Fortinet Forum
AEK
Contributor II

FortiNAC // Bypass access enforcement

Hello Fortinet Community

I wonder how we can bypass access enforcement for the isolation logical networks.

I can find it on the admin guide (check Access Enforcement section):

https://docs.fortinet.com/document/fortinac/9.1.0/administration-guide/151724/model-configuration

 

However, on my GUI (FNAC 9.2.2) the only available options are "Enforce" and "Deny".

access_enforcement.png

 

I need this option in order to assign different Authentication networks for hosts depending on some of their attributes.

 

Any idea on how we can do that?

 

Cheers!

AEK

 

ethomollari
Staff
Staff

Hello 

 

The options Enforce and Deny are the only boolean options for the built-in isolation networks.

Deny: no further processing is done.

Enforce: further processing and VLAN assignment will be done according to port group membership.

 

To develop different Authentication, Endpoint Compliance and Network Access Policies based on attributes, you can do that by creating different User Host Profiles with the required attributes and then mapping each UHP to your policies.

 

https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/15797/user-host-profiles

 

Can you elaborate more on your end objective, so we can check more specifically?

A problem well-defined is a problem half solved.
AEK

Thanks for your reply, ethomollari

That would be the solution, but unfortunately there is no way to do it, since state-based enforcement takes precedence over policy-based access. This means that when a host is in the "Authentication" state it will be dropped into the VLAN defined for the "Authentication" network in the switch "model configuration", whatever profile it may match.

 

My objective is simple. Let's define a few attributes first:

- Corp host: host having the FNAC persistent agent, a specific OS, a specific AV and so on

- Guest host: host with any other attributes

 

My objective here is not to put Corp hosts and Guest hosts in the same authentication network when they are in the authentication state: first because Guest hosts are not secure, and second because Corp hosts must have extra access to some resources even when in the authentication state.

 

Any idea?

ethomollari
Staff
Staff

Hi AEK

Bypass option:

It exists for wireless enforcement configurations but not for wired. If you want to bypass a particular state for a wired connection, then you can omit the port from the appropriate enforcement group.

A problem well-defined is a problem half solved.
AEK
Contributor II

Thanks Edvin

Certainly, I'll try this and advise.

Regards

 

AEK
Contributor II

I confirm it worked just fine. Removing the port from the "Forced Authentication" group allows the port to follow the network access policy that catches it.

Thanks for your help mate.