Created on 12-12-2023 07:00 AM Edited on 07-16-2024 12:18 AM By Jean-Philippe_P
This article lists some useful commands introduced in the new version of FortiNAC running FortiNAC-OS.
These are frequently used commands that were not present in the previous versions of FortiNAC running CentOS.
Scope: FortiNAC.
CLI timeout:
The new version of FortiNAC has a default console idle timeout of 45 minutes. This is more than enough for normal procedures, but during troubleshooting sessions, when logs or captures need to be checked in the background or saved to a file, the session can time out. The timeout can be raised as follows:
config system global
set admin-idle-timeout 99 <----- A value in minutes between 1-480, that will log the admin out after this time.
end
Allowing services on the port level:
The services must be enabled in the port (interface) configuration; otherwise FortiNAC will not listen for or respond to the corresponding requests. The available services are:
dhcp DHCP (UDP ports 67, 68, 546, 547) [Portal and Management]
dns DNS (TCP/UDP port 53) [Portal]
fsso FSSO (TCP port 8000) [Management]
http HTTP (TCP port 80) [Portal]
http-adminui Admin UI HTTP (TCP port 8080) [Management]
https HTTPS (TCP port 443) [Portal]
https-adminui Admin UI HTTPS (TCP port 8443) [Management]
nac-agent FortiNAC Agent (TCP port 4568) [Portal]
nac-ipc NAC IPC (TCP ports 1050, 5555, 30000-64000) [Management]
netflow NetFlow (UDP port 2055) [Management]
ping Ping (ICMP) [Management]
radius RADIUS (TCP/UDP port 1812) [Management]
radius-acct RADIUS Accounting (TCP/UDP port 1813) [Management]
radius-local Local RADIUS (TCP/UDP port 1645) [Management]
radius-local-radsec Local RADIUS RadSec (TCP/UDP port 2083) [Management]
snmp SNMP (UDP ports 161 and 162) [Management]
ssh SSH (TCP port 22) [Management]
syslog Syslog (UDP port 53) [Management]
Typically, these are some of the services that need to be enabled on the Management (port1) and Portal (port2) interfaces, for example:
config system interface
edit port1
set allowaccess ping ssh snmp dhcp syslog https-adminui nac-agent radius-local
next
edit port2
set allowaccess https ping http dns dhcp nac-agent
next
end
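The service list above tags each service as [Portal], [Management] or both. The following script, added here as an example and not part of the article or of FortiNAC, parses a 'config system interface' block and reports services enabled on an interface whose role does not match the table, so that a management-plane service such as SSH or the Admin UI on the client-facing portal interface is caught before the configuration is applied. The port1/port2 roles and the sample configuration are assumptions modelled on the article.

```python
import re

# Service -> roles, transcribed from the allowaccess list in the article.
SERVICE_ROLES = {s: {"Portal"} for s in ("dns", "http", "https", "nac-agent")}
SERVICE_ROLES.update({s: {"Management"} for s in (
    "fsso", "http-adminui", "https-adminui", "nac-ipc", "netflow", "ping", "radius",
    "radius-acct", "radius-local", "radius-local-radsec", "snmp", "ssh", "syslog")})
SERVICE_ROLES["dhcp"] = {"Portal", "Management"}

# Interface roles assumed for this deployment (the article's port1/port2 layout).
INTERFACE_ROLE = {"port1": "Management", "port2": "Portal"}

def parse_allowaccess(config_text):
    """Return {port: [services]} from a 'config system interface' block."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"edit\s+(\S+)$", line)
        if m:
            current = m.group(1)
            ports[current] = []
        elif line.startswith("set allowaccess ") and current:
            ports[current] = line.split()[2:]
    return ports

def audit_allowaccess(config_text, accepted=()):
    """Return findings as (port, service, reason). 'accepted' lists (port, service)
    pairs the operator has reviewed, e.g. ICMP on the portal interface."""
    findings = []
    for port, services in parse_allowaccess(config_text).items():
        role = INTERFACE_ROLE.get(port)
        for svc in services:
            roles = SERVICE_ROLES.get(svc)
            if roles is None:
                findings.append((port, svc, "unknown service name"))
            elif role and role not in roles and (port, svc) not in accepted:
                findings.append((port, svc,
                                 f"{'/'.join(sorted(roles))}-only service on {role} interface"))
    return findings

# Constructed sample: the article's port1 config plus a portal interface that also exposes SSH and the admin UI.
SAMPLE = """config system interface
    edit port1
        set allowaccess ping ssh snmp dhcp syslog https-adminui nac-agent radius-local
    next
    edit port2
        set allowaccess https ping http dns dhcp nac-agent ssh https-adminui
    next
end"""
```

Running audit_allowaccess(SAMPLE, accepted={("port2", "ping")}) reports SSH and the Admin UI on port2 and, per the table, the [Portal]-tagged nac-agent service on port1.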
Changing credentials or creating another test account for CLI access (only):
config system admin
edit admin2
set password s0mesecurepasswörd
end
Checking master logs without entering the shell:
diagnose tail output.master -F
total processed = 0
#######################################################################
yams.Yams INFO :: 2023-12-07 15:23:32:370 :: #478 :: MasterLoader Max Memory (KBytes) 1,962,496 Free Memory (KBytes) 1,751,766 Threads: 509 Up Time: 24 Days 4 Hours 10 Minutes 39 Seconds Time Zone: CET (UTC+0100)
yams.SSOManager INFO :: 2023-12-07 15:23:48:068 :: #389 :: SSOManager.syncMessagesWithAdapters checking 0 SSO devices
yams.Yams INFO :: 2023-12-07 15:24:02:369 :: #478 :: MasterLoader Max Memory (KBytes) 1,962,496 Free Memory (KBytes) 1,731,350 Threads: 509 Up Time: 24 Days 4 Hours 11 Minutes 9 Seconds Time Zone: CET (UTC+0100)
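The periodic MasterLoader lines above carry heap and thread figures, which is what is usually being watched during a long troubleshooting session. The parser below is an added example (not part of the article or of FortiNAC) for lines saved from 'diagnose tail output.master'; it extracts the memory figures and raises alerts on low free heap or a high thread count. The threshold values and the fourth sample line are constructed.

```python
import re

# Regexes for the output.master line format shown above.
LINE_RE = re.compile(
    r"^(?P<logger>\S+) (?P<level>\w+) :: (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3})"
    r" :: #(?P<thread>\d+) :: (?P<msg>.*)$")
MEM_RE = re.compile(
    r"Max Memory \(KBytes\) (?P<max>[\d,]+) Free Memory \(KBytes\) (?P<free>[\d,]+)"
    r" Threads: (?P<threads>\d+)")

def parse_master_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    mem = MEM_RE.search(rec["msg"])
    if mem:  # only the periodic MasterLoader heartbeat carries memory figures
        rec["max_kb"] = int(mem["max"].replace(",", ""))
        rec["free_kb"] = int(mem["free"].replace(",", ""))
        rec["threads"] = int(mem["threads"])
        rec["free_pct"] = round(100 * rec["free_kb"] / rec["max_kb"], 1)
    return rec

def memory_alerts(lines, min_free_pct=20.0, max_threads=1000):
    """Return (timestamp, message) alerts for heartbeat lines outside the thresholds."""
    alerts = []
    for line in lines:
        rec = parse_master_line(line)
        if not rec or "free_pct" not in rec:
            continue
        if rec["free_pct"] < min_free_pct:
            alerts.append((rec["ts"], f"free heap {rec['free_pct']}% below {min_free_pct}%"))
        if rec["threads"] > max_threads:
            alerts.append((rec["ts"], f"{rec['threads']} threads above {max_threads}"))
    return alerts

# Sample lines: the first three are from the article's output; the last is constructed
# to show a low-memory, high-thread condition.
SAMPLE_LINES = [
    "yams.Yams INFO :: 2023-12-07 15:23:32:370 :: #478 :: MasterLoader Max Memory (KBytes) 1,962,496 Free Memory (KBytes) 1,751,766 Threads: 509 Up Time: 24 Days 4 Hours 10 Minutes 39 Seconds Time Zone: CET (UTC+0100)",
    "yams.SSOManager INFO :: 2023-12-07 15:23:48:068 :: #389 :: SSOManager.syncMessagesWithAdapters checking 0 SSO devices",
    "yams.Yams INFO :: 2023-12-07 15:24:02:369 :: #478 :: MasterLoader Max Memory (KBytes) 1,962,496 Free Memory (KBytes) 1,731,350 Threads: 509 Up Time: 24 Days 4 Hours 11 Minutes 9 Seconds Time Zone: CET (UTC+0100)",
    "yams.Yams INFO :: 2023-12-07 15:24:32:369 :: #478 :: MasterLoader Max Memory (KBytes) 1,962,496 Free Memory (KBytes) 200,000 Threads: 1200 Up Time: 24 Days 4 Hours 11 Minutes 39 Seconds Time Zone: CET (UTC+0100)",
]
```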
Enabling/disabling debugs:
diagnose debug plugin enable SnmpV1
diagnose debug plugin list-debug-enabled
Loader | Name | Debug
__________________________|______________________________|_____________________
44 MasterLoader |SnmpV1 |true
__________________________|______________________________|_____________________
diagnose debug plugin disable SnmpV1
Running a packet capture:
execute tcpdump -i port2 host 10.1.3.11 and port 53
dropped privs to admin
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on port2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:37:41.646717 IP win10-ffm.eb.eu.56052 > fortinac.eb.eu.domain: 1+ PTR? 50.2.1.10.in-addr.arpa. (40)
15:37:41.657806 IP win10-ffm.eb.eu.56053 > fortinac.eb.eu.domain: 2+ A? fortinet.com.eb.eu. (36)
15:37:41.678251 IP win10-ffm.eb.eu.56054 > fortinac.eb.eu.domain: 3+ AAAA? fortinet.com.eb.eu. (36)
If more information is needed, add the '-v' flag, for example to decode RADIUS attributes:
execute tcpdump -i port1 host 10.1.2.1 and port 1812 -v
dropped privs to admin
tcpdump: listening on port1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:33:17.803174 IP (tos 0x0, ttl 64, id 48689, offset 0, flags [none], proto UDP (17), length 82)
_gateway.20493 > fortinac.eb.eu.radius: RADIUS, length: 54
Access-Request (1), id: 0x04, Authenticator: 3a5d0aa86a9a3da8b8d4142e59186ee9
NAS-Identifier Attribute (32), length: 4, Value: FW
User-Name Attribute (1), length: 12, Value: gimi@eb.eu
User-Password Attribute (2), length: 18, Value:
15:33:17.856751 IP (tos 0x0, ttl 64, id 44117, offset 0, flags [none], proto UDP (17), length 48)
fortinac.eb.eu.radius > _gateway.20493: RADIUS, length: 20
Access-Accept (2), id: 0x04, Authenticator: 96375d501bcdb07542ccb14d32fd5c0c
If the output needs to be saved in a file:
execute tcpdump -i port1 host 10.0.0.2 and port 514 -v -w /home/admin/log.pcap
dropped privs to admin
tcpdump: listening on port1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
Got 0
Got 1
Got 2
Exporting/Importing files:
Three tools are available for this: TFTP, FTP, and SCP. The easiest way, as with most network devices, is to use an external TFTP server.
For common file transfers such as backup and restore, there are dedicated commands that can be used without entering the shell, for example:
fnacf # execute backup config tftp backup-04 eb.eu
fnacf # execute restore ...
For other types of files, such as certificates, log files or packet captures, the shell must be entered first; the directory where the administrator has full rights is /home/admin.
Importing a file into FortiNAC (a root CA certificate in this case):
fnacf # execute enter-shell
fnacf:~$ pwd
/home/admin
fnacf:~$ tftp -gr ca.eb.eu.crt eb.eu
fnacf:~$ ll
4 -rwxr-xr-x 1 admin admin 1667 Feb 4 10:24 ca.eb.eu.crt*
4 -rw-r--r-- 1 admin admin 352 Dec 7 15:58 log.pcap
When an SCP server is used, the command is:
fortinac:~$ scp admin@eb.eu:/ca.eb.eu.crt .
admin@www.eb.eu's password:
ca.eb.eu.crt 100% 1667 137.6KB/s 00:00
Exporting files from FortiNAC (different examples):
fortinac:~$ tftp -pr log.pcap eb.eu
--
fnacf:~$ cd /bsc/backups/database/
fnacf:/bsc/backups/database$ tftp -pr FortiNAC_DataBase_BackUp_2024_02_04_00_01_46_fnacf.gz eb.eu
--
fortinac:~$ scp text.txt admin@www.eb.eu:/
admin@www.eb.eu's password:
text.txt 100% 7 1.0KB/s 00:00
Advanced commands that are available after entering shell:
execute enter-shell
fortinac:~$ device -ip 10.1.2.1 <- In the shell mode, some usual/old FortiNAC commands can be run.
************************* FW [10.1.2.1] *************************
Landscape = 92023029761 00:15:6D:00:00:01
Pollable = true, Poll interval = 10 Minutes
Type = 1.3.6.1.4.1.12356.101.1.80005
Group = 1.3.6.1.4.1.12356
MAC = null
Protocol = SnmpV1
Description = The FW
IP = 10.1.2.1
Useful information for FortiNAC-VM and licensing:
get system status
Version: FortiNAC-HyperV v7.2.4,build0094,231026 (GA)
Serial-Number: FNVM....
License Status: Valid
get hardware status
Model Name: FortiNAC-HyperV
UUID: 78c.....
MAC: 00:15:6D:00:00:01
CPU: Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz
Number of CPU Cores: 4
RAM: 16384 MB
Hard Disk: 1929 MB /data, 100204 MB /storage
get system license
EFFECTIVE:
serial = FNVM....
type = NetworkControlApplicationServer
level = PRO
count = 100000
expiration = 365 days
expired = false
mac = 00:15:6D:00:00:01
uuid = 78c.... <----- Must match the UUID shown by 'get hardware status' for the license to be valid.
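The check described above (license UUID and MAC matching the hardware status, license not expired) can be scripted over saved CLI output. The following is an added example, not part of the article or of FortiNAC; the two sample outputs are constructed from the article's redacted output, with placeholder serial and UUID values.

```python
import re

KV_RE = re.compile(r"^\s*([A-Za-z][\w -]*?)\s*[:=]\s*(.*?)\s*$")

def parse_kv(output):
    """Parse 'Key: value' and 'key = value' lines into a lower-cased-key dict."""
    pairs = {}
    for line in output.splitlines():
        m = KV_RE.match(line)
        if m and m.group(2):  # skip headers such as 'EFFECTIVE:'
            pairs[m.group(1).lower()] = m.group(2)
    return pairs

def check_license(hardware_output, license_output, min_days=30):
    """Compare 'get hardware status' with 'get system license' and return a list
    of problems (empty when the license is bound to this VM and not expiring)."""
    hw, lic = parse_kv(hardware_output), parse_kv(license_output)
    problems = []
    for key in ("uuid", "mac"):
        if hw.get(key, "").lower() != lic.get(key, "").lower():
            problems.append(f"{key} mismatch: hardware={hw.get(key)!r} license={lic.get(key)!r}")
    if lic.get("expired", "").lower() != "false":
        problems.append("license reports expired=" + lic.get("expired", "<missing>"))
    days = re.match(r"(\d+)\s*days", lic.get("expiration", ""))
    if not days or int(days.group(1)) < min_days:
        problems.append(f"expiration '{lic.get('expiration')}' is missing or under {min_days} days")
    return problems

# Constructed outputs modelled on the article; serial and UUID are placeholders.
HARDWARE_STATUS = """Model Name: FortiNAC-HyperV
UUID: 78c-EXAMPLE-UUID
MAC: 00:15:6D:00:00:01
CPU: Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz
Number of CPU Cores: 4
RAM: 16384 MB
Hard Disk: 1929 MB /data, 100204 MB /storage"""
SYSTEM_LICENSE = """EFFECTIVE:
serial = FNVM-EXAMPLE
type = NetworkControlApplicationServer
level = PRO
count = 100000
expiration = 365 days
expired = false
mac = 00:15:6D:00:00:01
uuid = 78c-EXAMPLE-UUID"""
```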
Modifying configuration files using the 'vi' editor:
Sometimes a configuration file needs to be changed manually using the 'vi' editor. The editor is available after entering the shell. For a more user-friendly interface, use the '-N' flag, for example:
vi -N /bsc/campusMgr/bin/.networkConfig
Press 'i' to enter insert mode, which allows editing the file. After making the changes, press 'Esc' to leave insert mode; then ':q!' discards the changes and ':wq' saves them.
Note:
The Backspace key may not always work; moving the cursor to the left and using the Delete key can help in this case.
Related articles:
Technical Tip: Run tcpdump in FNAC-F and save capture as a file.
Copyright 2024 Fortinet, Inc. All Rights Reserved.