Hatibi
Staff & Editor
June 24, 2022

Troubleshooting Tip: FortiNAC and FortiGate FSSO ZTA TAG troubleshooting


Description

 

This article describes how to troubleshoot FSSO TAG information and communication between FortiNAC and FortiGate.

 

Scope

 

FortiGate, FortiNAC, FSSO.

 

Solution

 

To implement this scenario, Fortinet provides the following documentation, which describes how this works and the needed requirements:

Fortinet Security Fabric/FSSO Integration Guide

 

FSSO is the passive IP-based authentication method by which users can transparently authenticate to FortiGate.

 

FortiNAC acts as a Collector Agent: it collects and compiles information about user logons.

 

The flow when a host connects to the network is as follows:

  • The host is connected to the network.
  • Switch sends MAC Notification trap to FortiNAC.
  • The host is evaluated against the existing Network Access Policies.
  • The matching access policy has a configuration that contains a TAG on the logical network.
  • The FSSO Logon message is sent to FortiGate with TAG information.

 

Important considerations:

Network access policies will not match when the host has the following status:

  • The host is not registered (appearing as Rogue in FortiNAC).
  • The host is registered but offline.

 

Other:

  • Host status has precedence over network access policies.
  • Groups/Tag information must be included in the Network Access policy configuration.
  • When the host status changes (Registered, Authenticated, Unauthenticated, At-Risk, Safe, Disabled, or Rogue), then FortiNAC will re-evaluate the network access policies.
  • When the host disconnects from the network, FortiNAC will update the FortiGate with an SSO logoff message and stop the SSO session. The network access policies that were previously applied will be removed.
  • L3 polling is required for the FortiGate model configuration in FortiNAC since SSO is an IP-based type of authentication. FortiNAC will need to frequently L3 poll the FortiGate.
  • FortiNAC will communicate with FortiGate every 15 minutes. This applies to versions 8.8.11, 9.1.5, 9.2.2, and greater.

 

Configuration Validation.

 

Validate FortiNAC configuration and Host status.

 

The host adapter shows as online in the Adapter view.

This is indicated by a green adapter icon:

 


 

 

The host has an IP showing on the FortiNAC host view.

A valid IP address from the production network should be seen.

 


 

The host matches a policy with the logical network where the TAG is defined in the model configuration.

Go to Hosts -> Select the affected host and then select -> Policy details.

 


 

The subnet is manually specified in the SSO addresses of the model configuration.

All subnets that a host is expected to belong to should be included in the SSO addresses in the FortiNAC model configuration:

 

Go to Network Inventory -> Select the FortiGate device -> Virtualized Devices -> Edit Model config for that device.

 


 

Here, it is possible to edit the SSO addresses and add New Subnets to the list:

 


 

So in this case, any host with an IP in those subnets/ranges will be assigned an FSSO Tag.

 

Additional information about SSO addresses is provided here: Addresses.

 

FortiGate is added in L3 polling group:

Select the FortiGate device model in the Inventory view and select 'Group Membership'.

Make sure L3 (IP -> MAC) polling is enabled.

 


 

Troubleshooting.

To troubleshoot SSO communication between FortiGate and FortiNAC, the following debugs will need to be inspected from both sides:

 

FortiGate CLI session:

 

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug app authd -1
diagnose debug enable

 

Display the FSSO logons from CLI.

 

diagnose debug authd fsso list

diagnose debug authd fsso list | grep < Affected user IP >

 

FortiNAC CLI Session:

 

logs
nacdebug -name BridgeManager true
nacdebug -name PolicyHelper true
nacdebug -name SSOManager true
nacdebug -name Fortinet true
nacdebug -name DeviceInterface true
tf output.master

 

The CLI output on the FortiNAC session will show events similar to the following.

SSO TAG information sent to FortiGate looks like this:

 

yams.SSOManager INFO :: 2022-02-11 15:48:51:488 :: SSOManager.sendMessage sending message to X.X.X.X for client YY:YY:YY:XX:XX:XX, MSG=UserIDMessage[logon, mac=YY:YY:YY:XX:XX:XX, ip=192.168.1.1, user=FortiLAB, tags=[LAB-USER]]

 

SSO logoff events for disconnecting hosts:

 

yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager client removed:192.168.1.1 34343 YY:YY:YY:XX:XX:XX and port YYY
yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager.logoffAdapter for YY:YY:YY:XX:XX:XX
yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager.logoffAdapter has messages on 0 UserAgents

 

SSO IP validation events:

 

yams.SSOManager FINER :: 2022-06-06 08:20:36:103 :: #76 :: SSOManager client updated:192.168.1.1 YY:YY:YY:XX:XX:XX
yams.SSOManager FINER :: 2022-06-06 08:20:36:104 :: #76 :: SSOManager.validateAdapterIP checking IP for client YY:YY:YY:XX:XX:XX
yams.SSOManager FINER :: 2022-06-06 08:20:36:104 :: #76 :: SSOManager.getIPByMAC() ending, mac = YY:YY:YY:XX:XX:XX retval = null
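As an added example (not part of this article or FortiNAC), the following Python script triages SSOManager lines of the kind shown above as they appear in output.master: per MAC it records whether a logon with tags was sent, whether the logon IP falls inside the SSO addresses configured in the model, and whether getIPByMAC() returned null, which is assumed here to mean FortiNAC had no IP for that adapter. The log lines and the SSO subnet are constructed sample values.

```python
import ipaddress
import re

# Constructed sample lines, following the SSOManager log format shown in the article.
SAMPLE_LOG = """\
yams.SSOManager INFO :: 2022-02-11 15:48:51:488 :: SSOManager.sendMessage sending message to 10.0.0.1 for client 00:11:22:33:44:55, MSG=UserIDMessage[logon, mac=00:11:22:33:44:55, ip=192.168.1.10, user=FortiLAB, tags=[LAB-USER]]
yams.SSOManager INFO :: 2022-02-11 15:49:02:001 :: SSOManager.sendMessage sending message to 10.0.0.1 for client 00:11:22:33:44:77, MSG=UserIDMessage[logon, mac=00:11:22:33:44:77, ip=10.20.30.40, user=Guest, tags=[]]
yams.SSOManager FINER :: 2022-06-06 08:20:36:104 :: #76 :: SSOManager.getIPByMAC() ending, mac = 00:11:22:33:44:66 retval = null
yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager.logoffAdapter for 00:11:22:33:44:55
"""

# Constructed SSO addresses, as entered in the FortiGate model configuration in FortiNAC.
SSO_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]

MAC = r"[0-9A-Fa-f:]{17}"
LOGON_RE = re.compile(
    rf"UserIDMessage\[logon, mac=(?P<mac>{MAC}), ip=(?P<ip>[\d.]+), "
    r"user=(?P<user>[^,\]]+), tags=\[(?P<tags>[^\]]*)\]\]")
NULL_IP_RE = re.compile(rf"getIPByMAC\(\) ending, mac = (?P<mac>{MAC}) retval = null")
LOGOFF_RE = re.compile(rf"logoffAdapter for (?P<mac>{MAC})")


def triage(log_text, sso_subnets=SSO_SUBNETS):
    """Return {mac: {"state": ..., "findings": [...]}} summarising SSO events per adapter."""
    hosts = {}

    def entry(mac):
        return hosts.setdefault(mac, {"state": None, "findings": []})

    for line in log_text.splitlines():
        if m := LOGON_RE.search(line):
            ip = ipaddress.ip_address(m["ip"])
            e = entry(m["mac"])
            e["state"], e["ip"] = "logon", str(ip)
            e["tags"] = [t.strip() for t in m["tags"].split(",") if t.strip()]
            if not e["tags"]:
                e["findings"].append("logon sent without tags: check the NAP / logical network TAG")
            if not any(ip in net for net in sso_subnets):
                e["findings"].append("logon IP outside SSO addresses: add the subnet to the model config")
        elif m := NULL_IP_RE.search(line):
            # Assumed meaning: no IP known for this MAC, so no logon can be sent for it.
            e = entry(m["mac"])
            e["state"] = "no-ip"
            e["findings"].append("no IP for MAC: verify L3 polling and the IP in Host view")
        elif m := LOGOFF_RE.search(line):
            entry(m["mac"])["state"] = "logoff"
    return hosts
```

Run `triage(SAMPLE_LOG)` against the sample to see one clean host, one host with two findings, and one host with no IP.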

 

Read FortiGate and FortiNAC SSO lists:

Run the following on FortiNAC CLI:

 

ssotool -ip <FGT_IP>

 

This command will dump the SSO sessions currently active.

 

In FortiGate, it is possible to manually perform FSSO login actions in CLI as below:

 

diagnose debug authd fsso clear-logons     -> Deletes cached login status.
diagnose debug authd fsso refresh-groups   -> Refreshes group mapping.
diagnose debug authd fsso refresh-logons   -> Resyncs the login database.

 

To expand the SSO scope in the FortiNAC CLI when using a multi-VDOM environment, and to force SSO TAGs to be sent to another L3 device when the VLAN does not terminate on the FortiGate, run:

 

globaloptiontool -name sso.expand.scope -set true

 

Note:

When this option is enabled and a host matches a Network Access Policy that has an SSO Tag, FortiNAC will also send the SSO Tag to the device on which the host matched the NAP, even though the VLAN does not terminate on that device.

 

To disable the option, do:

 

globaloptiontool -name sso.expand.scope -set false

 

For VPN connecting hosts, verify the following from FortiNAC CLI:

 

remoteaccess -dump

 

  • The output will show all of the networks associated with the FortiGates/VDOMs.
  • The IPs in the 'remoteaccess -dump' list mean that when FortiNAC sees a connection event for a host in one of those networks, it will send an FSSO tag to the associated FortiGate.

 

Documents and articles related to FSSO TAG configuration:

Technical Tip: Configuring and troubleshooting Firewall TAGs

Endpoint connector 6.2.1

FortiNAC tag dynamic address

FortiNAC

 

Working with TAC Support.

Issue a ticket to TAC support by recreating the issue and providing the information below:

  • Host MAC and IP address.
  • Timestamp when the issue was recreated.

 

After the issue is recreated, collect the debug logs as stated in the KB article below:

Technical Tip: How to get a debug log report from FortiNAC-CA or FortiNAC-Manager