FortiNAC
FortiNAC is a s a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff
Staff
Description This article describes WinRM Device Profile requirements and setup.
Solution

Requirements:

 

- WinRM service must be enabled on endpoints.

 

- The WinRM HTTP port(s) (5986 or 5985 (insecure)) must be enabled and available through the firewall to the FortiNAC App. server. HTTPS (5986) is strongly encouraged for security purposes.

 

- NTLM Authentication with domain credentials authorized to run powershell commands get-wmiobject, get-itemproperty, get-service, get-process, convertto-json, and read the registry.

 

- Minimum Windows Management Framework (WMF) version: 3.0


For testing open the FortiNAC CLI and cd /bsc/campusMgr/bin/internal then run the below commands:

 

root@fnc-ca1:/bsc/campusMgr/bin/internal

> winrmps

<Workstation-ip>:5985

Domain\username

<password>

ipconfig

 

Note.

After 'ipconfig' has been typed and enter has been pressed, should type '[ctrl+d]' to run the script.

 

Screenshot for illustration:

 

Hawada1_0-1639927180197.png

 

Disclaimer.

 

This is not a public API and the program input may change without notice.

Alternatively, it is possible to run winrmps using the below command if https port 5986 is used:

 

> /bsc/campusMgr/bin/internal/winrmps /bsc/.runtime/data/certificate/winrmps_ca.pem

10.27.2.139:5986

DOMAIN\Username

Password-in-plaintext

Ipconfig

 

where everything after the first line is stdin. 'ipconfig' is just an example command to run.

 

Important Note.

 

If FortiNAC version 9.1.x till version 9.2.1 is used, type the UPN name in the DPC role created in the FortiNAC DPC role.

Otherwise, DPC will not work correctly.


Also, it is necessary to be logged in to the workstation for FortiNAC to receive the ipconfig output.

Hawada1_1-1639927205864.png

 

Solution.

 

UPN username will be addressed in 9.2.2. Device Profiler WinRM Method -> Credentials are required to be in userPrincipalName format but shouldn't be.
https://docs.fortinet.com/document/fortinac/9.2.2/release-notes/317703/version-9-2-2

Useful technical document:

https://docs.fortinet.com/document/fortinac/8.7.0/administration-guide/246310/winrm-device-profile-r...

Contributors