anhminh918123
New Contributor

Regarding to 'agent joined Windows Domain' check on FortiNAC

Hi Team, 

We are running FortiNAC v9.4.1, and we need to run checking if 'agent joined Windows Domain'. Can you share us the guide for this task?

Thanks a lot. 

4 REPLIES
ebilcari
Staff

If I understood your request correctly, you want to update the host with domain users that are logged in? If yes, this can be achieved with the Passive Agent. Just create an entry in Policy & Objects > Passive Agent without specifying many settings. It allows FortiNAC to process the information coming from the Persistent Agent regarding the domain logged-in user on the PCs that have the agent installed.


You can read more about it here: https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/60485/using-windows-domain-lo...

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
anhminh918123
New Contributor

Hi emirjon, 

Thank you so much for your response. 

It isn't our case. We would like to create a policy: 'a PC (running the persistent agent) can connect to the Employee VLAN only if it is joined to a domain, for example 'abc.bank.vn'.


JasonM

Hi
1st you need to create a custom scan (Policy & Objects > Endpoint Compliance > Scans > Custom Scans) and configure a Windows Domain check policy. Add the domain in the appropriate place. (It's actually the NetBIOS name, not the domain name.)

2nd attach that custom scan to a compliance check (Policy & Objects > Endpoint Compliance > Scans > Add > Windows > Custom > tick the custom scan you just created).

There may be other methods too, like registry checking for certain keys and so on, but IMO that's probably the simplest to get you going.
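As an added example that is not part of this thread and not Fortinet's own tooling, the PowerShell below gathers, on a Windows endpoint, the identifiers a Windows Domain custom scan is effectively compared against (DNS domain from Win32_ComputerSystem, NetBIOS domain names from Win32_NTDomain, and the logged-on user's domain from the environment) and reports whether an expected NetBIOS name is among them. The function name, the -ExpectedNetbios parameter and the sample value 'ABC' are assumptions made for the example; it is useful when a scan fails because the DNS name was entered where the NetBIOS name was expected.

```powershell
# Added example (not from the thread or from Fortinet): report the domain
# identifiers a FortiNAC "Windows Domain" custom scan would be matched against
# on this endpoint, and check an expected NetBIOS name against them.
# Assumption: the NetBIOS name configured in the scan is passed in -ExpectedNetbios.

function Get-DomainJoinFacts {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ExpectedNetbios   # e.g. 'ABC' for the DNS domain abc.bank.vn (constructed example)
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $facts = [ordered]@{
        ComputerName  = $cs.Name
        PartOfDomain  = [bool]$cs.PartOfDomain
        DnsDomain     = if ($cs.PartOfDomain) { $cs.Domain } else { $null }   # e.g. abc.bank.vn
        Workgroup     = if ($cs.PartOfDomain) { $null } else { $cs.Workgroup }
        UserNetbios   = $env:USERDOMAIN      # NetBIOS domain of the logged-on user (host name for local accounts)
        UserDnsDomain = $env:USERDNSDOMAIN   # DNS domain of the logged-on user (empty for local accounts)
    }

    # Win32_NTDomain lists the NetBIOS name (DomainName) of the machine's own
    # domain and of trusted domains it knows about; it is empty on a workgroup PC.
    $ntDomains = @()
    if ($cs.PartOfDomain) {
        $ntDomains = @(Get-CimInstance -ClassName Win32_NTDomain |
            Where-Object { $_.DomainName } |
            Select-Object DomainName, DnsForestName, DomainControllerName)
    }
    $facts.NetbiosCandidates = ($ntDomains | ForEach-Object { $_.DomainName }) -join ', '

    # The condition a scan effectively evaluates: joined to a domain AND the
    # expected NetBIOS name is one the host itself reports (case-insensitive).
    $matches = @($ntDomains | Where-Object { $_.DomainName -ieq $ExpectedNetbios })
    $facts.MatchesExpected = [bool]$cs.PartOfDomain -and ($matches.Count -gt 0)

    [pscustomobject]$facts
}

# Usage (constructed value): compare the host against the NetBIOS name 'ABC'.
Get-DomainJoinFacts -ExpectedNetbios 'ABC' | Format-List
```

If MatchesExpected is false while DnsDomain shows the right DNS suffix, the value entered in the scan is most likely the DNS name rather than the NetBIOS name listed under NetbiosCandidates. UserNetbios is shown separately because a local account logged on to a domain-joined PC reports the host name there, so it must not be used as the machine's domain.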

ebilcari

In addition to Jason's response, you can create a dedicated Scan, add the same logic, and if you don't want to change the host status to "at risk" but just change their access, you can create a configuration that changes only the roles, like the example below:

(screenshot: ebilcari_0-1676389183782.png)

And then create a Network Access Policy to assign different VLANs based on these new roles. If the domain check succeeds, the host will be assigned the Corporate role; on failure, something else.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.