Troubleshooting Tip: MDM registration issues
Description
This article describes the steps needed to identify why MDM users are not registering in FortiNAC.
Scope
FortiNAC, FortiNAC-F.
Solution
- Verify the user is registered in the MDM.
  - If the user is not registered, troubleshoot the MDM and the user. Contact the MDM vendor for additional assistance.
- The host is registered in the MDM but shows as Rogue in FortiNAC. In the Administration UI, search for the MAC address in Users & Hosts -> Hosts and proceed according to what the host record shows:
  - Host record cannot be found or shows offline:
    - FortiNAC is either not receiving or not processing RADIUS from the wireless controller/Access Point to which the device connects.
    - L2 polling is not working.
  - Host record shows online but is not registered (displays as a Rogue "?"):
    - All devices registering through MDM are affected. Go to Network -> Service Connectors.
      - Verify On-Demand Registration is enabled in the MDM service connector. This allows FortiNAC to query the MDM and register the device based on the MDM's data.
      - Highlight the MDM, right-click the service connector and select 'Poll Now'. Note any errors that are generated; errors here indicate communication issues between FortiNAC and the MDM.
      - To investigate further, enable the following debugs in the FortiNAC CLI and check the output after selecting 'Poll Now'.
        FortiNAC (CentOS):
          logs
          nacdebug -name MdmManager true
        Depending on the MDM vendor, additionally enable one of the following:
          nacdebug -name FortinetEMSServer true
          nacdebug -name AirWatchServer true
          nacdebug -name XenMobileServer true
          nacdebug -name GoogleGSuiteServer true
          nacdebug -name JamfServer true
          nacdebug -name Maas360Server true
          nacdebug -name MSInTuneServer true
          nacdebug -name MobileIronServer true
          nacdebug -name NozomiServer true
          tf output.master
        FortiNAC-F (NACOS):
          diagnose debug plugin enable MdmManager
          diagnose debug plugin enable FortinetEMSServer   <-- Replace 'FortinetEMSServer' with the plugin matching the MDM vendor, as listed above.
          diagnose tail -F output.master
        Disable debugging once the output has been collected:
        FortiNAC (CentOS):
          logs
          nacdebug -name MdmManager false   <-- Repeat with 'false' for every other plugin that was enabled.
        FortiNAC-F (NACOS):
          diagnose debug plugin disable MdmManager   <-- Repeat with 'disable' for every other plugin that was enabled.
      - Check the polling interval, as it may need to be increased. Depending on the size of the MDM's database, a poll can take as long as 30 minutes to complete. If another poll is initiated before the previous one has completed, FortiNAC may not finish updating.
    - Only some devices registering through MDM are affected:
      - Verify the host has the MDM agent installed.
      - Verify Use Configured MDM is selected under Global Settings in Portal -> Portal Configuration -> Content Editor. This setting provides a means for isolated mobile devices to download the MDM agent.
  - Host record shows online and is registered, but the device remains isolated:
    - Manually disconnect the host from the SSID and reconnect it. If the host then connects successfully and receives the new VLAN access, the issue is with FortiNAC disconnecting the client in order to change its network access: either FortiNAC is not sending a 'Disconnect Message' or 'CoA request' to change the network posture, or the NAS (WLC/switch) is not acknowledging the request. See the section 'Common Errors and Misconfigurations with CoA' in the article Technical Tip: CoA Support in FortiNAC 7.4 and applying DACLs in FortiSwitch FortiLink scenario to identify the issue.
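As an added example, not part of this article and not Fortinet's tooling, the POSIX shell script below generates the enable and disable command sequences from the debug steps above for either platform, using the vendor plugin names the article lists. It rejects plugin names outside that list and always pairs MdmManager with the chosen vendor plugin, so passing the same plugin list to 'disable' turns off exactly what 'enable' turned on. It only prints commands to paste into the FortiNAC CLI and assumes nothing about the CLI beyond the command syntax shown above; the file name mdm_debug.sh is an assumption.

```shell
#!/bin/sh
# Added example, not Fortinet's code: generate the MdmManager + vendor plugin
# debug command sequence for either FortiNAC platform from the plugin names
# listed in the article. The script only prints commands to paste into the
# FortiNAC CLI; it does not assume 'logs', 'nacdebug', 'tf' or 'diagnose'
# exist on the machine it runs on.

# Vendor plugin names exactly as listed in the article.
MDM_PLUGINS="FortinetEMSServer AirWatchServer XenMobileServer GoogleGSuiteServer JamfServer Maas360Server MSInTuneServer MobileIronServer NozomiServer"

# mdm_plugin_valid NAME: succeeds only if NAME is a known vendor plugin.
mdm_plugin_valid() {
    for p in $MDM_PLUGINS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# mdm_debug_cmds PLATFORM ACTION [PLUGIN...]
#   PLATFORM: centos (FortiNAC) or nacos (FortiNAC-F)
#   ACTION:   enable or disable
# Prints one CLI command per line. MdmManager is always included, so passing
# the same PLUGIN list to 'disable' turns off exactly what 'enable' turned on.
# An unknown plugin name or bad arguments fail before any command is printed.
mdm_debug_cmds() {
    if [ $# -lt 2 ]; then
        echo "usage: mdm_debug_cmds centos|nacos enable|disable [PLUGIN...]" >&2
        return 1
    fi
    platform=$1
    action=$2
    shift 2
    for p in "$@"; do
        mdm_plugin_valid "$p" || { echo "unknown MDM plugin: $p" >&2; return 1; }
    done
    case "$platform/$action" in
        centos/enable)
            echo "logs"
            for p in MdmManager "$@"; do echo "nacdebug -name $p true"; done
            echo "tf output.master"
            ;;
        centos/disable)
            echo "logs"
            for p in MdmManager "$@"; do echo "nacdebug -name $p false"; done
            ;;
        nacos/enable)
            for p in MdmManager "$@"; do echo "diagnose debug plugin enable $p"; done
            echo "diagnose tail -F output.master"
            ;;
        nacos/disable)
            for p in MdmManager "$@"; do echo "diagnose debug plugin disable $p"; done
            ;;
        *)
            echo "usage: mdm_debug_cmds centos|nacos enable|disable [PLUGIN...]" >&2
            return 1
            ;;
    esac
}

# Demo: the enable/disable pair for an AirWatch MDM on a FortiNAC-F appliance.
# Guarded by an argument so that sourcing this file prints nothing.
if [ "${1:-}" = "demo" ]; then
    mdm_debug_cmds nacos enable AirWatchServer
    echo "# ... select 'Poll Now', collect output.master, then:"
    mdm_debug_cmds nacos disable AirWatchServer
fi
```

Run `sh mdm_debug.sh demo` to print the FortiNAC-F enable and disable pair for AirWatch, or source the file and call mdm_debug_cmds directly, for example `mdm_debug_cmds centos disable JamfServer` after a CentOS debugging session with the Jamf plugin.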
Related articles:
Technical Note: Hosts imported from Airwatch is less than expected
Technical Tip: Airwatch MDM Agent fails to authenticate in isolation
Technical Tip: Certificate path error when polling Airwatch
Technical Tip: Airwatch poll fails with 429 error code
Technical Tip: AirWatch MDM poll fails when configured to retrieve application data
Technical Note: Gather logs for debugging and troubleshooting
