Staff

Troubleshooting Tip: Unable to access the production network after registration

Forum|Forum|6 years ago
January 24, 2020
0 replies
1582 views

Description

This article describes how to resolve a scenario where an endpoint is successfully registered through the Captive Portal but the browser message indicates the network configuration is being changed, or a scenario where the endpoint is successfully registered via some other method (e.g. Persistent Agent or manually).

However, after several minutes, they are still unable to access the production network. Symptoms may include the IP address not changing from the registration IP to the appropriate production IP when it is supposed to.

Scope

FortiNAC.

Solution

In the Administration UI, verify the value assigned:

Wired: Navigate to Network Devices > Topology. Review the Current VLAN value under the Ports tab for the affected switch port.
Wireless: Navigate to Hosts > Adapter View and review the Access Value for the affected MAC address.

Current VLAN/Access Value is correct: Review the switch/controller/Access Point configuration.

Switch/controller/Access Point configuration is correct: The system changed the VLAN/role correctly and the issue is network related.

Switch/controller/Access Point configuration is incorrect: The configuration changed failed. This could be due to a communication failure between the system and the switch/controller/Access Point.

Validate credentials in Model Configuration. If failing SNMP or CLI credentials, refer to related KB article below.
Wired: To further troubleshoot VLAN on switch not changing, see related KB article below.
Wireless: For details on troubleshooting wireless clients not connecting, see related KB article below.

Current VLAN/Access Value is the isolation VLAN: Troubleshoot why the VLAN/role is not changing to the production network.

Wired: For steps to troubleshooting VLAN switching on wired devices, see the related article below.
Wireless: Have the client disconnect from the wireless and reconnect..

Client is able to access the proper network upon reconnect: The client is not getting disconnected automatically when host registers. Verify the system and the wireless controller/Access Point are configured correctly. Refer to the appropriate integration guide in the Fortinet Document Library for details.

Client is unable to access the proper network upon reconnect:

Verify the Host record matches the correct Network Access Policy. For troubleshooting policies, see the related article below.
If matching the correct policy, a tcpdump or further troubleshooting using debugging may be required to confirm the RADIUS exchange between the system, the controller/Access Point and RADIUS server (if 802.1x). For details on troubleshooting wireless clients not connecting, see related KB article below.

Related articles:

Technical Tip: Not switching VLANs on wired switch to production network

Technical Tip: Port changes in Port View but VLAN does not change in switch

Technical Tip: Unable to switch VLANs on Aruba wireless ArubaOS 6.5

Technical Tip: Host Not Automatically Switching VLANs on Ruckus SmartDirector

Troubleshooting Tip: RADIUS wired and wireless clients not connecting

Technical Tip: Troubleshooting policies

Technical Tip: Troubleshooting CLI credential failure

Technical Tip: Troubleshooting SNMP communication issues