Fortinet Document Library


Administration Guide


When no profile or policy exists

The following describes authentication scenarios when no authentication profile or policy exists. In these cases, authentication was done via LDAP using the configuration in System > Settings > Authentication > LDAP.

Without an authentication policy, no host is marked with a red "A" to indicate the need to authenticate or to force authentication.

Wired connection and wireless MAC auth (authentication set to enforce)

You must have a Passive Agent configuration set up in order to obtain logged on users via the Passive Agent.

When the Passive Agent configuration is set to Register Host by User and a directory user logs into the host/domain where the rogue is registered, a logged on user is displayed. The logged on user is the user who is logged onto the domain. When the user logs off the domain, the logged on user in FortiNAC is removed.

If the Passive Agent configuration is not set to register the host, the host must be registered by another method. Once registered, whenever the host is logged onto a domain, the logged on user is set to the domain user.

If an online host with a logged on user disconnects before the user logs off, the logged on user is removed from the host after 10 minutes. A red "A" is displayed with the offline host, indicating a need to authenticate. When the host connects again, with or without user information from the Passive Agent, the red "A" is no longer displayed.

802.1X with the Passive Agent (authentication set to enforce)

This scenario is similar to the wired connection and wireless MAC auth (authentication set to enforce) scenario, except that the logged on user is initially set to the 802.1X user and is then switched to the user logged onto the domain.

802.1X without Passive Agent (authentication set to enforce)

When registered via the Portal, the logged on user is displayed as the 802.1X user.

Wired connection registering via the pop-up dialog provided by the Passive Agent

The rogue is connected to a port that is not set to force authentication. After the user enters directory credentials, the host is registered to that user, and there is no logged on user.
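The scenarios above share one lifecycle for the logged on user: a domain logon from the Passive Agent sets it, a logoff clears it, and a disconnect without logoff clears it after 10 minutes and marks the offline host with the red "A" until it connects again. The following is an added illustrative model of those rules, written for this page and not FortiNAC code; the class, method names, and the assumption that "10 minutes" is measured from the moment of disconnect are the example's own.

```python
"""Illustrative model of the FortiNAC logged-on-user lifecycle described
above (added example, not FortiNAC code). Method names, the Host class
and the timer base are assumptions made for this example."""
from dataclasses import dataclass
from typing import Optional

# "the logged on user is removed from the host after 10 minutes"
LOGOFF_GRACE_SECONDS = 10 * 60


@dataclass
class Host:
    mac: str
    registered: bool = False            # an unregistered host is a "rogue"
    online: bool = False
    logged_on_user: Optional[str] = None
    needs_auth: bool = False            # the red "A" marker
    disconnected_at: Optional[float] = None   # assumed timer base

    def dot1x_auth(self, user: str, now: float) -> None:
        """802.1X scenario: logged on user starts as the 802.1X user."""
        self.online = True
        self.disconnected_at = None
        self.needs_auth = False
        if self.registered:
            self.logged_on_user = user

    def passive_agent_logon(self, user: str, now: float,
                            register_by_user: bool) -> None:
        """Directory user logs onto the domain from this host."""
        if not self.registered:
            if not register_by_user:
                return   # host must be registered by another method first
            self.registered = True      # "Register Host by User"
        self.online = True
        self.disconnected_at = None
        self.logged_on_user = user      # replaces any 802.1X user
        self.needs_auth = False

    def passive_agent_logoff(self) -> None:
        """User logs off the domain: logged on user is removed."""
        self.logged_on_user = None

    def disconnect(self, now: float) -> None:
        """Host goes offline without the user having logged off."""
        self.online = False
        self.disconnected_at = now

    def tick(self, now: float) -> None:
        """Apply the 10-minute rule to an offline host (assumed timer base)."""
        if (not self.online and self.logged_on_user is not None
                and self.disconnected_at is not None
                and now - self.disconnected_at >= LOGOFF_GRACE_SECONDS):
            self.logged_on_user = None
            self.needs_auth = True      # red "A" shown on the offline host

    def connect(self, now: float, user: Optional[str] = None) -> None:
        """Host reconnects, with or without user info from the agent."""
        self.online = True
        self.disconnected_at = None
        self.needs_auth = False         # red "A" no longer displayed
        if user is not None:
            self.logged_on_user = user


def disconnect_without_logoff() -> list:
    """Walk the edge case from the wired/wireless MAC auth scenario and
    return (logged_on_user, needs_auth) after each step."""
    h = Host(mac="00:11:22:33:44:55")   # constructed sample host
    h.passive_agent_logon("alice", now=0, register_by_user=True)
    states = [(h.logged_on_user, h.needs_auth)]
    h.disconnect(now=100)
    h.tick(now=100 + LOGOFF_GRACE_SECONDS - 1)   # still within grace
    states.append((h.logged_on_user, h.needs_auth))
    h.tick(now=100 + LOGOFF_GRACE_SECONDS)       # grace expired
    states.append((h.logged_on_user, h.needs_auth))
    h.connect(now=2000)                          # reconnect, no user info
    states.append((h.logged_on_user, h.needs_auth))
    return states


if __name__ == "__main__":
    for step, state in zip(["logon", "grace", "expired", "reconnect"],
                           disconnect_without_logoff()):
        print(f"{step:10s} logged_on_user={state[0]!r} red_A={state[1]}")
```

The model also captures the 802.1X scenario: calling `dot1x_auth` on a registered host sets the 802.1X user, and a later `passive_agent_logon` replaces it with the domain user, which is the switch the text describes.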
