Description
This article describes what causes a host to be moved to an imported LDAP Host Group.
Scope
FortiNAC.
Solution
Upon initial synchronization, a host group is created for each LDAP group selected in the Select Groups tab of the LDAP configuration.
Note: If an Administrator group with the same name already exists, a host group will not be created.
Hosts become members of these groups when they are registered to a user who is a member of the corresponding LDAP group.
A host registered as a device with a logged-on user who is a member of the LDAP group:
- Will not move the host to the host group that corresponds to the LDAP group.
- Will match only policies whose criteria include LDAP group membership based on the logged-on user.
Example:
The Network Access Policy in the selected User/Host Profile 'IT Group' requires membership of the 'NetworkIT' LDAP group.
The 'NetworkIT' LDAP group is imported and appears as a host group.
The user 'gimi' is a member of the 'NetworkIT' LDAP group.
Scenarios:
Host A is registered to user 'gimi'. Upon registration, Host A becomes a member of the 'NetworkIT' host group.
Host B is registered as a device. Upon registration, Host B does not become a member of the 'NetworkIT' host group.
When Host A connects to the network, it matches the User/Host profile 'IT Group' and the Network Access Policy, and the corresponding VLAN is assigned.
When Host B connects to the network, it does not match the 'IT Group' Network Access Policy until the user 'gimi' logs on. Upon login, Host B matches the 'IT Group' Network Access Policy, and the corresponding VLAN is assigned. However, Host B does not move to the 'NetworkIT' host group.
This is the expected behavior.
Starting from FortiNAC version 7.6, two groups are created for each group synchronized with the directory:
- <DirectoryGroupName>_host. This group functions like the standard group used previously. It will be populated with hosts registered by users who belong to the corresponding directory group.
- <DirectoryGroupName>_user. This group contains user accounts listed under Users & Hosts -> User Accounts. These accounts can be manually created as LDAP users or automatically created when a user registers a host in FortiNAC.
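The following model reproduces the group-creation, host-membership and policy-matching rules described in the scenarios above and in the 7.6 note. It is an added illustration, not FortiNAC code: the functions, the `Host` class and the version threshold are hypothetical, and the directory data is constructed from the article's example (user 'gimi', group 'NetworkIT').

```python
# Added model of the FortiNAC LDAP host-group behaviour described in this
# article. Not FortiNAC code: the functions and the Host class are
# hypothetical; names come from the article's example.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Host:
    name: str
    registered_user: Optional[str] = None   # None = registered as a device
    groups: set = field(default_factory=set)

# Constructed directory data matching the article's scenario.
LDAP_GROUPS = {"NetworkIT": {"gimi"}}

def create_host_groups(ldap_groups, admin_groups, version=7.4):
    """Groups created on initial sync. Before 7.6: one host group per
    selected LDAP group, skipped when an Administrator group with the
    same name already exists. From 7.6: <Name>_host and <Name>_user."""
    created = set()
    for name in ldap_groups:
        if version >= 7.6:
            created.update({f"{name}_host", f"{name}_user"})
        elif name not in admin_groups:
            created.add(name)
    return created

def register(host, ldap_groups, version=7.4):
    """A host registered to a user joins the host group of every LDAP
    group that user belongs to; a host registered as a device joins none."""
    if host.registered_user is None:
        return host
    for name, members in ldap_groups.items():
        if host.registered_user in members:
            host.groups.add(f"{name}_host" if version >= 7.6 else name)
    return host

def matches_policy(host, logged_on_user, required_ldap_group, ldap_groups):
    """The 'LDAP group membership' policy criterion is evaluated on a
    user: the registered user, or the logged-on user for a device
    registration (simplification: one user per host)."""
    user = host.registered_user or logged_on_user
    members = ldap_groups.get(required_ldap_group, set())
    return user is not None and user in members
```

Running the two scenarios shows Host B matching the 'IT Group' policy once 'gimi' logs on while its group set stays empty, which is the behaviour the article calls expected.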