Hi Team,
We are running FortiNAC v9.4.1, and we need to check whether 'agent joined Windows Domain'. Can you share with us the guide for this task?
Thanks a lot.
If I understood your request correctly, you want to update the host with domain users that are logged in? If yes, this can be achieved with the Passive Agent. Just create an entry in Policy & Objects > Passive Agent without specifying many settings. It allows FortiNAC to process the information coming from the Persistent Agent regarding the domain logged-in user on the PCs that have the agent installed.
You can read more about it here: https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/60485/using-windows-domain-lo...
Hi emirjon,
Thank you so much for your response.
It isn't our case. We would like to create a policy: 'a PC (running persistent agent) can connect to Employee VLAN only if it is joined to a domain, for example 'abc.bank.vn''.
Created on 02-10-2023 10:39 PM Edited on 02-10-2023 10:40 PM
Hi
1st, you need to create a custom scan (Policy & Objects > Endpoint Compliance > Scans > Custom Scans) and configure a Windows Domain check policy. Add the domain in the appropriate place. (It's actually the NetBIOS name, not domain.)
2nd, attach that custom scan to a compliance check (Policy & Objects > Endpoint Compliance > Scans > Add > Windows > Custom > Tick the custom scan you just created).
There may be other methods too, like registry checking for certain keys and so on, but IMO that's probably the simplest to get you going.
Created on 02-14-2023 07:47 AM Edited on 02-14-2023 07:49 AM
In addition to Jason's response, you can create a dedicated Scan, add the same logic, and if you don't want to change the host status to "at risk" but just to change their access, you can create a configuration that changes only the roles like the example below:
And then create a Network Access Policy to assign different VLANs based on these new roles. If the domain check succeeds, the host will be assigned the Corporate role; on fail, something else.