FortiKoala
Staff
Created on
10-01-2018
04:08 AM
Edited on
01-27-2025
12:49 AM
By
Jean-Philippe_P
Article Id
190725
Description
This article describes what causes a host to be moved to an imported LDAP Host Group.
Scope
FortiNAC.
Solution
Upon initial synchronization, a host group is created for each LDAP group selected in the Select Groups tab of the LDAP configuration.
Note: If an Administrator group with the same name already exists, a host group will not be created.
Hosts become members of these groups when registered with a user who is a member of that LDAP group.
A host registered as a device with a logged-on user who is a member of the LDAP group:
- Will not move the host to the host group that corresponds to the LDAP group.
- Will match only policies whose criteria include LDAP group membership based on the logged-on user.
Example:
The Network Access Policy in the selected User/Host Profile 'IT Group' requires 'NetworkIT' LDAP group membership.
The 'NetworkIT' LDAP group is imported and appears as a host group.
The user 'gimi' is a member of the 'NetworkIT' LDAP group.
Scenarios:
Host A is registered to user 'gimi'. Upon registration, Host A becomes a member of the 'NetworkIT' host group.
Host B is registered as a device. Upon registration, Host B does not become a member of the 'NetworkIT' host group.
When Host A connects to the network, it matches the User/Host profile 'IT Group' and the Network Access Policy, and the corresponding VLAN is assigned.
When Host B connects to the network, it does not match the 'IT Group' Network Access Policy until the user 'gimi' logs on. Upon login, Host B matches the 'IT Group' Network Access Policy, and the corresponding VLAN is assigned. However, Host B does not move to the 'NetworkIT' host group.
This is the expected behavior.
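The scenarios above can be traced as a small simulation. The following Python model is an added illustration written for this page, not FortiNAC code; the group, profile, user and host names come from the article, while the data structures, function names and the assumption that a profile matches either through the host group created at sync or through the logged-on user's LDAP membership are this example's own.

```python
"""Illustrative model of the host-group and policy behaviour described above.

Written for this page; not FortiNAC code. 'NetworkIT', 'IT Group', 'gimi',
'Host A' and 'Host B' come from the article; everything else is assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed directory data: LDAP group -> member user names.
LDAP_GROUPS: Dict[str, Set[str]] = {"NetworkIT": {"gimi"}}

# Constructed: Administrator groups already present before the sync.
ADMIN_GROUPS: Set[str] = set()


def sync_host_groups(ldap_groups: Dict[str, Set[str]],
                     admin_groups: Set[str]) -> Dict[str, Set[str]]:
    """Initial sync: one host group per selected LDAP group, unless an
    Administrator group with the same name already exists."""
    return {name: set() for name in ldap_groups if name not in admin_groups}


@dataclass
class Host:
    name: str
    registered_user: Optional[str] = None   # None means registered as a device
    logged_on_user: Optional[str] = None
    host_groups: Set[str] = field(default_factory=set)


def register_host(host: Host, host_groups: Dict[str, Set[str]],
                  ldap_groups: Dict[str, Set[str]]) -> Host:
    """Registration: a host registered to a user joins the host groups that
    correspond to that user's LDAP groups. A device registration joins none."""
    if host.registered_user is None:
        return host
    for group, members in ldap_groups.items():
        if host.registered_user in members and group in host_groups:
            host_groups[group].add(host.name)
            host.host_groups.add(group)
    return host


@dataclass
class UserHostProfile:
    name: str
    required_ldap_group: str
    vlan: str


def evaluate_policy(host: Host, profile: UserHostProfile,
                    ldap_groups: Dict[str, Set[str]]) -> Optional[str]:
    """Return the VLAN if the host matches the profile, else None.

    Assumption of this model: the profile matches when the host is in the
    corresponding host group, or when the logged-on user is a member of the
    required LDAP group. Matching never adds the host to the host group."""
    if profile.required_ldap_group in host.host_groups:
        return profile.vlan
    members = ldap_groups.get(profile.required_ldap_group, set())
    if host.logged_on_user is not None and host.logged_on_user in members:
        return profile.vlan
    return None


def run_article_scenarios() -> Dict[str, object]:
    """Replay Host A / Host B from the article and collect the observable results."""
    host_groups = sync_host_groups(LDAP_GROUPS, ADMIN_GROUPS)
    profile = UserHostProfile("IT Group", "NetworkIT", "VLAN-IT")  # VLAN name constructed

    host_a = register_host(Host("Host A", registered_user="gimi"), host_groups, LDAP_GROUPS)
    host_b = register_host(Host("Host B"), host_groups, LDAP_GROUPS)  # device registration

    results: Dict[str, object] = {
        "A_in_host_group": "NetworkIT" in host_a.host_groups,
        "B_in_host_group": "NetworkIT" in host_b.host_groups,
        "A_vlan": evaluate_policy(host_a, profile, LDAP_GROUPS),
        "B_vlan_before_login": evaluate_policy(host_b, profile, LDAP_GROUPS),
    }
    host_b.logged_on_user = "gimi"   # user 'gimi' logs on to Host B
    results["B_vlan_after_login"] = evaluate_policy(host_b, profile, LDAP_GROUPS)
    results["B_in_host_group_after_login"] = "NetworkIT" in host_b.host_groups
    return results


if __name__ == "__main__":
    for key, value in run_article_scenarios().items():
        print(f"{key}: {value}")
```

Running the script shows the decoupling the article describes: Host B obtains the same VLAN as Host A once 'gimi' logs on, yet its host-group membership stays empty, so any report or policy that keys on host-group membership rather than on the logged-on user will not see it.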