FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff
Article Id 335211
Description This article describes why registration for a particular host fails when the error 'Invalid Physical Address' appears in the event logs.
Scope FortiNAC-F, FortiNAC.
Solution

The error 'Invalid Physical Address' means that FortiNAC does not contain the Vendor OUI for the MAC address being processed in its database.

This acts as a security mechanism: when FortiNAC sees a MAC whose OUI is unknown, it does not allow host registration and keeps the host isolated as a rogue.

 

Any kind of registration method will fail in these cases.

An example would be a Self-Registering Guest that is using an external adapter to connect to a network controlled by FortiNAC.

The Administrator will either see the Event log or receive an Alarm through the e-mail if this is configured.

 

Figure 1. Host registration failure triggered by the "Invalid Physical Address" event message.

 

The vendor OUI records are continuously being updated by Fortinet as new IEEE device information becomes available. FortiNAC administrators can update the Vendor OUI databases of their FortiNAC appliances through a scheduled task called AutoDefinition Synchronization where the Device information is retrieved from Fortinet repositories. 

 

Figure 2. Auto-definition Synchronizer task in System > Scheduler.

 

To check whether a specific MAC address is considered valid by FortiNAC, run the following from the CLI:

 

execute enter-shell
validmac -mac 80:5E:C0:YY:YY:YY
VendorCode:
Vendor OUI = 80:5E:C0
Vendor Name = YEALINK(XIAMEN) NETWORK TECHNOLOGY CO.,LTD.
Vendor Alias =
Description =
Role =
Registration Type = null(0)
User Registration Type = null(9999)

naclab1:~$

 

In this case the MAC address is valid (its OUI is present in the database) and FortiNAC will perform the registration process.

 

For a MAC address whose OUI is not in the database, the following output will appear:

 

validmac -mac 68:E4:3B:XX:XX:XX

68:E4:3B:XX:XX:XX Invalid

 

This can be a problem where users connect their hosts through external adapters. To remedy the issue, manually add the Vendor OUI to the FortiNAC database.

 

Figure 3. Adding a new Vendor OUI in System > Settings > Identification > Vendor OUI.

 

When adding the entry, the FortiNAC administrator can add a proper description for this adapter type, the vendor, and any additional information.

For each Vendor OUI, the administrator can also specify the role to give a device associated with that OUI once it registers. However, roles assigned by the Device Profiler override this setting.

 

The same Invalid OUI error will be present in the output.nessus logs when registration is performed by the Persistent Agent.

FortiNAC will report the adapter as offline and the agent will report disconnections.

 

Hosts that do not have any valid adapters detected will not be registered.

 

Example log lines from output.nessus:

 

output.nessus_4456.log.0.txt:yams.PersistentAgent FINER :: 2024-09-11 16:54:35:481 :: #40 :: Invalid OUI: 30:13:8B:XX:XX:XX
output.nessus_4456.log.0.txt:yams.PersistentAgent FINER :: 2024-09-11 16:54:35:482 :: #40 :: getClient found no adapter for mac E4:C7:67:XX:XX:XX
output.nessus_4456.log.0.txt:yams.PersistentAgent FINER :: 2024-09-11 16:54:35:482 :: #40 :: getRemoteUser(192.168.10.2 ) = null
output.nessus_4456.log.0.txt:yams.PersistentAgent FINER :: 2024-09-11 16:54:35:483 :: #40 :: validateHost() unable to determine agent host, working with primary EtherInterface = MAC : E4:C7:67:XX:XX:XX
output.nessus_4456.log.0.txt:yams.PersistentAgent FINER :: 2024-09-11 16:54:35:483 :: #40 :: getClient found no adapter for mac E4:C7:67:XX:XX:XX
output.nessus_4456.log.0.txt:yams.PersistentAgent FINER :: 2024-09-11 16:54:35:483 :: #40 :: validateHost() Didn't find adapter for MAC :E4:C7:67:XX:XX:XX
output.nessus_4456.log.0.txt: MAC : E4:C7:67:XX:XX:XX

output.nessus_4456.log.0.txt:yams.PersistentAgent.Default TCP FINE :: 2024-09-11 16:55:02:738 :: #40 :: Sending to /192.168.10.2: <?xml version="1.0" encoding="us-ascii"?><set><ping>900</ping><status><val>1</val><msg>null</msg></status><disconnectState><showIcon>false</showIcon><showMsg>false</showMsg><disconnectMsg>Your network access may be restricted. Persistent Agent is disconnected from FortiNAC.</disconnectMsg></disconnectState><timeSkew>60</timeSkew><usbdisk>false</usbdisk><VMDetection>NONE</VMDetection><expirationTime></expirationTime></set>
output.nessus_4456.log.0.txt: IP = 192.168.10.2 Port = 64873 Version = 9.4.4.105
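As an added example (not part of the original article and not FortiNAC's own code), the following Python script mirrors the OUI lookup that validmac performs and scans Persistent Agent log lines such as those above for "Invalid OUI" and "found no adapter" messages, reporting which Vendor OUIs an administrator still needs to add. The vendor table and the log lines are constructed samples; only the YEALINK entry is taken from the validmac output shown earlier.

```python
import re

# Constructed sample of a Vendor OUI table (prefix -> vendor name). The YEALINK entry
# matches the validmac output in the article; the second entry is a placeholder.
VENDOR_OUI = {
    "80:5E:C0": "YEALINK(XIAMEN) NETWORK TECHNOLOGY CO.,LTD.",
    "00:11:22": "PLACEHOLDER-VENDOR",
}

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
INVALID_OUI_RE = re.compile(r"Invalid OUI: ([0-9A-Fa-f:]{17})")
NO_ADAPTER_RE = re.compile(r"getClient found no adapter for mac ([0-9A-Fa-f:]{17})")


def oui_of(mac):
    """Return the upper-cased first three octets (the vendor OUI) of a colon-separated MAC."""
    if not MAC_RE.match(mac):
        raise ValueError("malformed MAC address: %s" % mac)
    return mac.upper()[:8]


def validmac(mac, table=VENDOR_OUI):
    """Mimic the validmac CLI check: the vendor record for the MAC's OUI, or None when the
    OUI is unknown (the condition behind the 'Invalid Physical Address' event)."""
    oui = oui_of(mac)
    vendor = table.get(oui)
    return {"oui": oui, "vendor": vendor} if vendor else None


def triage_agent_log(lines, table=VENDOR_OUI):
    """Scan Persistent Agent log lines and return the OUIs still missing from the table
    (to be added under System > Settings > Identification > Vendor OUI) plus MACs with
    no adapter record."""
    needs_oui, no_adapter = set(), set()
    for line in lines:
        m = INVALID_OUI_RE.search(line)
        if m and validmac(m.group(1), table) is None:
            needs_oui.add(oui_of(m.group(1)))
        m = NO_ADAPTER_RE.search(line)
        if m:
            no_adapter.add(m.group(1).upper())
    return {"add_vendor_oui": sorted(needs_oui), "no_adapter_for_mac": sorted(no_adapter)}


# Constructed log lines modelled on the output.nessus excerpt in the article; the
# host portions of the MAC addresses are made up.
SAMPLE_LOG = [
    "yams.PersistentAgent FINER :: 2024-09-11 16:54:35:481 :: #40 :: Invalid OUI: 30:13:8B:AA:BB:01",
    "yams.PersistentAgent FINER :: 2024-09-11 16:54:35:482 :: #40 :: getClient found no adapter for mac E4:C7:67:AA:BB:02",
    "yams.PersistentAgent FINER :: 2024-09-11 16:54:35:483 :: #40 :: validateHost() Didn't find adapter for MAC :E4:C7:67:AA:BB:02",
]
```

Running triage_agent_log again with the missing OUI added to the table returns an empty add_vendor_oui list, which is a quick way to confirm the fix covers every OUI the log complained about.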

 

 

Related documents:

Vendor OUIs - FortiNAC administration guide

Technical Tip: Host fails to register or multiple host records are created