- If you mean the server certificate, the user can accept the certificate warning for the FortiNAC certificate and access the network.
- Using "who" in the host profile is a good option, but what if the user has not logged on to the machine yet? Can that machine still be accessed through an RDP connection, given that in this situation the host profile is not matched because the user is not logged in? Is that true?
- We are trying to use a solution rather than prompting users to enter their credentials in the FortiNAC agent.
- I mean the CA cert on the client, and no, there is no warning on the FNAC PA that can be accepted; if there is no CA cert on the client, then there is no communication with FNAC.
- When the user is not logged in, your host is in isolation (auth network), so it is isolated and has no access to the prod network, and the prod network should not have access to it.
- You don't need to use PA credentials; when you log in via the Windows login screen, your PA sends this info to FNAC. So you can just disable the PA credential window from the beginning in your GPO before pushing the PA to hosts.
You can have the domain clients log in (passive agent configuration); only these would be allowed into the network with a username. The users, however, MUST have a DC connection, as the Agent listens on this logon process. Then you have a host with a domain user attached to it. A user host profile against this user/group can then be used in a network access policy. If not a member, get isolated, or whatever else you need these clients to be.
You can additionally define an Endpoint Scan that is done by the agent to read a registry value applied to your domain computers, or specific AV or other software installed.
Now 1) is easy, but 2) requires us to see that the user is known to the domain and logged in. Either the Persistent Agent presents a popup for the user to log in, or we listen in on the Windows login and see whether the login succeeded. Either way NAC will know the user.
A completely different way, for completeness, is 802.1X on the interface, wired or wireless. This also provides the username and is not possible for anyone without proper credentials.
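The replies above name three prerequisites for the passive-agent approach: the CA cert must be trusted on the client, the client must reach a DC at logon, and any registry value the Endpoint Scan reads must be present. Below is an added pre-deployment check script that verifies those on a domain-joined client; it is not from the thread or from Fortinet, and the CA thumbprint, registry path and value name are placeholders to replace with your own.

```powershell
# Added example: pre-deployment check for a FortiNAC Persistent Agent rollout.
# Run elevated on a domain-joined client before pushing the PA via GPO.
# All three values below are placeholders/assumptions; substitute your own.
$CaThumbprint = 'PLACEHOLDER_FNAC_CA_THUMBPRINT'   # CA that issued the FNAC server cert
$ScanRegPath  = 'HKLM:\SOFTWARE\Example\Compliance' # hypothetical key the Endpoint Scan reads
$ScanRegName  = 'Tag'                               # hypothetical value name under that key

$results = [ordered]@{}

# 1. CA cert present in the machine trust store? Without it the agent cannot talk to FNAC.
$ca = Get-ChildItem -Path Cert:\LocalMachine\Root |
      Where-Object { $_.Thumbprint -eq $CaThumbprint }
$results['CA cert trusted'] = [bool]$ca

# 2. Domain secure channel healthy? The agent only learns the user from a real domain logon.
#    (Requires an elevated session; returns $false/$null otherwise.)
$results['DC secure channel'] = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

# 3. Did this session authenticate against a DC (LOGONSERVER is set by a domain logon)?
$results['LOGONSERVER set'] = -not [string]::IsNullOrEmpty($env:LOGONSERVER)

# 4. Registry value the Endpoint Scan will look for exists?
$reg = Get-ItemProperty -Path $ScanRegPath -Name $ScanRegName -ErrorAction SilentlyContinue
$results['Scan registry value'] = ($null -ne $reg)

# Report each check and exit non-zero if any prerequisite is missing,
# so the script can gate a GPO/SCCM deployment step.
$results.GetEnumerator() | ForEach-Object {
    '{0,-22} : {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
if ($results.Values -contains $false) { exit 1 }
```

A host that fails check 1 will never register with FNAC at all; one that fails 2 or 3 will sit in the isolation (auth) network even after a user signs in, which is the symptom described earlier in the thread.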