Help
FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Sx11
Staff
Staff

Created on ‎09-09-2024 01:25 AM

Article Id 339579

Technical Tip: 'State based Control' concept and VLAN changes

Description

 

This article describes how FortiNAC applies state-based control and the enforcement groups for each host state.

 

Scope

 

FortiNAC-F, FortiNAC.

 

Solution

 

FortiNAC will provide captive services to hosts based on their state. 

When the Host is 'Not Trusted' or 'Not Normal' it can be in one of the following four states listed in the below table.

 

HOST STATE System Group Membership for port/device Logical Network/VLAN where the host will be moved Description
rogue.png

Rogue(not registered)

 Port is a member of 'Forced Registration' REGISTRATION 'Rogue' is the initial state before the host is registered and marked as a Trusted host. The host is not yet categorized/registered.

Authentication.pngNot Authenticated

 Port is a member of 'Forced Authentication' AUTHENTICATION The host is registered but has failed to authenticate with the defined configuration in the Authentication policy. The host remains in the Authentication VLAN until it authenticates.

remediation.png

At Risk

 Port is a member of 'Forced Registration' REMEDIATION/QUARANTINE The host is registered but has failed a scan and marked 'At Risk'. The host remains in the Remediation VLAN until it successfully passes the compliance scans.

Disabled.png

 Disabled

 The device is a member of 'Physical Address Filtering'  DEAD END The host is registered but is disabled either manually by the administrator or from an automated security action.

 

If the requirement is to have FortiNAC be able to enforce all the above states then each Switchport or SSID where hosts will connect should be made members of the defined System groups in the table.

 

  • In case the Switchport or SSID is not a member of 'Forced Remediation' then FortiNAC will not be able to apply compliance and scan the host. So there will be no enforcement (VLAN change) for the 'At Risk' hosts in the Remediation VLAN.
  • Each Logical Network that Matches the states should have an Access Value (VLAN) defined in the Model Configuration of the Device where Hosts are connecting. If there is no VLAN defined in the Logical networks then FortiNAC will not be able to enforce control on that Port/SSID and make the VLAN change on the respective VLAN based on Host state.
  • The enforced Host states will override the Network Access Policy match for a particular host. For example, if the host is marked 'At Risk' but is also matches a Network access policy, FortiNAC will move the host to the Remediation VLAN and present the Remediation Captive portal. The Network Access policy is ignored. The same condition applies to all other 'Not Trusted' states.

 

The following article describes with an example the steps needed to verify when the VLAN does not change based on state-based control:

Troubleshooting Tip: VLANs not changing on a wired switch

 

Related documentation:

125
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.