Anthony_E
Community Manager
Article Id 255834
Description

This article describes how to apply FortiSwitch NAC policies that take different actions depending on the specific Windows OS version detected on the connected device.

Scope

A FortiSwitch managed by FortiGate.

Solution

Consider a scenario in which the administrator intends to filter access for end devices based on their specific operating system version when they connect through a FortiSwitch.

For example, to restrict access from Windows 7 and allow every version of Windows 10.

 

Similar options to restrict access based on specific OS versions can be found in SSL VPN Portals:

 

[Screenshot: OS version restriction options in the SSL VPN portal settings]

 

This can be achieved by applying a NAC policy in the Switch Controller section.

This feature is only available when the FortiSwitch is managed by FortiGate, and device detection must be enabled on the relevant interfaces.

 

To view the connected devices, run the following command:

 

diagnose user device list
hosts
  vd root/0  20:1a:06:f8:9d:78  gen 28  req HU/18
    created 5074s  gen 17  seen 3328s  nac_segment gen 3
    hardware vendor 'Lenovo'  src fortiguard  id 0  weight 136
    type 'Home & Office'  src fortiguard  id 0  weight 136
    family 'Computer'  src fortiguard  id 0  weight 136
    os 'Windows'  src fortiguard  id 0  weight 136
    software version '7'  src mwbs  id 3334  weight 50
    host 'SUPPORT-07'  src mwbs

  vd root/0  e0:db:55:c3:27:1f  gen 27  req HU/18
    created 17936s  gen 1  seen 0s  nac_segment  gen 1
    hardware vendor 'Dell'  src mac  id 0  weight 128
    type 'Home & Office'  src fortiguard  id 0  weight 126
    family 'Computer'  src fortiguard  id 0  weight 126
    os 'Windows'  src dhcp  id 848  weight 128
    software version '10 / 2016'  src mwbs  id 3331  weight 50
    host 'DESKTOP-RAK7PQT'  src dhcp

 

Use grep to query the software version of the connected end devices:

 

diagnose user device list | grep software
    software version '7'  src mwbs  id 3334  weight 50
    software version '10 / 2016'  src mwbs  id 3331  weight 50

 

Deny access from any version of Windows 7:

 

To restrict access from Windows 7, configure a NAC policy that applies the quarantine VLAN to any device that FortiGate (via the FortiGuard IoT detection service) identifies as Windows 7. Then change the port mode from 'Static' to 'NAC'.

 

1) Configure NAC Policy:

 

[Screenshot: NAC policy 'Deny Win7' configured in the GUI]

 

config user nac-policy
    edit "Deny Win7"
        set os "Windows"
        set sw-version "7"
        set switch-fortilink "fortilink"
        set switch-mac-policy "Deny Win7"
    next
end

 

2) Apply NAC mode on the FortiSwitch Port:

 

[Screenshot: FortiSwitch port mode changed from 'Static' to 'NAC']

 

3) View the results:

 

To view the information for the Windows 7 end device, navigate to the 'FortiSwitch Client' and 'Users & Devices' tabs in the GUI.

 

[Screenshot: 'FortiSwitch Client' tab showing the quarantined Windows 7 device]

[Screenshot: 'Users & Devices' tab showing the Windows 7 device]

 

In the CLI:

 

diagnose user device list
hosts
  vd root/0  20:1a:06:f8:9d:78  gen 14  req 0
    created 1742s  gen 8  seen 704s  quarantine  gen 4
    hardware vendor 'Lenovo'  src fortiguard  id 0  weight 136
    type 'Home & Office'  src fortiguard  id 0  weight 136
    family 'Computer'  src fortiguard  id 0  weight 136
    os 'Windows'  src fortiguard  id 0  weight 136
    software version '7'  src mwbs  id 3334  weight 50
    host 'SUPPORT-07'  src llmnr

 

Allow access from any edition of Windows 10:

 

To allow Windows 10, configure a NAC policy and specify the version as '10*'. The wildcard means that any edition of Windows 10 will be accepted (for example, the '10 / 2016' version detected above). Once again, change the port mode from 'Static' to 'NAC'.

 

1) Configure NAC Policy:

 

[Screenshot: NAC policy 'Accept any Edition of Win10' configured in the GUI]

 

config user nac-policy
    edit "Accept any Edition of Win10"
        set os "Windows"
        set sw-version "10*"
        set switch-fortilink "fortilink"
        set switch-mac-policy "Accept any Edition of Win10"
    next
end

 

2) Apply NAC mode on the FortiSwitch Port:

 

[Screenshot: FortiSwitch port mode changed from 'Static' to 'NAC']

 

3) View the results:

 

View the detected clients in the 'FortiSwitch Client' and 'Users & Devices' tabs in the GUI:

 

[Screenshot: 'FortiSwitch Client' tab showing the Windows 10 device assigned to VLAN-10]

[Screenshot: 'Users & Devices' tab showing the Windows 10 device]

 

In the CLI:

 

diagnose user device list
hosts
  vd root/0  e0:db:55:c3:27:1f  gen 27  req HU/18
    created 17936s  gen 1  seen 10s  VLAN-10  gen 1
    hardware vendor 'Dell'  src mac  id 0  weight 128
    type 'Home & Office'  src fortiguard  id 0  weight 128
    family 'Computer'  src fortiguard  id 0  weight 128
    os 'Windows'  src dhcp  id 848  weight 128
    software version '10 / 2016'  src mwbs  id 3331  weight 50
    host 'DESKTOP-RAK7PQT'  src dhcp
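As an added check that is not part of the original article or of FortiOS itself, the following Python script parses 'diagnose user device list' output and reports which of the two NAC policies above (exact '7' and wildcard '10*') each detected host would hit, so the policy set can be audited offline before ports are switched to NAC mode. It assumes that '*' in sw-version behaves as a glob-style wildcard, as the article's '10*' example indicates, and the sample output is constructed from the records shown above.

```python
import re
from fnmatch import fnmatchcase
# Constructed sample modelled on the 'diagnose user device list' output in the article.
SAMPLE_OUTPUT = """hosts
  vd root/0  20:1a:06:f8:9d:78  gen 28  req HU/18
    created 5074s  gen 17  seen 3328s  nac_segment gen 3
    os 'Windows'  src fortiguard  id 0  weight 136
    software version '7'  src mwbs  id 3334  weight 50
    host 'SUPPORT-07'  src mwbs

  vd root/0  e0:db:55:c3:27:1f  gen 27  req HU/18
    created 17936s  gen 1  seen 0s  nac_segment  gen 1
    os 'Windows'  src dhcp  id 848  weight 128
    software version '10 / 2016'  src mwbs  id 3331  weight 50
    host 'DESKTOP-RAK7PQT'  src dhcp
"""
# The two NAC policies from the article. Assumption: '*' in sw-version is a glob-style wildcard.
NAC_POLICIES = [
    {"name": "Deny Win7", "os": "Windows", "sw_version": "7"},
    {"name": "Accept any Edition of Win10", "os": "Windows", "sw_version": "10*"},
]

HOST_RE = re.compile(r"^\s*vd\s+\S+\s+([0-9a-f:]{17})\b")  # start of a host record
ATTR_RE = re.compile(r"^\s*(hardware vendor|type|family|os|software version|host)\s+'([^']*)'")


def parse_device_list(text):
    """Return one dict per detected host, keyed by the attribute names printed by the CLI."""
    devices = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            devices.append({"mac": m.group(1)})
            continue
        m = ATTR_RE.match(line)
        if m and devices:
            devices[-1][m.group(1)] = m.group(2)
    return devices


def match_policy(device, policies=NAC_POLICIES):
    """Name of the first policy whose os and sw-version pattern fit the device, else None."""
    for p in policies:
        if device.get("os") == p["os"] and fnmatchcase(device.get("software version", ""), p["sw_version"]):
            return p["name"]
    return None


def evaluate(text, policies=NAC_POLICIES):
    """Map each host (by name, falling back to MAC) to the policy it would hit, for an offline audit."""
    return {d.get("host", d["mac"]): match_policy(d, policies) for d in parse_device_list(text)}
```

A host that maps to None matches no NAC policy and falls back to the port's default handling, which is worth checking for any device that should have been quarantined.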