Currently I have a typical Active Directory on-prem setup.
1. Persistent Agent gleans the username from the PC.
2. NAC is linked to AD and pulls the group info for the user.
3. NAC sends the group tags to the FortiGate for use in FW policy to limit access for certain groups.
If we move to Entra ID (which does not have directory services), how can we keep this design?
Is there any kind of workaround?
Don
Created on 02-14-2025 12:47 AM Edited on 04-25-2025 12:36 AM
Yes, at the moment FortiNAC can use only on-premises AD as the native authentication source for the Persistent Agent, RADIUS, or other methods.
Once Entra ID is supported in new FortiNAC releases, it will be able to perform authentication and user/group lookup in Entra ID and use that group membership in policies, etc.
I'd see from the FortiAuthenticator side if it can help.
Edit: I mean you may explore the possibility of putting FAC between FNAC and Entra ID.
This is being planned to be added in FortiNAC future releases.
Is it safe to say that until the new feature request becomes available, there is only one option to accomplish my firewall tagging requirement: purchase and deploy Entra Domain Services?
Thanks all!
Copyright 2025 Fortinet, Inc. All Rights Reserved.