FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 193252

Description


This article provides steps to import administrative users from an Active Directory Group.

Scope


FortiNAC, FortiNAC-F.

Solution

 

Under System -> Settings -> Authentication -> LDAP.

 

  • Double-click the directory.
  • Select Search Branches.
  • Configure a group search branch mapping so that the relevant admin groups can be found.

 

Figure 1. Create Group search branches to find relevant Admin groups.


Under the Selected Groups tab, place a checkmark in the group desired to give administrative privileges to (in this case: Domain Admins).

Figure 2. Select the needed groups for Administrator account synchronization in FortiNAC.


Under System -> Scheduler.

  • Select Synchronize Users with Directory.
  • Select the Run Now button (the previously selected 'Domain Admins' group will be imported into FortiNAC as a Host group).


Figure 3. Perform directory synchronization after making group changes.


Under System -> Groups.

  • Delete the group (because it is imported as a host group).
  • Add a group with the exact same name, 'Domain Admins'.
  • Make the group type Administrator.

Under Users -> Admin Profiles ->  Profile Mappings.

  • Select Add.
  • Use the drop-down to select the admin privileges the desired group should have. In this case, 'Super Administrator'.
  • Use the drop-down to select the group 'Domain Admins'.
  • Select the OK button.

Figure 4. Create profile mapping with required permission sets.
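Every member of the mapped group receives the selected profile, so it is worth confirming which accounts the group actually contains, and that the group sits under the configured search branch, before creating the mapping. The following is an added example and not FortiNAC code: it parses a constructed LDIF export offline (the forti.lab domain and all DNs are constructed) and lists the members of the group to be mapped.

```python
"""Audit the directory group that will be mapped to a FortiNAC admin profile.

Added example, not FortiNAC code. Works on an LDIF export so it runs offline;
the directory content below is constructed sample data.
"""
import re

# Constructed LDIF export of the forti.lab directory (not real data).
SAMPLE_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=forti,DC=lab
objectClass: group
cn: Domain Admins
member: CN=aduser1,CN=Users,DC=forti,DC=lab
member: CN=svc-backup,OU=Service,DC=forti,DC=lab

dn: CN=Helpdesk,OU=Groups,DC=forti,DC=lab
objectClass: group
cn: Helpdesk
member: CN=aduser2,CN=Users,DC=forti,DC=lab
"""


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for each entry in a simple LDIF text."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def group_members(ldif_text, group_name, search_branch):
    """Members of `group_name` if it lies under `search_branch` (the group
    search branch configured in FortiNAC), otherwise None.

    None therefore means either the group does not exist or it is outside the
    configured branch; in both cases the mapping should not be created yet."""
    for dn, attrs in parse_ldif(ldif_text).items():
        if "group" not in attrs.get("objectclass", []):
            continue
        if attrs.get("cn", [""])[0] != group_name:
            continue
        if not dn.lower().endswith("," + search_branch.lower()):
            return None  # group found, but outside the configured search branch
        return attrs.get("member", [])
    return None
```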


Note: LDAP sync does not automatically create records for all users in LDAP. If 'aduser' has never attempted to log in, it will not show up in FortiNAC.

The remote LDAP admin accounts are created automatically under Users -> Admin Users after the first authentication attempt, as follows:

 

  1. Log out of FortiNAC and log in with the LDAP user account.
  2. End-user will receive the 'Terms and Conditions' page. Accept it and select OK.
  3. The LDAP Administrator logs in for the first time in the FortiNAC GUI.
  4. The LDAP Administrator account is registered through a host registration process. Initially, it will be created as a User type account. In the next Directory synchronization, the user account is elevated to an Administrator type account in FortiNAC and mapped to the Group profile.

If a 'Domain Name' is configured for the directory (for example: forti.lab), the user must include the domain name on the first login attempt, for example: aduser1@forti.lab or forti.lab\aduser1.


[Image: Domain Name LDAP.png]


On subsequent attempts, the user can log in with the 'aduser1' account either with or without the domain name.

 
