
User/host profiles

User/Host Profiles are used to map sets of hosts and users to Network Access Policies, Endpoint Compliance Policies, Supplicant EasyConnect Policies, Portal Policies, or Security Rules (RTR must be enabled). User/Host Profiles can be reused across many different policies.

For example, Network Access Policies are used to assign the VLAN in which a host is placed. Each Network Access Policy has a specific User/Host profile and a Network Access Configuration containing a VLAN, CLI Configuration or VPN Group. When a host requires network access, FortiNAC looks at the Network Access Policies starting with the first policy in the list and checks that the User/Host profile is a match. If it is not, the next Network Access Policy is checked until a match is found.

User/Host Profiles are combinations of User/Host data. A host's or user's profile is not fixed but can change based on the user/host being moved to a different group, having a new attribute applied, connecting to the network in a different place or the current time of day. Users/hosts are only classified at the time that they need a service, such as a Network Access Policy. When FortiNAC evaluates a host connection, the data for the user and host are prioritized as follows:

  • Logged in User and Host
  • Registered User and Host
  • Registered Host

If you create a User/Host Profile with Where (Location) set to Any, Who/What by Group set to Any, Who/What by Attribute left blank and When set to Always, it matches ALL users and hosts. This is essentially a Catch All profile. If this User/Host Profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or a host. To highlight this, policies below the policy with the Catch All profile are grayed out and have a line through the data.

The best way to use a Catch All profile is to create a general policy with that profile and place it last in the list of policies.

User/Host Profiles can be accessed from Policy > Policy Configuration > User/Host Profiles or from System > Quick Start > Policy Configuration. Configuration steps point you to Policy > Policy Configuration > User/Host Profiles. See Navigation and Filters for information on common navigation tools and data filters.

Field

Definition

Global

The Global column always displays "Yes" on the FortiNAC Control Manager, and indicates which information will be synchronized with a FortiNAC Server upon manual or automatic synchronization. This information is read-only on the FortiNAC Server. Upon synchronization, the information is overwritten on the FortiNAC Server. See Server synchronization for more information.

Global information with a rank will always be ranked first on a FortiNAC Server. The rank of any item on a FortiNAC Server cannot be modified if it would result in changing the rank of a global item.

You can only modify or delete global information from the FortiNAC Control Manager.

Name

Each profile must have a unique name.

Where (Location)

Location on the network where the host is connected. This field lists groups of ports, SSIDs or devices. Hosts are checked to determine whether they have connected to the network via one of the selected devices, ports or SSIDs. Host must connect on one of the items contained within one of the selected groups to match this profile. When set to Any, this field is a match for all hosts or users.

Who/What By Group

Host or User groups where the host or user must be a member to match this profile. Host or user must be in at least one of the groups listed. When set to Any, this field is a match for all hosts or users.

Who/What By Attribute

Indicates whether or not attribute filters have been created for this Profile. Filters are based on Adapter, Host and User data. A host or user must meet all parameters within a single filter, but is only required to match one filter in the list. See User/host profile filter example.

When

If the host is on the network during the specified time frame, it matches this profile. Time options include Always or a specific set of days of the week and times of the day.

Note

User specified note field. This field may contain notes regarding the data conversion from a previous version of FortiNAC.

Last Modified By

User name of the last user to modify the profile.

Last Modified Date

Date and time of the last modification to this profile.

Right Mouse Click Menu - Options Button Menu

Copy

Copy the selected Profile to create a new record.

Delete

Deletes the selected Profile. Profiles that are currently in use cannot be deleted.

In Use

Indicates whether or not the selected Profile is currently being used by any other FortiNAC element. See User/host profiles in use.

Modify

Opens the Modify Profile window for the selected Profile.

Show Audit Log

Opens the Admin Auditing Log showing all changes made to the selected item.

For information about the Admin Auditing Log, see Admin auditing.

You must have permission to view the Admin Auditing Log. See Add an admin profile.

Buttons

Import

Allows you to import information from the FortiNAC Server(s) to the FortiNAC Control Manager. This eliminates the need to manually enter the information on the FortiNAC Control Manager. When it is imported to the FortiNAC Control Manager, the information is global.

Export

Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF or RTF. See Export data.
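
The first-match evaluation and the Catch All behavior described above, together with the field matching rules from the table (Where, Who/What by Group, Who/What by Attribute, When), can be modeled as follows. This is an added example, not FortiNAC code or a FortiNAC API: the `Profile` class, the host dictionary layout, and all policy names, groups and VLANs are assumptions made for illustration. `shadowed()` reports the policies that a misplaced Catch All profile would prevent from ever being evaluated.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    """Simplified model of a User/Host Profile; None stands for Any / Always."""
    name: str
    where: set = None     # location groups (ports, SSIDs, devices)
    groups: set = None    # host or user groups
    filters: list = field(default_factory=list)  # attribute filters (dicts)
    when: tuple = None    # (set of weekdays, start hour, end hour)

    def is_catch_all(self):
        return (self.where, self.groups, self.when) == (None, None, None) and not self.filters

    def matches(self, host):
        if self.where is not None and not self.where & host["locations"]:
            return False
        if self.groups is not None and not self.groups & host["groups"]:
            return False
        # All parameters inside one filter must match; any one filter suffices.
        if self.filters and not any(
                all(host["attrs"].get(k) == v for k, v in f.items())
                for f in self.filters):
            return False
        if self.when is not None:
            days, start, end = self.when
            day, hour = host["time"]
            return day in days and start <= hour < end
        return True

def first_match(policies, host):
    """Return (policy name, access config) of the first matching policy."""
    for name, profile, config in policies:
        if profile.matches(host):
            return name, config
    return None

def shadowed(policies):
    """Policies ranked below a Catch All profile, which are never evaluated."""
    for i, (_, profile, _) in enumerate(policies):
        if profile.is_catch_all():
            return [name for name, _, _ in policies[i + 1:]]
    return []

# Constructed sample data: policy names, groups and VLANs are hypothetical.
STAFF = Profile("staff", groups={"Employees"},
                filters=[{"os": "Windows", "role": "Staff"}, {"role": "IT"}])
LOBBY = Profile("lobby", where={"Lobby Ports"}, when=({"Mon", "Tue"}, 8, 18))
POLICIES = [("Staff", STAFF, "VLAN 20"), ("Default", Profile("catch-all"), "VLAN 999"),
            ("Contractors", LOBBY, "VLAN 30")]
```

With the sample ordering, a host on a lobby port falls into the Default policy because the Catch All profile is ranked above Contractors; moving Default to the end of the list restores the intended result.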
