Created on 10-09-2018 10:33 AM
Edited on 12-17-2024 09:19 AM
By Stephen_G
Description
This article provides steps to import administrative users from an Active Directory Group.
Scope
FortiNAC, FortiNAC-F.
Solution
Under System -> Settings -> Authentication -> LDAP.
- Double-click the directory.
- Select Search Branches.
- Configure a group search branch mapping.
Figure 1. Create Group search branches to find relevant Admin groups.
Under the Selected Groups tab, place a checkmark next to the group that should receive administrative privileges (in this case: Domain Admins).
Figure 2. Select the needed groups for Administrator account synchronization in FortiNAC.
Under System -> Scheduler.
- Select Synchronize Users with Directory.
- Select the Run Now button (the previously selected 'Domain Admins' group will be imported into FortiNAC as a Host group).
Figure 3. Perform directory synchronization after making group changes.
Under System -> Groups.
- Delete the group (because it is imported as a host group).
- Add a group with the exact same name 'Domain Admins'.
- Make the group type Administrator.
Under Users -> Admin Profiles -> Profile Mappings.
- Select Add.
- Use the drop-down to select the admin privileges the desired group should have, in this case 'Super Administrator'.
- Use the drop-down to select the group 'Domain Admins'.
- Select the OK button.
Figure 4. Create profile mapping with required permission sets.
The remote LDAP admin accounts will be created in FortiNAC Users -> Admin Users under the following scenarios:
- Manually added by an Administrator. FortiNAC detects that this is a directory user and adds it with the LDAP attributes collected after the directory synchronization.
- The LDAP Administrator logs in to the FortiNAC GUI for the first time.
- The LDAP Administrator account is registered through a host registration process. Initially, it is created as a User type account. At the next directory synchronization, the user account is elevated to an Administrator type account in FortiNAC and mapped to the group profile.