Support Forum
azakaria
New Contributor

Fortinac dot1x combined with persistent agent need opinions

Hello,

 

Is it recommended to set up 802.1x with the persistent agent, i.e. authentication & registration with dot1x and scanning for safe / at risk / rogue with the persistent agent?

 

Regards!

FortiNAC 

2 Solutions
qasimbashir6242
New Contributor III

Hey,

From a security standpoint, combining 802.1x with a persistent agent for additional endpoint scanning seems like a solid approach to me. You're essentially layering your security, which is generally a good practice. The 802.1x handles the network-level authentication, while the persistent agent can do more in-depth scans for risk assessment.

However, you'll want to consider the overhead and potential for conflicts. Persistent agents can sometimes interfere with system operations or create false positives that could lead to legitimate devices being blocked. Also, if the agent crashes or has a vulnerability, it could potentially open up a new attack surface.

If you can test this setup in a lab environment first, I'd definitely recommend doing so. Keep an eye on resource usage, conflict with other software, and overall system stability. Also, consider the user experience—additional security layers can sometimes create more hoops for users to jump through, so you'll want to balance security with usability.

Would love to hear other opinions on this as well.

Cheers,
Ahmad


ebilcari

In addition to this, Persistent Agent is stable if it's properly configured :)

I would mention that as a starting point you can use it for visibility only (not enforcing Forced Remediation) at port/SSID Group Membership. In this way it will not affect your network until you get familiar with it, and then start enforcing it.

Endpoint Compliance Policies (Scans) can also be configured in Audit Only or Delayed. This will allow the administrator to have more time to evaluate and remediate the hosts before they are put in isolation for "At-Risk" issues.

[Screenshot: reme.PNG]

If Audit Only is enabled, the host is scanned and the information associated with the scan is recorded. If the host fails the scan, it is not marked "at risk". Therefore, it is not forced into Remediation and can continue using the network. The administrator can review the scan results and take corrective action without disrupting users on the network.

If Delayed is enabled, hosts that fail this scan are set to Pending at Risk for the number of days indicated in the Remediation Delay field. Hosts set to Pending at Risk are not placed in remediation until the number of days indicated has elapsed.

 

More information can be read in the Agent deployment guide.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
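The three scan modes described in the answer above (Audit Only, Delayed, and full enforcement) are easy to get wrong when planning a staged rollout, so here is a small, self-contained model of how a failed scan is mapped to a host state under each mode. This is an added illustration written for this page, not FortiNAC code and not from the Agent deployment guide; the mode names, the `HostState` values, the `evaluate` function and the sample scan records are all assumptions constructed here to mirror the behaviour the post describes (an Audit Only failure is only recorded, a Delayed failure sits in Pending at Risk until the Remediation Delay has elapsed, and only an At-Risk host is isolated).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class ScanMode(Enum):
    """Hypothetical names for the three compliance-policy modes in the post."""
    AUDIT_ONLY = "audit_only"   # failures are recorded, host keeps network access
    DELAYED = "delayed"         # failures become Pending at Risk for N days first
    ENFORCE = "enforce"         # failures are At-Risk (and isolated) immediately


class HostState(Enum):
    """Assumed host states; only AT_RISK leads to remediation/isolation."""
    SAFE = "safe"
    AUDIT_FAILED = "audit_failed"          # recorded for admin review only
    PENDING_AT_RISK = "pending_at_risk"    # grace period still running
    AT_RISK = "at_risk"                    # would be forced into remediation


@dataclass(frozen=True)
class ScanRecord:
    host: str
    passed: bool
    scanned_on: date
    mode: ScanMode
    remediation_delay_days: int = 0   # the "Remediation Delay" field, Delayed mode only


def evaluate(record: ScanRecord, today: date) -> HostState:
    """Map one scan result to a host state according to the policy mode."""
    if record.passed:
        return HostState.SAFE
    if record.mode is ScanMode.AUDIT_ONLY:
        # Failure is logged but the host is NOT marked at risk.
        return HostState.AUDIT_FAILED
    if record.mode is ScanMode.DELAYED:
        # Pending until the configured number of days has elapsed, then At-Risk.
        deadline = record.scanned_on + timedelta(days=record.remediation_delay_days)
        return HostState.PENDING_AT_RISK if today < deadline else HostState.AT_RISK
    return HostState.AT_RISK   # ENFORCE


def is_isolated(state: HostState) -> bool:
    """Only At-Risk hosts are placed in remediation (isolation)."""
    return state is HostState.AT_RISK


def rollout_report(records: list[ScanRecord], today: date) -> dict[str, str]:
    """Summarise what each host would experience on a given day.

    Useful when staging a rollout: shows how many users would actually be
    disrupted under the current mode before switching to enforcement.
    """
    report = {}
    for rec in records:
        state = evaluate(rec, today)
        report[rec.host] = f"{state.value} ({'isolated' if is_isolated(state) else 'on network'})"
    return report


# Constructed sample data: four hosts that all failed the same scan on 1 March.
SCAN_DAY = date(2024, 3, 1)
SAMPLE_RECORDS = [
    ScanRecord("laptop-audit", passed=False, scanned_on=SCAN_DAY, mode=ScanMode.AUDIT_ONLY),
    ScanRecord("laptop-delayed", passed=False, scanned_on=SCAN_DAY, mode=ScanMode.DELAYED,
               remediation_delay_days=5),
    ScanRecord("laptop-enforce", passed=False, scanned_on=SCAN_DAY, mode=ScanMode.ENFORCE),
    ScanRecord("laptop-clean", passed=True, scanned_on=SCAN_DAY, mode=ScanMode.ENFORCE),
]

if __name__ == "__main__":
    for day_offset in (0, 3, 5):
        day = SCAN_DAY + timedelta(days=day_offset)
        print(f"--- day {day_offset} ({day}) ---")
        for host, line in rollout_report(SAMPLE_RECORDS, day).items():
            print(f"{host:16} {line}")
```

Running the block shows the difference between the modes over time: the Audit Only host is never isolated, the Delayed host stays Pending at Risk on days 0 and 3 and only becomes At-Risk (isolated) once the 5-day delay has elapsed, while the Enforce host is isolated from day 0. That is exactly the staging the answer recommends: start in Audit Only, move to Delayed, and only then enforce.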
