How to block a specific network in FortiNAC?
Hello, everyone.
Is there a way in FortiNAC to prevent a host with the persistent agent from connecting to, for example, a guest network SSID if it had previously signed in to a corporate network SSID?
Thank you all!
Hello
You can do so only if your Guest SSID is controlled by FortiNAC.
But in some installations the Guest SSID may not be controlled by FortiNAC (for license optimization or to simplify Guest SSID usage). In that case, your FortiNAC can't control who can or who can't connect to it.
However, you should be able to do this restriction at least by blocking traffic at the firewall level, by enabling tags between FortiNAC & your FortiGate, then by denying traffic coming from the Guest VLAN for the specific hosts/users.
Hello, AEK
Thanks for your response. Indeed, we have both the guest and production SSIDs controlled by FortiNAC. What we are trying to achieve is to let our coworkers that have the persistent agent connect to the production SSID (which has limited Internet access) but prevent them from connecting to the guest SSID that is Internet "free".
Thanks!
Created on 10-16-2023 11:28 AM Edited on 10-16-2023 11:29 AM
In that case it is simple, just add a policy similar to this one:
- Who: Any host with persistent agent
- Where: Guest SSID
- Put in logical network: isolation or similar
So any host with a persistent agent connecting to the Guest SSID will find itself in the isolation network.
You can do it as suggested, or change the User/Host profile for the Guests to limit only for the GuestSelfRegistration role (existing users will have a different role) and no Agent communicating, as shown below:
Thanks!
