FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Sx11
Article Id 306794
Description

 

This article describes how to leverage the 'Security Access Value' User attribute as an additional matching criterion in FortiNAC Network Access policies, alongside group membership and Roles.

 

Scope

 

FortiNAC-F, FortiNAC.

 

Solution

 

The 'Security Access Value' is a User attribute that can be used to uniquely match Hosts and apply different controls based on it.

The value is assigned to the User record after registration from one of the following sources:

 

  1. Guest/Contractor Templates:

     Figure 1. Security Access Value specified in Guest/Contractor Template

  2. Standard User login in Portal Configuration:

     Figure 2. Security Access Value specified in Portal Configuration for Standard User login

  3. Security Access Value inherited from a User attribute in the LDAP directory:

     As an example, create a user 'jdoe' in Active Directory and set its 'company' attribute to the value 'Fortinet' in the Attribute Editor tab of Active Directory Users and Computers:

     Figure 3. Attribute Editor in Active Directory Users and Computers

     Any of the attributes listed in the Attribute Editor can be used as the Security Access Value. This makes it possible to differentiate between users that share the same Role or group membership but carry different Security Access Values, and to apply different controls to them from FortiNAC.

     In FortiNAC, go to System -> Settings -> Authentication -> LDAP, select the directory, select Modify, and under User Attributes map the 'company' attribute to Security Access Value. The value is then updated for each registered LDAP user.

     Figure 4. FortiNAC LDAP configuration of Security Access Value in User Attributes

Validation:

     To test, register a host through the portal as a Standard User login (LDAP authentication) so that the Security Access Value is inherited from the LDAP attribute.

    The value is assigned to the User record in FortiNAC and the Host record will inherit it from the user.

     

    The result can be verified from the CLI as follows:

     

    execute enter-shell

    dumpuserrecords -userid jdoe


    UserRecord:
    Landscape = 91769544454 00:15:5D:E4:1F:06
    ID = 5
    Role = IT
    Type = UserRecord
    Admin Profile DBID = 0
    Directory Policy = Fortinet
    DN = CN=doe,CN=Users,DC=forti,DC=lab
    Position = null
    Email Address = null
    First Name = john
    Last Name = null
    User ID = jdoe
    Security Access Value = Fortinet

    Attribute: Directory = 10.10.10.2
    Attribute: MODEL_NAME = fortiDC
    Attribute: AuthenticateType = LDAP
    Attribute: msDS-PrincipalName = FORTI\jdoe

     

    The Host record, in turn, inherits the value from the User associated with it:

     

    Figure 5. Host record showing the inherited Security Access Value

    At this point, the Security Access Value can be used in Network Access Policies as an additional matching criterion for either the Host or the User.
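    Before making Network Access Policies depend on this attribute, it is worth confirming that every LDAP user actually received the expected Security Access Value, since a host whose user has a null value will silently fall through to a different policy. The script below is an added example, not FortiNAC tooling: it parses text in the format of the 'dumpuserrecords' output above and compares each LDAP-authenticated user's Security Access Value with the value expected from the directory attribute. The sample dump is constructed from the record shown in the article; the second user 'asmith' with a null value is hypothetical, included to show the failing case.

```python
"""Parse FortiNAC 'dumpuserrecords' output and verify Security Access Values.

Added example (not FortiNAC code). SAMPLE_DUMP is constructed from the record
format shown in the article; the second record ('asmith') is hypothetical.
"""

# Constructed sample, shaped like the output of: dumpuserrecords -userid <id>
SAMPLE_DUMP = """\
UserRecord:
Landscape = 91769544454 00:15:5D:E4:1F:06
ID = 5
Role = IT
Type = UserRecord
Admin Profile DBID = 0
Directory Policy = Fortinet
DN = CN=doe,CN=Users,DC=forti,DC=lab
Position = null
Email Address = null
First Name = john
Last Name = null
User ID = jdoe
Security Access Value = Fortinet

Attribute: Directory = 10.10.10.2
Attribute: MODEL_NAME = fortiDC
Attribute: AuthenticateType = LDAP
Attribute: msDS-PrincipalName = FORTI\\jdoe

UserRecord:
ID = 6
Role = IT
Type = UserRecord
User ID = asmith
Security Access Value = null

Attribute: AuthenticateType = LDAP
"""


def parse_user_records(text):
    """Split dump text into one dict per 'UserRecord:' block.

    'key = value' lines become top-level fields; 'Attribute: key = value' lines
    are collected under the 'attributes' sub-dict. The literal 'null' printed
    by the dump becomes None so callers can test for missing values directly.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "UserRecord:":
            current = {"attributes": {}}
            records.append(current)
            continue
        if current is None or " = " not in line:
            continue  # blank line or text outside a record
        key, value = line.split(" = ", 1)
        value = None if value == "null" else value
        if key.startswith("Attribute: "):
            current["attributes"][key[len("Attribute: "):]] = value
        else:
            current[key] = value
    return records


def check_security_access_values(records, expected):
    """Compare LDAP users' Security Access Value with the expected mapping.

    expected: {user_id: value} as held in the directory attribute (e.g. 'company').
    Only records with AuthenticateType = LDAP are checked, because guest and
    local accounts get their value from templates or the portal, not from LDAP.
    Returns (ok, problems) where problems lists users with missing or
    mismatching values.
    """
    problems = []
    for rec in records:
        if rec["attributes"].get("AuthenticateType") != "LDAP":
            continue
        uid = rec.get("User ID")
        actual = rec.get("Security Access Value")
        want = expected.get(uid)
        if actual is None:
            problems.append(f"{uid}: Security Access Value not populated")
        elif want is not None and actual != want:
            problems.append(f"{uid}: has {actual!r}, directory says {want!r}")
    return (not problems, problems)


if __name__ == "__main__":
    # Expected values would normally come from an export of the AD attribute.
    expected_from_ad = {"jdoe": "Fortinet", "asmith": "Fortinet"}
    ok, problems = check_security_access_values(
        parse_user_records(SAMPLE_DUMP), expected_from_ad)
    print("all Security Access Values consistent" if ok else "\n".join(problems))
```

    In practice, capture the dump output for the users in scope, export the directory attribute with the directory's own tooling, and run the comparison before enabling policies that match on the Security Access Value; any user reported as "not populated" would otherwise be evaluated against the remaining policy criteria only.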

 

Related documents:

User properties

Technical Tip: How to Populate a Role from a Group
