Requirements
The following steps provide a basic outline for the procedures required to setup the directory and its communication with FortiNAC.
- Enable ping on the directory server itself. This allows FortiNAC to ping the directory server and prevents the server Icon in the Network Device Summary panel on the dashboard from displaying an error as if it had lost contact when, in fact, it is in contact via LDAP.
If you plan to use the top level (root) of the directory tree as a Group search branch, make sure that you use Config Wizard to configure DNS in FortiNAC so that the IP address of the directory can be resolved to the directory's hostname. In addition, the IP address must be resolved by the primary DNS server.
- Set up the connection between the directory application and FortiNAC. This step provides login information allowing FortiNAC to connect and communicate with the directory. See Configuration.
- Map directory data fields to FortiNAC data fields. This step allows you to import user and group information into your database.
- Configure User and Group Search Branches.
- Data in your directory can change frequently. Users could be added, removed or modified. Those changes need to be incorporated into your FortiNAC database. Create a schedule to synchronize the directory with the FortiNAC database. See Schedule synchronization.
-
If choosing to use SSL or TLS security protocols for communications with the LDAP directory:
-
TLS 1.2 or TLS 1.3 must be enabled on the LDAP directory
-
Installing a security certificate isn't necessary in most cases. However, if needed, see Create a keystore for SSL or TLS.
-
- If you choose to use logon/logoff scripts to register the host when a user logs on or off a domain.
You may need to access your directory using a separate interface to acquire login, group and user information.
If you create new users in the directory, be sure not to assign a user ID that is the same as an existing user account or guest account in the FortiNAC database. Having duplicate user IDs will prevent one or both of the users from accessing the network.