FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
khoffman
Staff
Article Id 314766
Description

This article describes how to use the CLI tool 'RemoteAccess' to determine if a VPN IP address is considered to be managed.

Managed IP addresses are the addresses FortiNAC uses to keep track of active VPN clients and of addresses that may become active.

FortiNAC uses syslog messages sent from the VPN concentrator to determine when a VPN tunnel has been established or terminated.

If the IP address contained within the syslog message is not considered 'Managed', the syslog message is ignored.

If the IP address contained in the syslog message is considered 'Managed', a ProbeObject is created. This object is stored in memory to keep track of the active VPN session until the session is terminated.

The remoteAccess CLI tool can be used for all supported VPN integrations, including FortiGate VPN, Cisco ASA VPN, and Palo Alto VPN.

Scope

FortiNAC-F 7.2+.
Solution
  1. Log in to the FortiNAC CLI.
  2. Enter the shell:

execute enter-shell

  3. From the shell, use the remoteAccess CLI tool to print all managed VPN addresses:

remoteaccess -dump

Example output:

> remoteaccess -dump
Dumping managed IP list:
[172.16.195.189, 172.16.195.187, 172.16.195.188, 172.16.195.185, 172.16.195.186, 172.16.195.183, 172.16.195.184, 172.16.195.181, 172.16.195.182, 172.16.195.180, 172.16.195.178, 172.16.195.179, 172.16.195.176, 172.16.195.177, 172.16.195.174, 172.16.195.175, 172.16.195.172, 172.16.195.173, 172.16.195.170, 172.16.195.171, 172.16.195.198, 172.16.195.199, 172.16.195.196, 172.16.195.197, 172.16.198.98, 172.16.195.194, 172.16.198.99, 172.16.195.195, 172.16.198.96, 172.16.195.192, 172.16.198.97, 172.16.195.193, 172.16.198.94, 172.16.195.190, 172.16.198.95, 172.16.195.191, 172.16.195.15, 172.16.195.16, 172.16.195.17, 172.16.195.18, 172.16.195.11, 172.16.195.12, 172.16.195.13, 172.16.195.14, 172.16.198.115, 172.16.198.236, 172.16.198.116, 172.16.198.237, 172.16.198.117, 172.16.198.238, 172.16.198.118]

The output above lists all of the IP addresses that are inactive but are to be managed by FortiNAC. If the output does not include the IP addresses expected to be managed by FortiNAC, review the configuration to determine why the managed addresses are missing:

FortiGate VPN: Addresses are defined within the VDOM configuration. Managed addresses should be defined in the 'VPN Addresses' section.

Cisco ASA: FortiNAC reads all IP addresses in both the NSOpenGroup and the Restricted group to generate the list of managed address objects. FortiNAC reads these values via the CLI.

Note: The Restricted Group value is set in the model configuration option (right-click the ASA in the Inventory view).

Palo Alto: Addresses are defined within the model configuration. Managed addresses should be defined in the 'VPN Addresses' section.

Note: After modifying any address objects, a re-sync of the network device's interfaces is required to populate the new 'RemoteAccess' objects.

  4. From the shell, use the remoteAccess CLI tool to print the status of a single active VPN client.

Syntax:

remoteAccess -remoteIP <VPN-Client-IP>

Example:

RemoteAccess -remoteIP 172.21.252.2
IP Address = 172.21.252.2                      <- IP address of the VPN client, sent via syslog.
MAC Address = E0:D0:45:A5:B1:35                <- IP-to-MAC resolution is provided by the agent.
Device Id = 2183                               <- Database ID of the network device in FortiNAC.
Interface Id = 2262                            <- Database ID of the port in FortiNAC.
User Name = nacnac                             <- Username used to authenticate to the VPN, sent via syslog.
Session Id = 1461701929                        <- Session ID sent via syslog.
Time Captured = Thu Apr 11 13:38:02 EST 2024   <- Time the syslog message was sent.
InetAddress = null

The output shown above is an example of an active VPN client.
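As an added illustration (not part of the Fortinet article and not FortiNAC's own code), the following Python reproduces the managed-address check described in the Description and Solution sections offline: it parses `remoteaccess -dump` output, splits VPN client IPs as they would arrive in concentrator syslog into those FortiNAC would track and those it would ignore, and parses `remoteAccess -remoteIP` output into fields. The sample outputs are constructed and shortened from the article's examples.

```python
import ipaddress
import re

# Constructed samples in the formats the article shows (shortened, not
# captured from a real FortiNAC-F appliance).
SAMPLE_DUMP = """> remoteaccess -dump
Dumping managed IP list:
[172.16.195.189, 172.16.195.187, 172.16.198.98, 172.16.195.15]
"""
SAMPLE_CLIENT = """IP Address = 172.21.252.2
MAC Address = E0:D0:45:A5:B1:35
Device Id = 2183
User Name = nacnac
Session Id = 1461701929
InetAddress = null
"""

def parse_dump(text):
    """Managed IP set from `remoteaccess -dump` (one bracketed, comma-separated
    line). Tokens that are not valid addresses are dropped, so a garbled line
    is never mistaken for a managed entry."""
    match = re.search(r"\[(.*?)\]", text, re.S)
    managed = set()
    for token in (match.group(1).split(",") if match else []):
        try:
            managed.add(str(ipaddress.ip_address(token.strip())))
        except ValueError:
            continue
    return managed

def triage_clients(client_ips, dump_text):
    """Split VPN client IPs (as reported in concentrator syslog) into those
    FortiNAC would track (a ProbeObject is created) and those it would ignore
    because they are absent from the managed list."""
    managed = parse_dump(dump_text)
    tracked = sorted((ip for ip in client_ips if ip in managed),
                     key=ipaddress.ip_address)
    ignored = sorted((ip for ip in client_ips if ip not in managed),
                     key=ipaddress.ip_address)
    return tracked, ignored

def parse_remote_ip(text):
    """`remoteAccess -remoteIP` output ('Key = Value' lines) as a dict; the
    literal 'null' becomes None so callers can test for a missing value."""
    fields = {}
    for line in text.splitlines():
        if " = " in line:
            key, value = (part.strip() for part in line.split(" = ", 1))
            fields[key] = None if value == "null" else value
    return fields
```

Feed `triage_clients` the client IPs from a concentrator's VPN-connect syslog events and the real `-dump` output to see which sessions FortiNAC will never track because their address is not managed.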