FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Sx11
Staff
Article Id 232010
Description

This article shows an example of using the 'Who/what by RADIUS Request Attribute' filter in FortiNAC User/Host Profiles to match domain-joined machines and assign them specific network access.

Scope

FortiNAC, computer/machine authentication, domain-joined hosts.

FortiNAC v9.2.2+.

 

Solution

In many cases, administrators want to treat domain-joined hosts differently from, say, mobile devices or other IoT devices accessing the network.

A host joining Active Directory gets a computer account, and a unique password is negotiated between Active Directory and that host.

This computer object can then be used to identify the host even when no user is logged in to it.

It can be used to grant the host access to the network; this is generally known as computer authentication or machine authentication.

 

FortiNAC uses User/Host Profiles with different filters to match endpoints/hosts connecting to the network.

When 802.1X authentication is in place, an Access-Request is sent to FortiNAC acting as the local RADIUS server.

When machine authentication is initiated, the computer credentials are visible in the User-Name attribute.

 

The example below shows an incoming RADIUS Access-Request as logged by FortiNAC:

 

YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: [Access-Request] Post-Auth Request (16):
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Called-Station-Id = [YY:YY:YY:XX:XX:XX] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Calling-Station-Id = [TT:TT:TT:XX:XX:XX] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Cisco-AVPair = [service-type=Framed, audit-session-id=FFFFFFFFFF, method=dot1x, client-iif-id=XXXXXXXX] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- EAP-Message = [0xffffffffffff] (RadAttr Type=octets)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- EAP-Type = [26, 25] (RadAttr Type=integer)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Event-Timestamp = [Apr 27 2022 11:09:45 BST] (RadAttr Type=date)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- FortiNAC-Nas-Src-Ip = [192.168.61.2] (RadAttr Type=FortiNAC-Nas-Src-Ip)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Framed-MTU = [1468] (RadAttr Type=integer)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- FreeRADIUS-Proxied-To = [127.0.0.1] (RadAttr Type=ipaddr)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- NAS-IP-Address = [192.168.61.2] (RadAttr Type=ipaddr)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- NAS-Port = [50110] (RadAttr Type=integer)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- NAS-Port-Id = [GigabitEthernet1/0/10] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- NAS-Port-Type = [15] (RadAttr Type=integer)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Service-Type = [2] (RadAttr Type=integer)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- State = [0xfffffffffffffffffffffffffffffff] (RadAttr Type=octets)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- User-Name = [host/PC22.forti.lab] (RadAttr Type=string)

 

In this case, a matching filter is created for all hosts joined to the domain forti.lab.

To do this, configure the User/Host Profile entry under 'Who/what by RADIUS Request Attribute' as follows:

 

Name -> User-Name
Value -> host/*.forti.lab

Using the '*' wildcard, all hostnames that are part of this domain are matched.
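The following is an added example, not code from the article or from Fortinet, that shows what the filter above does when applied to FortiNAC-style Access-Request log lines: it parses the attribute lines into one attribute set per request, then checks the User-Name value against the 'host/*.forti.lab' pattern. The log lines are constructed in the same format as the article's example (placeholder MAC addresses included); it is assumed, for illustration only, that FortiNAC treats '*' as the only wildcard and compares hostnames case-insensitively. The second and third requests are constructed to show a user login and a host from a look-alike domain, neither of which should match.

```python
import re

# Constructed sample log lines in the format FortiNAC uses for an incoming
# Access-Request (modelled on the article's example; MACs are placeholders).
# Request #939 is a machine authentication from a forti.lab host, #940 is a
# user login, #941 is a host joined to a look-alike domain (notforti.lab).
SAMPLE_LOG = """\
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: [Access-Request] Post-Auth Request (16):
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Calling-Station-Id = [TT:TT:TT:XX:XX:XX] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- NAS-Port-Id = [GigabitEthernet1/0/10] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- User-Name = [host/PC22.forti.lab] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:46:001 :: #940 :: [Access-Request] Post-Auth Request (16):
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:46:001 :: #940 :: -- Calling-Station-Id = [AA:AA:AA:XX:XX:XX] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:46:001 :: #940 :: -- User-Name = [jdoe@forti.lab] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:47:120 :: #941 :: [Access-Request] Post-Auth Request (16):
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:47:120 :: #941 :: -- User-Name = [host/LAB01.notforti.lab] (RadAttr Type=string)
"""

# One attribute line: ":: #<request id> :: -- <Attr-Name> = [<value>] (RadAttr ..."
ATTR_RE = re.compile(r"::\s*#(\d+)\s*::\s*--\s*([A-Za-z0-9-]+)\s*=\s*\[(.*)\]\s*\(RadAttr")


def parse_requests(log_text):
    """Group the attribute lines of a FortiNAC RADIUS log by request id.

    Returns {request_id: {attribute_name: value}}. Header lines such as
    "[Access-Request] Post-Auth Request (16):" carry no attribute and are skipped.
    """
    requests = {}
    for line in log_text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        req_id, name, value = m.groups()
        requests.setdefault(req_id, {})[name] = value
    return requests


def wildcard_to_regex(pattern):
    """Turn a filter value such as 'host/*.forti.lab' into an anchored regex.

    Assumption (not documented on the page): only '*' is a wildcard, every other
    character is literal, so the '.' in '.forti.lab' must appear as-is, and the
    comparison is case-insensitive because DNS hostnames are.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def matches_radius_attribute(attrs, name, pattern):
    """Emulate one 'Who/what by RADIUS Request Attribute' entry (Name/Value)."""
    value = attrs.get(name)
    return value is not None and wildcard_to_regex(pattern).match(value) is not None


def classify(log_text, name="User-Name", pattern="host/*.forti.lab"):
    """Return {request_id: True/False} for whether each request matches the filter."""
    return {
        req_id: matches_radius_attribute(attrs, name, pattern)
        for req_id, attrs in parse_requests(log_text).items()
    }


if __name__ == "__main__":
    for req_id, matched in classify(SAMPLE_LOG).items():
        user = parse_requests(SAMPLE_LOG)[req_id].get("User-Name")
        print(f"#{req_id} User-Name={user!r} -> {'domain machine' if matched else 'no match'}")
```

Because the pattern is anchored and '.' is literal, 'host/LAB01.notforti.lab' is rejected even though it ends in 'forti.lab'; only names with the exact '.forti.lab' suffix (and the 'host/' prefix that machine authentication adds) are treated as domain machines.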

 

Go to Policy & Objects, edit an existing User/Host Profile or create a new one, and add a new entry under 'Who/what by RADIUS Request Attribute' as shown below:

[Screenshot: Sx11_0-1669895829994.png]

 

The User/Host Profile will look like the image below.

Depending on the scenario, additional matching criteria can be added for more granularity.

[Screenshot: Sx11_1-1669895863209.png]

 

This way, all domain-joined computers can be treated differently by assigning them a specific network access configuration.

Related documents:

https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/15797/user-host-profiles

https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/366458/configure-local-radius...
