pmmauduit
New Contributor

Machine authentication FortiAuthenticator

I now use a VM FAC to achieve 802.1X authentication on the network (machine authentication). It is the FAC that sends the VLAN ID when the authentication succeeds. Is it possible to make a filter on computers and to apply a different VLAN depending on the computer?

Example: The PC of the marketing department must be in VLAN 2 and the PC of the IT department must be in VLAN 3.

Today all the PCs are in the same VLAN. I cannot configure the FAC with different VLANs; I do not see how to make a filter on computers.

Thank you for your help

ergotherego
Contributor II

I haven't gotten this setup yet on my network but want to.


It would involve a few main things:

• Joining your FAC to the domain and getting machine accounts
• Putting those machine accounts into different groups on the FAC - probably based on OU membership of the machines themselves
• In the FAC group used for certain machines, returning the proper RADIUS value to indicate the VLAN. Basically the same way you would return a FGT group name for VPN connections, except you return a different VSA and value (VLAN ID).

    xsilver_FTNT

    ergotherego

    You are on the right track. Remote user sync rules can sync LDAP users to "remote users" storage (known to FAC, but authentication is proxied to LDAP/AD as FAC does not have the user's LDAP password) and automatically assign them to groups.

    In the RADIUS Client profile, set auth to that LDAP (assuming that all the users are from the same AD/Domain/LDAP) and choose those two remote groups (one group VLAN-2, one group VLAN-3). And assign the proper RADIUS AVP (the one you are using to pass the VLAN to the NAS) containing the proper VLAN to each group.

    FAC side done.

    Kind regards,

    Tomas

    Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
    AAA, MFA, VoIP and other Fortinet stuff
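
The two posts above describe returning a per-group RADIUS attribute that tells the switch which VLAN to place the machine in. As an added example that is not from the thread or from Fortinet, the block below builds the standard RFC 3580 attribute triple (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) for a constructed VLAN-2/VLAN-3 group mapping and shows the check a NAS applies when reading it back, including the optional tag octet and malformed input. If your switch expects a vendor-specific attribute instead of these standard ones, the encoding will differ.

```python
"""RFC 3580 dynamic VLAN assignment: the Tunnel-* AVPs a RADIUS server
returns in an Access-Accept, built from a group->VLAN mapping, plus the
NAS-side check that reads them back. Added example; groups are constructed."""
import struct

# RFC 2868 attribute types and the values RFC 3580 fixes for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Constructed: one FAC user group per VLAN, as suggested in the thread.
GROUP_TO_VLAN = {"VLAN-2": 2, "VLAN-3": 3}

def vlan_attributes(group, tag=0):
    """Encode the three AVPs (Type, Length, Value) for the group's VLAN.
    Tagged integers always carry a tag octet (0 = unused); the tagged
    string omits it when tag is 0, since the VLAN digits are > 0x1F."""
    tag_octet = bytes([tag])
    values = [
        (TUNNEL_TYPE, tag_octet + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, tag_octet + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID,
         (tag_octet if tag else b"") + str(GROUP_TO_VLAN[group]).encode()),
    ]
    return b"".join(struct.pack(">BB", t, 2 + len(v)) + v for t, v in values)

def iter_avps(data):
    """Yield (type, value); a truncated or short AVP is an error, not a VLAN."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed AVP at offset %d" % pos)
        yield data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]

def assigned_vlan(data):
    """Return the VLAN ID the NAS should apply, or None unless all three
    attributes are present and consistent (missing or mismatched -> no VLAN)."""
    seen = {}
    for t, v in iter_avps(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[t] = int.from_bytes(v[1:], "big")  # skip the tag octet
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet <= 0x1F is a tag, otherwise it is data.
            seen[t] = v[1:] if v and v[0] <= 0x1F else v
    if (seen.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or seen.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return None
    group_id = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    return int(group_id) if group_id.isdigit() else None
```

A port whose Access-Accept lacks any one of the three attributes gets no VLAN from `assigned_vlan`, which mirrors why a machine left out of both FAC groups falls back to the switch default.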

    pmmauduit

    Hello

    Thank you for your reply. I managed to create two groups and assign one VLAN per group. I use machine authentication. In the RADIUS Service Client, I do not see how to specify multiple groups (Check machine authentication / Override group membership when only machine authenticated). Thank you.

    pmmauduit

    Is it possible to select multiple groups to perform machine authentication?

    ergotherego

    Someone else may know better, but I am not sure you want to override group membership in that bottom section.


    I notice you already have multiple groups selected and mapped to that realm. As long as a given machine is only a member of a single group, I believe that will do what you need.


    Let us know how it goes, very interested to see someone get this working on FAC!

    pmmauduit

    Hello,

    I managed to create rules in the user groups. Depending on the name of the machine, a specific VLAN is applied (RADIUS attribute).

    The problem is that in the configuration part of the client, I cannot select multiple groups to perform a machine authentication.

    Thanks for your help
