Administration Guide

7.2.0

User/host profiles

User/host profiles are used to map sets of hosts and users to Network Access policies, Endpoint Compliance policies, Authentication policies, Supplicant EasyConnect policies, Portal policies, or Security Rules (Security Incidents must be enabled). User/host profiles can be reused across many different policies.

For example, network access policies are used to assign the VLAN in which a host is placed. Each network access policy has a specific user/host profile and a network access configuration containing a VLAN, CLI configuration or VPN Group. When a host requires network access, FortiNAC looks at the network access policies starting with the first policy in the list and checks that the user/host profile is a match. If it is not, the next network access policy is checked until a match is found.

User/host profiles are combinations of user/host data. A host's or user's profile is not fixed but can change based on the user/host being moved to a different group, having a new attribute applied, connecting to the network in a different place or the current time of day. Users/hosts are only classified at the time that they need a service, such as a network access policy. When FortiNAC evaluates a host connection, the data for the user and host are prioritized as follows:

  • Logged in user and host
  • Registered user and host
  • Registered host

If you create a user/host profile with Where set to Any, Who/What by Group set to Any, Who/What by Attribute set to Any, and When set to Always, it matches all users and hosts. This is essentially a catch-all profile. Because policies are evaluated in list order and the first match wins, any policy placed below a policy that uses this profile is never reached when assigning a policy to a user or host. To highlight this, policies below the policy with the catch-all profile are grayed out and have a line through the data.
The best way to use a catch-all profile is to create a general policy with that profile and place it last in the list of policies.

Settings

Field

Definition

Name

Each profile must have a unique name.

Who/What

Attributes

A host or user must meet all parameters within a single filter, but is only required to match one filter in the list. The attribute must be known at the time of connection. See Filter example.

RADIUS Attributes

Used to match against endpoints pre- and post-authentication.

Groups

  • Any — No group restriction; matches every user/host.

  • Any Of — The user/host must be a member of at least one of the selected groups.

  • All Of — The user/host must be a member of every selected group.

  • None Of — The user/host must not be a member of any of the selected groups.

Note

Who/What by RADIUS Request Attribute in User/Host Profiles only works with Local RADIUS Mode.

In 7.4+, Legacy Proxy will support Who/What by RADIUS Request Attribute in User/Host Profiles.

Where

Location on the network where the host is connected. This field lists groups of ports, SSIDs or devices. Hosts are checked to determine whether they have connected to the network via one of the selected devices, ports or SSIDs. The host must connect on one of the items contained within one of the selected groups to match this profile. When set to Any, this field matches all hosts or users.

Note: FortiSwitch in Link Mode: Port groups must be used. Device groups will not match.

When

If the host is on the network during the specified time frame, it matches this profile. Time options include Always or a specific set of days of the week and times of the day.

Notes

User specified note field. This field may contain notes regarding the data conversion from a previous version of FortiNAC.

Last Modified By

User name of the last user to modify the profile.

Last Modified Date

Date and time of the last modification to this profile.

Right click options

Edit

Opens the Create view pre-populated with the settings from the selected Profile.

Copy

Copy the selected Profile to create a new record.

Delete

Deletes the selected Profile. Profiles that are currently in use cannot be deleted.

Used By

Indicates whether or not the selected Profile is currently being used by any other FortiNAC element. See Profiles in use.

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Audit Logs.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.

Add or modify a profile

You are not required to complete all of the fields when creating a user/host profile. A field left blank is treated as Any and matches all hosts or users. You can create a profile with only a location, only a group, only an attribute filter, only a time range, or any combination of those options.

  1. Select Policy & Objects.
  2. Select User/Host Profiles.
  3. Click Create New or select an existing Profile and click Edit.
  4. Click in the Name field and enter a name for this Profile.
  5. Specify the details according to the User/Host profiles settings listed above.

    Caution

    To combine several attributes in one filter so that all of them must match (AND), add them to the same row with the + at the far right. To add an alternative filter so that matching any one filter is enough (OR), use the + at the bottom of the list.

  6. Click OK to save your data.
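The matching rules spread across this page (AND within one attribute filter and OR across filters, the Any / Any Of / All Of / None Of group operators, Where and When, and first-match policy ordering with a catch-all profile shadowing everything below it) are easier to reason about as executable logic. The following is an added model written for this page; it is not FortiNAC code, and the class names, field names, sample policies, groups, VLAN numbers and hosts are all constructed assumptions chosen to mirror the GUI terminology. It also assumes the When window is checked against the time of evaluation.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Profile:
    """One user/host profile. Empty/Any fields match everything, as on the page."""
    name: str
    attribute_filters: list = field(default_factory=list)  # [] means Any
    group_mode: str = "Any"  # Any | Any Of | All Of | None Of
    groups: set = field(default_factory=set)
    where: set = field(default_factory=set)  # location groups; empty means Any
    when: dict = field(default_factory=dict)  # weekday -> (start_hour, end_hour); {} means Always


@dataclass
class Host:
    """Constructed host/user data as seen at connection time (assumed shape)."""
    attributes: dict
    groups: set
    location_groups: set  # port, SSID or device groups of the connection point


def attributes_match(filters, host_attributes):
    """All parameters within one filter must match (AND); any one filter suffices (OR)."""
    if not filters:
        return True
    return any(all(host_attributes.get(k) == v for k, v in f.items()) for f in filters)


def groups_match(mode, selected, host_groups):
    """Who/What by Group operators."""
    if mode == "Any":
        return True
    if mode == "Any Of":
        return bool(selected & host_groups)
    if mode == "All Of":
        return selected <= host_groups
    if mode == "None Of":
        return not (selected & host_groups)
    raise ValueError(f"unknown group mode {mode!r}")


def where_match(where, location_groups):
    """Where: connection point must be in one of the selected groups; empty means Any."""
    return not where or bool(where & location_groups)


def when_match(when, now):
    """When: assumption that the day/hour window is checked at evaluation time."""
    if not when:
        return True
    window = when.get(now.weekday())
    return window is not None and window[0] <= now.hour < window[1]


def profile_matches(profile, host, now):
    return (attributes_match(profile.attribute_filters, host.attributes)
            and groups_match(profile.group_mode, profile.groups, host.groups)
            and where_match(profile.where, host.location_groups)
            and when_match(profile.when, now))


def is_catch_all(profile):
    """Where Any, Group Any, Attribute Any, When Always: matches every user/host."""
    return (not profile.attribute_filters and profile.group_mode == "Any"
            and not profile.where and not profile.when)


def select_policy(policies, host, now):
    """First policy in list order whose profile matches wins; None if nothing matches."""
    for name, profile, access_config in policies:
        if profile_matches(profile, host, now):
            return name, access_config
    return None


def shadowed_policies(policies):
    """Policies listed after the first catch-all profile are never reached."""
    for i, (_, profile, _) in enumerate(policies):
        if is_catch_all(profile):
            return [name for name, _, _ in policies[i + 1:]]
    return []


# Constructed sample policy list; names, groups and VLANs are illustrative only.
BUSINESS_HOURS = {day: (8, 18) for day in range(5)}  # Mon-Fri 08:00-18:00
SAMPLE_POLICIES = [
    ("Staff VLAN", Profile("Staff on Building A ports", group_mode="All Of",
                           groups={"Staff", "Corporate Laptops"}, where={"Building-A Ports"}), "VLAN 10"),
    ("Contractor VLAN", Profile("Contractors in business hours",
                                attribute_filters=[{"Role": "contractor", "OS": "Windows"},
                                                   {"Role": "vendor"}],
                                when=BUSINESS_HOURS), "VLAN 20"),
    ("Default", Profile("Catch all"), "VLAN 99"),
    ("Guest VLAN", Profile("Guests", group_mode="Any Of", groups={"Guests"}), "VLAN 30"),  # shadowed
]
STAFF_HOST = Host({"Role": "employee"}, {"Staff", "Corporate Laptops"}, {"Building-A Ports"})
VENDOR_HOST = Host({"Role": "vendor", "OS": "Linux"}, set(), {"Visitor SSID"})
MAC_CONTRACTOR = Host({"Role": "contractor", "OS": "macOS"}, set(), {"Visitor SSID"})
GUEST_HOST = Host({}, {"Guests"}, {"Visitor SSID"})
MONDAY_10AM = datetime(2024, 3, 4, 10, 0)
SATURDAY_10AM = datetime(2024, 3, 9, 10, 0)

if __name__ == "__main__":
    for label, host in [("staff", STAFF_HOST), ("vendor", VENDOR_HOST),
                        ("mac contractor", MAC_CONTRACTOR), ("guest", GUEST_HOST)]:
        print(label, "->", select_policy(SAMPLE_POLICIES, host, MONDAY_10AM))
    print("vendor on Saturday ->", select_policy(SAMPLE_POLICIES, VENDOR_HOST, SATURDAY_10AM))
    print("shadowed by catch all:", shadowed_policies(SAMPLE_POLICIES))
```

Running it shows the points the page makes: the macOS contractor fails the first filter on the OS parameter (AND within a filter) and has no second matching filter, so it falls through to the catch-all; the vendor matches the contractor policy on Monday but lands in the catch-all on Saturday; and the guest never reaches Guest VLAN because the catch-all policy sits above it, which is exactly what FortiNAC greys out in the policy list.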
