Administration Guide

Attribute Groups

Attribute Groups allow administrators to control which RADIUS attributes the FortiNAC Local RADIUS Service returns in Access-Accept packets.

  • Build groups from a large collection of known RADIUS attributes, both standard and vendor-specific. Custom attributes can also be created.
  • Groups can be configured at device-level and logical-network-level scope, for both simple and complex deployments.
  • Returned attributes are a combination of the device-level and logical-network-level groups. The more granular logical network attributes take precedence.
  • Each of these attributes can optionally be scoped so that debug output is generated only for one or more specified MAC addresses (comma-separated).

Requirements

  • Device models using these groups must be configured for Local RADIUS Authentication mode.
  • The inbound RADIUS request must contain Calling-Station-Id. This attribute is required to process logical network information properly. RADIUS attributes will not be returned if Calling-Station-Id is missing from the associated request.

RADIUS Attribute Groups are configured in the RADIUS Attribute Groups view. Once the Attribute Groups are defined, they can be deployed to the network via Model Configuration and SSID configuration views.
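
The following is an added example, not FortiNAC code or output: it decodes a captured Access-Accept and compares it with the attributes expected from the device-level and logical-network groups. The merge rule (the logical network wins when both groups set the same attribute name), the group dictionaries, the Filter-Id and Tunnel-Private-Group-Id choices, and the sample packet are assumptions constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26
STD_NAMES = {11: "Filter-Id", 81: "Tunnel-Private-Group-Id"}  # RFC 2865 / 2868

def parse_attributes(packet: bytes) -> dict:
    """Decode the attributes of an Access-Accept into {name: raw value}."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2:
        raise ValueError(f"not an Access-Accept (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # attributes start after the 20-byte header
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            # Vendor-Id (4 bytes), then the first vendor sub-attribute only.
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            attrs[f"VSA-{vendor_id}-{vtype}"] = value[6:4 + vlen]
        else:
            attrs[STD_NAMES.get(atype, f"Attr-{atype}")] = value
        pos += alen
    return attrs

def expected_attributes(device_group, network_group, access_value, calling_station_id):
    """Model of the documented behaviour (assumed: name conflicts go to the logical network)."""
    if not calling_station_id:
        return {}  # no Calling-Station-Id in the request: nothing is returned
    merged = {**device_group, **network_group}
    return {k: v.replace("%ACCESS_VALUE%", access_value).encode() for k, v in merged.items()}

def mismatches(packet, expected):
    """Return {name: (expected, received)} for every attribute that differs."""
    got = parse_attributes(packet)
    return {k: (v, got.get(k)) for k, v in expected.items() if got.get(k) != v}

def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def sample_access_accept():
    """Constructed packet, not a capture: zeroed authenticator, documentation vendor ID 32473."""
    body = (_attr(11, b"staff-acl") + _attr(81, b"120")
            + _attr(26, struct.pack("!IBB", 32473, 1, 6) + b"prod"))
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body
```

An empty result from `mismatches` means every expected attribute arrived with the expected value; repeated instances of the same attribute are collapsed to the last one in this simplified parser.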

Add RADIUS Attribute Group

  1. Navigate to Network > RADIUS.
  2. Click Attribute Groups.
  3. Click Add.
  4. Use the filter to narrow down the list of attributes in the left pane, and select them by clicking the arrow icons to push them into the right pane.
  5. Set the value by clicking the value box on the right pane.
  6. Setting the value to %ACCESS_VALUE% inserts the Access Value into the attribute when it is returned.

Add RADIUS Attribute

If the attribute required does not exist in FortiNAC’s database, it can be added.

  1. Click Add.
  2. Define the following:

    Name

    Type: Select the appropriate option from the drill-down list.

    Value

    Vendor

    Vendor ID

    Format

    Has Tag

    Encryption method: Select the appropriate option from the drill-down list.

  3. Click OK to save.
  4. To modify an added attribute, click Modify. Note: Pre-loaded attributes cannot be edited.
  5. To delete an attribute, select Delete.

Once the Attribute Groups are defined, they can be applied in a number of ways:

Deploy Attribute Groups in Bulk – Model Configuration

Note: The values set through this method may not apply to all selected devices equally. For example, if four devices are selected but only two of them have the Logical Network “Aruba” configured, any modifications made in this view for the “Aruba” Logical Network will apply only to those two devices.

  1. Click Network > Inventory.
  2. Select the container where the devices are located.
  3. In the Devices view, use Ctrl-click or Shift-click to select the devices to modify.
  4. Right-click the devices and click Set Model Configuration.

Apply Default Attribute Group

  1. From the top drill down menu, select Detail Configuration.
  2. Click the Enable RADIUS checkbox.
  3. Click Enable Local.
  4. Click the Default RADIUS Attribute Group checkbox. The associated drill down menu will appear.
  5. From the drill down, select the desired RADIUS Attribute Group.
  6. Click OK to save changes or proceed to define additional RADIUS Attribute Groups.

Apply Additional RADIUS Attribute Groups to Logical Networks

  1. From the top drill down, select the desired Logical Network to modify.
  2. Click the Additional Attribute Group checkbox. The associated drill down menu will appear.
  3. From the drill down, select the desired RADIUS Attribute Group.
  4. Repeat steps 10-12 to add and modify additional Logical Networks as needed.
  5. Click OK to save changes.
