Hello Fortinet Community
I wonder how we can bypass access enforcement for the isolation logical networks.
I can find it on the admin guide (check Access Enforcement section):
https://docs.fortinet.com/document/fortinac/9.1.0/administration-guide/151724/model-configuration
However, on my GUI (FNAC 9.2.2) the only available options are "Enforce" and "Deny".
I need this option in order to assign different Authentication networks for hosts depending on some of their attributes.
Any idea on how we can do that?
Cheers!
AEK
Created on 05-26-2022 07:21 AM
Hi AEK
Bypass option:
It exists for wireless enforcement configurations but not for wired. If you bypass a particular state for a wired connection, then you can omit the port from the appropriate enforcement group.
Created on 05-19-2022 04:42 PM Edited on 05-19-2022 04:43 PM
Hello
The options Enforce and Deny are the only boolean options for the built-in isolation networks:
Deny --> no further processing is done
Enforce --> further processing and VLAN assignment will be done according to port group membership
To develop different Authentication, Endpoint Compliance, and Network Access Policies based on attributes, you can do that by creating different User Host Profiles with the required attributes and then mapping this UHP to your policies:
https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/15797/user-host-profiles
Can you elaborate more on your end objective, so we can check more specifically?
Thanks for your reply, Ehtomollari
That would be the solution, but unfortunately there is no way to do it that way, since the state-based enforcement takes precedence over policy-based access. That means when you have a host in state "Authentication" it will be dropped in the VLAN defined for the "Authentication" network in the switch "model configuration", whatever profile it may match.
My objective is simple. Let's define a few attributes first:
- Corp host: host having the FNAC persistent agent, a specific OS, a specific AV and so on
- Guest host: host with any other attributes
My objective here is not to put Corp hosts and Guest hosts in the same authentication network when they are in the authentication state, 1st because Guest hosts are not secure, 2nd because Corp hosts must have extra access to some resources even when in the authentication state.
Any idea?
Thanks Edvin
Certainly I'll try this and advise.
Regards
I confirm it worked just fine. Removing the port from the "Forced Authentication" group allows the port to follow the network access policy that catches it.
Thanks for your help mate.