Description |
This article describes a setup that can be used on one workstation to change network access policies based on the logged-on user. |
Scope | FortiNAC. |
Solution |
If a host is being used with different logged-on users and a different network access policy is desired, review the following.
Example: When importing LDAP groups, place them into 'Type: Host' because they are tied to a host. FortiNAC does not have a direct way to associate the host with a user, so roles can be created to accomplish this association.
Registered To: 'The user ID of the user to which this host is registered': Settings
Who/What by Group: 'Host or User groups where the host or user must be a member to match this profile': User/host profiles
However, because the host is tied to the original user1 LDAP group, it will be necessary to add a condition to Who/What in the user tab. For example, user1 is part of role FNAC_LAB. The role per logged-on user is dynamic and follows the user, whereas the host role is tied to the user to which the host was registered. Review the host record below:
User 1:
User 2:
Host record: Notice the host is tied to the owner of user1 and its role.
|
Copyright 2024 Fortinet, Inc. All Rights Reserved.