FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 250790

Description

 

This article describes how FortiNAC assigns roles to users, hosts, and network devices. If more than one assignment method applies to the same object, the role is selected according to the precedence described below.

 

Scope

 

FortiNAC.

 

Solution

 

If multiple methods are used to set a role, the order of precedence is determined by the order of the roles on the Roles view. Starting from the top of the list, the first matching role is used.

 

Example:

 

If roles are assigned to hosts based on groups, the same host may be added to two groups after registration. For example, if the host is added to both 'Zebra_Handheld' and '-Local-User-GRP', the host receives the higher-ranked of the two roles: 'local-rad-role', the role associated with '-Local-User-GRP'.

 

Figure 1. Arranging Role ranks with LDAP group membership.

 

  • When a user and a host have different roles, the user role is applied if the user logs into the host.
  • If multiple methods are used to assign a role to a host, a hierarchy determines which role to assign as ranked below:
  1. Roles assigned by device profiling rules have the highest precedence
  2. Roles inherited from directory attributes
  3. Roles assigned by group membership
  4. Roles associated with Vendor OUI
  5. Roles assigned through Portal pages have the lowest precedence. 
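The following is an added example, not FortiNAC code, that models the precedence rules above so an administrator can predict the effective role of a host or user before changing the Roles view. The group names and 'local-rad-role' come from the article; the other role names, the group-to-role mapping, and the method labels are constructed for illustration. It also makes one assumption the article does not spell out: the assignment method is compared first, and Roles view order only breaks ties between candidates from the same method.

```python
# Added example, not FortiNAC code: a small model of the role precedence rules
# described in this article.
from dataclasses import dataclass

# Method precedence from the article, highest first.
METHOD_PRECEDENCE = (
    "device_profiling",
    "directory_attribute",
    "group",
    "vendor_oui",
    "portal",
)

# Roles view order, top of the list first. Constructed sample data: only
# 'local-rad-role' is named in the article; the other two are assumed.
ROLES_VIEW = ("local-rad-role", "zebra-role", "portal-guest")

# Constructed group-to-role mapping for the article's example.
GROUP_ROLES = {
    "-Local-User-GRP": "local-rad-role",
    "Zebra_Handheld": "zebra-role",
}


@dataclass(frozen=True)
class Candidate:
    """One role that some assignment method proposes for a host or user."""
    role: str
    method: str  # one of METHOD_PRECEDENCE


def candidates_from_groups(groups):
    """Turn group memberships into group-method role candidates."""
    return [Candidate(GROUP_ROLES[g], "group") for g in groups if g in GROUP_ROLES]


def select_role(candidates):
    """Return the winning role, or None when no method produced a match.

    Assumption about how the two rules combine: the method hierarchy is
    applied first (device profiling beats directory attributes, and so on);
    among candidates from the same method, Roles view order (top first) wins.
    """
    if not candidates:
        return None
    for c in candidates:
        if c.method not in METHOD_PRECEDENCE:
            raise ValueError(f"unknown assignment method: {c.method}")
        if c.role not in ROLES_VIEW:
            raise ValueError(f"role not on the Roles view: {c.role}")
    best = min(
        candidates,
        key=lambda c: (METHOD_PRECEDENCE.index(c.method), ROLES_VIEW.index(c.role)),
    )
    return best.role


def effective_role(host_candidates, user_candidates=()):
    """The host's role applies until a user with a role of their own logs in."""
    user_role = select_role(list(user_candidates))
    if user_role is not None:
        return user_role
    return select_role(list(host_candidates))


if __name__ == "__main__":
    # The article's example: a host in both groups gets the higher-ranked role.
    both = candidates_from_groups(["Zebra_Handheld", "-Local-User-GRP"])
    print(select_role(both))  # local-rad-role
```

Reorder ROLES_VIEW to see how moving a role up or down the Roles view changes the outcome for a host that matches several group-based roles; a role placed on a host by a device profiling rule is not affected by that reordering in this model, matching the hierarchy above.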

 

Related documents:

Assigning roles - FortiNAC administration guide

Managing rules - FortiNAC administration guide

Technical Tip: How to populate a role from a group
Technical Tip: Assign Roles based on User LDAP Directory