Dan_Eng52
Contributor

Seamless Authentication for Corporate Laptops - Solution Guidance

Hi everyone, 
 
I hope you're well. 
 
I am exploring possible solutions to seamlessly authenticate and allow our corporate laptops to connect to wired/wireless LAN VLAN and am currently looking into what is possible with either FortiSwitch NAC and/or WPA3 SAE-PK. 
 
Currently, we have AVD/App servers in Azure with Entra ID and a Fortinet Secure Branch consisting of FortiGate, FortiSwitch, FortiAP and FortiAnalyzer. There is VLAN segmentation and all VLANs terminate on the FGT. 
 
I am looking at FortiClient ZTNA to support our laptop web-filtering when off site but this is a future project and would like to deploy a solution which meets the above scope preferably without incurring additional license costs etc.
 
Has anyone done something similar and would be able to provide some guidance on design or implementation, to further secure our environment? 

Many thanks, 
Dan.  
AEK
SuperUser

Hello Dan

To do real NAC and seamless authentication you need FortiClient EMS in addition to what you already have. It will allow you to do NAC based on AD groups, posture (AV, vulnerabilities, updates, ...) and other ZTNA tags, plus IPsec, Web filter, and other features. In addition, your offsite hosts remain under control as well.

If you don't have ZTNA for the moment then you can do very basic NAC (MAC, vendor, ...). You can also do seamless authentication for your Corp hosts with FSSO, but it is L3 and less secure. You can add security with RADIUS via client certificate authentication, but here we are starting to make things more complicated than the first option.

AEK
Dan_Eng52

Hi AEK,

Thanks for the response. 

I was thinking that; unfortunately, with the "NAC Lite" features I can only, as mentioned, do very basic NAC, and due to the number of devices this just isn't feasible using MAC or vendor. We will be deploying FortiClient ZTNA but at a later date, so I need an alternative solution to bide the time. 

Since we use Entra ID I was looking into authentication with Entra ID as a SAML IdP. Do you think that this would be a good option, and do you have any experience with this? 

Outbound firewall authentication with Microsoft Entra ID as a SAML IdP | FortiGate / FortiOS 7.4.1 |...

Many thanks, 
Dan. 

Sx11
Staff

For corporate users I would suggest enforcing 802.1X with EAP-TLS.

It is also the authentication method that fulfills NIST compliance for identification and auth control.

For web filtering when hosts are off site/remote you can either use ZTNA with EMS, which will require FortiClient on all laptops, or you can use the agentless method with FortiSASE acting as a secure web gateway. In this case you can achieve authentication for users by configuring Entra ID as the SAML IdP.

https://docs.fortinet.com/document/fortisase/latest/architecture-guide/834810/sia-for-agentless-remo...

sx11
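The 802.1X/EAP-TLS approach suggested above (and the RADIUS client-certificate option AEK mentions) is driven from the FortiGate as switch controller. The following is an added illustration, not configuration from this thread or from Fortinet documentation; it assumes a RADIUS server that terminates EAP-TLS (for example NPS) reachable at 192.0.2.10, the placeholder shared secret, the policy and group names, the switch serial and the port number, all of which are invented for the example. The FortiGate itself only passes EAP through to RADIUS (eap-passthru); the certificate validation and the VLAN decision happen on the RADIUS server.

```fortios
# RADIUS server that validates the laptop's client certificate (EAP-TLS).
# 192.0.2.10 and the secret are placeholders for this example.
config user radius
    edit "RADIUS-EAP"
        set server "192.0.2.10"
        set secret "REPLACE_WITH_SHARED_SECRET"
    next
end

# User group the port-security policy points at.
config user group
    edit "CORP-DOT1X"
        set member "RADIUS-EAP"
    next
end

# Port-security policy: pure 802.1X, EAP passed through to RADIUS.
# Weak settings left disabled on purpose:
#   mac-auth-bypass enable  -> would let any device in by MAC address alone
#   open-auth enable        -> would forward traffic before authentication
#   guest-vlan / auth-fail-vlan -> only enable if that VLAN is genuinely isolated
config switch-controller security-policy 802-1X
    edit "CORP-EAP-TLS"
        set user-group "CORP-DOT1X"
        set eap-passthru enable
        set mac-auth-bypass disable
        set open-auth disable
        set guest-vlan disable
        set auth-fail-vlan disable
        set radius-timeout-overwrite disable
        # Apply the VLAN returned by RADIUS (Tunnel-Private-Group-ID) to the port
        set framevid-apply enable
    next
end

# Bind the policy to an access port; serial and port are placeholders.
config switch-controller managed-switch
    edit "S124EP_PLACEHOLDER_SERIAL"
        config ports
            edit "port5"
                set port-security-policy "CORP-EAP-TLS"
            next
        end
    next
end
```

With framevid-apply enabled, the RADIUS server decides the VLAN per laptop by returning the standard RFC 3580 attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<VLAN id>), so the FortiGate policy stays the same for every port and the "seamless" part is the machine certificate the laptop presents without user interaction. Keep mac-auth-bypass disabled unless a specific non-802.1X device class needs it, since MAB reduces the check to a spoofable MAC address, which is exactly the weakness of the "NAC Lite" MAC/vendor approach discussed earlier.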