FortiNAC Secure Network Access Control - BYOL

FortiNAC to use Entra ID as native authentication source

FortiNAC now supports username password/certification authentication from Microsoft Entra ID in RADIUS 802.1X and portal login. Username password authentication from Microsoft Entra ID in portal login is also supported. See the Microsoft Entra ID Authentication Guide.

FortiNAC SAML SSO enhancements

FortiNAC now supports comprehensive SAML 2.0 Single Sign-On (SSO) for both administrators and end users.

• Admin SAML SSO enables login via external Identity Providers (IdPs) like Microsoft Entra ID, with support for role mapping, auto account creation, and high availability.
• User SAML SSO allows end users to authenticate through the Captive Portal using IdP credentials, with group assignment based on SAML attributes.
• A simplified FortiCloud SSO option is also available for admin login, requiring minimal setup using a preconfigured IdP. See the FortiNAC SAML SSO Guide.

Armis integration

An Armis service connector now allows FortiNAC to communicate with Armis Centrix, adding devices managed by Armis onto FortiNAC as hosts, along with relevant IP, MAC Address, and compliance level info. See the Armis Integration Guide.

Secure Boot and File integrity verification

Version F 7.6.3 also introduces a new security enhancement designed to protect the system from unauthorized modifications and ensure software authenticity across all platforms.

• File Integrity Verification at Boot and Runtime: A defined set of boot-critical files are hashed and verified during boot.
• Signed Firmware Enforcement: GA firmware images are now cryptographically signed with both Fortinet and external authority signatures.
• Controlled Upgrade/Downgrade Paths: Systems running signed builds will block unsigned upgrades by default, ensuring a trusted upgrade path. Downgrade to pre-7.6.3 unsigned builds is still allowed if needed, with user confirmation.
• No Lock-In or Upgrade Dead-Ends: Customers are not restricted or locked out of their systems.
• Air-Gapped Environment Support: The integrity checks and signature verification are fully self-contained and function without internet access. The command can be accessed in CLI with: execute set-next-reboot

EMS Cloud configuration

FortiClient EMS Cloud is now supported in addition to the on-premise solution. See FortiClient EMS Integration for details.

Link Aggregation Group (LAG) support on FortiNAC appliances

FortiNAC now supports Link Aggregation, optimizing port usage by linking a group of ports together to form a single Link Aggregation Group (LAG). Aggregating ports multiplies the bandwidth between two devices, increases port flexibility, and provides link redundancy. See Aggregation and Redundancy in the CLI Reference Manual.

Enhancements

Automated certificate sync

In a High Availability system, users can now configure certificates for the secondary server directly through the primary server's GUI, streamlining certificate management across the cluster.

Improved failover time for High Availability Active-Stand-by Mode

This feature reduces failover time from the primary to the secondary node by keeping services on the secondary running at all times. See the High Availability FortiNAC-OS Guide.

Independent IP CA N+1 setup

Version F 7.6.3 introduces command line configuration support for N+1 failover port 1 independent IP. When a primary is down and the secondary takes control, the secondary can be accessed by the independent IP. Each primary server has its own independent IP settings. See the N+1 High Availability Configurations in the CLI Reference Manual.

NCM Cluster shared IP for FortiNAC manager

This feature introduces a shared IP feature similar to legacy HA. It allows administrators to access any appliance using the same IP address, regardless of which is currently acting as the primary control server-providing a single point of access for managing the HA group.

N+1 Health Check refinement

Feature simplifies and enhances the custom health check process, removing "RADIUS" and "TCP echo" types and retaining only "ICMP" and "TCP (on specific port)." The Secondary CA now automatically performs a health check on the Primary CA before promotion, eliminating the need for gateway check logic. Additionally, a CLI interface is provided to adjust health check interval parameters for greater flexibility.

Split Brain prevention

HA pairs managed by a FortiNAC Manager are now less prone to split-brain scenarios, improving overall system stability and reliability. See the High Availability FortiNAC-OS Guide.

Device Detection database with FortiGuard

This enhancement expands the FortiNAC database by incorporating new device types aligned with FortiGuard Category/Subcategory mappings. Previously, FortiNAC supported only 27 device types, while FortiGuard offers over 120 subcategories. Now, improved integration with FortiGuard's IoT detection capabilities enables FortiNAC to support over 140 device types in total. See Device Types in the Administration Guide.

Firmware upgrade enhancements

Upgrading FortiNAC from the FortiGuard Distribution Network (FDN) allows the device to automatically fetch and install the latest recommended firmware directly from Fortinet, ensuring quick access to new feature with minimal manual effort. See Updates in the Administration Guide.

TEAP enhancement

FortiNAC now supports TEAP (Tunnel Extensible Authentication Protocol) multiple authentication types (inner methods) to be performed inside the tunnel such as username/password or certificates. It supports flexible combinations of user and machine authentication. See Authenticate Devices Using TEAP.

Customize device attributes with output from Vulnerability Scanner

Vulnerability Scanner has been added as a new Service Connector type. FortiNAC now supports integration with Tenable and Qualys vulnerability scanners. Once configured, additional device attributes from the scanner output are available in the Hosts and Vulnerability views under Users & Hosts. See Vulnerability Scanner in the Administration Guide.

MS Intune integration now pulls in ownership information

An enhancement to the MS Intune MDM Service Connector on the FortiNAC side adds the display of enrolled devices, ownership in the "Host Role" column in Users & Hosts > Hosts view.

CLI Access via FortiNAC GUI

Users can now access the FortiNAC CLI directly from the FortiNAC GUI, providing easier administrative access and improved usability. See CLI Console in the Administration Guide.