This article shows how to use the 'Who/what by RADIUS Request Attribute' filter in FortiNAC User/Host Profiles to match domain-joined machines and assign them a specific network access configuration.
FortiNAC, computer/machine authentication, domain-joined hosts.
FortiNAC v9.2.2 and later.
In many cases, administrators want to treat domain-joined hosts differently from, for example, mobile devices or IoT devices accessing the network.
When a host joins Active Directory, a computer account is created for it and a unique password is negotiated between Active Directory and that host.
This computer object can then be used to identify the host even when no user is logged in to it.
Authenticating the host to the network with this account is generally known as computer authentication or machine authentication.
FortiNAC uses User/Host Profiles to match endpoints/hosts connecting to the network through different filters.
When 802.1X authentication is in place, the switch or access point sends an Access-Request to FortiNAC acting as the local RADIUS server.
When machine authentication is initiated, the User-Name attribute carries the computer account identity in the form host/<hostname>.<domain>. The credentials themselves are exchanged inside the EAP-Message payload (EAP-Type 25/26 in the example below is PEAP carrying EAP-MSCHAPv2), not as plain RADIUS attributes.
Note that User-Name is supplied by the supplicant. The request shown below is logged post-authentication, so the profile match applies to a host that has already authenticated successfully against the domain; the attribute filter on its own should not be treated as proof of domain membership.
The example below shows an incoming RADIUS authentication request as logged by FortiNAC:
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: [Access-Request] Post-Auth Request (16):
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Called-Station-Id = [YY:YY:YY:XX:XX:XX] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Calling-Station-Id = [TT:TT:TT:XX:XX:XX] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Cisco-AVPair = [service-type=Framed, audit-session-id=FFFFFFFFFF, method=dot1x, client-iif-id=XXXXXXXX] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- EAP-Message = [0xffffffffffff] (RadAttr Type=octets)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- EAP-Type = [26, 25] (RadAttr Type=integer)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Event-Timestamp = [Apr 27 2022 11:09:45 BST] (RadAttr Type=date)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- FortiNAC-Nas-Src-Ip = [192.168.61.2] (RadAttr Type=FortiNAC-Nas-Src-Ip)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Framed-MTU = [1468] (RadAttr Type=integer)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- FreeRADIUS-Proxied-To = [127.0.0.1] (RadAttr Type=ipaddr)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- NAS-IP-Address = [192.168.61.2] (RadAttr Type=ipaddr)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- NAS-Port = [50110] (RadAttr Type=integer)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- NAS-Port-Id = [GigabitEthernet1/0/10] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- NAS-Port-Type = [15] (RadAttr Type=integer)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Service-Type = [2] (RadAttr Type=integer)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- State = [0xfffffffffffffffffffffffffffffff] (RadAttr Type=octets)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- User-Name = [host/PC22.forti.lab] (RadAttr Type=string)
In this case, a filter matching all hosts joined to the domain forti.lab is created.
To do so, configure the User/Host Profile entry under 'Who/what by RADIUS Request Attribute' as follows:
Name -> User-Name
Value -> host/*.forti.lab
The '*' wildcard matches any hostname, so every computer account in this domain is matched; the host/ prefix ensures that user logons (for example user@forti.lab) are not matched by the same entry.
Go to Policy & Objects, edit or create a User/Host Profile, and add a new entry under 'Who/what by RADIUS Request Attribute' with the name and value above.
The User/Host Profile will look like the image below:
Depending on the scenario, additional matching criteria (for example location or time) can be combined with this entry for more granularity.
In this way, all domain-joined computers can be treated differently by being assigned a specific network access configuration.
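As an added example, not part of the original article and not FortiNAC code, the following Python script parses a FortiNAC RADIUS debug block like the one above (a constructed copy of the masked log lines, embedded inline) and emulates the 'Who/what by RADIUS Request Attribute' match: the whole User-Name value is matched against the wildcard host/*.forti.lab, so a user identity or a longer suffix such as host/x.forti.lab.example.com is rejected. The case-insensitive comparison and the machine_auth_domain helper are assumptions made for illustration, not documented FortiNAC behaviour; the EAP-Type decoding uses the IANA method numbers (25 = PEAP, 26 = EAP-MSCHAPv2).

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: a FortiNAC local RADIUS debug block for a machine-auth
# Access-Request, with MAC addresses masked as on the original page.
SAMPLE_LOG = """\
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: [Access-Request] Post-Auth Request (16):
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- Calling-Station-Id = [TT:TT:TT:XX:XX:XX] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- EAP-Type = [26, 25] (RadAttr Type=integer)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- NAS-Port-Id = [GigabitEthernet1/0/10] (RadAttr Type=string)
YY:YY:YY:XX:XX:XX CONFIG :: 2022-04-27 11:09:45:457 :: #939 :: -- User-Name = [host/PC22.forti.lab] (RadAttr Type=string)
"""

# One "-- Name = [value] (RadAttr Type=...)" attribute line of the debug output.
ATTR_RE = re.compile(
    r"-- (?P<name>[\w-]+) = \[(?P<value>[^\]]*)\] \(RadAttr Type=(?P<type>[^)]+)\)"
)

# IANA EAP method type numbers for the values commonly seen in machine auth.
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_request(log_text):
    """Return {attribute name: value} for one Access-Request debug block."""
    attrs = {}
    for line in log_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group("name")] = m.group("value")
    return attrs


def radius_attribute_matches(attrs, name, pattern, ignore_case=True):
    """Emulate one 'Who/what by RADIUS Request Attribute' entry.

    The named attribute must be present and the wildcard pattern must match
    the whole value, so host/*.forti.lab does not match
    host/x.forti.lab.example.com. Case-insensitive comparison is an assumption
    of this example (AD host names are case-insensitive), not documented
    FortiNAC behaviour.
    """
    value = attrs.get(name)
    if value is None:
        return False
    if ignore_case:
        return fnmatchcase(value.lower(), pattern.lower())
    return fnmatchcase(value, pattern)


def machine_auth_domain(user_name):
    """Return the AD domain of a machine-auth identity (host/<name>.<domain>),
    or None for user identities such as user@forti.lab or DOMAIN\\user.
    Helper added for illustration; FortiNAC exposes no such function."""
    if not user_name.lower().startswith("host/"):
        return None
    fqdn = user_name[len("host/"):]
    host, sep, domain = fqdn.partition(".")
    return domain.lower() if sep and host and domain else None


def eap_methods(attrs):
    """Decode the EAP-Type attribute ([26, 25] in the sample) into method names."""
    raw = attrs.get("EAP-Type", "")
    return [EAP_TYPES.get(int(t), f"type-{int(t)}") for t in raw.split(",") if t.strip()]


if __name__ == "__main__":
    req = parse_request(SAMPLE_LOG)
    print("User-Name:", req["User-Name"])
    print("EAP methods:", eap_methods(req))
    print("Matches host/*.forti.lab:",
          radius_attribute_matches(req, "User-Name", "host/*.forti.lab"))
    print("Domain:", machine_auth_domain(req["User-Name"]))
```

Running the script against the sample prints the parsed identity host/PC22.forti.lab, the decoded methods EAP-MSCHAPv2 and PEAP, a positive match for the filter, and the domain forti.lab. The full-value match is the important design point: an unanchored substring match on "forti.lab" would also accept identities a supplicant could freely choose, such as user names or hosts in a look-alike parent domain.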
Related document:
https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/15797/user-host-profiles
Copyright 2024 Fortinet, Inc. All Rights Reserved.