doncacciatoconsuting
Contributor

FortiNAC integration with EntraID

Currently I have a typical Active Directory on-prem setup.

1- Persistent Agent gleans the username from the PC.

2- NAC is linked to AD and pulls the group info for the user.

3- NAC sends the group tags to the FortiGate for use in FW policy to limit access for certain groups.

If we move to EntraID (which does not have directory services), how can we keep this design?

Is there any kind of workaround?

 

Don

 

 

 

AEK
SuperUser

I'd look at the FortiAuthenticator side to see if it can help.

Edit: I mean you may explore the possibility of putting FAC between FNAC and Entra ID.

Hatibi
Staff

This feature has been submitted as NFR ID: 0949927 and is planned to be added in FortiNAC v7.6.3 GA.

This can change, however, due to engineering priority shifts.

You can track this through your Fortinet Sales Engineer.

doncacciatoconsuting

Is it safe to say that until the new feature request becomes available, there is only 1 option to accomplish my firewall tagging requirement: purchase and deploy Entra Domain Services?

Hatibi

Yes, at the moment FortiNAC can use only on-premises AD as a native authentication source for the Persistent Agent, RADIUS or other methods.

Once Entra ID is supported in v7.6.3 GA, it will be able to perform authentication and user/group lookup in Entra ID and use that group membership in policies, etc.

My suggestion to you is to wait until that version is available and request a Proof of Concept from your Fortinet Sales Engineer. This will confirm that there are no issues and that the feature is stable once it releases. Only after confirming this part could you then purchase and deploy Entra ID in order to proceed with the migration.

 

doncacciatoconsuting
Contributor

Thanks all!
