Hello team,
I have some points regarding persistence agent deployments:
1- is a DNS record mandatory or there is a way to configure the agent to reach FNAC via its IP
2- I understand that when registering endpoint as a host, the device is tied to a user, whereas as
"device" it is not, so why we need "authentication" when choosing "register as device" under "system--persistence agent / credential management?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 04-21-2024 12:33 AM Edited on 04-21-2024 12:34 AM
Technically the field "lastConnectedServer" in the registry will be populated for the host that had the agent running while being isolated but the DNS entries in production DNS are still needed even for this hosts.
On the link you shared there are two scenarios, the first one technically replaces the registration through the portal and does it via the agent, more like a friendly UI for rouge hosts that have the agent previously installed. This will happen if there is no EPC configured.
The 2nd scenario shown in guide: "(Persistent Agent installed via Captive Portal-Assumes network under enforcement)" assumes that there is an EPC that handles rouge hosts. It will automatically download the selected Agent to the end host:
and than as shown in the previous reply based on the Scan options it will Remediate or Register the host.
As I know "Enable Registration" without "Register as Device" will try silent registration of the host to the current logged in user. If the currently logged user can't be found in the LDAP server, than the PA will pop up for credentials. Using "Register as Device" will register the host (without a user) regardless of the logged in user, so no verification will happen with the authentication server. A passive agent rule can be added to populate the "Logged On User" field in this type of hosts to be later used in UHP.
Hi Mostafa
PA needs you that you define the FNAC FQDN in the below variable.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Bradford Networks\Persistent Agent
homeServer (SZ): fortinac.yourdomain.com
Didn't try to define it with IP address but I guess it should work.
So if defined as FQDN then either you need to create a DNS A record for fortinac.yourdomain.com, or I guess you also can define it in Windows /etc/hosts file (which is not so good solution).
For your second question, if I'm not wrong the "register as device" setting for PA is overridden by the authentication policy (Global Authentication Convention).
Hi AEK, thanks for replying.
So, is editing the registry the only way to specify the Hostname/IP?
What if I configured primary host name and secondary hostname from the agent properties on FortiNAC, would this cause the downloaded agents to be preconfigured with the NAC hostname?
Properties | FortiNAC 9.4.0 | Fortinet Document Library
Also, do you have an idea how to change transport to UDP? cause I did not find from where to change that under transport settings.
Transport configurations | FortiNAC 9.4.0 | Fortinet Document Library
Created on 04-17-2024 04:30 PM Edited on 04-18-2024 05:22 AM
Hi Mostafa
In normal deployment you should not edit the registry but you should deploy PA with GPO, and this will push the registry values as well on all your corp hosts.
Editing registry is just for test one agent in your lab.
What if I configured primary host name and secondary hostname from the agent properties on FortiNAC, would this cause the downloaded agents to be preconfigured with the NAC hostname?
-> Honestly I don't remember if I used this section before and I don't know for what it is used for.
UDP for agent is not supported anymore cause not secure, it has been dropped since like 2 or 3 years. I've read it somewhere in official doc but don't remember where sorry.
The agent installation file can't be customized to include FNACs IP. The changes need to be pushed via the GPO template or registry editor (via GPO or scripts) to the end hosts.
Another way is the DNS SRV records needed only for production networks. If the host is in isolation FNAC will handle it via its built in DNS server (no extra configuration needed).
Hi Emirjon,
You mentioned the case of a host in an isolation network.
In such case, is it mandatory for the host to download the agent from the captive portal, and would an Endpoint compliance policy be necessary prior to the registeration?
And could you please advise regarding my second question:
2- I understand that when registering endpoint as a host, the device is tied to a user, whereas as
"device" it is not, so why we need "authentication" when choosing "register as device" under "system--persistence agent / credential management?
That depends on the Endpoint compliance policy, Scan configurations [Agent Order of Operations:]:
If there is no EPC matching, the host can also be registered without scanning.
I was referring to, if the Agent need to find and reach FNAC while the host is in isolation the DHCP/DNS provided by FNAC will point the agent to FNAC (out of the box).
Authentication type is shown as a drop down but it will not be used when [Register As Device] is selected. The host entry will contain only the "Host Name" and an empty "Registered To" value.
Thanks Emirijon for the clarification, I am almost one step close to remove my confusion regarding this subject.
You mentioned that in case the client in an isolation network, FortiNAC will be handling the SRV record resolution.
After successful registration and when the client moves to production network, would the name/IP of FortiNAC as obtained in the isolation step, be saved in the windows registries? I mean Do I still to prepare my DNS in the production VLAN?
Secondly, the existence of the ECP, is the ECP mandatory for the agent to be available within the captive portal or not? This is important to me to understand the workflow of FortiNAC registration.
(please see step 4 in the below link
"
FortiNAC matches the device with the appropriate Endpoint Compliance Policy (determines which agent type and version to distribute as well as which scan to run)"
Registration Use Cases: Personal Devices | FortiNAC-F 7.2.0 | Fortinet Document Library
Finally, about the "register as device" point, and the relevant of hte authentication in this case, the below use case involves a scenario with "register as device" option being checked, and still relaying on Active directory for authentication, which brings me back to the confusion if authentication is still being taken place for device registration, so what is the difference between a device and a host??
Registration Use Cases: Company Assets | FortiNAC-F 7.2.0 | Fortinet Document Library
I always use a "A" DNS record in corporate DNS for persistent agent, since the FQDN is installed in the client registry with GPO.
I find the SRV DNS record more suitable for dissolvable agent (lets call it DA), since it doesn't have such registry key.
Keep in mind it is more natural to use PA for corporate clients, and DA for non-corporate clients, like contractors or guest. However all companies I know never use DA for non-corporate clients because they find it intrusive to force a guest to install an agent on its host, they just drop them in a guest or contractor VLAN after portal authentication. So I think using DA is no so common.
All the above is applicable for agents in production VLAN, where the corporate DNS replies to any clients DNS query.
When a hosts exits from isolation to production VLAN it will not write the FNAC hostname/IP in the registry. PA already has the FQDN in its registry from its first deployment (GPO), and DA doesn't have such registry key, since it uses the SRV DNS record.
Hope this clarifies things a bit more.
Created on 04-21-2024 12:33 AM Edited on 04-21-2024 12:34 AM
Technically the field "lastConnectedServer" in the registry will be populated for the host that had the agent running while being isolated but the DNS entries in production DNS are still needed even for this hosts.
On the link you shared there are two scenarios, the first one technically replaces the registration through the portal and does it via the agent, more like a friendly UI for rouge hosts that have the agent previously installed. This will happen if there is no EPC configured.
The 2nd scenario shown in guide: "(Persistent Agent installed via Captive Portal-Assumes network under enforcement)" assumes that there is an EPC that handles rouge hosts. It will automatically download the selected Agent to the end host:
and than as shown in the previous reply based on the Scan options it will Remediate or Register the host.
As I know "Enable Registration" without "Register as Device" will try silent registration of the host to the current logged in user. If the currently logged user can't be found in the LDAP server, than the PA will pop up for credentials. Using "Register as Device" will register the host (without a user) regardless of the logged in user, so no verification will happen with the authentication server. A passive agent rule can be added to populate the "Logged On User" field in this type of hosts to be later used in UHP.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.