FortiNAC and Docking Stations

From OISecWiki

Using docking stations in combination with Network Access Control (NAC) solutions usually presents a few problems:

  • The docking station does not support MAC address pass-through, so the MAC address seen on the network is the docking station's own. DisplayLink docking stations are notorious for this.
  • The docking station does support MAC address pass-through, but the laptop in question does not have a reserved MAC address to pass through.

Obviously the best combination is a docking station that supports MAC address pass-through and a laptop that has a reserved MAC address. However, this combination is getting rare.

Below is a Fortinet-advised option to fix the issue we have with docking stations and FortiNAC, where MAC addresses are permanently bound to the docking station rather than to the laptop. This works in conjunction with the Persistent Agent.

Internal KB 193199 notes that, when the Persistent Agent is used, FortiNAC can be configured to remove unreported adapters (adapters the agent no longer reports as connected to the host). To do this, run the following command from the CLI of the FortiNAC control server.

Enable:

globaloptiontool -name persistentAgentSecMgmt.removeUnreportedAdapters -set true

Disable:

globaloptiontool -name persistentAgentSecMgmt.removeUnreportedAdapters -set false

However, this solution has one clear disadvantage: if the laptop remains offline for a while, the docking station's MAC address remains registered and is therefore still granted access to the network.
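As an added illustration of that caveat (example code, not from the wiki or from Fortinet): a small check over an adapter inventory that flags MACs still active on the wire long after the registered host's Persistent Agent last reported them. The record fields and sample data are constructed assumptions, not a FortiNAC export format.

```python
"""Flag adapter records whose MAC is seen online while the registered host's
Persistent Agent has stopped reporting: the stale docking-station case, where
the dock's MAC stays bound to a laptop that is no longer behind it."""
from datetime import datetime, timedelta

# Constructed sample inventory (assumed layout, not a FortiNAC export):
# host name, adapter MAC, when the agent last reported the adapter as
# connected, and when the network last saw the MAC online.
RECORDS = [
    # laptop-1 is docked and its agent is reporting: nothing wrong
    {"host": "laptop-1", "mac": "00:11:22:33:44:01",
     "agent_last_report": "2024-05-01T09:00:00",
     "last_seen_online": "2024-05-01T09:05:00"},
    # laptop-2's agent went quiet days ago, yet its dock MAC is still online:
    # whatever is plugged into that dock now rides on laptop-2's registration
    {"host": "laptop-2", "mac": "00:11:22:33:44:02",
     "agent_last_report": "2024-04-20T17:00:00",
     "last_seen_online": "2024-05-01T08:30:00"},
    # laptop-3 is simply offline and its adapter is not seen either: fine
    {"host": "laptop-3", "mac": "00:11:22:33:44:03",
     "agent_last_report": "2024-04-25T12:00:00",
     "last_seen_online": "2024-04-25T12:10:00"},
]


def stale_adapters(records, grace=timedelta(hours=1)):
    """Return the MACs seen online more than `grace` after the host's agent
    last reported them. `grace` absorbs normal reporting delay; anything
    beyond it means the MAC is active without the registered host."""
    flagged = []
    for rec in records:
        reported = datetime.fromisoformat(rec["agent_last_report"])
        seen = datetime.fromisoformat(rec["last_seen_online"])
        if seen - reported > grace:
            flagged.append(rec["mac"])
    return flagged


if __name__ == "__main__":
    for mac in stale_adapters(RECORDS):
        print(f"review adapter {mac}: online without its registered host")
```

Adapters flagged this way are the ones a removeUnreportedAdapters setting cannot clean up by itself, because the host that would report them is not online.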

To circumvent this problem completely, there are really three options:

  1. Switch over to 802.1X authentication with certificates, as this does not rely on the MAC address of the client. This might be a problem in places where BYOD is normal; to really get this working correctly, all laptops should be managed. This will require an external RADIUS server and a PKI setup.
  2. Make sure all docking stations only do pass-through and all laptops have a reserved MAC address. This will be a problem with cheaper docking stations and laptops, and again, if a lot of BYOD devices are used there is not really a solution.
  3. Do not use Ethernet on the docking stations, but let all clients work on Wi-Fi.