Help
FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Staff & Editor

Created on ‎09-19-2024 02:28 AM Edited on ‎05-07-2025 06:24 AM By Moderator

Article Id 342393

Technical Tip: Assign Roles based on User LDAP Directory Attributes

Description This article describes how to assign Roles based on Directory attributes.
Scope FortiNAC-F, FortiNAC.
Solution

When assigning user roles, it is recommended to perform the role assignment based on the Directory attributes of the user in LDAP instead of Directory group membership.

The reason for this is due to FortiNAC looking for the directory attribute data during the registration process of the user, while group information could not be accurate since the next Directory synchronization might have not been executed yet to update the FortiNAC cache with the new group information.

 

As an example, user 'jdoe' has an attribute 'departmentNumber' = 567851

This can be verified in Active Directory Users and Computers -> Select 'jdoe' or any other user -> Select 'Attribute Editor'.

 â€ƒ

Figure 1. Use "departmentNumber" attribute for Role based access in FortiNAC.Figure 1. Use "departmentNumber" attribute for Role based access in FortiNAC.

 

In FortiNAC, add the 'departmentNumber' as an attribute to look for when applying for the user role. In this case, FortiNAC will assign as Role the value given to the attribute which is 567851.

Go to System -> Settings -> Authentication -> LDAP -> Modify -> User attributes and set the Role entry as departmentNumber.

 

Figure 2. Using a Directory attribute as Role entry in FortiNAC LDAP configuration..Figure 2. Using a Directory attribute as Role entry in FortiNAC LDAP configuration..

 

Each user will then be assigned a Role based on the Department number they are part of. Go to Policy & Objects -> Roles and create a Role matching the Department number.

 

Figure 3. Creating the Role matching the departmentNumber attributes.Figure 3. Creating the Role matching the departmentNumber attributes.

 

At this point, it is possible to test Role assignment by having the user authenticating via 802.1x.

 

Create a 'User/Host Profile' or edit an existing one and select User -> Role and then select the recently created Role from the drop-down list in 'Who/What' attributes.

 

UHP with Roles.png

 

The following debug can be enabled in FortiNAC CLI to verify role assignment:

 

naclab1 # diagnose debug plugin enable DirectoryAuthentication
naclab1 # diagnose debug plugin enable RoleManager
naclab1 # diagnose debug plugin enable HostServer
naclab1 # diagnose debug plugin enable DirectoryPerformTask
naclab1 # diagnose tail -F output.master | grep -i "jdoe\|567851\|AE:AD:48:XX:XX:XX\|role"

 

yams.DirectoryManager FINER :: 2024-09-19 10:55:35:126 :: #6015 :: DirectoryManager::getDirectoryUser jdoe
yams INFO :: 2024-09-19 10:55:35:126 :: #6015 :: DirectoryUser::getDirectoryUser() domain = null, user = jdoe
yams INFO :: 2024-09-19 10:55:35:126 :: #6015 :: DirectoryContext::searchUsersWFilter searchFilter = (&(objectclass=user)(sAMAccountName=jdoe))
yams INFO :: 2024-09-19 10:55:35:127 :: #6015 :: searchFilter = (&(objectclass=user)(sAMAccountName=jdoe))
yams INFO :: 2024-09-19 10:55:35:128 :: #6015 :: PRINTING ATTRIBUTES FOR CN=jdoe,CN=Users,DC=forti,DC=lab
yams INFO :: 2024-09-19 10:55:35:128 :: #6015 :: =>msDS-PrincipalName: FORTI\jdoe
yams INFO :: 2024-09-19 10:55:35:128 :: #6015 :: =>sAMAccountName: jdoe
yams INFO :: 2024-09-19 10:55:35:128 :: #6015 :: =>distinguishedName: CN=jdoe,CN=Users,DC=forti,DC=lab
Value = CN=jdoe,CN=Users,DC=forti,DC=lab
Value = FORTI\jdoe
Value = jdoe
.
.
.
yams.HostServer FINER :: 2024-09-19 10:55:35:303 :: #6016 :: HostServer.updateHost(jdoe AE:AD:48:XX:XX:XX) starting
yams.HostServer FINER :: 2024-09-19 10:55:35:303 :: #6016 :: HostServer.updateHost() autoCreate = true host = jdoe AE:AD:48:XX:XX:XX type = DynamicClient host type = 9
yams.HostServer FINER :: 2024-09-19 10:55:35:304 :: #6016 :: HostServer.updateHost() jdoe AE:AD:48:XX:XX:XX registering rogue to jdoe
yams.HostServer FINER :: 2024-09-19 10:55:35:304 :: #6016 :: HostServer.updateHost() updating host. host = jdoe AE:AD:48:XX:XX:XX
owner = jdoe
owner = jdoe
Identification = jdoe
{1024=8, 256=567851, 17179869184=jdoe, 8=Fortinet}
yams.DirectoryManager FINER :: 2024-09-19 10:55:35:331 :: #6016 :: DirectoryManager::addClientToGroups CN=jdoe,CN=Users,DC=forti,DC=lab
yams.DirectoryManager FINER :: 2024-09-19 10:55:35:331 :: #6016 :: DirectoryManager::getGroups dn = CN=jdoe,CN=Users,DC=forti,DC=lab
yams.HostServer FINER :: 2024-09-19 10:55:35:337 :: #6016 :: HostServer.updateHost(jdoe AE:AD:48:XX:XX:XX) finished

 

In FortiNAC GUI, it is possible to verify the new role assignment on both the User and the inheritance of the role from the Host where the user is logged in. Figure 4 and Figure 5 show both cases.

 

Figure 4. User Role assignment verification in FortiNAC User accountsFigure 4. User Role assignment verification in FortiNAC User accounts

 

Figure 5. Host Role inheritance Verification in FortiNAC Host view.Figure 5. Host Role inheritance Verification in FortiNAC Host view.

 

This method can be also used in conjunction with the assignment of the 'Security&Access' attribute for more granularity in matching host records when applying Network Access policies.

For details of this configuration, see Technical Tip: Leverage the 'Security & Access Value' attribute as additional criteria for policy ma....

 

Related documents:
1454
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.