FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi (Staff)
Article Id 339579
Description

This article describes how FortiNAC applies state-based control and the enforcement groups for each host state.

 

Scope

FortiNAC-F, FortiNAC.

 

Solution

FortiNAC provides captive services to hosts based on their 'Not Trusted' state.

When a host is 'Not Trusted' (or 'Not Normal'), it is in one of the first four states listed in the table below.

The fifth state (Online/Enabled) applies once the host is registered and marked as safe by FortiNAC. In this state, VLAN changes are defined by the Network Access Policy configuration.

 

The table columns are: host state; system group membership required for the port/device; Logical Network/VLAN where the host is moved; description.

1. Rogue (not registered)
   System group: the port is a member of 'Forced Registration'
   Logical Network/VLAN: REGISTRATION
   Description: 'Rogue' is the initial state before the host is registered and marked as a Trusted host. The host is not yet categorized/registered.

2. Not Authenticated
   System group: the port is a member of 'Forced Authentication'
   Logical Network/VLAN: AUTHENTICATION
   Description: the host is registered but has failed to authenticate with the configuration defined in the Authentication policy. The host remains in the Authentication VLAN until it authenticates.

3. At Risk
   System group: the port is a member of 'Forced Remediation'
   Logical Network/VLAN: REMEDIATION/QUARANTINE
   Description: the host is registered but has failed a scan and is marked 'At Risk'. The host remains in the Remediation VLAN until it passes the compliance scans.

4. Disabled
   System group: the device is a member of 'Physical Address Filtering'
   Logical Network/VLAN: DEAD END
   Description: the host is registered but has been disabled, either manually by the administrator or by an automated security action.

5. Online/Enabled
   System group: the port where the host is connected is a member of 'Role Based Access'
   Logical Network/VLAN: custom Logical Network
   Description: the host is registered and matches a Network Access Policy that applies a Logical Network configuration with the VLAN specified in the Model Configuration. FortiNAC changes the VLAN according to the policy configuration.

 

For FortiNAC to enforce all of the above states, each switchport or SSID where hosts connect must be a member of the system groups listed in the table.

  • If the switchport or SSID is not a member of 'Forced Remediation', FortiNAC cannot apply compliance scanning to the host, so there is no enforcement (VLAN change) of 'At Risk' hosts into the Remediation VLAN.
  • Each Logical Network that matches a state must have an Access Value (VLAN) defined in the Model Configuration of the device where hosts connect. If no VLAN is defined for the Logical Network, FortiNAC cannot enforce control on that port/SSID and will not change the VLAN according to the host state.
  • An enforced host state overrides a Network Access Policy match for that host. For example, if a host is marked 'At Risk' but also matches a Network Access Policy, FortiNAC moves the host to the Remediation VLAN and presents the Remediation captive portal; the Network Access Policy is ignored. The same applies to all other 'Not Trusted' states.
  • For FortiNAC to perform VLAN changes based on the policy configuration, the port/SSID where the host is connected must be part of the 'Role Based Access' system group.
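The following Python model is an added illustration of the precedence rules above; it is not FortiNAC code. The state names, system group names and target Logical Networks are taken from the table and notes in this article, while the data structures, function names, the sample VLAN ids and the simplification of modelling every group membership at the port/SSID level (the article attaches 'Physical Address Filtering' to the device) are assumptions made for the example. It shows why a 'Not Trusted' state wins over a Network Access Policy match, and why a missing group membership or a Logical Network without an Access Value results in no VLAN change at all.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Host states from the article's table. The four 'Not Trusted' states carry a
# forced control; Online/Enabled is driven by the Network Access Policy.
ROGUE = "Rogue"
NOT_AUTHENTICATED = "Not Authenticated"
AT_RISK = "At Risk"
DISABLED = "Disabled"
ONLINE_ENABLED = "Online/Enabled"

# state -> (system group the port/SSID must belong to, target Logical Network)
STATE_CONTROL: dict[str, tuple[str, str]] = {
    ROGUE:             ("Forced Registration",        "Registration"),
    NOT_AUTHENTICATED: ("Forced Authentication",      "Authentication"),
    AT_RISK:           ("Forced Remediation",         "Remediation"),
    DISABLED:          ("Physical Address Filtering", "Dead End"),
}
ROLE_BASED_ACCESS = "Role Based Access"


@dataclass
class Port:
    """A switchport or SSID plus the device Model Configuration behind it (assumed model)."""
    name: str
    system_groups: set[str] = field(default_factory=set)
    # Logical Network -> Access Value (VLAN id) from the Model Configuration
    logical_network_vlans: dict[str, int] = field(default_factory=dict)


@dataclass
class Host:
    mac: str
    state: str
    # Logical Network selected by the matching Network Access Policy, if any
    policy_logical_network: Optional[str] = None


def enforced_vlan(host: Host, port: Port) -> Optional[int]:
    """VLAN the host would be moved to, or None when no VLAN change is made.

    Precedence follows the article: a 'Not Trusted' state overrides any Network
    Access Policy match. None is returned when the port lacks the system group
    the state requires, or when the target Logical Network has no VLAN defined.
    """
    if host.state in STATE_CONTROL:
        required_group, logical_network = STATE_CONTROL[host.state]
    elif host.state == ONLINE_ENABLED and host.policy_logical_network:
        required_group, logical_network = ROLE_BASED_ACCESS, host.policy_logical_network
    else:
        return None  # Online/Enabled with no policy match: nothing to enforce
    if required_group not in port.system_groups:
        return None  # port/SSID not enrolled for this state: no enforcement
    return port.logical_network_vlans.get(logical_network)  # None if no VLAN set


def sample_port(groups: set[str] | None = None) -> Port:
    """Constructed switchport with sample VLAN ids (assumed values, not from the article)."""
    all_groups = {g for g, _ in STATE_CONTROL.values()} | {ROLE_BASED_ACCESS}
    return Port(
        name="gi1/0/1",
        system_groups=all_groups if groups is None else groups,
        logical_network_vlans={
            "Registration": 10, "Authentication": 20, "Remediation": 30,
            "Dead End": 999, "Employee": 100,
        },
    )


if __name__ == "__main__":
    port = sample_port()
    for host in (Host("00:11:22:33:44:55", ROGUE),
                 Host("00:11:22:33:44:56", AT_RISK, "Employee"),
                 Host("00:11:22:33:44:57", ONLINE_ENABLED, "Employee")):
        print(f"{host.state:18} -> VLAN {enforced_vlan(host, port)}")
    partial = sample_port({"Forced Registration", ROLE_BASED_ACCESS})
    print("At Risk on a port without 'Forced Remediation' ->",
          enforced_vlan(Host("00:11:22:33:44:56", AT_RISK, "Employee"), partial))
```

Running the script shows the 'At Risk' host landing in the Remediation VLAN even though a policy would place it in the Employee VLAN, and the same host getting no VLAN change on a port that is missing the 'Forced Remediation' group, which is exactly the symptom the troubleshooting article linked below helps diagnose.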

 

The following article walks through, with an example, the steps needed to verify why a VLAN does not change under state-based control:

Troubleshooting Tip: VLANs not changing on a wired switch

 

Related documentation: