FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Sheikh
Staff
Article Id 410642
Description: This article explains that devices connected to Aruba CX series switches are sometimes not visible in the FortiNAC inventory view.
Scope: FortiNAC, FortiNAC-F, Aruba AOS-CX switches.
Solution

FortiNAC (Network Access Control) is a solution from Fortinet that provides enhanced visibility, control, and automated response for devices connecting to a network. It allows administrators to:

  • Discover and classify devices on the network.

  • Monitor device activity and enforce security policies.

  • Automate onboarding and access control.

  • Protect against unauthorized or rogue devices.

By integrating with network infrastructure devices (such as switches, wireless controllers, and firewalls), FortiNAC offers a centralized inventory view where administrators can see connected devices, their status, and the switch port they are using.

 

Issue: Devices Not Visible in FortiNAC Inventory (Port View).

 

In some deployments, it is observed that devices connected to Aruba CX series switches are not visible in the FortiNAC inventory view, particularly under the port details. This impacts the ability of FortiNAC to provide accurate visibility and enforce access policies.

 

The device is not visible in the port view of the FortiNAC inventory when connected to an Aruba CX series switch, even when CLI, SNMP, device profiling rules, and RADIUS settings are all configured correctly.

 

In certain cases, the device is visible for a few seconds before automatically disappearing from FortiNAC.

 

On the Aruba switch, the device MAC address is visible in both the MAC address table and the port-access client list:

 

SW# show mac-address-table 
MAC age-time            : 300 seconds
Number of MAC addresses : 20

MAC Address          VLAN     Type                      Port
--------------------------------------------------------------
8c:a6:82:XX:XX:XX    19      port-access-security      1/1/12
8c:1f:64:XX:XX:XX    19      port-access-security      1/1/14
38:c0:ea:XX:XX:XX    18      dynamic                   1/1/25
fc:9f:fd:XX:XX:XX    11      port-access-security      1/1/8
38:c0:ea:XX:XX:XX    11      dynamic                   1/1/25
04:03:12:XX:XX:XX    11      port-access-security      1/1/2

SW# show port-access clients <-----------------------

Port Access Clients
Status Codes: d device-mode, c client-mode, m multi-domain
-------------------------------------------------------------------------------------------------------
  Port     MAC-Address    Onboarding Method  Status       Role     Device Type                     
-------------------------------------------------------------------------------------------------------
c 1/1/2    04:03:12:XX:XX:XX mac-auth       Success              RADIUS_121XXXXXXX
c 1/1/8    fc:9f:fd:XX:XX:XX mac-auth       Success              RADIUS_121XXXXXXX
c 1/1/10   00:20:6b:XX:XX:XX mac-auth       Success              RADIUS_100XXXXXXX
c 1/1/12   8c:a6:82:XX:XX:XX mac-auth       Success              RADIUS_90XXXXXXX

However, FortiNAC's L2 poll of the Aruba AOS-CX switch does not include the MAC address of the connected device.

 

Solution:

 

  • To resolve this issue, enable the 'Secure ports is enabled for the ports on this device(s)' option under Model configurations of the Aruba switch that was added to the FortiNAC inventory.

 


 

When 'Secure ports is enabled for the ports on this device(s)' is set, FortiNAC reads static MAC addresses from the switch instead of disregarding them.
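To see which entries on a switch are affected before changing the model configuration, the following added example (not from the original article or from Fortinet) parses 'show mac-address-table' output and lists every MAC whose type is not 'dynamic', grouped by port. It assumes those non-dynamic entries are the ones FortiNAC treats as static; the sample table and its MAC addresses are constructed, and the parser expects unmasked MAC addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the 'show mac-address-table' output
# shown in this article (MAC addresses are made up for the example).
SAMPLE = """\
MAC age-time            : 300 seconds
Number of MAC addresses : 4

MAC Address          VLAN     Type                      Port
--------------------------------------------------------------
00:00:5e:00:53:01    19      port-access-security      1/1/12
00:00:5e:00:53:02    18      dynamic                   1/1/25
00:00:5e:00:53:03    11      port-access-security      1/1/8
00:00:5e:00:53:02    11      dynamic                   1/1/25
"""

# One table row: MAC, VLAN id, entry type, port (header and rule lines never match).
ROW = re.compile(
    r"^\s*((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+(\d+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_mac_table(text):
    """Return a list of (mac, vlan, type, port) tuples from the CLI output."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            mac, vlan, kind, port = match.groups()
            rows.append((mac.lower(), int(vlan), kind, port))
    return rows


def non_dynamic_by_port(rows):
    """Group MACs whose type is not 'dynamic' by switch port."""
    # Assumption: non-dynamic entries are the ones the L2 poll disregards
    # until the secure ports option (ForwardTableStatic) is enabled.
    ports = defaultdict(list)
    for mac, vlan, kind, port in rows:
        if kind != "dynamic":
            ports[port].append((mac, vlan, kind))
    return dict(ports)


if __name__ == "__main__":
    table = non_dynamic_by_port(parse_mac_table(SAMPLE))
    for port, entries in sorted(table.items()):
        for mac, vlan, kind in entries:
            print(f"{port}\t{mac}\tVLAN {vlan}\t{kind}")
```

Comparing the ports it reports against the FortiNAC port view before and after the change shows whether the missing hosts are the non-dynamic ones.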

 

This can also be accomplished by running the following command from FortiNAC's CLI.


FortiNAC-F:

 

execute enter-shell

device -ip <ipaddress> -setAttr -name ForwardTableStatic -value true

 

FortiNAC:

 

device -ip <ipaddress> -setAttr -name ForwardTableStatic -value true

 

Related documents:

Technical Tip: Enable 'Secure Port' settings when port security is configured in the modeled Switch 

Secure port/static port overview - FortiNAC 

Secure port/static port overview - FortiNAC-F