FortiKoala
Staff
October 1, 2018

Technical Tip: What causes a host to be moved to an imported LDAP Host Group


Description


This article describes what causes a host to be moved to an imported LDAP Host Group.


Scope


FortiNAC.


Solution


Upon initial synchronization, a host group is created for each LDAP group selected in the Select Groups tab of the LDAP configuration.


Note: If an Administrator group with the same name already exists, a host group will not be created.


Hosts become members of these groups only when they are registered in FortiNAC by a user who belongs to the corresponding LDAP group.




A host registered as a device, with a logged-on user who is a member of the LDAP group:

  • Is not moved to the host group that corresponds to the LDAP group.

  • Matches only policies whose criteria include LDAP group membership based on the logged-on user.


Example:

The Network Access Policy that uses the User/Host Profile 'IT Group' requires membership of the 'NetworkIT' LDAP group.


The 'NetworkIT' LDAP group is imported and appears as a host group.



The user 'gimi' is a member of the 'NetworkIT' LDAP group.


Scenarios:

Host A is registered to user 'gimi'. Upon registration, Host A becomes a member of the 'NetworkIT' host group.



Host B is registered as a device. Upon registration, Host B does not become a member of the 'NetworkIT' host group.


When Host A connects to the network, it matches the User/Host profile 'IT Group' and the Network Access Policy, and the corresponding VLAN is assigned.


When Host B connects to the network, it does not match the 'IT Group' Network Access Policy until the user 'gimi' logs on. Upon login, Host B matches the 'IT Group' Network Access Policy, and the corresponding VLAN is assigned. However, Host B does not move to the 'NetworkIT' host group.


This is the expected behavior.


Starting with FortiNAC version 7.6, two groups are created for each group synchronized with the directory:

  • <DirectoryGroupName>_host. This group functions like the standard group used previously. It will be populated with hosts registered by users who belong to the corresponding directory group.

  • <DirectoryGroupName>_user. This group contains user accounts listed under Users & Hosts -> User Accounts. These accounts can be manually created as LDAP users or automatically created when a user registers a host in FortiNAC.
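To make the distinction concrete, the following is a small Python model of the behaviour described above (an added example, not FortiNAC code): it replays the Host A / Host B scenarios using the 7.6 `<DirectoryGroupName>_host` / `_user` naming. The directory data, class and function names are constructed for this illustration; the policy check is simplified to "logged-on user, else registered user".

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory data for this example: user -> directory groups (assumption).
DIRECTORY = {"gimi": {"NetworkIT"}, "alice": set()}

@dataclass
class Host:
    name: str
    registered_user: Optional[str] = None   # None means "registered as a device"
    logged_on_user: Optional[str] = None

class ImportedGroups:
    def __init__(self, directory, synced_groups):
        self.directory = directory
        self.host_groups = {f"{g}_host": set() for g in synced_groups}  # host names
        self.user_groups = {f"{g}_user": set() for g in synced_groups}  # user accounts

    def register(self, host, user=None):
        """Register a host to a user, or as a device when user is None."""
        host.registered_user = user
        if user is None:
            return  # device registration: the host joins no imported group
        for g in self.directory.get(user, set()):
            if f"{g}_host" in self.host_groups:
                self.host_groups[f"{g}_host"].add(host.name)
                self.user_groups[f"{g}_user"].add(user)  # account created on registration

    def logon(self, host, user):
        """A logon changes only the logged-on user, never host-group membership."""
        host.logged_on_user = user

    def groups_of(self, host):
        return sorted(g for g, members in self.host_groups.items() if host.name in members)

    def matches_policy(self, host, required_group):
        """LDAP-group criterion: evaluated on the logged-on user, else the registered user."""
        user = host.logged_on_user or host.registered_user
        return user is not None and required_group in self.directory.get(user, set())

def run_scenarios():
    nac = ImportedGroups(DIRECTORY, ["NetworkIT"])
    host_a, host_b = Host("Host A"), Host("Host B")
    nac.register(host_a, user="gimi")  # registered to a NetworkIT member
    nac.register(host_b)               # registered as a device
    b_before = nac.matches_policy(host_b, "NetworkIT")
    nac.logon(host_b, "gimi")          # gimi logs on to Host B
    return {"a_groups": nac.groups_of(host_a), "b_groups": nac.groups_of(host_b),
            "a_matches": nac.matches_policy(host_a, "NetworkIT"),
            "b_matches_before_login": b_before,
            "b_matches_after_login": nac.matches_policy(host_b, "NetworkIT"),
            "user_group": sorted(nac.user_groups["NetworkIT_user"])}
```

Running `run_scenarios()` shows Host B matching the policy after the logon while still belonging to no `_host` group, which is the expected behaviour the article describes.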
