FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Article Id 321790
Description

 

This article describes the CLI commands that can be used in FortiNAC-F to check element attributes when troubleshooting policies or to find additional attributes that can be used as matching criteria when creating new policies.

 

Scope

 

FortiNAC, FortiNAC-F.

 

Solution

 

When administrators create User/Host profiles for policy matching, the Who/What section offers the following record types:

 

  1. Adapter.
  2. Host.
  3. User.
  4. Application.

 

Each record has several attributes that can be used as criteria for policy matching. When a host does not match the policy, compare the User/Host profile configuration with the attributes that FortiNAC has actually stored for the registered host.

 

Figure 1. Adapter attribute options to be used in User/host profile

 

 

 

  1. Check Adapter attributes:

 

naclab1 # execute enter-shell

naclab1:~$ client -mac 00:0C:29:5A:2E:6B
Found 1 matches for client

, srogers - DESKTOP-J47UPA9
DBID = 154
MAC = 00:0C:29:5A:2E:6B
IP = 172.16.60.2
Medium = null
Description = null
Status = Connected
State = Initial
Type = DynamicClient
Ident = srogers

Grade = null
e-mail = null
UserID = srogers
ParentID = 498
Role = NAC-Default
Security Access Value = null
OS = Windows 10
Location = fortiGateLab.fortilab.local:root:S108EP5918010780:port3:S108EP5918010780
Client Not Authenticated = false
Client needs to authenticate = false
Logged On = true
At-Risk = false
Host role = NAC-Default
VpnClient = false
CLIENT ATTRIBUTES

ImageType windows
CLIENT EXTENDED ATTRIBUTES
Auth8021x 8
AuthType 2
ConnectAge 1718959566085
ConnectTime 1718959904113
CurrentVlanID 70
DPC_METHOD_SATISFIED 1
EdgeDevice 502
RadiusSourceIP 10.10.250.50

RFC5176AuthAttrs XXXX

RFC5176AuthTime 1718959874113
RFC5176ConfigElemId 427
SourceIP 10.10.250.50
Client has connected user: srogers, userID:srogers, dbid:7

 

  2. Check Host attributes:

 

naclab1 # execute enter-shell

naclab1:~$ dumphostrecords -mac 00:0C:29:5A:2E:6B
Host Record:
Landscape = 91769544454 00:15:5D:E4:1F:06
ID = 154
hostName = DESKTOP-J47UPA9
owner = srogers
policy = null
os = Windows 10
hardwareType = null
application = null
notes = null
Creation Time = Fri Jun 21 10:46:13 CEST 2024

Expiration Date =
Inactivity = 1 Days
Inactivity Date =
Last Successful Poll = Fri Jun 21 10:50:23 CEST 2024
Status = Connected
loggedOnUserId = srogers
patchManagementVendor = null
patchManagementID = null
role = NAC-Default
serialNumber = null
type = 8
Directory policy value = null
Agent Version = null 

Agent ID = null
Agent SN = null
Agent Tag = null
Agent Platform = null
Icon Type = windows
Managed By MDM = false
Compromised Status From MDM = false
Compliance Status From MDM = false
Data Protection Status From MDM = false
Passcode Status Status From MDM = false
Vulnerability Scan Status = -1
openPorts = null
Extra Info =
Attributes is empty
Adapter[0] = 00:0C:29:5A:2E:6B

 

In FortiNAC-F v7.4 and later, both host and adapter attributes can be validated with a single command, whose output is more detailed than the entries shown above:

 

diagnose host list mac <mac>
Usage: diagnose host list [-adapters] [-format <format>] (all | dbid <dbid> | owner <owner> | mac <mac> | type <type> | host-name <host-name> | role <role>)

all Select all host records
dbid <dbid> Select host records by database id
owner <owner> Select host records by owner name
mac <mac> Select host records by MAC address
type <type> Select host records by type eg. 9, 6
host-name <host-name> Select host records by the host name of the host
role <role> Select host records by the role of a host
-format <format> Format must be one of: text, json, xml
-adapters Include adapters in the output

 

Example:

 

naclab1 # diagnose host list -adapters mac 00:15:5D:XX:XX:XX
============================================================================
Host Record:
Landscape = 91769544454 00:15:5D:XX:XX:XX
ID = 209
hostName = null
owner = null
policy = null
os = Windows Vista|2008|2016|Phone|7|8|8.1|10
hardwareType = null
application = null
notes = null
Creation Time = Fri Sep 27 15:15:26 CEST 2024
Expiration Date = Mon Oct 28 14:15:26 CET 2024
Inactivity = 1 Days
Inactivity Date =
Last Successful Poll = Fri Sep 27 15:15:26 CEST 2024
Status = Connected
loggedOnUserId = null
patchManagementVendor = null
patchManagementID = null
role = null
serialNumber = null
type = 9
Directory policy value = null
Agent Version = null
Agent ID = null
Agent SN = null
Agent Tag = null
Agent Platform = null
Icon Type = windows
Managed By MDM = false
Compromised Status From MDM = false
Compliance Status From MDM = false
Data Protection Status From MDM = false
Passcode Status Status From MDM = false
Vulnerability Scan Status = -1
openPorts = null
Extra Info =
Attributes is empty
Adapter[0] = 00:15:5D:XX:XX:XX

---1 ADAPTERS-----------------------

Dynamic Client:
ID = 209
HOST ID = 209
State = Initial
Type = RogueDynamicClient
Identification = null
IP = 10.20.20.3
physAddress = 00:15:5D:XX:XX:XX
Type = 9
Status = Connected
parent = 435
Last Successful Poll = 09/27/24 15:15:26
Creation Time = Fri Sep 27 15:15:26 CEST 2024
*Valid time = null
*Valid time offline = 0
Medium Type = null
Location = fortiGateLab.fortilab.local:port3
Container = Firewall
Access Value = null
Auth Type = -1
Outer EAP Type = -1
Inner EAP Type = -1
Attributes is empty

---ADAPTERS-----------------------

============================================================================

 

  3. Check User attributes:

 

naclab1 # execute enter-shell

naclab1:~$ DumpUserRecords -userid srogers
UserRecord:
Landscape = 91769544454 00:15:5D:E4:1F:06
ID = 7
Role = NAC-Default
Type = UserRecord
Admin Profile DBID = 0
Directory Policy = null
DN = CN=srogers,CN=Users,DC=forti,DC=lab
Position = null
Email Address = null
First Name = srogers
Last Name = null
User ID = srogers
notes = null
Creation Time = Fri May 17 11:40:41 CEST 2024

Expiration Date = Not Configured
Inactivity Days = Not Configured
Inactivity Date = Not Configured
Last Login Date = Fri Jun 21 10:50:23 CEST 2024
Status = Disconnected
Security Access Value = null
locale = en_US
Address = null
City = null
State = null
Zip = null
Country = US
Organization = null
Organizational Unit = null
Phone = null
Mobile Number = null

Mobile Provider = null
Propagate Hosts = true
Is API Admin = false
API Access Token = null
Trusted Hosts = null
Extra Info =
Attribute: Directory = 10.10.10.2
Attribute: MODEL_NAME = fortiDC
Attribute: AuthenticateType = LDAP
Attribute: msDS-PrincipalName = FORTI\srogers

 

In FortiNAC-F v7.4 and later, user records can be validated with the following CLI command:

 

diagnose user list user-id <user-id>
Usage: diagnose user list [-admin] [-policy] [device-id <device-id>] (all | dbid <dbid> | first <first> | last <last> | email <email> | user-id <user-id>)

all Select all user records
dbid <dbid> Select user records by database id
first <first> Select user records by first name
last <last> Select user records by last name
email <email> Select user records by email id
user-id <user-id> Select user records by user id
-admin Display admin user records
-policy Display policy for selected user
device-id <device-id> device id (used with -policy)

 

  4. Check Application attributes: The application inventory can be verified under Users & Hosts -> Hosts by right-clicking the specific host and selecting 'Host Applications'. This shows the applications currently running on the host, and the administrator can also export the list in the required format. Application collection by FortiNAC requires that the host has the Persistent Agent installed or is managed by an MDM solution with the app collection feature enabled.

 

Figure 2. Export Host Application collection information.

 

Administrators can use the provided output from each step to identify which criteria do not match the expected policy.
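The comparison described in the steps above, as an added example that is not part of the Fortinet article or product: a small Python script that parses the "Key = Value" lines printed by dumphostrecords or diagnose host list (the sample record below is constructed from the article's output) and checks them against a hypothetical profile dictionary, reporting each attribute that fails to match.

```python
# Added example (not part of the Fortinet article): parse "Key = Value" output
# from dumphostrecords / diagnose host list and compare it with profile criteria.
import re

# Constructed sample, trimmed from the article's dumphostrecords output.
SAMPLE_HOST_RECORD = """\
Host Record:
ID = 154
hostName = DESKTOP-J47UPA9
owner = srogers
os = Windows 10
Expiration Date =
role = NAC-Default
Managed By MDM = false
Attributes is empty
Adapter[0] = 00:0C:29:5A:2E:6B
"""

LINE_RE = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$")

def parse_record(text):
    """Return {attribute: value}; 'null' and empty values become None."""
    attrs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # skips headers such as "Host Record:" or
            continue       # "Attributes is empty" (no "=" sign)
        key, value = m.group(1), m.group(2)
        attrs[key] = None if value in ("", "null") else value
    return attrs

def find_mismatches(record, criteria):
    """criteria is a hypothetical dict of attribute -> expected value or
    list of allowed values. Returns {attribute: (expected, actual)}."""
    mismatches = {}
    for key, expected in criteria.items():
        allowed = expected if isinstance(expected, list) else [expected]
        actual = record.get(key)
        if actual not in allowed:
            mismatches[key] = (expected, actual)
    return mismatches

# Hypothetical profile: role and OS match, but it also requires an MDM-managed host.
PROFILE = {"role": "NAC-Default", "os": ["Windows 10", "Windows 11"],
           "Managed By MDM": "true"}

if __name__ == "__main__":
    rec = parse_record(SAMPLE_HOST_RECORD)
    for k, (exp, act) in find_mismatches(rec, PROFILE).items():
        print(f"{k}: profile expects {exp!r}, host record has {act!r}")
```

On v7.4 and later, the -format json option of diagnose host list gives structured output that can be loaded directly instead of parsing the text form.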

 

Related documents:

Policy details

User/host profiles

Technical Tip: Troubleshooting policies

Troubleshooting Tip: Policy not matching with access values defined in user/host profile

Technical Tip: User not matching policy requiring LDAP Group

Technical Note: Troubleshooting location based Network Access policies