FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
khoffman (Staff)
Article Id 239307
Description This article provides a table of the available enforcement groups with an explanation of each. Enforcement groups are used by FortiNAC to change network access, based on host state, for hosts connected to wired switch ports. Each group enforces one host state (or, for Role-Based Access, a Network Access Policy match), and the enforcement only applies to ports or switches that are members of that group.
Scope FortiNAC 8.x, 9.x.
Solution

Review the table to decide which groups will be required. A port can be a member of more than one group; a host state is enforced only on ports (or, for Physical Address Filtering, switches) that belong to the corresponding group. For example, an unregistered host connecting to a port that is not in the Forced Registration group is not moved to the Registration isolation VLAN.

Forced Authentication (Port Group)

When a host connects to a port in this group and the associated user is not authenticated, the port is switched to an 'isolation' VLAN. The host is forced to authenticate.

The 'isolation' VLAN value is determined by the value set for the Authentication host state in Model Configuration.

Forced Registration (Port Group)

When an unregistered (rogue) host connects to a port in this group, the port is switched to an 'isolation' VLAN. The host is forced to register.

The 'isolation' VLAN value is determined by the value set for the Registration host state in Model Configuration.

Forced Remediation (Port Group)

When a host marked 'At-Risk' (for example, because it failed a scan) connects to a port in this group, the port is switched to an 'isolation' VLAN. The host is forced to remediate.

The 'isolation' VLAN value is determined by the value set for the Quarantine host state in Model Configuration.
Role-Based Access (Port Group)

When a registered host connects to a port in this group, the VLAN is switched based upon matching one of the following:
- Network Access Policy
- Network Device Role

Ports must be members of this group in order to use Network Access Policies to dynamically provision network access. A host that matches no Network Access Policy and has no Network Device Role is left in the port's default VLAN.

For example:
1) A printer is registered with the host role 'Accounting'.
2) Network Access Policy 'Accounting Dept' is configured to assign hosts with the 'Accounting' host role to the Logical Network that maps to VLAN 200.
3) The printer connects to a port in the Role-Based Access group.
4) The printer matches the 'Accounting Dept' Network Access Policy.
5) The printer is placed in VLAN 200.

The VLAN value is determined by the value set, in Model Configuration, for the Logical Network assigned by the matching Network Access Policy.

Physical Address Filtering (Device Group)

When a host marked 'Disabled' connects to a switch in this group, the port is switched to an 'isolation' VLAN.

The 'isolation' VLAN value is determined by the value set for the Dead End host state in Model Configuration.