This article describes how to use the LDAP DN attribute in User/Host Profiles to select particular LDAP users of connected hosts to match with a Network Access policy.
FortiNAC.
FortiNAC offers many ways to select Network Access policies based on user information in LDAP. Groups or Roles, for example, offer better granularity and are usually easier to troubleshoot; see the related articles listed below.
The LDAP DN method is a more direct configuration. In this example, every user from a specific OU is required to match one Network Access policy, so the User/Host Profile uses a wildcard in the CN component of the LDAP DN attribute to select all users in that OU (here, CN=*,OU=Usr,DC=eb,DC=eu):
The result can be checked by right-clicking the host and opening Policy Details. The user information that is compared against the LDAP DN filter is taken from the host attributes 'Registered To' and 'Logged On User'.
The Debug Log shows that the filter is satisfied and the host matches the intended policy:
HostRecord.getAbstractPolicy() HostRecord DBID: 1 Policy ID: 3 Filter Satisfied:
- {"filterType":"adapter","userDN":"CN=*,OU=Usr,DC=eb,DC=eu"}
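The following is an added example, not FortiNAC code, that models the evaluation shown in the debug log above: it parses a filter of the same shape ({"filterType":"adapter","userDN":"..."}), splits both the pattern and a host's 'Registered To' / 'Logged On User' DNs into RDNs, and lets the wildcard match only inside a single RDN value. The RDN-by-RDN semantics, the case-insensitive comparison and the sample host records are assumptions made for this illustration; the page does not state how FortiNAC itself expands the wildcard. The example is useful as a pre-deployment check: it shows that a user in a nested OU (OU=Sub,OU=Usr,...) is not selected by CN=*,OU=Usr,... under these semantics, which is exactly the kind of case to verify in Policy Details before relying on the filter.

```python
import json
import re

# Filter text as it appears in the FortiNAC debug log on the page.
FILTER_JSON = '{"filterType":"adapter","userDN":"CN=*,OU=Usr,DC=eb,DC=eu"}'

# Constructed sample hosts (assumption: not real data). Each host carries the
# two attributes FortiNAC uses for the match: 'Registered To' and 'Logged On User'.
SAMPLE_HOSTS = {
    "laptop-alice": {"registered_to": "CN=Alice,OU=Usr,DC=eb,DC=eu",
                     "logged_on_user": None},
    "laptop-bob":   {"registered_to": None,
                     "logged_on_user": "CN=Bob,OU=Sub,OU=Usr,DC=eb,DC=eu"},  # nested OU
    "laptop-carol": {"registered_to": "CN=Carol,OU=Svc,DC=eb,DC=eu",         # other OU
                     "logged_on_user": None},
    "kiosk-doe":    {"registered_to": None,
                     "logged_on_user": "CN=Doe\\, John,OU=Usr,DC=eb,DC=eu"},  # escaped comma
    "printer-1":    {"registered_to": None, "logged_on_user": None},          # no user at all
}


def split_rdns(dn):
    """Split a DN on unescaped commas into a list of 'type=value' strings."""
    return [part.strip() for part in re.split(r'(?<!\\),', dn)]


def glob_to_regex(pattern):
    """Turn a value pattern into a regex where only '*' is special (assumption)."""
    return '^' + '.*'.join(re.escape(p) for p in pattern.split('*')) + '$'


def dn_matches(pattern_dn, user_dn):
    """RDN-by-RDN comparison; '*' matches within one RDN value only (assumption).

    Attribute types and values are compared case-insensitively, which is the
    usual behaviour for Active Directory DNs (assumption for this model).
    """
    pattern_rdns = split_rdns(pattern_dn)
    user_rdns = split_rdns(user_dn)
    if len(pattern_rdns) != len(user_rdns):
        return False  # a nested OU adds an RDN, so the depth differs
    for p_rdn, u_rdn in zip(pattern_rdns, user_rdns):
        p_type, _, p_val = p_rdn.partition('=')
        u_type, _, u_val = u_rdn.partition('=')
        if p_type.strip().lower() != u_type.strip().lower():
            return False
        if not re.match(glob_to_regex(p_val.strip().lower()), u_val.strip().lower()):
            return False
    return True


def filter_satisfied(filter_json, host):
    """True when 'Registered To' or 'Logged On User' matches the userDN filter."""
    policy_filter = json.loads(filter_json)
    user_dn_pattern = policy_filter.get("userDN")
    if policy_filter.get("filterType") != "adapter" or not user_dn_pattern:
        return False
    candidates = (host.get("registered_to"), host.get("logged_on_user"))
    return any(dn and dn_matches(user_dn_pattern, dn) for dn in candidates)


def evaluate_hosts(filter_json, hosts):
    """Map each host name to whether it would satisfy the policy filter."""
    return {name: filter_satisfied(filter_json, host) for name, host in hosts.items()}


if __name__ == "__main__":
    for name, matched in evaluate_hosts(FILTER_JSON, SAMPLE_HOSTS).items():
        print(f"{name:14s} filter satisfied: {matched}")
```

Run it once with your own DNs in SAMPLE_HOSTS; any host that prints False here is one to verify in Policy Details on the appliance, since the wildcard semantics FortiNAC applies may differ from this model.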
Related articles:
Technical Tip: What causes a host to be moved to an imported LDAP Host Group
Technical Tip: How to Populate a Role from a Group
Technical Tip: Assign Roles based on User LDAP Directory Attributes
Copyright 2025 Fortinet, Inc. All Rights Reserved.