FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
ebujedo
Staff
Article Id 214115

Description

This article describes how to configure endpoint registration using Passive Agent.

When a user connects to the network and logs in, FortiNAC determines the directory group to which the user belongs.
Based on that group, a Passive Agent configuration is used. The configuration registers the user and the associated host in FortiNAC.

The same procedure can also be used to match an access policy and an endpoint compliance policy to the user that is logged on.

 

Scope

FortiNAC, Passive Agent.

 

Solution

Active Directory configuration:

  1. First download the agent package from Settings -> Updates -> Agent Packages.

  2. Download the templates for GPO policies from Settings -> Updates -> Agent Packages.

  3. The templates are installed in 'C:\Program Files\Bradford Networks\Administrative Templates'.

  4. Create a Group Policy Object.

  5. Edit the GPO and import the template previously downloaded.

  6. Modify the Logon/Logoff scripts:

     Add the previously downloaded 'FortiNAC_Passive_Agent.exe' to each script, with the parameter -logon in the logon script and -logoff in the logoff script.

  7. Point the agent to the server it must connect to (FortiNAC):

     Computer Configuration -> Policies -> Classic Administrative Templates -> Bradford Passive Agent (machine).

     The URL should be: http://<FNAC_FQDN>/registration

FortiNAC configuration:

It is now necessary to configure the Passive Agent Policy in Policy & Objects -> Passive Agent.

When a Windows host connects, it can be associated with the logged-on user, and policies are applied according to the user group that user belongs to.

The port the user connects through must be added at least to the 'Forced Registration', 'Forced Authentication' and 'Role Based Access' groups so that FortiNAC can move the user to the corresponding VLAN.

Configuration check:

If the host cannot be registered through the Passive Agent and there is no communication between the Passive Agent and FortiNAC, perform the following verifications:

  1. GPO verification.

     On the Windows client perform a group policy update. Open Command Prompt and type:

       gpupdate /force

     Verify that the computer group policy object is applied:

       gpresult /r /scope computer

     Verify that the user group policy object is applied:

       gpresult /r

 

  2. The following domains are added in System -> Settings -> Control -> Allowed domains:

       dc-name.domain.tld
       _msdcs.domain.tld
       _tcp.domain.tld
       wpad.domain.tld
       ca-name.domain.tld
     

  3. Firewall policies must be configured to allow access from the isolation networks to the domain controller. The following services must be allowed:

       SMB (TCP 445) to access the shared folder.
       HTTPS (TCP 443) to access the CRL.
       KERBEROS (TCP and UDP 88) for authentication.
       DCE/RPC (TCP and UDP 135).
       SAMBA (TCP 139) to process the Group Policy Objects.
       LDAP (TCP and UDP 389) to interrogate the domain controller.
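
The verifications above, collected into one client-side script. This is an added example and not part of the Fortinet article; it assumes the GPO is named 'FortiNAC Passive Agent', the domain is domain.tld with domain controller dc-name.domain.tld, and the FortiNAC FQDN is fnac.domain.tld (all placeholders to replace), and it is run from an elevated PowerShell prompt on the Windows client.

```powershell
# Added verification script for the checks listed above (not part of the Fortinet
# article). Assumed placeholder values: GPO name, domain, DC name and FortiNAC FQDN.
$GpoName  = 'FortiNAC Passive Agent'
$Domain   = 'domain.tld'
$Dc       = "dc-name.$Domain"
$FnacFqdn = 'fnac.domain.tld'

# 1. GPO verification: refresh policy, then confirm the GPO is listed in both scopes.
gpupdate /force | Out-Null
foreach ($scope in 'computer', 'user') {
    $out = (gpresult /r /scope $scope 2>&1) -join "`n"
    $ok  = $out -match [regex]::Escape($GpoName)
    "[GPO ] $scope scope: $(if ($ok) { 'applied' } else { 'NOT applied' })"
}

# 2. Allowed domains: from an isolated host the AD names must resolve to the real
#    records, not to the FortiNAC captive-portal address.
$fnacIp = (Resolve-DnsName -Name $FnacFqdn -Type A -ErrorAction SilentlyContinue).IPAddress
$dcIp   = (Resolve-DnsName -Name $Dc -Type A -ErrorAction SilentlyContinue).IPAddress
if (-not $dcIp)                  { "[DNS ] $Dc does not resolve" }
elseif ($dcIp -contains $fnacIp) { "[DNS ] $Dc resolves to FortiNAC ($fnacIp): add it to Allowed domains" }
else                             { "[DNS ] $Dc -> $dcIp" }
# Standard AD SRV records that live under the _msdcs and _tcp entries of the list.
foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain") {
    $rec = Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue
    "[DNS ] $srv : $(if ($rec) { 'OK' } else { 'NO SRV answer (check _msdcs/_tcp entries)' })"
}

# 3. Firewall: the services listed above, isolation network -> domain controller.
#    Test-NetConnection checks TCP only; UDP 88/135/389 must be confirmed on the firewall.
$ports = @{ 'SMB' = 445; 'HTTPS (CRL)' = 443; 'Kerberos' = 88;
            'DCE/RPC' = 135; 'SAMBA' = 139; 'LDAP' = 389 }
foreach ($svc in $ports.Keys) {
    $open = Test-NetConnection -ComputerName $Dc -Port $ports[$svc] `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    "[PORT] $svc TCP $($ports[$svc]): $(if ($open) { 'open' } else { 'BLOCKED' })"
}

# 4. Passive Agent -> FortiNAC: the registration URL set in the template must answer.
try {
    $r = Invoke-WebRequest -Uri "http://$FnacFqdn/registration" -UseBasicParsing -TimeoutSec 10
    "[HTTP] http://$FnacFqdn/registration -> $($r.StatusCode)"
} catch {
    "[HTTP] http://$FnacFqdn/registration unreachable: $($_.Exception.Message)"
}
```

A 'NOT applied', 'BLOCKED' or 'unreachable' line points at the corresponding item of the check list above; the UDP ports are not exercised by the script and still have to be confirmed in the firewall policy itself.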

     

Debugging the Passive Agent:

To verify directory authentication and Passive Agent communication with FortiNAC, enable the following debugs through the FortiNAC CLI:

  nacdebug -name DirectoryManager true
  nacdebug -name DirectoryAuthentication true
  nacdebug -name SecurityScanEntryInterface true
  nacdebug -name AgentServer true
  nacdebug -name AgentManagement true
  nacdebug -name DirectoryAgentServer true

     

Related documents:

Passive Agent

Agent packages

Administrative templates for GPO

Endpoint compliance