Eslite_HK
New Member
February 9, 2023
Solved

Persistent Agent unable to resolve correct NAC controller IP in isolation network

  • February 9, 2023
  • 3 replies
  • 3307 views

FortiNAC version: 7.2.0.0035

Persistent Agent version: 9.4.0.93

Using the L3 isolation model, I power on a rogue PC (with the PA). FortiNAC puts the PC into an isolation network and assigns a DNS server IP (the FortiNAC eth1 IP) to the rogue PC. In this scenario the Persistent Agent on the rogue PC tries to communicate with the NAC controller; the first step should be sending a DNS request to the DNS server (FortiNAC eth1 IP) to get the IP of the NAC controller. However, NAC's DNS responds with its eth1 IP to the rogue PC, not the eth0 IP. Is there any misconfiguration?

Best answer by ebilcari

This is the expected behavior. While in isolation, the host communicates with FortiNAC using the isolation networks (from the eth1 interface).

Are you having problems with Agent communication? You can check the agent logs from the PC [C:\ProgramData\Bradford Networks\general.txt] for any reported problem.

Take a look at this article: https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Troubleshooting-the-Persistent-agent/ta-p/196869

or check the logs from FortiNAC debugs:
https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Persistent-Agent-not-able-to-start-communication/ta-p/244962
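To confirm the behavior described in the answer from the host side, the following added check (not from the thread or from Fortinet) parses the A records out of a raw DNS response and reports whether the controller name resolved into the isolation network (expected while the host is a rogue) or to the production eth0 address. The hostname nac.example.local and the addresses 192.0.2.0/24 (isolation, eth1) and 198.51.100.5 (eth0) are constructed placeholders; the sample response is built inline so the script runs offline.

```python
import ipaddress
import struct

def build_query(name, txid=0x1234):
    """Standard recursive A query for `name` (what the agent's resolver sends)."""
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.strip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif ln == 0:
            return ".".join(labels), end or off + 1
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode())
            off += 1 + ln

def a_records(resp):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    qd, an = struct.unpack("!HH", resp[4:8])
    off, out = 12, []
    for _ in range(qd):  # skip the echoed question: name + qtype + qclass
        off = _read_name(resp, off)[1] + 4
    for _ in range(an):
        off = _read_name(resp, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return out

def classify(answers, isolation_net, production_ip):
    """'isolation' is expected for a rogue host; 'production' means eth0; else 'unexpected'."""
    if any(ipaddress.ip_address(a) in ipaddress.ip_network(isolation_net) for a in answers):
        return "isolation"
    return "production" if production_ip in answers else "unexpected"

# Constructed sample response: nac.example.local -> 192.0.2.10 (assumed FortiNAC eth1 address)
_q = build_query("nac.example.local")
SAMPLE_RESPONSE = (_q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + _q[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10]))
```

An "unexpected" result (an answer in neither network) is the case worth chasing in general.txt and the FortiNAC debugs linked above.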

3 replies

Eslite_HK (Author, New Member)
February 13, 2023

Thanks for your explanation; the PA logs are without error.

bmeta (Staff & Editor)
February 9, 2023

If host state is Rogue > And the system group membership is "Forced Registration(port)" > Then change VLAN to Registration
eth1 will provide DNS services to the host

Eslite_HK (Author, New Member)
February 13, 2023

Thanks for your reply.