
Administration Guide

Manage policies

7.4.0

Manage policies

Create authentication policies to assign an authentication configuration when a host requires network access. Policies are selected for a connecting host by matching host and user data to the criteria defined in the associated user/host profile. The first policy that matches the host and user data is assigned.

Note

If the host does not match any policy, it is assigned the default authentication method configured in the Portal, guest template, or Persistent Agent Credential Configuration.

If you create a user/host profile with fields Where set to Any, Who/What by Group set to Any, Who/What by Attribute set to Any and When set to Always, it matches ALL users and hosts. This is essentially a Catch All profile. If this user/host profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or a host. To highlight this, policies below the policy with the catch all profile are grayed out and have a line through the data.

The best way to use a Catch All profile is to create a general policy with that profile and place it last in the list of policies.

Authentication policies can be accessed from Policy & Objects > Authentication Policy.
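The selection rules above (first match by rank, a catch-all profile shadowing everything ranked below it, and the portal-time limitation that only location, IP, MAC and OS are known for an unregistered host) are modelled in the following added example. It is illustrative code written for this page, not FortiNAC code or its API; the Profile and Policy classes, the connection dictionary layout and all sample names are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
ANY = None  # a criterion left at Any (or Always) matches everything

@dataclass
class Profile:
    """Hypothetical model of a user/host profile's four criteria (not FortiNAC code)."""
    where: object = ANY       # device/port/SSID groups the connection must arrive on
    groups: object = ANY      # user/host groups that must contain the connecting user or host
    attributes: object = ANY  # attribute values the host or user must carry
    when: object = ANY        # hours during which the host must be on the network

    def matches(self, conn):
        if self.where is not ANY and not (self.where & conn["location"]):
            return False
        if self.groups is not ANY and not (self.groups & conn["member_of"]):
            return False
        if self.attributes is not ANY and any(
                conn["attributes"].get(k) != v for k, v in self.attributes.items()):
            return False
        return self.when is ANY or conn["hour"] in self.when

# rank orders evaluation; configuration is the authentication configuration assigned on a match
Policy = namedtuple("Policy", "rank name profile configuration")

def select_configuration(policies, conn, default="PortalDefault"):
    """Lowest-ranked matching policy wins; no match falls back to the default method."""
    for pol in sorted(policies, key=lambda p: p.rank):
        if pol.profile.matches(conn):
            return pol.configuration
    return default

def shadowed_policies(policies):
    """Names of policies ranked below the first catch-all policy (greyed out in the GUI)."""
    ordered = sorted(policies, key=lambda p: p.rank)
    for i, pol in enumerate(ordered):
        if pol.profile == Profile():  # all four criteria at Any/Always: a catch-all
            return [p.name for p in ordered[i + 1:]]
    return []

# Constructed sample policy list; the catch-all at rank 3 makes rank 4 unreachable
POLICIES = [
    Policy(1, "Staff-Wired", Profile(where={"Corp-Switches"}, groups={"Staff"}), "EAP-TLS"),
    Policy(2, "Guest-Portal", Profile(where={"Guest-SSID"}), "GuestPortal"),
    Policy(3, "Fallback", Profile(), "MAB"),
    Policy(4, "Lab", Profile(where={"Lab-Ports"}), "EAP-PEAP"),
]
# Constructed unregistered host: only location, IP, MAC and OS are known at portal time
UNREGISTERED = {"location": {"Guest-SSID"}, "member_of": set(), "hour": 10,
                "attributes": {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "os": "Windows"}}
```

Running shadowed_policies against a policy list before saving it is a quick way to catch a catch-all that was not placed last.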

Settings

An empty field in a column indicates that the option has not been set.

Field

Definition

Rank

Policy's rank in the list of policies. Rank controls the order in which host connections are compared to policies.

Note

Set Rank is now legacy architecture.

In 7.2, reorder the rank by drag and drop in the left column, or click edit from within the cell.

Configuration

Contains the configuration for the authentication policy that will be assigned if this authentication policy matches the connecting host. See Authentication configurations.

Who/What

Attributes

User or Host attributes specified in the selected user/host profile. The connecting host or user must have the attributes to be a match. See Filter example.

Do not select user attributes in user/host profiles used to assign a portal. FortiNAC does not have access to any user attributes when an unregistered host connects to the network. Only the following host attributes are known at the time of connection: connection location, IP address, MAC address, and operating system.

RADIUS Attributes

Indicates whether or not attribute filters have been created for this Profile. RADIUS attribute filters are used to match against endpoints pre- and post-authentication.

Groups

User or Host group or groups specified in the user/host profile. These groups must contain the connecting user or host for the connection to be a match for this policy. When set to Any, this field is a match for all hosts or users.

It is not recommended that you use groups in user/host profiles for Portal assignment because an unregistered host will not be contained in any host groups and user data is unknown until after the portal is assigned.

Where

The connection location specified in the user/host profile. The host must connect to the network on a device, port or SSID contained within one of the groups shown here to be a match. When set to Any, this field is a match for all hosts or users.

When

The time frame specified in the selected user/host profile. The host must be on the network within this time frame to be a match. When set to Always, this field is a match for all hosts or users.

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Audit Logs.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.
