Fortinet Forum
mostafahasanin38
New Contributor

Fortinac deny non-domain machines

Dears,

We have a FortiNAC and deployed the Persistent Agent on domain machines.

But what about if a non-domain machine installs the Persistent Agent, will it be registered and have access?

We need to guarantee access to domain machines only.

How can we perform this scenario?

AEK
Contributor II

Hello Mos

  • If someone installs a persistent agent on his PC, he still can't even connect to FortiNAC without a valid certificate
  • In your access policy (User/Host profile) you can add your favorite AD groups in the "Who" field to allow only these groups to access some VLANs
  • Optionally you can also disable auto host registration for new hosts that have the P-Agent newly installed

Hope this helps

mostafahasanin38

Hi AEK,

Thanks for your reply.

- If you mean the server certificate, the user can accept the certificate warning of the FortiNAC certificate and access the network.

- Using "Who" in the host profile is a good option, but what about if the user is still not logged on to the machine? Can that machine be accessed through an RDP connection, as in this situation the host profile is not matched because the user is not logged in? Is that true?

- We are trying to use a solution other than prompting users to enter their credentials in the FortiNAC agent.

AEK

Hello Mos

- I mean the CA cert on the client, and no, there is no warning on the FNAC PA that can be accepted; if there is no CA cert on the client, then there is no communication with FNAC.

- When the user is not logged in, your host is in isolation (auth network), so it is isolated and has no access to the prod network, and the prod network should not have access to it.

- You don't need to use PA credentials; when you log in via the Windows login screen, your PA sends this info to FNAC. So you can just disable the PA credential window from the beginning in your GPO before pushing the PA to hosts.

Markus_M
Staff

What AEK says is correct.

"You don't need to use PA credentials; when you log in via the Windows login screen, your PA sends this info to FNAC."

You can have the domain clients log in (passive agent configuration); only these would be allowed with a username into the network. The users however MUST have a DC connection, as the agent listens on this logon process. Then you have a host with a domain user attached to it. A user/host profile against this user/group can then be used in a network access policy. If not a member, they get isolated, or whatever else you need these clients to be.

You can additionally define an Endpoint Scan that is done by the agent to read a registry value applied to your domain computers, or a specific AV or other software installed.

 

Best regards,


Markus

mostafahasanin38
New Contributor

Dears,

You mean configure the Passive Agent? I have already configured it as shown in the figure below, but I didn't install the passive agent on the Windows machines, I just installed the Persistent Agent.

Is the passive agent installation on the Windows machines mandatory to track user login?

[Screenshot: Passive Agent configuration in the FortiNAC GUI]

As I understand it, you mean disable Automatic registration?

But if it is disabled, FortiNAC will redirect the new device to the portal for registration, and we don't need that; we need the registration process to be in the background when the user logs in using SSO.

[Screenshot: automatic registration setting in the FortiNAC GUI]

So does that need the passive agent installed on the machines? Or just the Passive Agent configuration in the FortiNAC GUI?

Markus_M

Somehow we must be able to understand

1) a user

2) that the user successfully logged in

Now 1) is easy, but 2) requires us to see that the user is known to the domain and logged in. Either the Persistent Agent presents a popup for the user to login, or we listen in on the Windows login and see whether the login succeeded. Both ways NAC will know the user.

A completely different way, for completeness, is 802.1X on the interface, wired or wireless. It also provides the username and is not possible for anyone without proper credentials.

Best regards,

Markus
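To make the decision logic discussed across this thread concrete, here is an added Python model of the access evaluation (this is illustration code written for this page, not FortiNAC's own implementation). It assumes four inputs that the replies mention: whether the client trusts the FNAC CA certificate, whether the agent saw a successful Windows logon and which user it was, the user's AD groups matched against the "Who" field of a User/Host profile, and an optional endpoint scan result such as a registry value pushed by GPO. The VLAN names, the `Host` fields and the evaluation order are assumptions; the sample hosts are constructed to cover the cases raised in the thread, including a domain PC that has not been logged on to yet (the RDP question) and a non-domain PC that installed the agent on its own.

```python
"""Model of the FortiNAC-style access decision discussed in the thread (illustration only)."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Assumed network names; in a real deployment these are whatever the policy assigns.
ISOLATION_VLAN = "isolation"    # auth/isolation network: no prod access in either direction
PROD_VLAN = "production"
NO_COMMS = "no-communication"   # agent cannot even talk to FNAC without the CA cert

# Assumed AD groups placed in the "Who" field of the allowing User/Host profile.
ALLOWED_GROUPS = {"CORP\\Domain Users", "CORP\\Laptop-Users"}


@dataclass
class Host:
    name: str
    trusts_fnac_ca: bool                  # CA cert deployed on the client
    logged_in_user: Optional[str]         # user the agent saw at the Windows logon, if any
    user_groups: Set[str] = field(default_factory=set)
    endpoint_scan_passed: bool = True     # e.g. registry value present on domain computers


def decide_access(host: Host,
                  allowed_groups: Set[str] = ALLOWED_GROUPS,
                  require_scan: bool = True) -> Tuple[str, str]:
    """Return (network, reason) for a host, evaluated in the order the replies describe."""
    if not host.trusts_fnac_ca:
        return NO_COMMS, "no CA certificate on the client, agent cannot reach FNAC"
    if host.logged_in_user is None:
        # Nobody logged in yet (for example before an RDP session): no user to match.
        return ISOLATION_VLAN, "no logged-in user, User/Host profile cannot match"
    if not (host.user_groups & allowed_groups):
        return ISOLATION_VLAN, "user is not in an allowed AD group"
    if require_scan and not host.endpoint_scan_passed:
        return ISOLATION_VLAN, "endpoint scan failed"
    return PROD_VLAN, "domain user in an allowed group"


# Constructed sample hosts covering the cases raised in the thread.
SAMPLE_HOSTS = [
    Host("domain-pc-logged-in", True, "CORP\\alice", {"CORP\\Domain Users"}),
    Host("domain-pc-before-logon", True, None),
    Host("byod-pc-with-agent", True, "LOCAL\\bob", {"BUILTIN\\Users"}),
    Host("domain-pc-failed-scan", True, "CORP\\carol", {"CORP\\Laptop-Users"},
         endpoint_scan_passed=False),
    Host("pc-without-ca-cert", False, "CORP\\dave", {"CORP\\Domain Users"}),
]


def evaluate_all(hosts=SAMPLE_HOSTS) -> dict:
    """Map each host name to the network it would land on."""
    return {h.name: decide_access(h)[0] for h in hosts}


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        network, reason = decide_access(h)
        print(f"{h.name:26} -> {network:16} ({reason})")
```

Only the first host reaches the production network; the domain PC that has not been logged on to yet lands in isolation exactly as AEK describes, which is why an RDP session cannot be opened to it from the production side before a domain user logs on at the console.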