrides the individual entries on the wireless ports. The wired ports would continue to have a separate VLAN setting for each port.

If you choose to apply the Default VLAN ID to both wireless and wired ports, enabling this feature overrides the original port settings on the wired ports with the setting in the Default field on this window.

Manage Captive Portal

Affects only Meru Controllers.

If the Captive Portal setting on any Security Profile for any SSID is set to WebAuth (indicating that the SSID is managed by the Internal Captive Portal (ICP) on the Meru Controller) and this check box is enabled, all SSIDs set to WebAuth will be managed by FortiNAC.

If enabled, FortiNAC uses Firewall Rules to treat authenticated and unauthenticated users differently.

The treatment selected in the Access Enforcement section of model configuration is ignored for any SSIDs set to WebAuth. Hosts that are isolated are treated as unauthenticated hosts regardless of the isolation type. Hosts that are not isolated are treated as authenticated.

CLI configurations

Configurations

This section allows you to associate pre-configured scripts with selected Port states or host states. A default script can also be selected. Scripts are not required. States that can be associated with CLI configurations include: default, registration, authentication, dead end, and quarantine.

See CLI configuration for information on creating scripts.

RADIUS

Primary RADIUS Server

The RADIUS server used for authenticating users connecting to the network through this device.

Select the Use Default option from the drop-down list to use the server indicated in parentheses.

See RADIUS for information on configuring your RADIUS servers.

Secondary RADIUS Server

If the primary RADIUS server fails to respond, this RADIUS server is used for authenticating users connecting to the network until the primary RADIUS server responds.

Select the Use Default option from the drop-down list to use the server indicated in parentheses.

RADIUS Secret

The secret used for RADIUS authentication.

Note

The RADIUS secret used must be exactly the same on the wireless device, on the RADIUS server and in the FortiNAC software under RADIUS Settings and Model Configuration.

Enable rfc5176 support

Appears for Aruba Controllers. Enables the use of both RADIUS Disconnect and RADIUS Change of Authorization (CoA) requests, depending on the Aruba model being used (L2 Roles with VLANs and L2 Roles only, respectively).

Modify Button

Allows you to modify the RADIUS secret.

Mode

The RADIUS Authentication Mode to be used when a RADIUS request is received from the modeled device.

Local: Use the Local RADIUS server. Enter the RADIUS Secret, and choose the attributes to be sent in the Accept packet.

Proxy: Use the RADIUS Proxy. Optionally choose to override the RADIUS server to proxy to and enter the RADIUS secret.

Default RADIUS Attribute Group (Local RADIUS Option)

The default RADIUS Attributes to be sent for all accepted requests from this device. Hover over the group name to see what attributes and values will be sent. FortiNAC has pre-built attribute groups that can be used for most devices.

Restricted access

Object Group Name

Network List name that is used to contain IPs when the host is marked safe.

Network access - wireless devices

SSO Addresses

Network Address group containing the desired scope of IPs to be managed using SSO. See Addresses. Important: Requires a resync to apply changes. See Resync Interfaces.

VPN Addresses

Network Address group containing the desired scope of IPs to be managed over VPN. See Addresses. Important: Requires a resync to apply changes. See Resync Interfaces.

Source IP Address

Device's IP address used for communication. Required if this address does not match the IP address in the Element tab.

Read Roles From Device

Retrieves roles that currently exist on the device being configured.

Read Roles

The drop-down next to each type, such as Registration, contains a list of possible roles read from the device. You can select a role for one or more of the types listed below.

  • Default
  • Dead End
  • Registration
  • Quarantine
  • Authentication

Host State

Host State is used to determine treatment when the host connects to the network. For each host state select an option in the Access Enforcement column and where applicable in the Access Value column.

  • Default
  • Dead End
  • Registration
  • Quarantine
  • Authentication
  • Roaming Guest

Note

Roaming Guest is a special host state detected when a user authenticates using a domain name that is not listed in the local domains list. Users are authenticated via a remote RADIUS server and are placed on the network immediately unless Deny is selected under Access Enforcement. Roaming guests bypass the captive portal and device profiler. See Roaming guests.

Access Enforcement

This set of drop-down menus works in conjunction with the Host States listed above to determine treatment for hosts when no VLAN/Role value is supplied or when access control is being enforced. Options include:

  • Deny: Host will be denied access to the network when it is in this state. For example, if the host is not registered and Registration is set to Deny, the host connection will be rejected.

    Note

    Endpoints that have been denied access may continuously request access which can unnecessarily consume system resources.

  • Bypass: Host will be allowed access to the network when it is in this state. The host will be placed on the default VLAN/Role configured on the device for this port or SSID. For example, if Quarantine is set to Bypass, hosts that fail a scan and would normally be placed in Quarantine are placed in the default VLAN/Role on the device.
  • Enforce: Indicates that the host will be placed in the VLAN/Role specified in the Access Value column for this state.

Access Value

VLAN/Role where a host in this state should be placed when it connects to the network. If Enforce is selected in the Access Enforcement field you must enter a value in the Access Value field.
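The Host State, Access Enforcement and Access Value fields above form a small decision table. The following added example (illustration only, not FortiNAC code) models that table: it checks a model configuration for the inconsistencies the text warns about (Enforce without an Access Value, an isolation VLAN that is also listed as a Voice VLAN) and resolves how a host in a given state is treated. The config structure and result labels are assumptions made for the example.

```python
from dataclasses import dataclass, field

HOST_STATES = ("Default", "Dead End", "Registration", "Quarantine",
               "Authentication", "Roaming Guest")
ENFORCEMENTS = ("Deny", "Bypass", "Enforce")


def parse_voice_vlans(text):
    """Parse the comma-separated Voice field, e.g. '10, 25,30' -> {'10','25','30'}."""
    return {v.strip() for v in text.split(",") if v.strip()}


@dataclass
class HostStateRow:
    enforcement: str          # Deny, Bypass or Enforce
    access_value: str = ""    # VLAN ID/name or role; required when Enforce


@dataclass
class ModelConfig:
    default_vlan: str = ""    # the Default field of the model configuration
    voice: str = ""           # the Voice field, comma-separated
    host_states: dict = field(default_factory=dict)   # state -> HostStateRow


def validate(cfg):
    """Return a list of configuration problems; an empty list means consistent."""
    problems = []
    voice = parse_voice_vlans(cfg.voice)
    for state, row in cfg.host_states.items():
        if state not in HOST_STATES:
            problems.append(f"unknown host state {state!r}")
        if row.enforcement not in ENFORCEMENTS:
            problems.append(f"{state}: unknown enforcement {row.enforcement!r}")
        if row.enforcement == "Enforce" and not row.access_value:
            problems.append(f"{state}: Enforce selected but Access Value is empty")
        if row.access_value and row.access_value in voice:
            # Voice VLANs are excluded from all other uses
            problems.append(f"{state}: Access Value {row.access_value} is a Voice VLAN")
    if cfg.default_vlan and cfg.default_vlan in voice:
        problems.append("Default VLAN is listed as a Voice VLAN")
    return problems


def resolve(cfg, state):
    """Decide how a host in `state` is treated when it connects.

    Returns ('reject', None) for Deny, ('device-default', None) for Bypass
    (the port/SSID keeps the VLAN/Role configured on the device), or
    ('assign', value) for Enforce. With no row for the state, the model's
    Default VLAN is used if set, otherwise the device default applies.
    """
    row = cfg.host_states.get(state)
    if row is None:
        return ("assign", cfg.default_vlan) if cfg.default_vlan else ("device-default", None)
    if row.enforcement == "Deny":
        return ("reject", None)
    if row.enforcement == "Bypass":
        return ("device-default", None)
    return ("assign", row.access_value)
```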

Additional RADIUS Attribute Group (Local RADIUS option)

For each Logical Network, you can choose to either use the default values only, or to append and overwrite with another attribute group. Hover over the group name to see what attributes and values will be sent.

Wireless AP parameters

Preferred Container Name

If this device is connected to any Wireless Access Points, they are included in the Topology. Enter the name of the Container in which these Wireless Access Points should be stored. Containers or folders are created in the Topology to group devices.

Detail configuration

Check box

Secure Ports is enabled for ports on this device. When this option is enabled, Secure Ports allows you to deny access to disabled hosts. See Secure port/static port overview for requirements.
