FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Sx11
Staff
Article Id 246056

Description

 

This article explains how the Persistent Agent is used for user tracking and the prerequisites for upgrading the agent on specific hosts directly from the FortiNAC GUI.

 

Scope

 

Persistent Agent, FortiNAC.

 

Solution

 

User information is gathered through the LDAP integration: FortiNAC receives the login name reported by the Persistent Agent and validates it against the directory database. Setting up directory authentication is one of the first steps of a FortiNAC implementation, and the same integration is then leveraged to track the user-host association.

 

User tracking is validated by checking whether usernames appear under the 'Logged On User' column of the FortiNAC Host View. This article demonstrates how the logged-in user information is gathered through the Persistent Agent, which forwards it to FortiNAC. Note that the 'Registered To' field is a different attribute: it tracks ownership of assets (for example BYOD), not who is currently logged on.

 

1) User tracking with Persistent Agent

 

a) LDAP integration and additional configuration steps

 

Go to System -> Settings -> LDAP, complete all required fields and validate the credentials. Then expand the 'Additional Configuration' section:

 

Sx11_2-1676537289398.png

 

Under 'Additional Configuration', leave the 'Domain Name' entry empty.
If this field contains a domain name, users must include that domain in their login to be authenticated against this directory and for FortiNAC to retrieve the User ID.


More information is provided here:
https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/724520/configuration

With 'Domain Name' left empty, FortiNAC first looks up the user name together with the domain name reported by the agent. If that lookup fails, it retries with the user name alone, so the User ID is still retrieved for logins that do not carry a domain.

 

b) Passive agent configuration

 

This setup also requires a Passive Agent configuration rule.

FortiNAC uses this configuration to process the login information the Persistent Agent reports from the host.

A single 'Catch_all' rule is enough here, as it enables tracking for all users in the environment rather than only for members of specific groups.

To restrict tracking to users that belong to particular directory groups, use an 'Apply to Members of Group' rule instead (see section 1d).

 

Go to Policy & Objects -> Passive Agent and add the following configuration:

 

Sx11_0-1676536611650.png

 

See the documentation for more information:

https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/60485/using-windows-domain-lo...

c) Persistent Agent Credentials

 

Go to System -> Settings -> Persistent Agent -> Credential Configuration to configure Persistent Agent Credentials.

 

The following configuration makes the Persistent Agent register the host automatically, without prompting the end user for credentials.

The host is then shown in Host View with the 'NAC-default' role.

 

Sx11_0-1676537138450.png

 

 

d) Restriction for Hosts registering through the Persistent Agent which are part of specific LDAP groups (selective user tracking)

 

There may be cases where administrators want to perform tracking only for specific LDAP groups and treat all other users that register through the agent differently.

To track only users of specific groups, first select the groups under Settings -> Authentication -> LDAP -> Select Groups:

 
 

LDAP_groups.png

Perform a manual LDAP synchronization so that the group is populated in the FortiNAC database.

 

Next, select the same groups in the Policy & Objects -> Passive Agent configuration, as below:

 

Passive_agent.png

In this case the desired outcome is to track only Domain Admins, so only that group is included.

The 'Register as' field determines how the host is registered:

1) As a host, based on the login name of the user, or

2) As a device, based on the hostname.

See the following document for more information: https://docs.fortinet.com/document/fortinac-f/7.2.0/administration-guide/188046/manage-configuration....

 

Finally, the administrator can use a wildcard in the 'Logged On User' host filter to build policies that match only the host records of the tracked Domain Admins:

 

Host_logged_on_user_filter.png

 

This way, any host record where tracking applies can be treated differently from other domain hosts that are also registered by the agent but carry no logged-on user. A catch-all policy then matches the domain users that are not tracked by the configured Passive Agent rule.
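As an added illustration, and not FortiNAC code, the following Python model ties together the behaviours described in section 1a and in this section: the User ID lookup with an empty versus a populated 'Domain Name' field, the Passive Agent decision of whether a logged-on user is recorded for the host ('Catch_all' versus 'Apply to Members of Group'), and the wildcard host filter on 'Logged On User' that separates tracked hosts from the rest. The directory contents, the domain ftnt.demo, the user and host names and the function names are constructed for the example; the article does not describe how FortiNAC implements these steps internally and nothing here claims to.

```python
from fnmatch import fnmatchcase

# Constructed sample directory for a hypothetical domain "ftnt.demo" (not real data).
DIRECTORY = {
    "ftnt.demo": {
        "alice": {"user_id": "S-1-5-21-1-1001", "groups": {"Domain Admins", "Domain Users"}},
        "bob":   {"user_id": "S-1-5-21-1-1002", "groups": {"Domain Users"}},
    },
}


def split_login(login):
    """Return (domain, username), lower-cased, from 'DOMAIN\\user', 'user@domain' or 'user'."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return domain.lower(), user.lower()
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        return domain.lower(), user.lower()
    return None, login.lower()


def find_directory_entry(login, configured_domain, directory=DIRECTORY):
    """Resolve the directory entry for a login the agent reported.

    configured_domain models the 'Domain Name' field under Additional Configuration.
    Set:   the login must carry that domain, otherwise the lookup fails (section 1a).
    Empty: first try username + domain from the login, then the username alone.
    """
    domain, user = split_login(login)
    if configured_domain:
        if domain != configured_domain.lower():
            return None
        return directory.get(domain, {}).get(user)
    if domain is not None and user in directory.get(domain, {}):
        return directory[domain][user]
    for users in directory.values():          # fallback: username only
        if user in users:
            return users[user]
    return None


def logged_on_user(login, tracked_groups=(), configured_domain="", directory=DIRECTORY):
    """What is stored in the host's 'Logged On User' field under the Passive Agent rule.

    tracked_groups empty -> the article's Catch_all rule: every resolvable user is tracked.
    tracked_groups given -> 'Apply to Members of Group': only members are tracked.
    Returns the login to record, or None when the host gets no user tracking.
    """
    entry = find_directory_entry(login, configured_domain, directory)
    if entry is None:
        return None                            # no User ID retrieved, nothing to associate
    if tracked_groups and not (entry["groups"] & set(tracked_groups)):
        return None
    return login


def filter_hosts(hosts, pattern):
    """Host View filter on 'Logged On User' with a wildcard such as '*' or 'FTNT.DEMO\\*'.

    Untracked hosts (None) never match, so a catch-all policy picks them up instead.
    """
    return [h["hostname"] for h in hosts
            if h["logged_on_user"] is not None
            and fnmatchcase(h["logged_on_user"].lower(), pattern.lower())]


def register_hosts(logins, tracked_groups=(), configured_domain=""):
    """Build host records from (hostname, login) pairs reported by the agents."""
    return [{"hostname": host,
             "logged_on_user": logged_on_user(login, tracked_groups, configured_domain)}
            for host, login in logins]


if __name__ == "__main__":
    # Constructed agent reports: a Domain Admin, a regular user, and a login that
    # cannot be resolved in the directory at all.
    reports = [("PC-ADMIN", "FTNT.DEMO\\alice"), ("PC-BOB", "bob"), ("PC-GUEST", "carol")]
    hosts = register_hosts(reports, tracked_groups={"Domain Admins"})
    print(hosts)
    print(filter_hosts(hosts, "*"))   # only PC-ADMIN, the tracked Domain Admin
```

Running the block with tracked_groups={"Domain Admins"} leaves PC-BOB and PC-GUEST without a logged-on user, so a '*' filter on 'Logged On User' selects only PC-ADMIN and a catch-all policy covers the other two; switching to the catch-all rule (no tracked_groups) records bob as well, while carol still gets nothing because no User ID could be retrieved for her login.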

 

More matching criteria can be added by using roles.

In such scenarios, these options are available:

 

- User Roles Based On Groups - Users can be assigned roles by placing them in a group and then associating that group with a role under Role View.

- User Roles Based On A Directory Field - Users can be assigned a role based on a field in LDAP or the Active Directory. 

 

Roles can then also be used as filters in Network Access Policies to further distinguish directory users and apply control to them.

 

Documentation on how roles work:

https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/245839/assigning-roles

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Role-assignment-order/ta-p/250790

 

2) Upgrading Agents on Specific Hosts directly from FortiNAC host view:

 

Agent updates can be performed globally under System -> Settings -> Persistent Agent -> Agent Update.

https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/899557/upgrade-the-persistent...

 

FortiNAC can also upgrade only specific hosts, for example for testing purposes.

To do this, right-click a host in the FortiNAC Host View and select 'Update Persistent Agent'.

(The agent must already be communicating with FortiNAC, which is shown by a green tick icon.)

 

Sx11_0-1676538141729.png

 

In some cases, the following error may appear when attempting an upgrade:

'The host was not updated from 5.3.0.77 or it has not communicated yet.'

 

To remedy this, check the following:

a) Verify that the FortiNAC hostname is correctly specified under Settings -> Persistent Agent -> Properties.

This is a requirement for agent updates. In this example, test.ftnt.demo is the FQDN of the FortiNAC server.

 

Sx11_1-1676537185399.png

 

b) Check that the following ports, needed for Persistent Agent communication and for the upgrade, are open on every hop between the host and FortiNAC:

- TCP 4568 (agent communication)
- TCP 80 (required for upgrades)

Clients upgrading the Persistent Agent must be able to reach port 80 on the FortiNAC appliances. Confirm the port list against the deployment guide linked below for the agent version in use before changing firewall rules.
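The following Python script, added here as an example and not part of FortiNAC or its agent, checks the two prerequisites above from the client side: that the FortiNAC FQDN configured under Persistent Agent -> Properties resolves, and that TCP 4568 and TCP 80 accept a connection from the host. It is meant to be run on a host that fails to update, over the same path the agent uses. The FQDN test.ftnt.demo comes from this article; the function names, the address 192.0.2.10 used in the offline check and the injectable resolve/connect hooks are this example's own assumptions.

```python
import socket

# Ports the article lists for Persistent Agent communication and upgrade.
AGENT_PORTS = {4568: "agent communication", 80: "agent upgrade download"}


def check_agent_path(fqdn, ports=AGENT_PORTS, timeout=3.0, resolve=None, connect=None):
    """Check the prerequisites for 'Update Persistent Agent' from the client side.

    1. fqdn (the FortiNAC hostname under Persistent Agent -> Properties) must resolve.
    2. Every TCP port in `ports` must accept a connection from this host within `timeout`.

    resolve(name) -> address and connect(address, port) -> bool default to real socket
    calls; stand-ins can be injected so the decision logic runs without network access.
    Returns {"resolves": bool, "address": str or None, "ports": {port: bool}}.
    """
    if resolve is None:
        resolve = lambda name: socket.getaddrinfo(name, None)[0][4][0]
    if connect is None:
        def connect(address, port):
            with socket.create_connection((address, port), timeout=timeout):
                return True

    result = {"resolves": False, "address": None, "ports": {p: False for p in ports}}
    try:
        result["address"] = resolve(fqdn)
    except OSError:            # socket.gaierror is a subclass of OSError
        return result          # an unresolvable name is the first thing to fix
    result["resolves"] = True
    for port in ports:
        try:
            result["ports"][port] = bool(connect(result["address"], port))
        except OSError:        # refused, timed out, unreachable, ...
            result["ports"][port] = False
    return result


def explain(result, fqdn):
    """Map a check result to the remediation steps the article gives."""
    if not result["resolves"]:
        return [f"{fqdn} does not resolve: correct the hostname under Persistent Agent -> Properties"]
    problems = [f"TCP {port} to {result['address']} is blocked ({AGENT_PORTS.get(port, 'unknown use')}): "
                f"open it on every hop between the host and FortiNAC"
                for port, ok in result["ports"].items() if not ok]
    return problems or ["hostname resolves and all required ports are reachable"]


if __name__ == "__main__":
    fqdn = "test.ftnt.demo"   # the FortiNAC FQDN shown in the article's screenshot
    for line in explain(check_agent_path(fqdn), fqdn):
        print(line)
```

A connection that succeeds on 4568 but not on 80 reproduces the situation behind the 'has not communicated yet' error: the agent can talk to FortiNAC, yet cannot fetch the new version, and the script reports exactly which hop-level rule to fix.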

 

Related document:

https://docs.fortinet.com/document/fortinac/9.4.0/persistent-agent-deployment-and-configuration
