Solution
Companies normally have BYOD policies in place that allow users to bring personal devices such as smartphones or tablets. These devices vary widely in hardware and software capabilities and present their own security concerns.
FortiNAC can enforce control and limit their access by differentiating them from corporate-owned devices.
To understand how FortiNAC applies Network Access policies, check the links below:
There are different use cases and scenarios for BYOD access; in all of them, however, the main goal is to use an attribute that uniquely distinguishes a company device from a personal device.
The following options can be used:
- 802.1x authentication using EAP-TLS with Device/Computer Certificates (recommended).
  - This configuration prevents a host from establishing a network connection if the host has not authenticated at Layer 2.
  - The EAP-TLS authentication method is based on mutual certificate authentication between a server and a client. This means that every device must present its own unique client certificate for authentication, and FortiNAC, as the server, presents its own server certificate. Both client and server certificates are issued by an internal trusted Certificate Authority.
  - The article Technical Tip: How to issue EAP certificate with Microsoft certification authority provides an example of how to issue certificates using a Windows Certificate Authority.
  - When a personal laptop or smartphone connects to the corporate SSID, it is prompted to use a certificate for authentication. Since these devices do not have certificates issued by the trusted Certificate Authority, they are refused connection to the network: FortiNAC responds with Access-Reject to any authentication request in which a certificate that is not valid is used.
  - This type of enforcement conforms to NIST SP 800-53 Rev 5.1.1 IA-03, which states: Uniquely identify and authenticate a device before establishing a local/remote connection.
In that case, users have to connect personal devices to a Guest SSID, which provides registration through the FortiNAC isolation portal and then allows limited access.
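As an added example, not part of the original article and not FortiNAC's own code, the following POSIX shell script emulates only the certificate-trust step of the EAP-TLS decision described above: it builds an internal CA with the openssl CLI (assumed to be installed), issues a client-authentication certificate to a corporate laptop, and then validates certificates the way the authenticating server does, by chaining them to the internal CA. A self-signed certificate on a personal phone and a certificate issued by a different but otherwise valid CA both result in Access-Reject, showing that what matters is the issuing CA, not merely "having a certificate". All names, CNs and file paths are constructed for the demonstration; the real RADIUS/EAP exchange is not reproduced here.

```shell
#!/bin/sh
# Added example (not Fortinet's code): emulate the trust decision an EAP-TLS
# server makes about a client certificate. Assumes the openssl CLI is present.
set -e
WORK=$(mktemp -d)   # scratch directory for constructed keys and certificates

# Build a self-signed CA with proper CA extensions; $1 = basename, $2 = CN
make_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$1-ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
        -extfile "$WORK/$1-ca.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a client-auth (EAP-TLS) device certificate; $1 = issuing CA basename, $2 = device name
issue_device_cert() {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
        -out "$WORK/$2.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# A self-signed certificate, as a personal device might carry; $1 = device name
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.pem" -subj "/CN=$1" -days 1 2>/dev/null
}

# Server-side decision: accept only client certs that chain to the internal CA
# and are usable for client authentication; everything else is Access-Reject.
radius_decision() {
    if openssl verify -CAfile "$WORK/corp.pem" -purpose sslclient "$1" >/dev/null 2>&1; then
        echo "Access-Accept"
    else
        echo "Access-Reject"
    fi
}

make_ca corp "Corp Internal CA"              # the CA FortiNAC is configured to trust
make_ca homelab "Home Lab CA"                # a different, equally well-formed CA
issue_device_cert corp corp-laptop           # corporate device, issued by the trusted CA
issue_device_cert homelab personal-tablet    # valid chain, but to a CA the server does not trust
make_self_signed personal-phone              # self-signed, no chain at all

for c in corp-laptop personal-tablet personal-phone; do
    echo "$c: $(radius_decision "$WORK/$c.pem")"
done
```

The `-purpose sslclient` check matters in practice: a certificate that chains correctly but lacks the clientAuth extended key usage is also refused, which is why the issuing template for device certificates (such as the Microsoft CA template referenced above) must include client authentication.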
- Persistent Agent for Corporate Devices.
The Persistent Agent can be used to register company devices in FortiNAC and, additionally, for compliance checks. By using the presence of the Persistent Agent as a criterion, it is possible to differentiate between BYOD and company devices.
BYOD devices without the Persistent Agent are forced to register through the FortiNAC isolation portal and are given restricted access based on a custom role.
In other cases, the Persistent Agent can be deployed to hosts through the isolation portal itself. The company can then enforce Endpoint Compliance policies to make sure the device is considered safe before it is granted access to the network.
Documentation:
Persistent Agent Deployment and Configuration
- Integration with MDM solutions.
Mobile Device Management (MDM) solutions can be integrated with FortiNAC to register hosts and additionally provide unique attributes and compliance states that can be leveraged to enforce control. The concept is the same as with the Persistent Agent, but this is very useful where customers already have an MDM solution in place.
Users bringing personal devices either have to enroll them through the MDM or are limited in access by FortiNAC, which forces them to register through the portal.
Documentation:
FortiClient EMS Integration
Third Party MDM integration
Technical Tip: Persistent Agent comparison to FortiClient EMS (MDM) for Network Access Control/Compl...
- Other FortiNAC features.
- Limit the number of devices that a user can register.
This feature can be used when corporate policies allow users to bring only a limited number of devices. Once this limit is reached, FortiNAC does not allow new device registrations for that user and leaves the rogue host in the isolation network, where FortiNAC acts as DHCP and DNS server.
Allowed hosts
- Host Inventory Management for users.
Corporate policies might allow users to manage their registered devices, meaning that a user can monitor and delete current assets. This lets them delete an old device and register a new one without administrator intervention.
Related article:
Technical Tip: Host Inventory management through FortiNAC portal