Registration Use Cases: Company Assets

Windows Domain (Silent Onboard (Single-Sign-On))

Windows machines are automatically registered when the user logs on to the domain. This method is recommended for Windows domain machines and is transparent to the end user.

How it Works:

The agent listens for changes in the Windows logon sessions. Any session activity (such as logon, logoff, lock, unlock or remote connection) triggers the agent to send the information to FortiNAC.

  1. The Persistent Agent and applicable Persistent Agent Settings are pushed to the domain machines.

  2. User enters credentials to log on to the Windows domain.

  3. The Persistent Agent submits the NETBIOS domain name and sAMAccountName to FortiNAC.

  4. FortiNAC determines the directory group to which the user belongs.

  5. If the directory group matches, the applicable Passive Agent Configuration is applied.

  6. Based on the Passive Agent Configuration, the Windows machine is registered.

Requirements:

  • Under System > Settings > LDAP > User Attributes, Identifier = sAMAccountName

  • Agent Deployment Method: Software Management Program

  • Windows machine is a member of a domain

  • User ID is a valid User ID in the domain

  • User account must have Last Name

Review Software Modifiable Settings for the Persistent Agent for other settings that may need to be modified.
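The requirements above can be checked from the endpoint itself before the agent is pushed, which avoids chasing a registration that was never going to succeed. The script below is an added example, not Fortinet's code; it assumes the directory "Last Name" is the Active Directory `sn` attribute and uses a placeholder FortiNAC hostname. Run it on a domain-joined machine as the logged-on domain user.

```powershell
# Added example (not Fortinet's code): pre-flight check of the Silent Onboard
# requirements on a Windows domain machine, run as the logged-on domain user.
# Assumptions: the FortiNAC hostname below is a placeholder; "Last Name" is
# taken to be the AD 'sn' attribute.

param(
    [string]$FortiNacHost = 'fortinac.example.com'   # placeholder, replace with the appliance FQDN
)

$results = [ordered]@{}

# Requirement: the Windows machine is a member of a domain
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['Domain member'] = [bool]$cs.PartOfDomain

# Requirement: the user ID is a valid domain user (a domain logon, not a local account)
$results['Domain logon'] = ($env:USERDOMAIN -ne $env:COMPUTERNAME)

# Requirement: the user account has a Last Name. The agent submits sAMAccountName,
# so look the current user up by that attribute, the same identifier FortiNAC uses.
$lastName = $null
if ($results['Domain member'] -and $results['Domain logon']) {
    try {
        $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$($env:USERNAME)))"
        $searcher.PropertiesToLoad.AddRange([string[]]@('sn', 'sAMAccountName'))
        $hit = $searcher.FindOne()
        if ($hit) {
            $sn = $hit.Properties['sn']
            if ($sn.Count -gt 0) { $lastName = [string]$sn[0] }
        }
    } catch {
        Write-Warning "Directory lookup failed: $($_.Exception.Message)"
    }
}
$results['Last Name set'] = -not [string]::IsNullOrWhiteSpace($lastName)

# Not a listed requirement, but the agent cannot register if its home server does not resolve
$results['FortiNAC host resolves'] = [bool](Resolve-DnsName -Name $FortiNacHost -ErrorAction SilentlyContinue)

# Report one line per check; non-zero exit lets a deployment tool flag the machine
$results.GetEnumerator() | ForEach-Object {
    '{0,-25} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($results.Values -contains $false) { exit 1 }
```

A FAIL on "Last Name set" is the one most often missed: the account logs on fine, the agent reports it, and FortiNAC still does not register the host because the user record is incomplete.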

Configure

Important: To prevent network interruption, register all Windows domain assets from within the production network prior to the enforcement phase of the implementation.

  1. Navigate to System > Settings > Persistent Agent > Credential Configuration.

  2. Select “Enable Registration” and “Register as Device.”

  3. Select Authentication Type.

  4. Click Save Settings.

  5. Navigate to Policy & Objects > Passive Agent.

  6. Click Add.

  7. Configure the Passive Agent Rule to register Windows domain machines during the initial push of the agents. Set the following:

    • Whether the rule applies only to members of a specific AD group.

    • Register As: Device.

    • Whether or not the host will be scanned.

    • FortiNAC Host Group to which the host will be added. Adding hosts to a group (such as “Company Assets”) helps keep track of which hosts were registered using this rule and not by some other means.

  8. Click OK.

  9. Verify FortiNAC can match a userID against the rule:

    • Click Test

    • Enter a User Name that should authenticate to the domain.

    • Enter Domain Name

    • Click OK

    • A message should display stating the rule matches.

  10. Configure any other necessary FortiNAC configurations. See FortiNAC Settings.

  11. Push Persistent Agent settings to existing Windows machines using a software management program. See Stage Agent for Deployment - Software Management Program.

    32-bit operating systems (Registry Key): HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Bradford Networks\Persistent Agent

    64-bit operating systems (Registry Key): HKLM\Software\wow6432node\Policies\Bradford Networks\Persistent Agent

Recommended Persistent Agent Settings

Each entry lists the Option, its registry Value name, Data Type, Data (the value to set) and Function.

  • Home Server
    Value: homeServer
    Data Type: String
    Data: FortiNAC Server or Application Server fully-qualified hostname
    Function: Name of the FortiNAC appliance with which the agent must communicate.

  • Allowed Servers
    Value: allowedServers
    Data Type: String
    Data: Comma-separated list of fully-qualified hostnames with which the agent can communicate, for example a.example.com,b.example.com (Important: no spaces between commas and names)
    Function: Needed if the agent could potentially roam to multiple FortiNAC appliances (NCM environment or High Availability).

  • Restrict Roaming
    Value: restrictRoaming
    Data Type: DWORD
    Data: 1
    Function: Agent will only communicate with the server names provided by the homeServer and allowedServers settings.

  • Login Dialog
    Value: LoginDialogDisabled
    Data Type: DWORD
    Data: 1
    Function: Credential popup will not display to the user.

  • System Tray Icon
    Value: ShowIcon
    Data Type: DWORD
    Data: 0
    Function: System tray icon will not display.

  • Balloon Notifications
    Value: ClientStateEnabled
    Data Type: DWORD
    Data: 0
    Function: State change notifications will not display.

  1. Push Persistent Agent installer (.msi) to existing Windows machines using a software management program. It is not necessary to reboot the domain machine.

  2. Once the agent has been pushed, Windows machines will register the next time they are logged in to the domain.
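The registry key and the recommended values above are what the software management program has to deliver. The script below is an added example, not Fortinet's or the agent's own code: it selects the key path by OS bitness, builds allowedServers from a list so the "no spaces" rule cannot be broken by hand-editing, writes each value with an explicit type, and reads the key back so the package fails loudly instead of leaving drift. The hostnames are placeholders; run it elevated on the target machine.

```powershell
# Added example (not Fortinet's code): apply the Recommended Persistent Agent
# Settings to the policy key the agent reads, then verify them.
# Assumptions: hostnames are placeholders; the script runs elevated.

param(
    [string]$HomeServer       = 'fortinac-a.example.com',                                   # placeholder
    [string[]]$AllowedServers = @('fortinac-a.example.com', 'fortinac-b.example.com')       # placeholder
)

# Key path differs by OS bitness (32-bit: SOFTWARE\Policies\...; 64-bit: the wow6432node view)
$keyPath = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\Software\wow6432node\Policies\Bradford Networks\Persistent Agent'
} else {
    'HKLM:\SOFTWARE\Policies\Bradford Networks\Persistent Agent'
}

# allowedServers must be comma-separated with no spaces. Build it from a list and
# reject anything that is not a bare hostname, so a stray space or scheme cannot creep in.
foreach ($h in ($AllowedServers + $HomeServer)) {
    if ($h -notmatch '^[A-Za-z0-9.-]+$') { throw "Not a bare hostname: '$h'" }
}
$allowedValue = ($AllowedServers | Sort-Object -Unique) -join ','

# Desired state, taken from the Recommended Persistent Agent Settings
$desired = @(
    @{ Name = 'homeServer';          Type = 'String'; Value = $HomeServer   }
    @{ Name = 'allowedServers';      Type = 'String'; Value = $allowedValue }
    @{ Name = 'restrictRoaming';     Type = 'DWord';  Value = 1 }
    @{ Name = 'LoginDialogDisabled'; Type = 'DWord';  Value = 1 }
    @{ Name = 'ShowIcon';            Type = 'DWord';  Value = 0 }
    @{ Name = 'ClientStateEnabled';  Type = 'DWord';  Value = 0 }
)

if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

foreach ($v in $desired) {
    # -Force overwrites an existing value and re-applies the type, so a value that was
    # created earlier as the wrong type (e.g. a DWORD stored as a string) is corrected.
    New-ItemProperty -Path $keyPath -Name $v.Name -PropertyType $v.Type -Value $v.Value -Force | Out-Null
}

# Read back and compare, so the deployment reports failure rather than silently drifting
$actual = Get-ItemProperty -Path $keyPath
$bad = foreach ($v in $desired) {
    $got = $actual.($v.Name)
    if ("$got" -ne "$($v.Value)") { '{0}: expected "{1}", got "{2}"' -f $v.Name, $v.Value, $got }
}
if ($bad) {
    $bad | ForEach-Object { Write-Warning $_ }
    exit 1
}
"Persistent Agent settings applied under $keyPath"
```

Package this as a pre-installation step for the .msi push, or run it afterwards; the agent picks the values up without a reboot, as the step above states. Pairing restrictRoaming=1 with an explicit allowedServers list is what stops the agent from talking to any host that merely claims to be a FortiNAC appliance.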

Validate

If any of the below do not work as expected, see KB article Troubleshooting the Persistent Agent.

  1. Log in to the domain.

  2. Search for Windows machine in Users & Hosts > Hosts.

  3. Verify the following:

  • Host record displays as registered.

  • UserID is displayed under “Logged On User” column.

  • The appropriate Endpoint Compliance Policy matches (right click on host and select Policy Details)

  • The applicable scan runs (right click on host and select Host Health)

  • The scan result accurately reflects the machine posture (e.g. does the scan pass when it should have failed?)

After the network has been enforced:

  1. (This step applies if the only machines registering using the PA are Windows computers). Disable the “Enable registration” option in the Security Configuration > Agent Settings > Credential Configuration. This prevents automatic registration of non-domain machines that have the Persistent Agent. Note: If Mac or Linux machines are also registered using the PA, this setting must remain enabled.

  2. Use a secure staging area for newly purchased/imaged PCs to register Windows domain machines.

    • Adding the agent to the disk image is recommended.

    • Keep the switch in this area out of enforcement so the machine can log in to the domain.
