Support Forum
neonbit
Valued Contributor

Can't find 'Redirect all non-compliant/unregistered FortiClient devices to captive portal'

I've been trying to test out the FortiClient NAC control lately and have come to a dead end trying to get non-compliant devices to be directed to a captive portal (where it explains how they don't have FortiClient installed and gives them a link).

Page 1746 of the 5.2 handbook says that "If the security policy has Redirect all non-compliant/unregistered FortiClient compatible devices to a captive portal enabled, users of non-compliant devices are redirected to a captive portal that is defined by the Endpoint NAC Download Portal replacement message".

The problem is that on 5.2.2 this option doesn't seem to exist in the webGUI or the CLI. In FortiOS 5.0 this option is available in the GUI (picture attached).

Has anyone tested this out or knows how to enable this option on 5.2?

Dave_Hall
Honored Contributor

See endpoint-compliance and endpoint-check option under Policy/policy6.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
neonbit
Valued Contributor

Thanks David, unfortunately the endpoint-check option isn't available in my policy, only the endpoint-compliance is there.

fortigate (32) # set endpoint-check enable
command parse error before 'endpoint-check'
Command fail. Return code -61

Even when I do the 'tree' command in the policy I can't see an option for endpoint-check.

fortigate (32) # tree
-- [policy] --*policyid (0,4294967294)
            |- uuid
            |- [srcintf] --*name (65)
            |- [dstintf] --*name (65)
            |- [srcaddr] --*name (65)
            |- [dstaddr] --*name (65)
            |- rtp-nat
            |- [rtp-addr] --*name (65)
            |- action
            |- send-deny-packet
            |- firewall-session-dirty
            |- status
            |- schedule (36)
            |- schedule-timeout
            |- [service] --*name (65)
            |- utm-status
            |- profile-type
            |- profile-group (36)
            |- av-profile (36)
            |- webfilter-profile (36)
            |- spamfilter-profile (36)
            |- dlp-sensor (36)
            |- ips-sensor (36)
            |- application-list (36)
            |- voip-profile (36)
            |- icap-profile (36)
            |- profile-protocol-options (36)
            |- ssl-ssh-profile (36)
            |- logtraffic
            |- logtraffic-start
            |- capture-packet
            |- wanopt
            |- wanopt-detection
            |- wanopt-passive-opt
            |- wanopt-profile (36)
            |- wanopt-peer (36)
            |- webcache
            |- webcache-https
            |- traffic-shaper (36)
            |- traffic-shaper-reverse (36)
            |- per-ip-shaper (36)
            |- nat
            |- permit-any-host
            |- permit-stun-host
            |- fixedport
            |- ippool
            |- [poolname] --*name (65)
            |- central-nat
            |- session-ttl (0,0)
            |- vlan-cos-fwd (0,0)
            |- vlan-cos-rev (0,0)
            |- inbound
            |- outbound
            |- natinbound
            |- natoutbound
            |- wccp
            |- ntlm
            |- ntlm-guest
            |- [ntlm-enabled-browsers] --*user-agent-string (65)
            |- fsso
            |- wsso
            |- rsso
            |- fsso-agent-for-ntlm (36)
            |- [groups] --*name (65)
            |- [users] --*name (65)
            |- [devices] --*name (36)
            |- auth-path
            |- disclaimer
            |- vpntunnel (36)
            |- natip
            |- match-vip
            |- diffserv-forward
            |- diffserv-reverse
            |- diffservcode-forward
            |- diffservcode-rev
            |- tcp-mss-sender (0,65535)
            |- tcp-mss-receiver (0,65535)
            |- comments
            |- label (64 xss)
            |- global-label (64 xss)
            |- auth-cert (36)
            |- auth-redirect-addr (64)
            |- redirect-url (128)
            |- identity-based-route (36)
            |- block-notification
            |- [custom-log-fields] --*field_id (36)
            |- [tags] --*name (65)
            |- replacemsg-override-group (36)
            |- srcaddr-negate
            |- dstaddr-negate
            |- service-negate
            |- endpoint-compliance
            |- timeout-send-rst
            +- captive-portal-exempt

Dave_Hall
Honored Contributor

What happens if you enable endpoint-compliance first?  Some "sub" options don't even show up unless you enable a main or master option.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
neonbit
Valued Contributor

Nope, it still doesn't show up even when endpoint-compliance is enabled :(

config firewall policy
    edit 32
        set uuid ad2d9656-7ea1-51e4-cfd2-318694170163
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "n_int"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set devices "all"
        set endpoint-compliance enable
        set av-profile "default"
        set webfilter-profile "block-malware"
        set spamfilter-profile "default"
        set ips-sensor "protect_client"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
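
Since the question in this thread comes down to "does my running config, or my firmware's CLI tree, carry this option at all", here is an added example (not code from the thread or from Fortinet) of a small parser for the `config ... edit ... set ... next ... end` syntax FortiOS prints, plus a reader for the `tree` dump, used to audit policies for endpoint-compliance. The sample config is constructed from the policy posted above with a second, hypothetical policy 33 added for contrast; the sample tree is a trimmed, constructed subset of the `tree` output pasted earlier in the thread.

```python
"""Audit FortiOS firewall policies from a pasted `show` / `tree` dump.

Added example, not from the forum thread. Assumptions: SAMPLE_CONFIG is a
constructed `show firewall policy` excerpt (policy 32 is from the thread,
policy 33 is hypothetical); SAMPLE_TREE is a constructed subset of the
`tree` output. Both are embedded so the script runs offline.
"""
import shlex

SAMPLE_CONFIG = """\
config firewall policy
    edit 32
        set uuid ad2d9656-7ea1-51e4-cfd2-318694170163
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "n_int"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set devices "all"
        set endpoint-compliance enable
        set av-profile "default"
        set nat enable
    next
    edit 33
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
"""

SAMPLE_TREE = """\
-- [policy] --*policyid (0,4294967294)
            |- uuid
            |- [srcintf] --*name (65)
            |- action
            |- session-ttl (0,0)
            |- endpoint-compliance
            +- captive-portal-exempt
"""


def parse_config(text):
    """Parse FortiOS CLI blocks into nested dicts.

    `config X` and `edit N` each open a nested dict; `next`/`end` close it;
    `set k v...` stores the value list; `unset k` drops it. A stack keeps
    nested sub-tables (config inside edit) from confusing the parser.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles the quoted names FortiOS prints
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        cur = stack[-1]
        if kw == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif kw == "set":
            cur[args[0]] = args[1:]
        elif kw == "unset":
            cur.pop(args[0], None)
        elif kw in ("next", "end"):
            stack.pop()
    return root


def policies(cfg):
    return cfg.get("firewall policy", {})


def option_present(cfg, option):
    """True if any policy in the dump carries `option` (e.g. endpoint-check)."""
    return any(option in p for p in policies(cfg).values())


def endpoint_compliance_policies(cfg):
    """Policy IDs that enforce FortiClient compliance."""
    return sorted((pid for pid, p in policies(cfg).items()
                   if p.get("endpoint-compliance") == ["enable"]), key=int)


def accept_without_endpoint_compliance(cfg):
    """Accept policies that pass devices without any compliance check: the
    gap the thread is trying to close with a captive-portal redirect."""
    return sorted((pid for pid, p in policies(cfg).items()
                   if p.get("action") == ["accept"]
                   and p.get("endpoint-compliance") != ["enable"]), key=int)


def tree_options(tree_text):
    """Option names from a `tree` dump: strip the |- / +- art and brackets."""
    names = set()
    for line in tree_text.splitlines():
        body = line.strip().lstrip("-|+ ").strip()
        if body:
            names.add(body.split()[0].strip("[]"))
    return names


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("endpoint-compliance on:", endpoint_compliance_policies(cfg))
    print("accept without compliance:", accept_without_endpoint_compliance(cfg))
    print("endpoint-check in tree:", "endpoint-check" in tree_options(SAMPLE_TREE))
```

Paste the real `show firewall policy` and `tree` output in place of the constructed samples; the tree check answers the firmware question directly, while the config audit lists which accept policies would still pass a device with no FortiClient.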

RyanS
New Contributor

Was a solution ever found for this? I am having the same issue where I have no option to redirect non-compliant devices to a captive portal.

I have my FortiClient working great with an SSL VPN connection but I want to redirect any devices that are not using the FortiClient to connect to a captive portal telling them to download the FortiClient.

Any help with this would be much appreciated. I am running 5.2.3.
