Staff

Troubleshooting Tip: How to troubleshoot EasyConnect

Forum|Forum|7 years ago
September 28, 2018
0 replies
1482 views

Description

This article describes how to troubleshoot when the Host is not moving to a new SSID using EasyConnect.
Summary of what happens when an EasyConnect Policy is applied:

The rogue host connects to an Open SSID.
The rogue host goes through the registration process in the Captive Portal.
Depending upon the device, the Endpoint Compliance Policy matches and pushes an agent.
EasyConnect Policy matches, and Supplicant Configuration is applied (defines secure SSID, encryption & cipher).
The agent attempts to move to the secure SSID.

EasyConnect Supplicant installation requirements:

Windows or Mac OS X: Dissolvable or Persistent Agent
Android: Android mobile agent
iOS: Downloads supplicant from captive portal. Ensure an old iOS mobile agent is NOT installed. Otherwise, supplicant configuration cannot be applied.

For EasyConnect functionality details, refer to Online Help or Administration and Operation topic Policies.

Scope

FortiNAC v8.x.

Solution

Define the symptom:

Review the endpoint compliance and EasyConnect policy configuration (what agent should they get and what SSID should they move to?)

When they register...

What policy do they match for endpoint compliance?
Are they getting an agent?
What policy do they match for EasyConnect?
Does the end station get a supplicant configuration applied? If not, check the characters in the password. Refer to this KB article.
Are they getting moved to the secure SSID?
What OS displays for the host in the Host View? Is it correct?

Additional information that may need to be collected: