Fortinet white logo
Fortinet white logo

Administration Guide

Mobile Agent

Mobile Agent

Mobile Agent is an application that works on Android devices to identify them to FortiNAC, assist with authentication and provide an inventory of installed Apps. The Mobile Agent can scan the device for indicators of rooting. Rooting is a process allowing users of devices running the Android operating system to attain privileged control (known as "root access") within Android's subsystem.

FortiNAC will only require or respond to a Mobile Agent if the Policy that applies to the host includes settings requiring the Mobile Agent. If for any reason a mobile device had a Mobile Agent installed, the user would not be able to register the device unless the policy assigned included the Mobile Agent. If the policy assigned is set to None-Deny, the mobile device is not allowed to register. If the policy is set to None-Bypass, the mobile device can be registered but not using the installed Mobile Agent.

The Mobile Agent does work within the context of FortiNAC's VPN integration.

Setup Requirements
  • Make sure the latest Agent package is installed on the FortiNAC server.
  • Add SRV records to your production DNS server that allow the agent to locate the FortiNAC Server or Application server to which it should connect. See and .
  • The Mobile device must be running Android operating system 2.3.3 or higher.
  • Users can download the agent one of two ways:
    • If the Android device is configured to allow downloads from unknown sources, the Mobile Agent can be downloaded from the captive portal. For example, configure an Android phone by choosing Settings from a Home screen, then selecting Applications and enabling the Unknown Sources option.
    • If the Android device does not allow downloads from unknown sources, the Mobile Agent must be downloaded through Google Play.
  • FortiNAC appliance must be configured with SSL and must have a valid third party SSL certificate from a certificate authority. A self-signed certificate cannot be used. See Agent server communications.
  • Create an Endpoint Compliance Policy for Android devices to control whether or not an agent is required and whether or not the device can register. See Endpoint compliance policies.
  • To prevent Rooted devices from registering, enable Root Detection in the Scans used for Mobile devices. See Add or modify a scan. When Root Detection is not enabled, the Mobile Agent still determines whether the device is rooted, but allows the device to register and appends (Rooted) to the operating system information displayed in the Host View.

    Note

    Root Detection happens only during registration. If a user registers a device and then later alters that device causing it to be Rooted, FortiNAC is not notified. You may want to age these devices out of the database quickly so the user is forced to re-register periodically.

  • Enable the Potential Rooted Device event and alarm to be notified when the Mobile Agent determines that the devices may be rooted. The event message contains the username of the user and the MAC addresses of the device. See Enable and disable events.
  • Mobile device users are authenticated based on the settings for Standard User Login. Navigate to System > Portal Configuration > Content Editor. In the tree on the left select Global > Settings and verify that the Standard User Login Type is correct.
  • You can modify the default text shown in the captive portal as mobile device users connect to the network. Navigate to System > Portal Configuration > Content Editor. In the tree on the left scroll to the Registration > Mobile Agent Download section to review or modify the download page. In the tree on the left, scroll to the Agent > Mobile section to review or modify the Login page.
Notes
  • If the Mobile device attempts to connect to the network but never reaches the agent download page and is never prompted for credentials, verify that the device is receiving an IP address within the Registration VLAN. Verify that the device is connected to the correct SSID.
  • If the user receives a message indicating that they do not have rights to access the network, verify that there is a Policy in place for mobile devices and that it is configured correctly.

Mobile Agent

Mobile Agent

Mobile Agent is an application that works on Android devices to identify them to FortiNAC, assist with authentication and provide an inventory of installed Apps. The Mobile Agent can scan the device for indicators of rooting. Rooting is a process allowing users of devices running the Android operating system to attain privileged control (known as "root access") within Android's subsystem.

FortiNAC will only require or respond to a Mobile Agent if the Policy that applies to the host includes settings requiring the Mobile Agent. If for any reason a mobile device had a Mobile Agent installed, the user would not be able to register the device unless the policy assigned included the Mobile Agent. If the policy assigned is set to None-Deny, the mobile device is not allowed to register. If the policy is set to None-Bypass, the mobile device can be registered but not using the installed Mobile Agent.

The Mobile Agent does work within the context of FortiNAC's VPN integration.

Setup Requirements
  • Make sure the latest Agent package is installed on the FortiNAC server.
  • Add SRV records to your production DNS server that allow the agent to locate the FortiNAC Server or Application server to which it should connect. See and .
  • The Mobile device must be running Android operating system 2.3.3 or higher.
  • Users can download the agent one of two ways:
    • If the Android device is configured to allow downloads from unknown sources, the Mobile Agent can be downloaded from the captive portal. For example, configure an Android phone by choosing Settings from a Home screen, then selecting Applications and enabling the Unknown Sources option.
    • If the Android device does not allow downloads from unknown sources, the Mobile Agent must be downloaded through Google Play.
  • FortiNAC appliance must be configured with SSL and must have a valid third party SSL certificate from a certificate authority. A self-signed certificate cannot be used. See Agent server communications.
  • Create an Endpoint Compliance Policy for Android devices to control whether or not an agent is required and whether or not the device can register. See Endpoint compliance policies.
  • To prevent Rooted devices from registering, enable Root Detection in the Scans used for Mobile devices. See Add or modify a scan. When Root Detection is not enabled, the Mobile Agent still determines whether the device is rooted, but allows the device to register and appends (Rooted) to the operating system information displayed in the Host View.

    Note

    Root Detection happens only during registration. If a user registers a device and then later alters that device causing it to be Rooted, FortiNAC is not notified. You may want to age these devices out of the database quickly so the user is forced to re-register periodically.

  • Enable the Potential Rooted Device event and alarm to be notified when the Mobile Agent determines that the devices may be rooted. The event message contains the username of the user and the MAC addresses of the device. See Enable and disable events.
  • Mobile device users are authenticated based on the settings for Standard User Login. Navigate to System > Portal Configuration > Content Editor. In the tree on the left select Global > Settings and verify that the Standard User Login Type is correct.
  • You can modify the default text shown in the captive portal as mobile device users connect to the network. Navigate to System > Portal Configuration > Content Editor. In the tree on the left scroll to the Registration > Mobile Agent Download section to review or modify the download page. In the tree on the left, scroll to the Agent > Mobile section to review or modify the Login page.
Notes
  • If the Mobile device attempts to connect to the network but never reaches the agent download page and is never prompted for credentials, verify that the device is receiving an IP address within the Registration VLAN. Verify that the device is connected to the correct SSID.
  • If the user receives a message indicating that they do not have rights to access the network, verify that there is a Policy in place for mobile devices and that it is configured correctly.