Skip to main content
Hatibi
Staff & Editor
Hatibi
Staff & Editor
December 5, 2024

Technical Tip: Control BYOD access

  • December 5, 2024
  • 0 replies
  • 2142 views
Description This article provides some examples of the methods that can be used by FortiNAC in order to control access for BYOD scenarios.
Scope FortiNAC-F, FortiNAC.
Solution

Companies normally have in place BYOD policies, to allow their users to bring personal devices such as Smartphones or Tablets. There could be a variety of such devices, each having different Hardware and Software capabilities and presenting security concerns.

 

FortiNAC can enforce control and limit its access by differentiating these devices from corporate-owned devices.

To understand how FortiNAC applies Network Access policies check the below links:

 

There are different use cases and scenarios for BYOD access, however, the main goal is to use an attribute that can uniquely differentiate between a Company device versus personal devices.

 

The following options can be used :

 

  1. 802.1x authentication using EAP-TLS with Device/Computer Certificates (recommended).

 

  • This configuration will prevent a host from establishing a network connection if the host has not authenticated at the Layer 2 level.
  • The EAP-TLS authentication method is based on mutual Certificate authentication between a Server and a Client. This means that every device will need to present its unique Client Certificate for Authentication. FortiNAC as a Server will also present its own Server Certificate. Both Client and Server Certificates will be issued by an Internal Trusted Certificate Authority.
  • This article: Technical Tip: How to issue EAP certificate with Microsoft certification authority provides an example of how to issue Certificates using Windows Certificate Authority.
  • When a personal Laptop or smartphone will connect to the Corporate SSID, they will be prompted to use a Certificate for authentication. Since these devices do not have Certificates issued by the trusted Certificate Authority, they will be refused connection to the network. FortiNAC will respond with Access-Reject to the authentication requests in case a non-valid certificate will be used to attempt the authentication.
  • This type of enforcement is conform to the NIST SP 800-53 Rev 5.1.1 IA-03. This control states the following: Uniquely identify and authenticate a device before establishing a local/remote connection.

 

In such cases, the users will have to connect personal devices to a Guest SSID that will provide registration through the FortiNAC isolation portal and then allow limited access.

 

  1. Persistent Agent for Corporate Devices.

     

    The persistent agent can be used to register Company devices in FortiNAC and additionally be used for Compliance. By using the Persistent Agent presence as a criterion, it is possible to differentiate between BYOD and Company Devices.

    BYOD devices without the Persistent Agent will be forced to register through the FortiNAC Isolation portal and given restricted access based on a custom role.

     

    It is also possible to deny connection to specific non-domain devices by moving them to a Logical Network with Action set to "Deny". When a user authenticates with domain credentials from an external device (non-Corporate), FortiNAC will register the user to device but will apply the NAC Policy for non-domain devices with a Logical network configuration that denies access. The user will be disconnected instantly even though they will be initially able to establish a connection in Isolation network. It is important do define Host attributes that will make possible for FortiNAC to correctly differentiate between Domain and Non-domain hosts. Check the Model Configuration for more details.

     

    In some other cases, the Persistent Agent can be deployed to Hosts through the Isolation portal itself. At that point, the company will enforce Endpoint Compliance policies to make sure the Device is considered safe before being granted access to the network.

     

    Documentation:

    Persistent Agent Deployment and Configuration

     

  2. Integration with MDM solutions.

     

    Mobile Device Management solutions can be integrated with FortiNAC to register Hosts and additionally provide unique attributes and compliance states that can be leveraged to enforce control. The concept is the same as with the Persistent Agent, however, this can be very useful in cases where customers already have an existing MDM solution in place. 

    Users bringing personal devices, will either have to enroll them through MDM or will be limited in access by FortiNAC by being forced to register through the portal.

     

    Documentation:

    FortiClient EMS Integration

    Third Party MDM integration

    Technical Tip: Persistent Agent comparison to FortiClient EMS (MDM) for Network Access Control/Compliance

     

  3. Other FortiNAC features.

     

    1. Limit the number of devices that a User can register.

       

      This feature can be used when Corporate policies allow users to bring only a limited number of devices. Once this limit is reached, FortiNAC will not allow new device registrations for that user and will leave the Rogue host in the Isolation network where FortiNAC acts as DHCP and DNS server.

      Allowed hosts

       

    2. Host Inventory Management for users.

       

      Corporate policies might allow users to manage their registered devices. This means that a user can monitor and delete current assets. This allows them to delete an old device and register a new one without Administrator intervention.

 

Related article: 

Technical Tip: Host Inventory management through FortiNAC portal
Terms & ConditionsAccessibility statement