Hello everyone,
I set up a FortiNAC (with FortiGate, FortiSwitch and FortiAP) and the basic 802.1X and MAB authentication is working fine.
But now I want to return a specific VLAN ID based on the AD group membership of a device or user.
I can import AD groups to the FortiNAC but no members are displayed.
How do I do this?
Thanks in advance
Mokka
The AD groups will be auto-populated when a Host has a Registered User from that AD group. If you manually "Register Host to User" and type one of the User IDs that is part of an AD group you have synchronised, it will show as a member in the groups. This should be for testing; usually you have to configure some automatic procedure for this, like the PA.
After that you can select these groups on "User/Host Profile" in the field "Who/What by Group:", or by using the Host Role that can be mapped in Policy & Objects > Roles.
Hello emirjon,
thanks for your reply.
For users this is fine, but what about machines? Is there an option to check the group membership of a computer object in the AD?
Thanks in advance
Best regards
Mokka
Hi, actually yes. You can pull them and it will show like this:
but I haven't tested them on Roles to generate Roles based on these groups.
If you plan to dedicate the LDAP to Computers group only, maybe it's better to change the Object class from "user" to "Computer" and the other fields accordingly.
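As an added illustration (not FortiNAC's code and independent of its LDAP connector), the following Python sketch shows the two pieces this thread touches on: an LDAP filter that selects computer objects rather than user objects, and a lookup that turns a computer's AD group membership (the `memberOf` attribute of a constructed sample entry) into a VLAN ID, with a fallback VLAN for devices in no mapped group. Group names, DNs and VLAN numbers are assumed.

```python
from typing import Dict, Iterable

# Group DN -> VLAN ID, in priority order: the first matching group wins when a
# computer is a member of several mapped groups. (Constructed values.)
GROUP_VLAN_MAP: Dict[str, int] = {
    "CN=NAC-Servers,OU=Groups,DC=example,DC=local": 20,
    "CN=NAC-Workstations,OU=Groups,DC=example,DC=local": 30,
    "CN=NAC-Printers,OU=Groups,DC=example,DC=local": 40,
}
QUARANTINE_VLAN = 999  # fallback for devices that match no mapped group


def ldap_filter(object_class: str, account_attr: str, account: str) -> str:
    """Build an LDAP search filter for one account.

    In AD the "computer" class derives from "user", so (objectClass=user) also
    matches computer objects; (objectClass=computer) narrows the search to
    machines. A computer's sAMAccountName carries a trailing '$' (HOST01$),
    which is one of the fields that must change when pulling computers.
    """
    if object_class == "computer" and not account.endswith("$"):
        account += "$"
    return f"(&(objectClass={object_class})({account_attr}={account}))"


def vlan_for_member_of(member_of: Iterable[str]) -> int:
    """Map the memberOf DNs of an AD object to a VLAN ID (first match wins)."""
    groups = {dn.lower() for dn in member_of}  # DNs compare case-insensitively
    for group_dn, vlan in GROUP_VLAN_MAP.items():
        if group_dn.lower() in groups:
            return vlan
    return QUARANTINE_VLAN


# Constructed sample entry, shaped like an LDAP client's result for HOST01$.
SAMPLE_COMPUTER_ENTRY = {
    "sAMAccountName": "HOST01$",
    "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
    "memberOf": [
        "CN=NAC-Workstations,OU=Groups,DC=example,DC=local",
        "CN=Domain Computers,CN=Users,DC=example,DC=local",
    ],
}

if __name__ == "__main__":
    print(ldap_filter("computer", "sAMAccountName", "HOST01"))
    print(vlan_for_member_of(SAMPLE_COMPUTER_ENTRY["memberOf"]))  # 30
```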