This article describes how to leverage the 'Security Access Value' user attribute to apply control through NAC policies, in addition to using group membership and roles as matching criteria.
FortiNAC-F, FortiNAC.
The 'Security Access Value' can be a very helpful attribute to uniquely match Hosts and apply different controls based on it.
The value is assigned to a User after registration, based on the following:
Standard User login in Portal Configuration.
Security Access Value inherited from user Attributes in the LDAP directory.
For this example, a user 'jdoe' is created in AD and the attribute 'company' is set to the value 'Fortinet' in the Attribute Editor:
Any of the listed attributes can be used as 'Security Access Value'. The benefit of this is that it is possible to leverage unique elements to apply control from FortiNAC and differentiate between users that may have the same Roles or group membership but unique Security Access Values.
In FortiNAC in System -> Settings -> Authentication -> LDAP -> Modify -> User Attributes, add the 'company' attribute as the Security Access Value to be updated for each registered LDAP user.
Validation.
To test, perform registration as a Standard User login through the portal (LDAP authentication), using the Security Access Value inherited from LDAP.
The value is assigned to the User record in FortiNAC and the Host record will inherit it from the user.
It is possible to verify this from the CLI as follows:
execute enter-shell
dumpuserrecords -userid jdoe
UserRecord:
Landscape = 91769544454 00:15:5D:E4:1F:06
ID = 5
Role = IT
Type = UserRecord
Admin Profile DBID = 0
Directory Policy = Fortinet
DN = CN=doe,CN=Users,DC=forti,DC=lab
Position = null
Email Address = null
First Name = john
Last Name = null
User ID = jdoe
Security Access Value = Fortinet
Attribute: Directory = 10.10.10.2
Attribute: MODEL_NAME = fortiDC
Attribute: AuthenticateType = LDAP
Attribute: msDS-PrincipalName = FORTI\jdoe
The host will additionally inherit the value from the user associated with it:
At this point, it is possible to leverage the Security Access Value in the Network Access policies as additional matching criteria for either Hosts or Users.
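As an added validation aid (not part of the Fortinet article or product), the following Python parses the plain-text 'dumpuserrecords' output shown above and flags any LDAP-authenticated user whose Security Access Value is 'null' or differs from the value expected from the directory attribute. The sample dump and the user 'asmith' are constructed for the example.

```python
# Added example (not from the Fortinet article): parse the plain-text
# "dumpuserrecords" output and flag LDAP users whose Security Access
# Value is unset or differs from the expected directory attribute.
import re

# Constructed sample in the article's record layout; 'asmith' is a
# hypothetical user whose value was never inherited from LDAP.
SAMPLE_DUMP = """\
UserRecord:
Directory Policy = Fortinet
DN = CN=doe,CN=Users,DC=forti,DC=lab
User ID = jdoe
Security Access Value = Fortinet
Attribute: AuthenticateType = LDAP
UserRecord:
User ID = asmith
Security Access Value = null
Attribute: AuthenticateType = LDAP
"""

# Lazy key group stops at the first '=' so DN values containing '=' survive.
LINE_RE = re.compile(r"^(?:Attribute:\s*)?(?P<key>[^=]+?)\s*=\s*(?P<val>.*)$")

def parse_user_records(dump: str) -> list[dict[str, str]]:
    """One dict per 'UserRecord:' block; directory attrs get an 'attr.' prefix."""
    records: list[dict[str, str]] = []
    for line in dump.splitlines():
        line = line.strip()
        if line == "UserRecord:":
            records.append({})
        elif records and (m := LINE_RE.match(line)):
            key = m.group("key")
            if line.startswith("Attribute:"):
                key = "attr." + key  # avoid colliding with FortiNAC's own fields
            records[-1][key] = m.group("val")
    return records

def check_security_access_value(dump: str, expected: dict[str, str]) -> list[str]:
    """Findings for LDAP users whose value is 'null' or not the expected one."""
    findings = []
    for rec in parse_user_records(dump):
        if rec.get("attr.AuthenticateType") != "LDAP":
            continue
        uid = rec.get("User ID", "?")
        sav = rec.get("Security Access Value", "null")
        if sav == "null":
            findings.append(f"{uid}: Security Access Value not set")
        elif uid in expected and sav != expected[uid]:
            findings.append(f"{uid}: '{sav}' differs from LDAP value '{expected[uid]}'")
    return findings
```

Run it against a real dump by piping the 'dumpuserrecords' output into 'check_security_access_value' together with the expected 'company' values exported from AD; any finding means a policy relying on this attribute would not match that user as intended.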
Copyright 2024 Fortinet, Inc. All Rights Reserved.