jprocha
New Contributor II

FNAC - Dot1x auto registration role

Hello everyone!


I am looking to leverage the Dot1x auto registration option on FortiNAC to register devices that log in to my network using WiFi. Yet, I need some way to identify that these guys became registered using this method, so I can apply scans, Network Access Policies and so on. The issue is they get assigned the NAC-Default role, and I don't see any option to apply a role as we do on the portal, for example, where I can give a BYOD or Guest role.


Does anyone have any suggestions on how I can apply roles, or can think of other ways to leverage this option while still having control over the way the device connected and became registered to the network?


Appreciate the help!


FortiNAC 

jprocha
FCSS - FortiNAC - FortiSwitch
3 Replies
ebilcari
Staff

You can use Roles matching with an LDAP group. When a host is registered by a user that exists in one of the LDAP groups, that host will be moved to that group and a role can be applied. The role can be used later on in the Network Access Policy, as you mentioned above.

In the case of machine authentication, the LDAP configuration needs to be changed a bit, as shown here.

- Emirjon
jprocha
New Contributor II

Perfect!


Thank you very much for the reply, will proceed this way.

Just confirming, there is no way to differentiate users registered via this method from other means like portal/persistent agent correct?

jprocha
FCSS - FortiNAC - FortiSwitch
scitlak
Staff (accepted solution)

You cannot differentiate users by whether they used RADIUS, Persistent Agent, or 802.1X, but you can differentiate the hosts that were registered with one of them.

1. 802.1X registered host: You will have a RADIUS fingerprint for this kind of host, and you will have an "Auth Type" attribute under Adapters. By using the RADIUS fingerprint or the Auth Type field as criteria in a UHP, you can differentiate these hosts.

2. Portal registered host: You can add a "Security & Access Value" for portal-registered hosts, and by using this attribute you can differentiate these hosts.
