Administration Guide

USB/Thunderbolt external Ethernet adapters

The following information explains how FortiNAC manages records of hosts using external Ethernet adapters.

Thunderbolt adapters and docking stations

Thunderbolt Ethernet adapters are similar to USB Ethernet dongle adapters, but use the Thunderbolt connector.

Thunderbolt 2 docking stations have two Thunderbolt ports and one Ethernet port. This allows two computers to connect to the docking station using a Thunderbolt connection, but only one computer is able to have network access. The first computer to connect to the docking station is considered the "root user" and is associated with the Ethernet port. If a second computer connects to the docking station, it will not be able to access the network unless the first computer disconnects from the docking station.

FortiNAC treats the records of hosts connecting to this type of docking station (as well as the adapters) in the same manner as hosts using USB Ethernet dongle adapters.

Host record management when external adapters are moved between hosts

The Persistent Agent provides information regarding adapters enabled on the host. This allows FortiNAC to associate multiple adapters with the host record (not just the one connected during host registration). In conjunction with the Persistent Agent, FortiNAC is able to identify when an external adapter is moved from one host to another and update host records accordingly.

Note

Hosts must have Persistent Agent 2.2 or above installed and be communicating with FortiNAC before the adapter is moved. This prevents the second host from inheriting the network access of the original host. If the second host inherits that access, it appears as the original host and is not detected.

Note

If a host record contains only one adapter and the adapter is removed from the host, the host record is removed.

Note

Adapters cannot be successfully moved between hosts using the Dissolvable Agent.

Adapter is moved between registered hosts

Example 1: Registered Host A (with Persistent Agent) to Registered Host B (with Persistent Agent):

Once the adapter is removed from Registered Host A and connected to Registered Host B, the Persistent Agent on Registered Host B will notify FortiNAC of the new adapter. FortiNAC will then remove the adapter from Registered Host A’s record and add it to Registered Host B’s record. All other adapters associated with Registered Host A remain unaffected.

Example 2: Registered Host A (with Persistent Agent) to Registered Host B (without Persistent Agent):

When the adapter is disconnected from Registered Host A, FortiNAC is notified that the adapter is offline with Registered Host A. Since Registered Host B has no way to announce what adapters it owns, the external adapter will remain associated with Host A’s record. If the adapter is then connected to Registered Host B and FortiNAC sees it online, Registered Host B will be assigned whatever network access policy matches for Registered Host A’s record, and the adapter will be shown as online for Registered Host A.

Adapter is moved from a registered host to a rogue

Example 1: Registered Host A (with Persistent Agent) to Rogue Host B (with Persistent Agent):

Once the adapter is removed from Registered Host A and connected to Rogue Host B, the Persistent Agent on Rogue Host B will notify FortiNAC of all adapters (including the new external adapter), and the external adapter will be removed from Host A's host record.

All other adapters associated with Registered Host A remain unaffected.

Example 2: Registered Host A (with Persistent Agent) to Rogue Host B (without Persistent Agent):

When the adapter is disconnected from Registered Host A, FortiNAC is notified that the adapter is offline with Registered Host A. Since Rogue Host B has no way to announce what adapters it owns, the external adapter will remain associated with Registered Host A’s record. If the adapter is then connected to Rogue Host B and FortiNAC sees it online, Rogue Host B will be assigned whatever network access policy matches for Registered Host A’s record, and the adapter will be shown as online for Registered Host A.
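The four examples above reduce to one rule: the adapter's record only changes when the receiving host's Persistent Agent reports it. The following added sketch models that rule; it is not FortiNAC code, and the class names, policy labels and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed MAC addresses for illustration only
DONGLE, BUILTIN_A, BUILTIN_B = "00:00:5e:00:53:01", "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"

@dataclass
class Host:
    name: str
    policy: str                                   # constructed policy label
    adapters: set = field(default_factory=set)    # MACs on this host record

class Inventory:
    def __init__(self):
        self.hosts = {}                           # host name -> Host record

    def owner(self, mac):
        return next((h for h in self.hosts.values() if mac in h.adapters), None)

    def agent_report(self, name, macs, policy="b-policy"):
        """Persistent Agent on `name` announces the adapters enabled on it."""
        host = self.hosts.setdefault(name, Host(name, policy))
        for mac in macs:
            prev = self.owner(mac)
            if prev is not None and prev is not host:
                prev.adapters.discard(mac)        # moved: drop from the old record
                if not prev.adapters:             # last adapter gone: record removed
                    del self.hosts[prev.name]
            host.adapters.add(mac)

    def seen_online(self, mac):
        """Network sees the MAC online; access follows whichever record holds it."""
        rec = self.owner(mac)
        return (rec.name, rec.policy) if rec else (None, "no-record")

def move_dongle(b_has_agent):
    """Move DONGLE from registered Host A to Host B; return what gets applied."""
    inv = Inventory()
    inv.agent_report("A", {DONGLE, BUILTIN_A}, policy="staff")
    if b_has_agent:
        inv.agent_report("B", {DONGLE, BUILTIN_B})    # B announces what it owns
    return inv.seen_online(DONGLE), sorted(inv.hosts["A"].adapters)

if __name__ == "__main__":
    print(move_dongle(True))    # dongle now on B's record, A keeps its built-in adapter
    print(move_dongle(False))   # dongle still on A's record, so B gets A's access
```

In the model, the no-agent case leaves nothing in the records to distinguish Host B from Host A, which is the condition the first note's agent requirement is meant to prevent.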