Created on 06-09-2022 02:34 AM Edited on 03-18-2024 04:42 AM By Jean-Philippe_P
Description
This article describes how to configure endpoint registration using Passive Agent.
The same procedure can also be used to match an access policy and endpoint compliance according to the user that is logged on.
Scope
FortiNAC, Passive agent.
Solution
Active Directory configuration:
Download templates for GPO policies: Settings -> Updates -> Agent Packages.
Templates will be installed in: 'C:\Program Files\Bradford Networks\Administrative Templates'.
Create a Group Policy Object:
Edit the GPO object and Import the template previously downloaded:
Modify Logon/Logoff scripts:
Add the previously downloaded 'FortiNAC_Passive_Agent.exe' to the logon and logoff scripts, passing the -logon parameter in the logon script and the -logoff parameter in the logoff script.
Point the agent to the FortiNAC server it should connect to:
Computer Configuration -> Policies -> Classic Administrative Templates -> Bradford Passive Agent (machine).
URL should be: http://<FNAC_FQDN>/registration
FortiNAC configuration:
It is now necessary to configure the Passive Agent Policy in Policy & Objects -> Passive Agent.
When a Windows host connects, it is possible to associate this with the logged-on user and apply policies according to the user group where it belongs.
It is important to add the port where the user connects at least to the 'Forced Registration', 'Forced Authentication' and 'Role Based Access' groups, so FortiNAC can move the user to the corresponding VLAN.
Configuration check:
If the host cannot be registered using the Passive Agent and there is no communication between the Passive Agent and FortiNAC, perform the following verifications:
1. On the Windows client, perform a group policy update. Open Command Prompt and type:
gpupdate /force
2. Verify that the computer group policy object is applied:
gpresult /r /scope computer
3. Verify that the user group policy object is applied:
gpresult /r
The following domains are added in System -> Settings -> Control -> Allowed Domains:
dc-name.domain.tld
_msdcs.domain.tld
_tcp.domain.tld
wpad.domain.tld
ca-name.domain.tld
Firewall policies must be configured to allow access from the isolation networks to the domain controller. The following services must be allowed:
SMB(TCP 445) to access the shared folder.
HTTPS (TCP 443) to access the CRL.
KERBEROS (TCP and UDP 88) for authentication.
DCE/RPC (TCP and UDP 135).
SAMBA (TCP 139) to process the Group Policy Objects.
LDAP (TCP and UDP 389) to interrogate the domain controller.
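To confirm from a host on the isolation network that the firewall actually permits the services listed above, here is an added Python script (it is not part of the article or of FortiNAC). It performs a plain TCP connect against each TCP port on the domain controller; the UDP entries are listed for completeness but cannot be verified with a connect and are reported as 'untested'. The hostname dc-name.domain.tld is the article's placeholder.

```python
import socket
import sys

# Services the isolation network must reach on the domain controller,
# taken from the article's list. UDP entries cannot be probed with a
# TCP connect, so they are only reported as 'untested'.
REQUIRED_SERVICES = [
    ("SMB (shared folder)", "tcp", 445),
    ("HTTPS (CRL)", "tcp", 443),
    ("Kerberos", "tcp", 88),
    ("Kerberos", "udp", 88),
    ("DCE/RPC", "tcp", 135),
    ("DCE/RPC", "udp", 135),
    ("SAMBA (GPO processing)", "tcp", 139),
    ("LDAP", "tcp", 389),
    ("LDAP", "udp", 389),
]


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable host
        return False


def check_dc_access(dc_host, services=REQUIRED_SERVICES, timeout=2.0):
    """Probe each service; return a list of (name, proto, port, status)."""
    results = []
    for name, proto, port in services:
        if proto != "tcp":
            results.append((name, proto, port, "untested"))
            continue
        status = "open" if tcp_port_open(dc_host, port, timeout) else "blocked"
        results.append((name, proto, port, status))
    return results


def blocked_services(results):
    """Filter the probe results down to the services the firewall blocks."""
    return [r for r in results if r[3] == "blocked"]


if __name__ == "__main__":
    # Placeholder host from the article; pass the real DC as first argument.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc-name.domain.tld"
    for name, proto, port, status in check_dc_access(dc):
        print(f"{name:24s} {proto}/{port:<4d} {status}")
```

Run it from a host placed in the isolation VLAN; any line reported as 'blocked' points at a missing firewall rule rather than at the agent or GPO.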
Debugging the Passive Agent:
To verify directory authentication and Passive Agent communication with FortiNAC, enable the following debugs through the FortiNAC CLI:
nacdebug -name DirectoryManager true
nacdebug -name DirectoryAuthentication true
nacdebug -name SecurityScanEntryInterface true
nacdebug -name AgentServer true
nacdebug -name AgentManagement true
nacdebug -name DirectoryAgentServer true
Copyright 2024 Fortinet, Inc. All Rights Reserved.