Fortinet Document Library

Administration Guide
USB/Thunderbolt external Ethernet adapters

The following information explains how FortiNAC manages records of hosts using external Ethernet adapters.

Thunderbolt adapters and docking stations

Thunderbolt Ethernet adapters are similar to USB Ethernet dongle adapters, but use the Thunderbolt connector.

Thunderbolt 2 docking stations have two Thunderbolt ports and one Ethernet port. This allows two computers to connect to the docking station over Thunderbolt, but only one computer can have network access at a time. The first computer to connect to the docking station is considered the "root user" and is associated with the Ethernet port. If a second computer connects to the docking station, it cannot access the network until the first computer disconnects from the docking station.

FortiNAC treats the records of hosts connecting to this type of docking station (as well as the adapters) in the same manner as hosts using USB Ethernet dongle adapters.

Host record management when external adapters are moved between hosts

The Persistent Agent provides information regarding adapters enabled on the host. This allows FortiNAC to associate multiple adapters to the host record (not just the one connected during host registration). In conjunction with the Persistent Agent, FortiNAC is able to identify when an external adapter is moved from one host to another and update host records accordingly.

Hosts must have the Persistent Agent installed and be communicating with FortiNAC before the adapter is moved. This prevents the second host from inheriting the network access of the original host. Otherwise, the second host appears to FortiNAC as the original host and is not detected as a new device.

If a host record contains only one adapter and the adapter is removed from the host, the host record is removed.

Adapters cannot be successfully moved between hosts using the Dissolvable Agent.

Adapter is moved between registered hosts

Example 1: Registered Host A (with Persistent Agent) to Registered Host B (with Persistent Agent):

Once the adapter is removed from Registered Host A and connected to Registered Host B, the Persistent Agent on Registered Host B will notify FortiNAC of the new adapter. FortiNAC will then remove the adapter from Registered Host A’s record and add it to Registered Host B’s record. All other adapters associated with Registered Host A remain unaffected.

Example 2: Registered Host A (with Persistent Agent) to Rogue Host B (without Persistent Agent)

When the adapter is disconnected from Registered Host A, FortiNAC is notified that the adapter associated with Registered Host A is offline. Since Rogue Host B has no Persistent Agent and therefore no way to announce which adapters it owns, the external adapter remains associated with Registered Host A’s record. If the adapter is then connected to Rogue Host B and FortiNAC sees it online, Rogue Host B is granted whatever network access policy matches Registered Host A’s record, and the adapter is shown as online for Registered Host A. The rogue host has effectively inherited the registered host’s network access.

The behavior described in Examples 2A and 2B is available in versions 8.6.4, 8.7.2 and above with additional configuration. Contact Support for assistance and reference KB article FD47971.

Example 2A: Registered Host A changes network connection

  1. Registered Host A disconnects from the external adapter.
  2. When Registered Host A changes network connection (e.g. connects to wireless), the agent communicates with FortiNAC and announces the adapters it owns. Since the external adapter is no longer connected, it is not included as one of the adapters. FortiNAC then removes the adapter from Registered Host A’s record.
  3. Rogue Host B connects using the same external adapter.
  4. A Rogue record is created for Rogue Host B and the external adapter is associated.

Example 2B: Registered Host A is offline when Rogue Host B connects

  1. Registered Host A disconnects from the external adapter and remains off the network.
  2. Rogue Host B connects using the same external adapter.
  3. Since Rogue Host B has no way to announce what adapters it owns, the external adapter will remain associated with Registered Host A’s record.
  4. After a specific amount of time has elapsed, the "Not Communicating" status is set on Registered Host A’s record and the event "Persistent Agent Not Communicating" is generated. The amount of time FortiNAC waits is the value set (in seconds) for "Agent Contact Window on Connect" under System > Settings > Persistent Agent > Security Management in the Administration UI.
  5. Registered Host A’s record continues to show the "Not Communicating" status as long as Registered Host A remains offline and Rogue Host B remains online.
  6. When Registered Host A reconnects to the network, the agent communicates with FortiNAC and announces the adapters it owns. Since the external adapter is no longer connected, it is not included, and FortiNAC removes the adapter from Registered Host A’s record.
  7. If Rogue Host B is online, a Rogue record is created for Rogue Host B with the external adapter associated.
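The rules in this section (an adapter is re-associated when an agent announces it, a record is dropped with its last adapter, the "Not Communicating" status appears after the contact window, and a rogue record is created for an adapter nobody owns) are easy to get wrong when reasoning about which host ends up with which access. The following Python model is an added illustration, not FortiNAC code: the class and method names, the 300-second contact window and the MAC strings are assumptions chosen for this example. It replays Examples 1, 2, 2A and 2B, and adds a `suspicious()` check that lists adapters shown online on a registered record whose agent has stopped communicating, which is the observable symptom of a dongle that has moved to a host without an agent.

```python
from dataclasses import dataclass, field

# Assumed value (seconds) of "Agent Contact Window on Connect" (System > Settings >
# Persistent Agent > Security Management in the real product).
CONTACT_WINDOW = 300


@dataclass
class HostRecord:
    name: str
    registered: bool                              # False = rogue record
    has_agent: bool                               # Persistent Agent installed
    adapters: set = field(default_factory=set)    # MACs the record owns
    online: set = field(default_factory=set)      # MACs currently seen online
    last_contact: float = 0.0                     # last agent communication (seconds)
    not_communicating: bool = False


class NacModel:
    """Toy model of this section's host-record rules; not FortiNAC's implementation."""

    def __init__(self):
        self.hosts, self.now, self.events = {}, 0.0, []

    def register(self, name, adapters, has_agent, registered=True):
        self.hosts[name] = HostRecord(name, registered, has_agent,
                                      set(adapters), set(), self.now)

    def owner_of(self, mac):
        return next((h for h in self.hosts.values() if mac in h.adapters), None)

    def agent_announce(self, name, adapters):
        """Persistent Agent on `name` reports every adapter it currently owns."""
        host = self.hosts[name]
        host.last_contact, host.not_communicating = self.now, False
        for mac in set(adapters):
            prev = self.owner_of(mac)
            if prev is not None and prev is not host:   # adapter moved from another host
                self._remove_adapter(prev, mac)
            host.adapters.add(mac)
        for mac in host.adapters - set(adapters):       # adapter no longer attached...
            if self._remove_adapter(host, mac):          # ...but still online on a port:
                self.adapter_online(mac)                 # whoever holds it now is a rogue

    def adapter_online(self, mac):
        """A port sees `mac` online. Returns the record whose access policy is applied."""
        owner = self.owner_of(mac)
        if owner is None:                               # unknown adapter: rogue record
            self.register(f"rogue-{mac}", [mac], has_agent=False, registered=False)
            self.events.append(f"rogue record created for {mac}")
            owner = self.hosts[f"rogue-{mac}"]
        owner.online.add(mac)
        return owner.name

    def tick(self, seconds):
        """Advance the clock; flag agent hosts that are online but silent past the window."""
        self.now += seconds
        for h in self.hosts.values():
            if (h.has_agent and h.online and not h.not_communicating
                    and self.now - h.last_contact > CONTACT_WINDOW):
                h.not_communicating = True
                self.events.append(f"Persistent Agent Not Communicating: {h.name}")

    def _remove_adapter(self, host, mac):
        was_online = mac in host.online
        host.adapters.discard(mac)
        host.online.discard(mac)
        if not host.adapters:                           # last adapter gone: record removed
            del self.hosts[host.name]
            self.events.append(f"host record removed: {host.name}")
        return was_online

    def suspicious(self):
        """Online adapters on registered records whose agent is Not Communicating (Example 2B)."""
        return sorted(mac for h in self.hosts.values()
                      if h.registered and h.not_communicating for mac in h.online)


def example_1():
    """Registered A -> registered B (both with agent); C owns only the dongle it loses."""
    nac = NacModel()
    nac.register("A", ["aa:aa", "ext:01"], has_agent=True)
    nac.register("C", ["ext:02"], has_agent=True)
    nac.register("B", ["bb:bb"], has_agent=True)
    nac.agent_announce("B", ["bb:bb", "ext:01", "ext:02"])   # B now reports both dongles
    return sorted(nac.hosts["A"].adapters), "C" in nac.hosts, sorted(nac.hosts["B"].adapters)

def example_2(host_a_reannounces):
    """Registered A (agent) -> rogue B (no agent): Example 2, or 2A if A re-announces."""
    nac = NacModel()
    nac.register("A", ["aa:aa", "ext:01"], has_agent=True)   # dongle then unplugged from A
    if host_a_reannounces:                        # 2A: A joins wireless, reports its adapters
        nac.agent_announce("A", ["aa:aa"])
    return nac.adapter_online("ext:01"), nac.owner_of("ext:01").registered

def example_2b():
    """Registered A stays offline while rogue B uses its dongle (Example 2B)."""
    nac = NacModel()
    nac.register("A", ["aa:aa", "ext:01"], has_agent=True)
    nac.adapter_online("ext:01")                  # B online, still looks like A to FortiNAC
    nac.tick(CONTACT_WINDOW + 1)                  # A's agent never checks in
    flagged = nac.suspicious()
    nac.agent_announce("A", ["aa:aa"])            # A reconnects elsewhere without the dongle
    return flagged, nac.owner_of("ext:01").name, nac.events
```

Running the scenarios makes the warning earlier in this section concrete: with no re-announcement from Host A, `example_2(False)` returns `("A", True)`, meaning the rogue host is evaluated against the registered host's policy, whereas with the re-announcement it returns a rogue record. In a real deployment the equivalent check is to review "Persistent Agent Not Communicating" events for hosts that still have an adapter shown as online.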

Adapter is moved from a registered host to a rogue

Example 1: Registered Host A (with Persistent Agent) to Rogue Host B (with Persistent Agent):

Once the adapter is removed from Registered Host A and connected to Rogue Host B, the Persistent Agent on Rogue Host B notifies FortiNAC of all adapters it owns (including the new external adapter), and the external adapter is removed from Registered Host A’s record.

All other adapters associated with Registered Host A remain unaffected.

Example 2: Registered Host A (with Persistent Agent) to Rogue Host B (without Persistent Agent):

This is the same scenario as Example 2 (with variations 2A and 2B) under "Adapter is moved between registered hosts" above. Because Rogue Host B has no agent to announce the adapters it owns, the external adapter stays on Registered Host A’s record, Rogue Host B is granted whatever network access policy matches Registered Host A’s record, and the adapter is shown as online for Registered Host A.
