Dears,
We have a FortiNAC and deployed Persistent Agent on domain machines.
But what about if a non-domain machine installed Persistent Agent, will it be registered and have access ?
We need to grantee access to domain machines only.
how can we perform this scenario ?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Mos
Hope this helps
Hi AEK,
Thanks for your reply.
- if you mean server certificate, the user can accept the certification warning of the fortinac certificate and access the network.
- using who in host-profile is a good option but what about if the user still not logged on the machine, is that machine can be accessible through RDP connection as in this situation host-profile is not matched because user is not logged in, is that true ?
- We trying to use a solution rather than promp users to enter theri credential on fortinac agent
Hello Mos
- I mean CA cert on client, and no there is no warning on FNAC PA that can be accepted, if no CA cert on client then no communication with FNAC
- When user is not logged in then your host is in isolation (auth network), so it is isolated and has no access to prod network and prod network should not have access to it
- You don't need to use PA credential, when you log in via Windows login screen then your PA sends this info to FNAC. So you can just disable PA credential window from the beginning in your GPO before pushing PA to hosts
What AEK says, is correct.
You don't need to use PA credential, when you log in via Windows login screen then your PA sends this info to FNAC.
You can have the domain clients login in (passive agent configuration), only these would be allowed with a username into the network. The users however MUST have DC connection as the Agents listens on this logon process. Then you have a host with a domain user attached to it. A user host profile against this user/group can then serve to be used in a network access policy. If not a member, get isolated, or whatever else you need these clients to be.
You can additionally define an Endpoint Scan that is done by the agent to read a registry value applied to your domain computers, specific AV- or other software installed.
Best regards,
Markus
Dears,
You mean configure Passive Agent, I have already configured it a shown in the below figure, but I didn't install passive agent on windows machines, I just installed Persistent Agent.
is the passive agent installation on windows machines mandatory to track user login ?
As I understand you mean disable Automatic registration ?
but if disabled, FortiNAC will redirect the new device to portal for registration and we don't need that, we need the registration process to be in the background when the user login using SSO.
So is that needs to install passive agent on the machines ? or just configure Passive agent configuration in FortiNAC GUI ?
Somehow we must be able to understand
1) a user
2) that the user successfully logged in
Now 1) is easy, but 2) requires us to see that the user is known to the domain and logged in. Either the Persistent Agent presents a popup for the user to login, or we listen in on the Windows login and see whether the login succeeded. Both ways NAC will know the user.
A completely different way, for completeness, is 802.1x on the Interface, wired, or wireless. Also provides the username and is not possible to anyone without proper credentials.
Best regards,
Markus
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.