Administration Guide

Using Windows domain logon credentials

With Persistent Agent Version 2.2.2 and higher, you can configure FortiNAC to authenticate users with their Windows domain logon credentials, eliminating the need for the Persistent Agent to ask for credentials. You must use Active Directory and Group Policy Objects to manage your Windows hosts. To implement this feature, your system must meet the following requirements:

  • Active Directory — You must be using Active Directory to authenticate users. The Directory must be configured in System > Settings > Authentication > LDAP. See Authentication directories for configuration information.
  • Authentication — Go to Policy > Policy Configuration. Under Authentication, click Configuration. Click Add, or select a configuration and click Modify. Make sure that Enable Authentication is selected.
  • Passive Agent Configuration — At least one Passive Agent rule or configuration must be set up. The Persistent Agent uses this configuration to process session notification information from the host. Navigate to Policy > Passive Agent Configuration. Add a configuration that is enabled and that applies to a directory group that contains all the users for whom this feature is being implemented. If you plan to have the Persistent Agent register hosts as devices, you must also include that setting in the Passive Agent Configuration you are creating.
  • Persistent Agent Properties — Navigate to Policy > Persistent Agent Properties. Under Status Notifications, disable the Provide a Log Off functionality from the tray icon for authenticated hosts option. This option can remain enabled; however, if the user logs off using the Persistent Agent icon, the host is automatically logged on again the next time the server requests credentials. If you plan to have the Persistent Agent register hosts as devices, click the Credential Configuration tab and enable the Register as Device option.

    If you want to prevent users from logging off the network using the Agent icon, you must also disable the Display a special "Needs to Authenticate" icon when a host needs to authenticate option on the Status Notifications tab. This is optional, not required.

  • GPO Templates — Download and install the latest Persistent Agent Administrative Templates.

    After installing the templates on your Windows server, you must modify the following Persistent Agent Template settings:

    • Host Name — Ensures that the Persistent Agent is communicating with the correct FortiNAC server.
    • Login Dialog — Allows you to enable or disable the Login dialog that is presented by the Persistent Agent during authentication. Disable the Login dialog to use the users' Windows login credentials.