FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
scitlak
Staff
Article Id: 368545
Description: This article describes how to enable TLS 1.3 and the appropriate ciphers for Persistent Agent in FortiNAC.
Scope: FortiNAC, FortiNAC-F.
Solution

Since Persistent Agent v7.6.0 requires TLS 1.3, it is mandatory to enable TLS 1.3 and appropriate ciphers in FortiNAC when Persistent Agent v7.6.0 is in use.


To detect which TLS version the client is sending, capture the client traffic with Wireshark, find the 'Client Hello' packet (display filter tls.handshake.type == 1), and look at its 'Supported Versions' extension. Example for illustration:


[Screenshot: Client Hello packet includes the supported TLS version]
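The same check can be scripted. The following is an added example, not part of the original article or of FortiNAC: it parses one raw Client Hello record and lists the versions in its 'Supported Versions' extension. It assumes the record bytes are already available (for example from a capture), and the function names and the sample record are constructed for illustration.

```python
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def offered_versions(record):
    """Return the TLS versions a client offers, given one raw Client Hello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a Client Hello")
    pos = 5 + 4                                   # record header + handshake header
    legacy = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                                 # legacy_version + random
    pos += 1 + record[pos]                        # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                        # compression_methods
    if pos + 2 <= len(record):                    # extensions block present
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(record)):
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 43:                    # supported_versions
                count = record[pos] // 2
                vals = struct.unpack_from("!%dH" % count, record, pos + 1)
                # GREASE placeholders (0x0A0A, 0x1A1A, ...) are not real versions
                return [NAMES.get(v, hex(v)) for v in vals if (v & 0x0F0F) != 0x0A0A]
            pos += ext_len
    # Without the extension the client offers at most legacy_version (TLS 1.2 or older)
    return [NAMES.get(legacy, hex(legacy))]

def offers_tls13(record):
    return "TLS 1.3" in offered_versions(record)

def sample_hello(versions, legacy=0x0303):
    """Build a minimal, constructed Client Hello record for the demo below."""
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00"      # version, random, no session id
    body += b"\x00\x02\x13\x01" + b"\x01\x00"                   # one cipher suite, null compression
    if versions:
        ext = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        ext = struct.pack("!HH", 43, len(ext)) + ext
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(offered_versions(sample_hello([0x0304, 0x0303])))   # client offering 1.3 and 1.2
    print(offered_versions(sample_hello([])))                  # older client, no extension
```

A client whose result does not include TLS 1.3 cannot complete a handshake with a service restricted to TLS 1.3, which is the case the TLS 1.2 cipher selection later in this article addresses.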

 

Go to System -> Settings -> Persistent Agent -> Transport Configuration and 'right-click' on the 'TLS Service Configuration' that is already in use by the Persistent Agent service.

 

Uncheck 'Automatically Update Ciphers And Protocols on Upgrade', select the 'TLS Protocols' dropdown box, and select TLS 1.3.

 


 

Select the 'Ciphers' dropdown box and select the required ciphers for TLS 1.3. If any earlier version of the Persistent Agent is also in use, also select ciphers for TLS 1.2 to avoid SSL/TLS handshake issues with any Persistent Agent version.

 


 

Go to System -> Certificate Management -> Select Persistent Agent, and restart the Persistent Agent Service.

 
