Configuration
Directory configuration allows you to configure the connection to the directory, user attributes that you would like to import, user search branches and Group Search Branches. Each configuration section has specific information that must be entered to allow FortiNAC Manager to connect with the directory and import users and groups.
Use Schedule to configure the intervals for synchronizing the database with the selected directory. Use Preview to review data in the selected directory. Use Copy to copy the directory configuration fields from an existing configuration.
Directory configuration can be accessed from System > Settings > Authentication > LDAP.
Connection tab
The Connection tab contains the parameters required for communication with the directory. Not all fields are required. Be sure to enter information only in those fields that apply to your directory.
Settings
| Field | Description |
|---|---|
| Name | Name of the server where the directory is hosted. |
| Primary IP | IP address of the primary directory server. The server will be added as a pingable device. |
| Security Protocol | The security protocol used when communicating with the server that hosts your directory. Options are SSL, STARTTLS, and none. If SSL or STARTTLS is chosen you must have a security certificate from a CA. The certificate should be stored in the following directory on your appliance. See Create a keystore for SSL or TLS for instructions on importing and storing certificates. |
| MAC address | Physical address of the primary directory server. This field is required. |
| LDAP Login | User login name of the service account FortiNAC uses to access the LDAP server. The service account must have read access to all requested search branches. |
| LDAP Password | Password for the user login. |
| Validate Credentials | Click to verify that the directory credentials are correct. |
| Credential Status | Displays the result of clicking Validate Credentials, such as credentials verified or failed to validate. |
| Additional Configuration | Displays the fields listed below in this table. |
| Domain Name | If this field contains a domain name, users must include the domain name in their login to be authenticated against this directory. Valid login formats are user, user@domain.com and domain\user. Setting a value here requires all users to supply a domain name during login. When no domain is specified in the Directory Configuration view and the login includes a domain, authentication is first attempted with the user name and the domain name; if that fails, a second attempt is made with the user name only. |
| Secondary Server | FQDN or IP address of the secondary directory server, which is accessed if the primary server is unavailable. This server is added as a pingable device. Important: the value must be an FQDN if Security Protocol is SSL or STARTTLS. Note: FortiNAC uses the same LDAP Login and Password to contact both directories. |
| Version | Directory version. Default = 3 |
| Port | Communication port used by the directory. The default port is based on the security protocol. To use a port other than the default, type the desired port number into this field. Common port values/protocols are: |
| Time Limit | Time in seconds that FortiNAC Manager waits for a response from the directory. Default = 5. Increase the number of seconds in the directory or in FortiNAC Manager if the exception "Time Limit Exceeded" begins to appear more often. |
| Enable Synchronization of Users/Groups At Scheduled Time | Check this box to synchronize the FortiNAC Manager database with either the primary or the secondary directory server according to a schedule in the Scheduler view. |
| On Sync, Delete Users No Longer Found in This Directory | When checked, users that have been removed from the directory are removed from the FortiNAC Manager database when the scheduled resynchronization takes place. |
| Perform Lookup On Referral | Referrals allow administrators to set up search paths for collecting results from multiple servers. If you have configured your directory for referrals and you want to authenticate against the referred directory servers, enable this option. Enabling referrals is required in order to search subdomains. |
| Connect by Name | Automatically checked when STARTTLS is selected as the Security Protocol. FortiNAC Manager connects to LDAP using the Name field of the directory configuration, with a URL such as ldap://dc.example.com, to reach the primary server. When not selected, FortiNAC Manager connects to LDAP using the Primary IP address field of the directory configuration, with a URL such as ldap://10.0.0.2. |
| NetBIOS name | When specified, authentication is performed via Kerberos. This is the domain NetBIOS name of the Active Directory server and must match a domain NetBIOS name from one of the configured Winbind instances in Network > RADIUS > Winbind. |
The Administrator must enter the specific connection information for the directory server used for user authentication. The Security information required varies depending on the type of directory you are using. Be sure to enter only the data required for your directory type.
The Directories view can be accessed from System > Settings > Authentication > LDAP.
- Click System > Settings.
- Click the Authentication folder in the tree control.
- Click LDAP to display the Directories window.
- To Modify a directory, select a directory in the list and click Modify.
- To Add a directory, click Add.
- A list of directories found on your network is displayed. Click on the name of the directory to be added. If the directory is not listed, click Enter Manually. Directories are found based on SRV records on your corporate DNS.
- Use the information in the Settings table above to enter connection information.
- Click the Connection tab and enter connection information.
- Click Validate Credentials to verify the connection.
- If FortiNAC Manager is able to successfully connect to the directory a Credentials Verified message is displayed in the Credential Status field.
- To ensure that the user data is available to FortiNAC Manager, you must also complete the User Attributes, Group Attributes, Search Branches and Select Groups tabs.
- Click Next to continue.
User attributes tab
To add users from an LDAP-compliant directory, the customer's user database schema must be mapped to the FortiNAC Manager user data. Attributes can be mapped for users and groups by selecting the tabs on the left side of the window.
If a user in the directory has multiple attributes with the same attribute ID, FortiNAC Manager uses the first one it finds. For example, if a record looked like the one shown below, FortiNAC Manager would use staff.
eduPersonalAffiliation=staff
eduPersonalAffiliation=employee
eduPersonalAffiliation=alum
eduPersonalAffiliation=student
The attribute mappings for the user are entered on the User Attributes Tab. The AD attributes are mapped on this form for User Description, Contact, Hardware, and Security and Access. This allows FortiNAC Manager to retrieve the user information based on the User Search Branches configured on the Search Branches tab.
Configure user attributes
When adding a directory, FortiNAC Manager attempts to determine the directory type and populates the attribute fields based on that type. Do not modify the directory type unless it is incorrect. Do not modify the attributes unless they are incorrect.
The value of an attribute being mapped cannot exceed 255 characters in order for the attribute to be retrieved by FortiNAC Manager.
- To access user attributes for an existing directory, select System > Settings.
- Click the Authentication folder in the tree control.
- Click LDAP to display the directories window.
- If you are adding a new directory, the User Attributes tab is displayed when you click Next after completing the connection tab.
- The Directory Type drop-down indicates the type of directory being configured. This will scan the directory based on the type selected and pre-populate some of the fields. The directory type should already be listed for you. If the directory type is not listed or you know the field names for your directory, this step is not required.
- Enter the user attribute mappings.
- The Identifier (ID) field is a required entry. User records in the directory must have data entered in the selected ID field.
Note: As of version 8.7.0, the Last Name is no longer a required field.
- To ensure that the user data is available to FortiNAC Manager, you must also complete the Group Attributes, Search Branches, and Select Groups tabs.
- Click Next to continue.
Directory attributes
If you are using Active Directory, keep in mind that Active Directory only allows access via LDAP to users whose primary group is the Domain Users group.
| User attributes | Active Directory | Novell |
|---|---|---|
| Object Class | user | person |
| Description | | |
| First Name | givenName | givenName |
| Last Name * | sn | sn |
| Identifier * | sAMAccountName | cn |
| Title | title | |
| | userPrincipalName | |
| Contact | | |
| Address | streetAddress | mailstop |
| City | l | city |
| State | st | S |
| Zip/Postal Code | postalCode | |
| Phone | telephoneNumber | Telephone Number |
| Mobile Phone | mobile | |
| Mobile Provider | otherMobile | |

| Security and access | Description |
|---|---|
| Security Attribute | The Directory Attribute that can be used in a filter. Data contained in this field is copied to the Security and Access value field on the User Properties and the Host Properties record for each user and associated host when the directory synchronizes with the database. |
| Allowed Hosts | The number of host records each individual user may have in FortiNAC Manager. |
| Role | Name of the Directory Attribute used to associate a user with a role. |
| Disabled Attribute | Setting this attribute allows the AD Administrator to disable users in Active Directory and have all instances of the user automatically disabled in FortiNAC Manager when the next scheduled resync occurs. Attribute = |
| Disabled Value | When the value of the Disabled Attribute for the user equals the Disabled Value, FortiNAC Manager disables all instances of the user when the next scheduled resync with AD occurs. The user must have previously been disabled in AD. The Disabled Value may vary from directory to directory. Check a user that is currently disabled in the directory to see what the disabled value should be, and enter that value in the Disabled Value field. If the Disabled Value starts with "0x", a bitwise comparison is done between the value in the directory and this field. Without the "0x" prefix, only an exact numeric match is performed. |
| Time To Live | The name of the directory attribute that contains the numerical value for the user age time. If the attribute does not have a value, the user age time is not set by the directory. Age time can also be set using the Properties window or on the User Properties window for an individual user. All of these options simply modify the Expiration Date in the User Properties window. See User properties. |
| Time to Live Unit | The time unit set in the User Properties age time if the Time to Live attribute contains a value. Options: Hours or Days |
Group attributes tab
The attribute mappings for groups are entered on the Group Tab. The AD attributes are mapped on this form for Object Class, Group Name and Members. This allows FortiNAC Manager to retrieve the group information based on the Group Search Branch configured on the Search Branches Tab. Groups created in the directory are imported into FortiNAC Manager each time the Directory Synchronization task is run either manually or by the Scheduler.
Note: Active Directory size limitations for the number of users per group may cause issues with group based operations. Only the users up to the limitation are affected by group based operations. Size limitations vary depending on the version of Active Directory used and the settings in the MaxValRange and MaxPageSize directory fields.
Note: The value of an attribute being mapped cannot exceed 255 characters in order for the attribute to be retrieved by FortiNAC Manager.
Configure group attributes
- To access group attributes for an existing directory, select System > Settings.
- Click the Authentication folder in the tree control.
- Click LDAP to display the directories.
- If you are adding a new directory, the Group Attributes tab is displayed when you click Next after completing the User Attributes tab.
- Enter the group attribute mappings:

| Group Attributes | Active Directory | Novell |
|---|---|---|
| Object Class | group | groupOfMembers |
| Group Name | name | cn |
| Group Members | member | member |
| Distinguished Name (DN) | The DN is not to be used in conjunction with groups identified by Object Class. | |
- To ensure that the user data is available to FortiNAC Manager, you must also complete the Search Branches and Select Groups tabs.
- Click Next to continue.
Search branches tab
The Search Branches tab is where the Administrator enters the specific User and Group Search Branches information for the Directory server. This tells FortiNAC Manager where the user and group information is located in the Directory.
Note: Active Directory size limitations for the number of users per group may cause issues with group based operations. Only the users up to the limitation are affected by group based operations. Size limitations vary depending on the version of Active Directory used and the settings in the MaxValRange and MaxPageSize directory fields.
The example shown in the figure below is for Active Directory: the search branch cn=Users,dc=example,dc=com, whose segments represent the following:
- cn=Users: The abbreviation cn stands for Common Name. Here it is the name of the branch or folder in Active Directory that should be searched for users. The branch could have any name, such as Employees or Students.
- dc=example: The abbreviation dc stands for Domain Component. Here it is the second-level domain name, such as yahoo in yahoo.com.
- dc=com: The abbreviation dc stands for Domain Component. Here it is the first-level (top-level) domain name, such as com in google.com, edu in marshalluniversity.edu or org in npr.org.
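The segment breakdown above can be done mechanically before a search branch is saved: split the DN into its components, recover the DNS domain from the dc components, and reject branches that do not parse. The following added example is not FortiNAC code; the DN values are the page's own example plus constructed ones, and the ou type (Organizational Unit) is a common LDAP attribute type that the page's example does not use.

```python
# Added example, not FortiNAC code: splits a search branch DN into segments as the
# text above explains and derives the DNS domain from its dc components.
from typing import List, Tuple

SEGMENT_MEANING = {
    "cn": "Common Name (container or folder to search)",
    "ou": "Organizational Unit",  # common in AD trees; not in the page's example
    "dc": "Domain Component",
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'cn=Users,dc=example,dc=com' into [('cn','Users'),('dc','example'),('dc','com')].
    Honours backslash-escaped commas inside values; the rest of the RFC 4514 grammar
    (hex escapes, multi-valued RDNs) is out of scope for this example."""
    segments: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)          # escaped character is literal, including ','
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            segments.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    segments.append("".join(buf))

    rdns: List[Tuple[str, str]] = []
    for seg in segments:
        attr, sep, value = seg.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed segment: {seg!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def domain_from_dn(dn: str) -> str:
    """Join the dc components in order: dc=example,dc=com -> example.com."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")


def explain_search_branch(dn: str) -> List[str]:
    """One line per segment, in the style of the explanation above."""
    return [f"{attr}={value}: {SEGMENT_MEANING.get(attr, 'attribute type ' + attr)}"
            for attr, value in parse_dn(dn)]


def check_search_branch(dn: str) -> bool:
    """Sanity check before saving a branch: it parses cleanly and names a domain."""
    try:
        return bool(domain_from_dn(dn))
    except ValueError:
        return False
```

`explain_search_branch("cn=Users,dc=example,dc=com")` reproduces the three lines above, and `check_search_branch("cn=Users")` is false because the branch names no domain component.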
Configure search branches
- To access search branches for an existing Directory, select System > Settings.
- Click the Authentication folder in the tree control.
- Click LDAP to display the directories.
- To modify an entry, select the entry and click Modify.
- To remove an entry, select the entry to be removed and click Delete.
- If you are adding a new directory, the Search Branches tab is displayed when you click Next after completing the Group Attributes tab.
- Click Add to add new search branch information. Available search branches are listed; however you can enter your own information. If the list of available search branches is too long to display, type the first few letters of the branch needed to narrow the list.
- In the Add dialog, enter or select the Search Branch and then click OK.
- To ensure that the user data is available to FortiNAC Manager, you must also complete the Select Groups tab.
- Click Next to save search branch information.
Select groups tab
Use the Select Groups tab to choose groups of users to be included when the directory and the FortiNAC database are synchronized. Upon initial synchronization, a host group is created for each LDAP group selected. Hosts become members of these groups when they are registered to a user that is a member of that LDAP group. Note: If an Administrator group with the same name already exists, a host group will not be created.
Users that do not already exist in FortiNAC are not imported; however, user data for users already in the database is updated each time the Synchronization task is run. Group selection only determines which groups users are placed into; it does not exclude any user from attribute synchronization.
Configure group selections
- To access group selections for an existing directory, select System > Settings.
- Click the Authentication folder in the tree control.
- Click LDAP to display the directories.
- If you are adding a new directory, the Select Groups tab is displayed when you click Next after completing the Search Branches tab.
- Mark the groups of users that should be included when the directory and the database are synchronized by checking the box in the Active column. If you do not check any boxes, all groups will be included.
- Click OK to save the directory configuration.
- An initial synchronization is performed immediately when you save the directory. It is recommended that you set up a schedule for synchronizing the directory. See Schedule synchronization.
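The synchronization rules stated on this page (existing users updated but new ones not imported, optional deletion of users no longer in the directory, one host group per selected LDAP group unless an Administrator group of that name exists, hosts joining through the user they are registered to) can be modelled end to end. The following added example is not FortiNAC code; the database stand-in and all sample users, hosts and groups are constructed.

```python
# Added example, not FortiNAC code: models the synchronization rules described in
# the Select Groups tab and the "On Sync, Delete Users" option.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Database:
    """Minimal constructed stand-in for the FortiNAC Manager database."""
    users: Dict[str, Dict[str, str]]                                  # identifier -> attributes
    hosts: Dict[str, str]                                             # host id -> registered user
    host_groups: Dict[str, Set[str]] = field(default_factory=dict)    # LDAP group -> host ids
    admin_groups: Set[str] = field(default_factory=set)               # Administrator group names


def synchronize(db: Database,
                directory_users: Dict[str, Dict[str, str]],
                directory_groups: Dict[str, Set[str]],
                selected_groups: Set[str],
                delete_missing: bool) -> Dict[str, List[str]]:
    """Apply one synchronization run. Rules taken from the page:
    - users absent from the database are not imported; existing users are updated
    - with delete_missing (the "On Sync, Delete Users" box), users no longer in the
      directory are removed
    - a host group is created per selected LDAP group unless an Administrator group
      of that name already exists; an empty selection means all groups
    - a host is a member of a group when it is registered to a member of that LDAP group
    """
    report: Dict[str, List[str]] = {"updated": [], "deleted": [], "created": [], "skipped": []}
    for ident in sorted(db.users):
        if ident in directory_users:
            db.users[ident].update(directory_users[ident])
            report["updated"].append(ident)
        elif delete_missing:
            del db.users[ident]
            report["deleted"].append(ident)
    for group in sorted(selected_groups or set(directory_groups)):
        if group in db.admin_groups:
            report["skipped"].append(group)   # Administrator group of the same name exists
            continue
        if group not in db.host_groups:
            db.host_groups[group] = set()
            report["created"].append(group)
        members = {u for u in directory_groups.get(group, set()) if u in db.users}
        db.host_groups[group] = {h for h, owner in db.hosts.items() if owner in members}
    return report


def sample_run(delete_missing: bool = True) -> Tuple[Database, Dict[str, List[str]]]:
    """Constructed scenario: carol has left the directory, dave is in the directory
    but not yet in FortiNAC, and 'Admins' already exists as an Administrator group."""
    db = Database(
        users={"alice": {"Title": "old"}, "bob": {}, "carol": {}},
        hosts={"h1": "alice", "h2": "bob", "h3": "carol"},
        admin_groups={"Admins"},
    )
    directory_users = {"alice": {"Title": "Analyst"}, "bob": {}, "dave": {}}
    directory_groups = {"Staff": {"alice", "dave"}, "Admins": {"bob"}, "Guests": {"bob"}}
    report = synchronize(db, directory_users, directory_groups, {"Staff", "Admins"}, delete_missing)
    return db, report
```

In `sample_run()` carol is deleted only because the delete option is on, dave is never imported, Guests is untouched because it was not selected, and the Staff host group ends up containing only h1, the host registered to alice.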