Fortinet black logo

Administration Guide

Administrative templates for GPO

Copy Link
Copy Doc ID dc02a854-ab11-11ea-8b7d-00505692583a:941268
Download PDF

Administrative templates for GPO

Administrative templates are used to configure registry settings on Windows endpoints through Group policy objects. For the Persistent Agent and the Passive Agent, there are templates to configure the Server URL of the FortiNAC Application Server with which the agent will communicate. There are also per-computer and per-user templates to enable or disable the system tray icon or Balloon Notifications of status changes. The Balloon Notification template does not affect the Server IP and is not required.

FortiNAC does not support an Administrative Template for deploying configuration changes to macOS computers or users through GPO. You can investigate 3rd party applications, such as Likewise Enterprise that support macOS computers using Group Policy Object editor. The modifications shown in the tables below can be made in the Preferences file on macOS hosts, using the tool of your choice.

Note

The Persistent Agent running on a macOS computer can determine the server to which it should connect via DNS server records it does not require changes to Preferences.

If you are using the Persistent Agent, your Windows login credentials are automatically passed to FortiNAC. You can modify the Administrative Template to hide the Persistent Agent Login dialog and use the Windows login credentials sent by the Persistent Agent by modifying the settings in the Administrative Template. See Using Windows domain logon credentials.

Security is enabled by default. It is recommended that you update to the latest template files and configure the templates for the new security settings.

Requirements:
  • Active Directory
  • Group Policy Objects
  • Template Files From Fortinet
Templates:

The templates listed below are provided by Fortinet. You must run the installation program for the templates on your Windows server . Be sure to select the appropriate MSI for your Windows server architecture.

  • 32-bit (x86): Bradford Networks Administrative Templates.msi
  • 64-bit (x86_64): Bradford Networks Administrative Templates-x64.msi

Install a GPO template

  1. In FortiNAC, select System > Settings > Updates > Agent Packages.
  2. At the top of the Agent Distribution window click either the 32-bit (x86) or the 64-bit (x86_64) link to download the appropriate template file.
  3. Copy the template file to the domain server.
  4. On the domain server, double-click the msi file to start the installation wizard.
  5. Click through the installation wizard. When installation has completed, the Microsoft Group Policy Management Console is required to complete the installation. Refer to the Windows Server documentation for details.
  6. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  7. Right-click Computer Configuration > Administrative Templates and select Add/ Remove Templates, shows the current templates pop-up.
  8. Click Add and browse to Program Files\Bradford Networks\Administrative Templates.
    1. To use the Persistent Agent, select FortiNAC Persistent Agent.adm and click Open.
    2. To use the Passive Agent, select FortiNAC Passive Agent.adm and click Open.
  9. Click Close, and the Administrative Templates will be imported into the GPO.

Install an updated template with balloon notifications

If you already have a Fortinet Administrative Template installed for the Persistent Agent and the Balloon Notifications were ever set to anything other than Not Configured (e.g. enabled or disabled), you must unconfigure the Balloon Notifications and push the settings to your clients. When your clients have all been updated, then the new template can be installed. These templates affect the registry settings on the client host. In the case of the Balloon Notifications, removing the previous configuration before installing the new one ensures that the keys will be set correctly.

Before updating a template, be sure to record the current template settings. Existing template settings are lost when the new template is installed.

  1. In FortiNAC, navigate to System > Settings > Persistent Agent Properties.
  2. Select Security Management and make sure that Display Notifications is disabled. When you have uploaded and configured the new template, come back to this view and restore the Display Notifications option to its original state.
  3. Log into your Windows server and open the Group Policy Management Tool.
  4. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  5. Select Computer Configuration > Administrative Templates > Bradford Persistent Agent.
  6. In the pane on the right, right-click on the Balloon Notifications setting and select Properties.
  7. On the Setting tab in the Properties window, select Not Configured and click OK.
  8. When all of your clients have received the updated settings, the new template can be installed.
  9. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  10. Right-click Computer Configuration > Administrative Templates and select Add/ Remove Templates to show the current templates pop-up.
  11. Select the old template and click Remove. Follow the instructions in Install a GPO template to install the new template.

Install an updated template without balloon notifications

Note

Before updating a template, be sure to record the current template settings. Existing template settings are lost when the new template is installed.

  1. On your Windows server, open the Group Policy Management Tool.
  2. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  3. Right-click Computer Configuration > Administrative Templates and select Add/ Remove Templates to show the current templates pop-up.
  4. Select the old template and click Remove. Follow the instructions in Install a GPO template to install the new template.

Modify template settings

See the table below for settings which can be configured using the Administrative Templates provided.

Settings

Option

Definition

Persistent Agent template

Balloon Notifications

Enables or Disables Balloon Notifications on a per-host or per-user basis. This setting is not required for configuring Server IP information. Options include:

  • Enabled: Forces balloon notifications for host state changes to be enabled on the host.
  • Disabled: Forces balloon notifications for host state changes to be disabled on the host.
  • Not Configured: Use the non-policy setting (Enabled).

Login Dialog

Enables or Disables the login dialog on a per-host or per-user basis. This setting is not required for configuring Server IP information. See Using Windows domain logon credentials for further instructions. Options include:

  • Enabled: The login dialog is enabled. This can be used per-user to override a per-host setting of Disabled.
  • Disabled: The login dialog is disabled. The agent will never prompt the user for credentials. This is useful in certain Single-sign-on configurations.
  • Not Configured: The login dialog is enabled, unless overridden by a per-user configuration.

System Tray Icon

Enables or Disables the system tray icon on a per-host or per-user basis. This setting is not required for configuring Server IP information. (Requires Persistent Agent 2.2.3 or higher). Options include:

  • Enabled: The system tray icon is enabled. This can be used per-user to override a per-host setting of Disabled.
  • Disabled: The system tray icon is disabled. Disabling the system tray icon also disables the following functionality: Status Notifications (Show Network Access Status, Login, Logout), Message Logs and the About dialog.
  • Not Configured: The system tray icon is enabled, unless overridden by a per-user configuration.

Max Connection Interval

The maximum number of seconds between attempts to connect to FortiNAC.

Security settings

Security Mode

Indicates whether security is enabled or disabled.

Home Server

Server with which the agent always attempts to communicate first. Protocol configuration change requests are honored only when they are received from this server. If this servers is not set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of ServerIP.

Limit Connections To Servers

Enabled: Agent communicates only with its Home Server and servers listed under Allowed Servers list displayed.

Disabled: Agent searches for additional servers when the home server is unavailable.

Allowed Servers List: In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited, list the FQDNs of the FortiNAC Application Servers or FortiNAC Servers with which the agent can communicate.

Passive Agent template

Passive Agent

Server URL List: Comma separated list of URLs (HTTP(s)://<server_name>/<context> formatted) for the FortiNAC servers that hosts running an agent should contact. Hosts must be able to reach all of the URLs in order to run properly.

Example:

http://qa228/registration

The context portion of the Server URL is the area of the captive portal the agents should contact, such as, registration, remediation, or authentication.

Registry keys

The template setup shown in the table above modifies the Windows host's registry settings. The table below shows the modifications made to the host's registry keys by the Group Policy Object using the administrative template. If you use a tool other than GPO, you must make sure to set the appropriate keys on each host.

Upon installation of the Persistent Agent, the following key is created by default (and can be viewed using the Windows registry editor on the endstation):

HKLM\Software\Bradford Networks\Client Security Agent

When registry settings are pushed to a host via software, one or both of the following keys are created (depending upon the values pushed):

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

HKLM\Software\Policies\Bradford Networks\Persistent Agent

When the settings are pushed, the values for HKLM\Software\Bradford Networks\Client Security Agent will remain the same, but any settings altered via the software push will override those listed in the original key.

On 64-bit operating systems in RegEdit, these registry values will appear in the following key: HKLM\Software\wow6432node.

Key

Value

Data

Persistent Agent

HKLM\Software\Policies\Bradford Networks\Persistent Agent

ServerIP

The fully qualified hostname to which the agent should communicate.

Data Type: String

Default: Not Configured

HKLM\Software\Policies\Bradford Networks\Persistent Agent

ClientStateEnabled

0: Do not show balloon notifications on status changes.

1: Show balloon notifications on status changes.

Data Type: DWORD

Default: Not Configured

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

ClientStateEnabled

0: Do not show balloon notifications on status changes.

1: Show balloon notifications on status changes. Data Type: DWORD

Default: Not Configured

HKLM\Software\Policies\Bradford Networks\Persistent Agent

LoginDialogDisabled

0: Enable Login Dialog.

1: Disable Login Dialog.

Data Type: DWORD

Default: Not Configured

(Login Dialog displayed)

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

LoginDialogDisabled

0: Enable Login Dialog.

1: Disable Login Dialog.

Data Type: DWORD

Default: Not Configured

(Login Dialog displayed)

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

ShowIcon

0: Do not show the tray icon.

1: Show the tray icon.

Data Type: DWORD

Default: Not Configured

(Tray icon displayed)

HKLM\Software\Policies\Bradford Networks\Persistent Agent

ShowIcon

0: Do not show the tray icon.

1: Show the tray icon.

Data Type: DWORD

Default: Not Configured

(Tray icon displayed)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

maxConnectInterval

The maximum number of seconds between attempts to connect to FortiNAC.

Data Type: Integer

Default: 960

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

securityEnabled

0: Disable Agent Security.

1: Enable Agent Security

Data Type: Integer

Default: 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

homeServer

The fully qualified hostname of the default server with which the agent should communicate.

Data Type: String

Default: Empty

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

restrictRoaming

0: Do not restrict roaming. Allow agent to communicate with any server.

1: Restrict roaming to the home server and the allowed servers list.

Data Type: Integer

Default: 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

allowedServers

Comma-separated list of fully qualified hostnames with which the agent can communicate. If restrict roaming is enabled, the agent is limited to this list. The home server does not need to be included in this list (for example, a.example.com, b.example.com, c.example.com).

Data Type: String

Default: Empty

Passive Agent

HKEY_USERS\{SID}\Software\
Policies\Bradford Networks
\PASSIVE

ServerURL

Server URL List: Comma separated list of URLs for the FortiNAC servers that an agent should contact.

Example:

http://qa228/registration

The context portion of the Server URL is the area of the captive portal the agents should contact, such as, registration, remediation, or authentication.

HKLM\Software\Policies\Bradford Networks\PASSIVE

ServerURL

Server URL List: Comma separated list of URLs for the FortiNAC servers that an agent should contact.

Example:

http://qa228/registration

The context portion of the Server URL is the area of the captive portal the agents should contact, such as, registration, remediation, or authentication.

Deploy the Passive Agent

  1. On your Windows server open the Group Policy Management Tool.
  2. Navigate to the Group Policy Object you want to edit.
  3. Right-click the Group Policy Object and select Edit to display the GPO Editor pane.
  4. Click User Configuration > Policies > Windows > Settings Scripts (Logon/Logoff) to display the Logon and Logoff script configurations.
  5. Double click Logon for Logon Properties.
  6. Click Add and then browse to the location of FortiNAC_Passive_Agent.exe.
  7. Select FortiNAC_Passive_Agent.exe to add it to the Script Name field.
  8. Enter -logon in the Script Parameters field.
  9. Click OK.

To ensure the user is logged off the host upon logging out, do the following:

  1. Follow steps 1-4, and then double-click Logoff.
  2. Add FortiNAC_Passive_Agent.exe to the Script Name field, and then enter
    -logoff in the Script Parameter field.
  3. Click OK.

Administrative templates for GPO

Administrative templates are used to configure registry settings on Windows endpoints through Group policy objects. For the Persistent Agent and the Passive Agent, there are templates to configure the Server URL of the FortiNAC Application Server with which the agent will communicate. There are also per-computer and per-user templates to enable or disable the system tray icon or Balloon Notifications of status changes. The Balloon Notification template does not affect the Server IP and is not required.

FortiNAC does not support an Administrative Template for deploying configuration changes to macOS computers or users through GPO. You can investigate 3rd party applications, such as Likewise Enterprise that support macOS computers using Group Policy Object editor. The modifications shown in the tables below can be made in the Preferences file on macOS hosts, using the tool of your choice.

Note

The Persistent Agent running on a macOS computer can determine the server to which it should connect via DNS server records it does not require changes to Preferences.

If you are using the Persistent Agent, your Windows login credentials are automatically passed to FortiNAC. You can modify the Administrative Template to hide the Persistent Agent Login dialog and use the Windows login credentials sent by the Persistent Agent by modifying the settings in the Administrative Template. See Using Windows domain logon credentials.

Security is enabled by default. It is recommended that you update to the latest template files and configure the templates for the new security settings.

Requirements:
  • Active Directory
  • Group Policy Objects
  • Template Files From Fortinet
Templates:

The templates listed below are provided by Fortinet. You must run the installation program for the templates on your Windows server . Be sure to select the appropriate MSI for your Windows server architecture.

  • 32-bit (x86): Bradford Networks Administrative Templates.msi
  • 64-bit (x86_64): Bradford Networks Administrative Templates-x64.msi

Install a GPO template

  1. In FortiNAC, select System > Settings > Updates > Agent Packages.
  2. At the top of the Agent Distribution window click either the 32-bit (x86) or the 64-bit (x86_64) link to download the appropriate template file.
  3. Copy the template file to the domain server.
  4. On the domain server, double-click the msi file to start the installation wizard.
  5. Click through the installation wizard. When installation has completed, the Microsoft Group Policy Management Console is required to complete the installation. Refer to the Windows Server documentation for details.
  6. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  7. Right-click Computer Configuration > Administrative Templates and select Add/ Remove Templates, shows the current templates pop-up.
  8. Click Add and browse to Program Files\Bradford Networks\Administrative Templates.
    1. To use the Persistent Agent, select FortiNAC Persistent Agent.adm and click Open.
    2. To use the Passive Agent, select FortiNAC Passive Agent.adm and click Open.
  9. Click Close, and the Administrative Templates will be imported into the GPO.

Install an updated template with balloon notifications

If you already have a Fortinet Administrative Template installed for the Persistent Agent and the Balloon Notifications were ever set to anything other than Not Configured (e.g. enabled or disabled), you must unconfigure the Balloon Notifications and push the settings to your clients. When your clients have all been updated, then the new template can be installed. These templates affect the registry settings on the client host. In the case of the Balloon Notifications, removing the previous configuration before installing the new one ensures that the keys will be set correctly.

Before updating a template, be sure to record the current template settings. Existing template settings are lost when the new template is installed.

  1. In FortiNAC, navigate to System > Settings > Persistent Agent Properties.
  2. Select Security Management and make sure that Display Notifications is disabled. When you have uploaded and configured the new template, come back to this view and restore the Display Notifications option to its original state.
  3. Log into your Windows server and open the Group Policy Management Tool.
  4. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  5. Select Computer Configuration > Administrative Templates > Bradford Persistent Agent.
  6. In the pane on the right, right-click on the Balloon Notifications setting and select Properties.
  7. On the Setting tab in the Properties window, select Not Configured and click OK.
  8. When all of your clients have received the updated settings, the new template can be installed.
  9. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  10. Right-click Computer Configuration > Administrative Templates and select Add/ Remove Templates to show the current templates pop-up.
  11. Select the old template and click Remove. Follow the instructions in Install a GPO template to install the new template.

Install an updated template without balloon notifications

Note

Before updating a template, be sure to record the current template settings. Existing template settings are lost when the new template is installed.

  1. On your Windows server, open the Group Policy Management Tool.
  2. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  3. Right-click Computer Configuration > Administrative Templates and select Add/ Remove Templates to show the current templates pop-up.
  4. Select the old template and click Remove. Follow the instructions in Install a GPO template to install the new template.

Modify template settings

See the table below for settings which can be configured using the Administrative Templates provided.

Settings

Option

Definition

Persistent Agent template

Balloon Notifications

Enables or Disables Balloon Notifications on a per-host or per-user basis. This setting is not required for configuring Server IP information. Options include:

  • Enabled: Forces balloon notifications for host state changes to be enabled on the host.
  • Disabled: Forces balloon notifications for host state changes to be disabled on the host.
  • Not Configured: Use the non-policy setting (Enabled).

Login Dialog

Enables or Disables the login dialog on a per-host or per-user basis. This setting is not required for configuring Server IP information. See Using Windows domain logon credentials for further instructions. Options include:

  • Enabled: The login dialog is enabled. This can be used per-user to override a per-host setting of Disabled.
  • Disabled: The login dialog is disabled. The agent will never prompt the user for credentials. This is useful in certain Single-sign-on configurations.
  • Not Configured: The login dialog is enabled, unless overridden by a per-user configuration.

System Tray Icon

Enables or Disables the system tray icon on a per-host or per-user basis. This setting is not required for configuring Server IP information. (Requires Persistent Agent 2.2.3 or higher). Options include:

  • Enabled: The system tray icon is enabled. This can be used per-user to override a per-host setting of Disabled.
  • Disabled: The system tray icon is disabled. Disabling the system tray icon also disables the following functionality: Status Notifications (Show Network Access Status, Login, Logout), Message Logs and the About dialog.
  • Not Configured: The system tray icon is enabled, unless overridden by a per-user configuration.

Max Connection Interval

The maximum number of seconds between attempts to connect to FortiNAC.

Security settings

Security Mode

Indicates whether security is enabled or disabled.

Home Server

Server with which the agent always attempts to communicate first. Protocol configuration change requests are honored only when they are received from this server. If this servers is not set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of ServerIP.

Limit Connections To Servers

Enabled: Agent communicates only with its Home Server and servers listed under Allowed Servers list displayed.

Disabled: Agent searches for additional servers when the home server is unavailable.

Allowed Servers List: In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited, list the FQDNs of the FortiNAC Application Servers or FortiNAC Servers with which the agent can communicate.

Passive Agent template

Passive Agent

Server URL List: Comma separated list of URLs (HTTP(s)://<server_name>/<context> formatted) for the FortiNAC servers that hosts running an agent should contact. Hosts must be able to reach all of the URLs in order to run properly.

Example:

http://qa228/registration

The context portion of the Server URL is the area of the captive portal the agents should contact, such as, registration, remediation, or authentication.

Registry keys

The template setup shown in the table above modifies the Windows host's registry settings. The table below shows the modifications made to the host's registry keys by the Group Policy Object using the administrative template. If you use a tool other than GPO, you must make sure to set the appropriate keys on each host.

Upon installation of the Persistent Agent, the following key is created by default (and can be viewed using the Windows registry editor on the endstation):

HKLM\Software\Bradford Networks\Client Security Agent

When registry settings are pushed to a host via software, one or both of the following keys are created (depending upon the values pushed):

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

HKLM\Software\Policies\Bradford Networks\Persistent Agent

When the settings are pushed, the values for HKLM\Software\Bradford Networks\Client Security Agent will remain the same, but any settings altered via the software push will override those listed in the original key.

On 64-bit operating systems in RegEdit, these registry values will appear in the following key: HKLM\Software\wow6432node.

Key

Value

Data

Persistent Agent

HKLM\Software\Policies\Bradford Networks\Persistent Agent

ServerIP

The fully qualified hostname to which the agent should communicate.

Data Type: String

Default: Not Configured

HKLM\Software\Policies\Bradford Networks\Persistent Agent

ClientStateEnabled

0: Do not show balloon notifications on status changes.

1: Show balloon notifications on status changes.

Data Type: DWORD

Default: Not Configured

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

ClientStateEnabled

0: Do not show balloon notifications on status changes.

1: Show balloon notifications on status changes. Data Type: DWORD

Default: Not Configured

HKLM\Software\Policies\Bradford Networks\Persistent Agent

LoginDialogDisabled

0: Enable Login Dialog.

1: Disable Login Dialog.

Data Type: DWORD

Default: Not Configured

(Login Dialog displayed)

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

LoginDialogDisabled

0: Enable Login Dialog.

1: Disable Login Dialog.

Data Type: DWORD

Default: Not Configured

(Login Dialog displayed)

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

ShowIcon

0: Do not show the tray icon.

1: Show the tray icon.

Data Type: DWORD

Default: Not Configured

(Tray icon displayed)

HKLM\Software\Policies\Bradford Networks\Persistent Agent

ShowIcon

0: Do not show the tray icon.

1: Show the tray icon.

Data Type: DWORD

Default: Not Configured

(Tray icon displayed)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

maxConnectInterval

The maximum number of seconds between attempts to connect to FortiNAC.

Data Type: Integer

Default: 960

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

securityEnabled

0: Disable Agent Security.

1: Enable Agent Security

Data Type: Integer

Default: 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

homeServer

The fully qualified hostname of the default server with which the agent should communicate.

Data Type: String

Default: Empty

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

restrictRoaming

0: Do not restrict roaming. Allow agent to communicate with any server.

1: Restrict roaming to the home server and the allowed servers list.

Data Type: Integer

Default: 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

allowedServers

Comma-separated list of fully qualified hostnames with which the agent can communicate. If restrict roaming is enabled, the agent is limited to this list. The home server does not need to be included in this list (for example, a.example.com, b.example.com, c.example.com).

Data Type: String

Default: Empty

Passive Agent

HKEY_USERS\{SID}\Software\
Policies\Bradford Networks
\PASSIVE

ServerURL

Server URL List: Comma separated list of URLs for the FortiNAC servers that an agent should contact.

Example:

http://qa228/registration

The context portion of the Server URL is the area of the captive portal the agents should contact, such as, registration, remediation, or authentication.

HKLM\Software\Policies\Bradford Networks\PASSIVE

ServerURL

Server URL List: Comma separated list of URLs for the FortiNAC servers that an agent should contact.

Example:

http://qa228/registration

The context portion of the Server URL is the area of the captive portal the agents should contact, such as, registration, remediation, or authentication.

Deploy the Passive Agent

  1. On your Windows server open the Group Policy Management Tool.
  2. Navigate to the Group Policy Object you want to edit.
  3. Right-click the Group Policy Object and select Edit to display the GPO Editor pane.
  4. Click User Configuration > Policies > Windows > Settings Scripts (Logon/Logoff) to display the Logon and Logoff script configurations.
  5. Double click Logon for Logon Properties.
  6. Click Add and then browse to the location of FortiNAC_Passive_Agent.exe.
  7. Select FortiNAC_Passive_Agent.exe to add it to the Script Name field.
  8. Enter -logon in the Script Parameters field.
  9. Click OK.

To ensure the user is logged off the host upon logging out, do the following:

  1. Follow steps 1-4, and then double-click Logoff.
  2. Add FortiNAC_Passive_Agent.exe to the Script Name field, and then enter
    -logoff in the Script Parameter field.
  3. Click OK.