Linux Machines (Silent Onboard)
The Linux machine automatically registers upon connecting to the network once the installed Persistent Agent communicates with FortiNAC. This method is transparent to the end user.
How it Works:
-
Device connects to the network.
-
Persistent Agent initiates communication with FortiNAC.
-
FortiNAC registers the host as a device (the device is not associated with a user).
Note the Following:
-
This method can be used in conjunction with the Windows Domain Single-Sign-On method.
-
Logged-on users are not tracked on Mac and Linux hosts.
Requirements:
-
Agent Deployment Method: Software Management Program
-
Root access to the Linux machine
Review Software Modifiable Settings for the Persistent Agent for other settings that may need to be modified.
Configuration
-
Navigate to System > Settings > Persistent Agent > Credential Configuration.
-
Select “Enable Registration” and “Register as Device.”
-
Configure any other necessary FortiNAC configurations. See FortiNAC Settings.
-
Create the Persistent Agent Settings policy file to be pushed to Linux machines. Settings in this file override the defaults in PersistentAgent.conf.
-
Install Persistent agent on a test machine. For instructions, see section Installation for Linux of the Administration Guide.
-
In the test machine CLI, create the policy file PersistentAgentPolicy.conf by copying PersistentAgent.conf:
sudo cp /etc/xdg/com.bradfordnetworks/PersistentAgent.conf /etc/xdg/com.bradfordnetworks/PersistentAgentPolicy.conf
Note: Root access is required. If already logged in as root, sudo is not needed.
-
Modify the new policy file with the appropriate Persistent Agent settings. The following table lists the recommended settings; review Software Modifiable Settings for the Persistent Agent for additional options.
sudo vi /etc/xdg/com.bradfordnetworks/PersistentAgentPolicy.conf
Best practice: save PersistentAgentPolicy.conf as ASCII. As of FortiNAC 8.7.0, UTF-8 is also parsed.
Recommended Persistent Agent Settings
For details on these settings, see Persistent Agent on Linux in the Administration Guide.
Option                  Key in PersistentAgentPolicy.conf   Function
Home Server             homeServer                          Name of the FortiNAC appliance with which the agent must communicate.
Allowed Servers         allowedServers                      Needed if the agent could roam to multiple FortiNAC appliances (NCM environment or High Availability).
Restrict Roaming        restrictRoaming                     Agent communicates only with the server names given by homeServer and allowedServers.
Login Dialog            LoginDialogDisabled                 Credential popup is not shown to the user.
System Tray Icon        ShowIcon                            System tray icon is not shown.
Balloon Notifications   ClientStateEnabled                  State change notifications are not shown.
Example
allowedServers=a.example.com,b.example.com
restrictRoaming=true
ShowIcon=0
ClientStateEnabled=0
LoginDialogDisabled=1
-
Push PersistentAgentPolicy.conf to the /etc/xdg/com.bradfordnetworks directory of Linux machines using a software management program.
-
Push agent package to Linux machines using the software management program.
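The policy-file steps above, as an added shell example (this is not FortiNAC's own tooling): it writes PersistentAgentPolicy.conf with the recommended silent-onboard settings and sanity-checks the result before it is handed to the software management program. The server names are placeholders, the output path is a parameter so the script can be exercised in a scratch directory instead of /etc/xdg/com.bradfordnetworks, and the rule that restrictRoaming=true must be accompanied by a homeServer or allowedServers entry is this script's own check, not a documented FortiNAC requirement.

```shell
#!/bin/sh
# Added example, not FortiNAC code. Builds and validates a
# PersistentAgentPolicy.conf for Linux silent onboarding.

# write_policy OUTFILE HOMESERVER ALLOWEDSERVERS
# Writes the keys from the recommended-settings table. HOMESERVER and
# ALLOWEDSERVERS are supplied by the caller (example.com names below are
# placeholders, not real appliances).
write_policy() {
    out="$1"; home="$2"; allowed="$3"
    cat > "$out" <<EOF
homeServer=$home
allowedServers=$allowed
restrictRoaming=true
LoginDialogDisabled=1
ShowIcon=0
ClientStateEnabled=0
EOF
}

# check_policy FILE
# Returns 0 when FILE is plain ASCII (required before FortiNAC 8.7.0), every
# silent-onboard key carries its recommended value, and restrictRoaming=true
# is not set without any server name to restrict the agent to (script's own
# rule, assumed from the restrictRoaming description).
check_policy() {
    f="$1"
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }

    # Delete every byte in 0x00-0x7F; anything left over is non-ASCII.
    nonascii=$(( $(tr -d '\000-\177' < "$f" | wc -c) ))
    if [ "$nonascii" -ne 0 ]; then
        echo "non-ASCII bytes in $f (save as ASCII)" >&2; return 1
    fi

    # Each key must appear exactly as key=value on its own line.
    for kv in restrictRoaming=true LoginDialogDisabled=1 ShowIcon=0 ClientStateEnabled=0; do
        grep -q "^$kv\$" "$f" || { echo "missing or wrong setting: $kv" >&2; return 1; }
    done

    # With roaming restricted, the agent needs at least one named server.
    if ! grep -q '^homeServer=..*' "$f" && ! grep -q '^allowedServers=..*' "$f"; then
        echo "restrictRoaming=true but neither homeServer nor allowedServers is set" >&2
        return 1
    fi
    return 0
}

# Usage: build the file in a scratch directory, check it, then let the
# software management program place it in /etc/xdg/com.bradfordnetworks/.
tmp=$(mktemp -d)
write_policy "$tmp/PersistentAgentPolicy.conf" "nac.example.com" "nac-a.example.com,nac-b.example.com"
if check_policy "$tmp/PersistentAgentPolicy.conf"; then
    echo "policy OK: $tmp/PersistentAgentPolicy.conf"
fi
rm -rf "$tmp"
```

Run the check on the file the management tool will actually push, not just on a hand-edited copy: an editor that saves UTF-8 with a byte-order mark or a pasted smart quote is enough to make an older agent ignore the whole file, and the host then registers with the default interactive settings.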
Validate
-
Connect host to network.
-
Search for the Linux machine in Users & Hosts > Hosts.
-
Verify the following:
-
Host record displays as registered.
-
The "Logged On User" column is empty: this method registers the host as a device, and logged-on users are not tracked on Linux.
-
The appropriate Endpoint Compliance Policy matches (right click on host and select Policy Details)
-
The applicable scan runs (right click on host and select Host Health)
-
The scan result accurately reflects the machine posture (e.g. does the scan pass when it should have failed?)
-
If any of the above do not work as expected, see KB article Troubleshooting the Persistent Agent.
After the network has been enforced:
-
Leave “Register as Device” enabled.
-
Create a scan policy that checks for a specific value identifying the host as a managed asset.
-
Do one of the following:
-
Enable Forced Remediation. If the host fails the scan, the host will register. However, it will be marked “At Risk” and placed in an Isolation VLAN.
-
Alternative to Forced Remediation: send an email notification for the Security Risk Host event. Note: without Forced Remediation, a non-domain machine running the Persistent Agent that auto-registers may gain access to the production network, and the notification is the only signal that it did.