FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
khoffman
Staff
Article Id 316108
Description This article describes the technical differences between Connector Based FSSO (Legacy) and Fabric Based Dynamic Address Tags, the two methods FortiNAC can use to push endpoint identity and tag information to a FortiGate.

FortiNAC supports provisioning access to endpoints using two different methods: Connector Based and Fabric Based.
Scope FortiNAC-F 7.2, 7.4 & FortiNAC 9.4.
Solution

Connector Based FSSO and Security Fabric Based SSO (Dynamic Address Tags) cannot be used together on the same firewall. Running both against one FortiGate causes instability when sending firewall tags, so choose one method per firewall.

Connector Based FSSO

Technical Tip: Configure FortiNAC Tags with FortiOS 7.2.4 GA

  • FSSO (legacy Fortinet Single Sign-On connector protocol)
  • Port 8000
  • Tags include the username (if available), the IP address and the Tag/Group information.
  • FortiNAC Debug: SSOManager

FortiNAC logs (output.master) will show the following when sending an FSSO Tag (a UserIDMessage with action logon):

yams.SSOManager INFO :: 2023-12-15 07:45:23:734 :: #808 :: SSOManager.sendMessage sending message to 172.22.1.234 for client 7C:57:58:8A:1D:65, MSG=UserIDMessage[logon, mac=7C:57:58:8A:1D:65, ip=10.1.250.9, user=Pete, tags=[Registered Hosts, VPN Access, VPN_Auth]]

FortiNAC logs (output.master) will show the following when removing an FSSO Tag (the same message with action logoff):

yams.SSOManager INFO :: 2023-12-15 07:45:24:509 :: #808 :: SSOManager.sendMessage sending message to 172.22.1.234 for client 7C:57:58:8A:1D:65, MSG=UserIDMessage[logoff, mac=7C:57:58:8A:1D:65, ip=10.1.250.9, user=Pete, tags=[Registered Hosts, VPN Access, VPN_Auth]]


Fabric Based (Dynamic Address Tags)

Technical Tip: How to quickly configure the security fabric with FortiNAC and FortiGate

  • Supported on FortiNAC version 9.2.2 and later and FortiOS 7.0 and later.
  • API based (Security Fabric connection)
  • Port 8013
  • FortiNAC dynamically adds and removes IP addresses in the Dynamic Address Tag objects on the firewall.
  • FortiNAC Debug: SSOManager & SecurityFabricManager


FortiNAC logs (output.master) will show the following when sending a Dynamic Address Tag. The JSON payload names the firewall VDOM, the address object (uuid) and the IP addresses that belong to it:

yams.SSOManager INFO :: 2023-11-21 11:12:30:087 :: #606348 :: sendDynamicAddressUpdate(192.68.1.15) json = {"command_version":2,"commands":[{"command":"update","vdom":"root","addresses":[{"uuid":"VPN_AUTH","type":"ip","values":["10.40.14.1"]}]}],"serial":"FNVXCATM23000555","device_type":"fortinac"}

FortiNAC logs (output.master) will show the following when removing a Dynamic Address Tag. Note that removal is not a separate command: the same update command is sent with an empty addresses list:

yams.SSOManager INFO :: 2023-11-21 13:23:50:253 :: #606348 :: sendDynamicAddressUpdate(192.68.1.15) json = {"command_version":2,"commands":[{"command":"update","vdom":"root","addresses":[]}],"serial":"FNVXCATM23000555","device_type":"fortinac"}
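Both log formats above can be parsed mechanically, which is useful when troubleshooting which method a FortiNAC is using against a given FortiGate and whether the two are being mixed on one firewall (the unsupported combination from the Solution section). The Python below is an added example written for this article, not FortiNAC code. It parses the four output.master lines shown above plus one constructed fabric update aimed at the FSSO firewall 172.22.1.234 (added only so the mixed-method check has something to flag), replays the events into the resulting tag membership, and reports any firewall that received both an FSSO UserIDMessage and a Dynamic Address update. The function names, the event dictionary layout, and the reading of an empty addresses list as clearing every Dynamic Address object on that VDOM are assumptions made for the example.

```python
"""Parse FortiNAC output.master SSOManager lines for both tag-delivery methods
and flag any firewall that is receiving both (unsupported per the article).
Added example, not FortiNAC code; helper names are assumptions."""
import json
import re
from collections import defaultdict

# Constructed sample: the article's four log lines, plus one constructed fabric
# update sent to the FSSO firewall so the mixed-method check fires.
SAMPLE_LOG = """\
yams.SSOManager INFO :: 2023-12-15 07:45:23:734 :: #808 :: SSOManager.sendMessage sending message to 172.22.1.234 for client 7C:57:58:8A:1D:65, MSG=UserIDMessage[logon, mac=7C:57:58:8A:1D:65, ip=10.1.250.9, user=Pete, tags=[Registered Hosts, VPN Access, VPN_Auth]]
yams.SSOManager INFO :: 2023-12-15 07:45:24:509 :: #808 :: SSOManager.sendMessage sending message to 172.22.1.234 for client 7C:57:58:8A:1D:65, MSG=UserIDMessage[logoff, mac=7C:57:58:8A:1D:65, ip=10.1.250.9, user=Pete, tags=[Registered Hosts, VPN Access, VPN_Auth]]
yams.SSOManager INFO :: 2023-11-21 11:12:30:087 :: #606348 :: sendDynamicAddressUpdate(192.68.1.15) json = {"command_version":2,"commands":[{"command":"update","vdom":"root","addresses":[{"uuid":"VPN_AUTH","type":"ip","values":["10.40.14.1"]}]}],"serial":"FNVXCATM23000555","device_type":"fortinac"}
yams.SSOManager INFO :: 2023-11-21 13:23:50:253 :: #606348 :: sendDynamicAddressUpdate(192.68.1.15) json = {"command_version":2,"commands":[{"command":"update","vdom":"root","addresses":[]}],"serial":"FNVXCATM23000555","device_type":"fortinac"}
yams.SSOManager INFO :: 2023-12-15 07:46:00:000 :: #606348 :: sendDynamicAddressUpdate(172.22.1.234) json = {"command_version":2,"commands":[{"command":"update","vdom":"root","addresses":[{"uuid":"VPN_AUTH","type":"ip","values":["10.1.250.9"]}]}],"serial":"FNVXCATM23000555","device_type":"fortinac"}
"""

# Common output.master prefix: logger, level, timestamp, thread id, message body
PREFIX_RE = re.compile(
    r"^(?P<logger>\S+) (?P<level>\S+) :: (?P<ts>\d{4}-\d{2}-\d{2} [\d:]+) :: "
    r"#(?P<thread>\d+) :: (?P<body>.*)$"
)
# Connector-based FSSO: UserIDMessage[logon|logoff, ...] sent over port 8000
FSSO_RE = re.compile(
    r"sending message to (?P<fw>[^ ]+) for client (?P<client>[^,]+), "
    r"MSG=UserIDMessage\[(?P<action>logon|logoff), mac=(?P<mac>[^,]+), "
    r"ip=(?P<ip>[^,]+), user=(?P<user>[^,]*), tags=\[(?P<tags>[^\]]*)\]\]"
)
# Fabric-based: JSON dynamic address update sent over port 8013
FABRIC_RE = re.compile(
    r"sendDynamicAddressUpdate\((?P<fw>[^)]+)\) json = (?P<json>\{.*\})$"
)


def parse_line(line):
    """Return an event dict for an FSSO or fabric line, or None for anything else."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    ts, body = m["ts"], m["body"]
    f = FSSO_RE.search(body)
    if f:
        tags = [t.strip() for t in f["tags"].split(",") if t.strip()]
        return {"ts": ts, "method": "fsso", "firewall": f["fw"], "action": f["action"],
                "mac": f["mac"], "ip": f["ip"], "user": f["user"], "tags": tags}
    d = FABRIC_RE.search(body)
    if d:
        payload = json.loads(d["json"])
        commands = [{"command": c.get("command"), "vdom": c.get("vdom"),
                     "addresses": [{"uuid": a["uuid"], "type": a.get("type"),
                                    "values": list(a.get("values", []))}
                                   for a in c.get("addresses", [])]}
                    for c in payload.get("commands", [])]
        return {"ts": ts, "method": "fabric", "firewall": d["fw"],
                "serial": payload.get("serial"), "commands": commands}
    return None


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def firewalls_by_method(events):
    """Map firewall IP -> set of delivery methods seen for it."""
    seen = defaultdict(set)
    for e in events:
        seen[e["firewall"]].add(e["method"])
    return dict(seen)


def mixed_method_firewalls(events):
    """Firewalls receiving both connector-based FSSO and fabric updates."""
    return sorted(fw for fw, m in firewalls_by_method(events).items()
                  if {"fsso", "fabric"} <= m)


def replay_state(events):
    """Replay events in log order into current membership:
    fsso:   (firewall, host ip) -> tags asserted by the last logon
    fabric: (firewall, vdom, uuid) -> ips currently in the address object.
    Assumption: an update with an empty addresses list clears every object on
    that firewall/VDOM, matching the article's removal example."""
    fsso, fabric = {}, {}
    for e in events:
        if e["method"] == "fsso":
            key = (e["firewall"], e["ip"])
            if e["action"] == "logon":
                fsso[key] = set(e["tags"])
            else:
                fsso.pop(key, None)
            continue
        for cmd in e["commands"]:
            if not cmd["addresses"]:
                for key in [k for k in fabric
                            if k[0] == e["firewall"] and k[1] == cmd["vdom"]]:
                    fabric.pop(key)
            for addr in cmd["addresses"]:
                fabric[(e["firewall"], cmd["vdom"], addr["uuid"])] = set(addr["values"])
    return {"fsso": fsso, "fabric": fabric}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in events:
        print(e["ts"], e["method"], e["firewall"], e.get("action") or e["commands"])
    print("mixed-method firewalls:", mixed_method_firewalls(events))
    print("state:", replay_state(events))
```

Run it against a copy of output.master instead of SAMPLE_LOG to see, per firewall, which method FortiNAC is actually using; any firewall listed by mixed_method_firewalls should be reconfigured to use only one of the two methods.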
