If I understood your request correctly, you want to update the host with the domain users that are logged in? If yes, this can be achieved with the Passive Agent. Just create an entry in Policy & Objects > Passive Agent without specifying many settings. It allows FortiNAC to process the information coming from the Persistent Agent regarding the domain user logged in on the PCs that have the agent installed.
1st, you need to create a custom scan (Policy & Objects > Endpoint Compliance > Scans > Custom Scans) and configure a Windows Domain check policy. Add the domain in the appropriate place. (It's actually the NetBIOS name, not the domain.)
2nd, attach that custom scan to a compliance check (Policy & Objects > Endpoint Compliance > Scans > Add > Windows > Custom > Tick the custom scan you just created).
There may be other methods too, like checking the registry for certain keys and so on, but IMO that's probably the simplest way to get you going.
In addition to Jason's response, you can create a dedicated scan, add the same logic, and if you don't want to change the host status to "at risk" but just change their access, you can create a configuration that changes only the roles, like the example below:
And then create a Network Access Policy to assign different VLANs based on these new roles. If the domain check succeeds, the host will be assigned the Corporate role; on failure, something else.
- Emirjon