Stage 4. Define Registration Methods.
Once a host is learned by FortiNAC, it is marked with the Rogue host state.
This means that FortiNAC has not yet categorized or profiled the device as a known device type and will keep it in the isolation subnet/registration VLAN. This way, FortiNAC does not grant access before it has established what kind of device it is dealing with. This is known as state-based control, and it takes precedence over Network Access Policies, which are configured later.
There are multiple methods to register devices depending on the scenario and customer requirements.
The most commonly used methods are provided below:
Device Profiler.
This method is beneficial in OT environments and for registering 'headless' IoT devices that have no user associated with them. FortiNAC leverages multiple methods to learn information from connected rogues and then profiles or categorizes them accordingly.
Device profiling rules should be prioritized in this order: information that is already collected (such as vendor by MAC OUI, or location by traffic origin), information that might have to be read (such as an open TCP port), and information that has to be received from the device (such as OS information via DHCP fingerprint or an active scan). Already collected information has less overhead than information that must be gathered before profiling can take place.
Question:
Does this mean that only by configuring the profiling rules my user device will go from rogue to registered (either manually or automatically)? Once it is registered, will NAP come into play? Like, post-registration it will match the user profile and assign the related Network Access Policy?
There are several ways to register hosts, like device profiling, through the web portal, dot1x auto-registration through RADIUS information, manual registration, import, etc.
Yes, NAP will be applied only for hosts in normal state (not rogue, at-risk, or needing authentication). If the host is in normal state, then the UHP will be evaluated and a NAP will be applied if role-based enforcement is configured at the port/SSID level.
DHCP device profiling rules should be at the bottom of the profiling rules list, or else they will cause issues. Right-click on the device and check which profile it will match. The priority of the rules matters, so make sure a more specific rule is higher than a broader one at the bottom.
This topic is covered in more detail in this document: Device Profiler Configuration
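To make the two points above concrete (rule ordering from cheapest to most expensive with DHCP rules last, and NAP being evaluated only once a host has left the rogue state), here is a small simulation written for this thread. It is an added example, not FortiNAC code or its API: the OUI table, rule set, VLAN names and host records are all constructed placeholder values, and the first-match evaluation is an assumption about how an ordered rule list behaves, used only to show why a broad DHCP rule placed above a specific rule misclassifies a device.

```python
"""Toy model of profiling-rule order and state-based control (added example).

Not FortiNAC code. Simulates:
  * an ordered rule list evaluated first-match, cheap 'already collected'
    attributes first and DHCP-fingerprint rules at the bottom;
  * a host that stays 'rogue' (isolation VLAN) until a rule matches;
  * Network Access Policy (NAP) consulted only for hosts in 'normal' state.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class Host:
    mac: str
    location: str                          # traffic origin (constructed sample value)
    open_ports: Set[int] = field(default_factory=set)  # known only after an active scan
    dhcp_os: Optional[str] = None          # OS learned from a DHCP fingerprint
    state: str = "rogue"                   # rogue -> normal once registered
    device_type: Optional[str] = None
    role: Optional[str] = None


@dataclass
class Rule:
    name: str
    device_type: str
    role: str
    cost: int                              # 0 = already collected, 1 = must read, 2 = must receive
    match: Callable[[Host], bool]


# Constructed OUI-to-vendor table; these prefixes are placeholders, not real OUIs.
OUI_VENDOR = {"00:11:22": "CameraVendor", "12:34:56": "PrinterVendor"}


def vendor_of(host: Host) -> Optional[str]:
    """Vendor by MAC OUI: information that is already collected, so cost 0."""
    return OUI_VENDOR.get(host.mac[:8].upper())


# Rules in recommended order: specific and cheap first, DHCP fingerprint rules last.
RULES: List[Rule] = [
    Rule("OT camera by vendor OUI + location", "IP Camera", "ot-cameras", 0,
         lambda h: vendor_of(h) == "CameraVendor" and h.location == "plant-floor"),
    Rule("Printer by vendor OUI", "Printer", "printers", 0,
         lambda h: vendor_of(h) == "PrinterVendor"),
    Rule("Printer by open TCP port 9100", "Printer", "printers", 1,
         lambda h: 9100 in h.open_ports),
    Rule("Windows host by DHCP fingerprint", "Windows", "workstations", 2,
         lambda h: h.dhcp_os == "Windows"),
    Rule("Generic Linux by DHCP fingerprint", "Generic Linux", "linux-hosts", 2,
         lambda h: h.dhcp_os == "Linux"),
]

# Constructed role-to-VLAN mapping standing in for Network Access Policies.
NAP = {"ot-cameras": "vlan-ot-cameras", "printers": "vlan-printers",
       "workstations": "vlan-users", "linux-hosts": "vlan-users"}
ISOLATION_VLAN = "vlan-registration"


def check_rule_order(rules: List[Rule]) -> bool:
    """True when cheaper rules precede more expensive ones (DHCP rules at the bottom)."""
    costs = [r.cost for r in rules]
    return costs == sorted(costs)


def profile(host: Host, rules: List[Rule] = RULES) -> Optional[Rule]:
    """First-match evaluation in list order (assumed semantics); None if nothing matches."""
    for rule in rules:
        if rule.match(host):
            return rule
    return None


def register(host: Host, rules: List[Rule] = RULES) -> str:
    """State-based control: the host leaves 'rogue' only once a profiling rule matches."""
    rule = profile(host, rules)
    if rule is None:
        return host.state                  # stays rogue, remains in the isolation VLAN
    host.device_type, host.role, host.state = rule.device_type, rule.role, "normal"
    return host.state


def apply_nap(host: Host) -> str:
    """NAP is consulted only for hosts in 'normal' state; every other state stays isolated."""
    if host.state != "normal":
        return ISOLATION_VLAN
    return NAP.get(host.role, ISOLATION_VLAN)


if __name__ == "__main__":
    # Constructed sample: an embedded-Linux camera on the plant floor.
    cam = Host(mac="00:11:22:33:44:55", location="plant-floor", dhcp_os="Linux")
    print("before registration:", apply_nap(cam))          # vlan-registration
    print("correct order ->", profile(cam).device_type)    # IP Camera
    print("DHCP rules first ->", profile(cam, list(reversed(RULES))).device_type)  # Generic Linux
    register(cam)
    print("after registration:", cam.state, apply_nap(cam))  # normal vlan-ot-cameras
```

Running the script shows the failure mode the answer warns about: with the DHCP rule at the bottom the camera is profiled by its OUI and location, but with the same rule list reversed the broad "Generic Linux" DHCP rule fires first and the camera is registered with the wrong role, and therefore the wrong NAP.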
Copyright 2024 Fortinet, Inc. All Rights Reserved.