scitlak
Staff
January 6, 2025

Technical Tip: How to enable TLS 1.3 for Persistent Agent in FortiNAC

Description: This article describes how to enable TLS 1.3 and the appropriate ciphers for the Persistent Agent in FortiNAC.
Scope: FortiNAC, FortiNAC-F.
Solution:

Since Persistent Agent v7.6.0 requires TLS 1.3, it is mandatory to enable TLS 1.3 and appropriate ciphers in FortiNAC when Persistent Agent v7.6.0 is in use.


To detect what TLS version the client is sending, capture the client traffic via Wireshark and look at the 'Client Hello' packet (tls.handshake.type == 1), then look at the 'Supported Versions' extension. Example for illustration:


[Screenshot: Client Hello packet showing the supported TLS versions]
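To check the same field outside Wireshark, the following added example (not part of the original article and not Fortinet code) parses a raw ClientHello record and returns the versions listed in its 'Supported Versions' extension, falling back to the legacy version field when the extension is absent. The function names and the sample bytes produced by build_sample_hello are constructed for illustration.

```python
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43  # extension type, RFC 8446 section 4.2.1


def client_hello_versions(record: bytes) -> list:
    """Return the TLS versions a ClientHello offers (one unfragmented record)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy = [TLS_VERSIONS.get(v, hex(v)) for v in struct.unpack_from("!H", body)]
    pos = 2 + 32                                       # legacy_version + random
    pos += 1 + body[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
    pos += 1 + body[pos]                               # compression_methods
    if pos + 2 > len(body):
        return legacy                                  # no extensions block
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SUPPORTED_VERSIONS:
            codes = struct.unpack(f"!{data[0] // 2}H", data[1:1 + data[0]])
            # Drop GREASE placeholders (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa
            return [TLS_VERSIONS.get(c, hex(c)) for c in codes
                    if not (c & 0x0f0f == 0x0a0a and c >> 8 == c & 0xff)]
    return legacy                                      # pre-TLS 1.3 client


def build_sample_hello(versions, legacy=0x0303) -> bytes:
    """Constructed sample input: a minimal ClientHello offering `versions`."""
    ext = b""
    if versions:
        lst = b"".join(struct.pack("!H", v) for v in versions)
        ext = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(lst) + 1, len(lst)) + lst
        ext = struct.pack("!H", len(ext)) + ext
    body = (struct.pack("!H", legacy) + bytes(32) + b"\x00"   # version, random, session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00" + ext)        # one suite, null compression
    hello = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hello)) + hello


if __name__ == "__main__":
    print(client_hello_versions(build_sample_hello([0x0a0a, 0x0304, 0x0303])))
```

A client for which this returns only 'TLS 1.2' does not offer TLS 1.3, which is the case the TLS 1.2 cipher selection later in this article covers.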

 

Go to System -> Settings -> Persistent Agent -> Transport Configuration and 'right-click' on the 'TLS Service Configuration' that is already in use by the Persistent Agent service.

 

Uncheck 'Automatically Update Ciphers And Protocols on Upgrade', select the 'TLS Protocols' dropdown box, and select TLS 1.3.

 


 

Select the 'Ciphers' dropdown box and select the required ciphers for TLS 1.3. If any earlier version of the Persistent Agent is also in use, also select the ciphers for TLS 1.2 to avoid SSL/TLS handshake issues with any Persistent Agent version.

 


 

Go to System -> Certificate Management -> Select Persistent Agent, and restart the Persistent Agent Service.

 
