FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Article Id 343745
Description This article describes how to investigate cases where FortiNAC policies do not match wireless-connected hosts when the Location is used as matching criteria.
Scope FortiNAC-F, FortiNAC.
Solution

In wireless scenarios, FortiNAC learns about hosts through RADIUS. When Location is used as a filter for policy matching, the Device (AP), the SSID, or both can be used as the matching criterion, and further options allow specific locations to be excluded.

In cases where the policy does not match a wireless-connected host, check the following:

  1. Device/port group contains the correct Device/SSID as a member:
  • Verify that the specific AP is a member of a Device group. Go to System -> Groups, create a new Group with 'Member Type' = Device, and add the AP to the group by moving it to the right-hand (member) column.

Figure 1. AP added as a member of the Device group to be used as the location filter.

  • Verify that the specific SSID is a member of a Port group. Create a Port group in System -> Groups with 'Member Type' = Port. Go to Network -> Inventory -> SSIDs, right-click the required SSID, and select Group Membership.

Figure 2. SSID added as a member of the "SSID_Site1" port group that will be used as the location filter.

  • Add Location to the 'Where' filter of the User/Host profile. Go to Policy & Objects -> User/Host Profiles, create a new entry with Location as the matching criterion, and add the Device group containing the AP and/or the Port group containing the SSID.

Figure 3. Specifying the Device/Port groups to be used as the location filter.

Another way to achieve the same result is to use the RADIUS 'Called-Station-Id' attribute, as shown in Endpoint Fingerprints, as a criterion in User/Host Profiles under Policy & Objects.

Go to Users & Hosts -> Endpoint Fingerprints and select a sample host that authenticates through RADIUS. Find its RADIUS fingerprint, right-click it, and select 'Show Attributes'.

Figure: Radius Fingerprint.png

Once the Called-Station-Id value is located, go to Policy & Objects -> User/Host Profiles and create a new profile or edit an existing one.

Figure: Radius Attribute - UHP.png

  2. FortiNAC learns the Device and SSID information from the attributes of the RADIUS Access-Request received when a wireless-connected host first connects. The relevant attribute is 'Called-Station-Id'.

Example logs for an authenticated user connecting to the 'NACLAB1-corp' SSID:

yams.RadiusAccess.AE:AD:48:29:C0:7F FINE :: 2024-09-24 11:34:38:271 :: #650 :: Edge device found for calledStationId [70-4C-A5-XX-XX-XX:NACLAB1-corp]: ManagedElem: FP421ETFXXXXXXX (172.16.17.2 / 70:4C:A5:B1:83:C8) [ID=486]
yams.DeviceInterface FINER :: 2024-09-24 11:34:38:277 :: #650 :: DeviceServer.parseSSID for device IP 10.10.10.1 and val 70-4C-A5-XX-XX-XX:NACLAB1-corp and nasIdentifier 172.16.17.2/5246-NACLAB1-corp
yams INFO :: 2024-09-24 11:34:38:277 :: #650 :: http-nio-127.0.0.1-8081-exec-12 Fortigate.parseSSID converted nasIdentifier 172.16.17.2/5246-NACLAB1-corp to ssidIfaceName NACLAB1-corp

yams INFO :: 2024-09-24 11:34:38:277 :: #650 :: http-nio-127.0.0.1-8081-exec-12 Fortigate.parseSSID looking for WLAN with name NACLAB1-corp and ssidIfaceName NACLAB1-corp
yams INFO :: 2024-09-24 11:34:38:277 :: #650 :: http-nio-127.0.0.1-8081-exec-12 Fortigate.findSSID looking for NACLAB1-corp(ssidIfaceName:NACLAB1-corp)
yams INFO :: 2024-09-24 11:34:38:277 :: #650 :: http-nio-127.0.0.1-8081-exec-12 Fortigate.findSSID putting SSID iface root:NACLAB1-corp (488) with SSIDName NACLAB1-corp on cache
yams.RadiusAccess.AE:AD:48:29:C0:7F FINE :: 2024-09-24 11:34:38:277 :: #650 :: Found SSID ManagedElem: fortiGateLab.fortilab.local:SSID root:NACLAB1-corp (null:0) [ID=488] in request packet, dot1x = true
yams.RadiusAccess.AE:AD:48:29:C0:7F FINE :: 2024-09-24 11:34:39:918 :: #2017 :: Edge device found for calledStationId [70-4C-A5-XX-XX-XX:NACLAB1-corp]: ManagedElem: FP421ETFXXXXXXX (172.16.17.2 / 70:4C:A5:B1:83:C8) [ID=486]
yams.DeviceInterface FINER :: 2024-09-24 11:34:39:922 :: #2017 :: DeviceServer.parseSSID for device IP 10.10.10.1 and val 70-4C-A5-XX-XX-XX:NACLAB1-corp and nasIdentifier 172.16.17.2/5246-NACLAB1-corp
yams INFO :: 2024-09-24 11:34:39:922 :: #2017 :: http-nio-127.0.0.1-8081-exec-22 Fortigate.parseSSID converted nasIdentifier 172.16.17.2/5246-NACLAB1-corp to ssidIfaceName NACLAB1-corp

yams INFO :: 2024-09-24 11:34:39:922 :: #2017 :: http-nio-127.0.0.1-8081-exec-22 Fortigate.parseSSID looking for WLAN with name NACLAB1-corp and ssidIfaceName NACLAB1-corp
yams.RadiusAccess.AE:AD:48:29:C0:7F FINE :: 2024-09-24 11:34:39:922 :: #2017 :: Found SSID ManagedElem: fortiGateLab.fortilab.local:SSID root:NACLAB1-corp (null:0) [ID=488] in request packet, dot1x = true
yams.RadiusAccess.AE:AD:48:29:C0:7F CONFIG :: 2024-09-24 11:34:40:078 :: #1182 :: -- Called-Station-Id = [70-4C-A5-XX-XX-XX:NACLAB1-corp] (RadAttr Type=string)
yams.RadiusAccess.AE:AD:48:29:C0:7F CONFIG :: 2024-09-24 11:34:40:078 :: #1182 :: -- Fortinet-SSID = [NACLAB1-corp] (RadAttr Type=string)
yams.RadiusAccess.AE:AD:48:29:C0:7F CONFIG :: 2024-09-24 11:34:40:078 :: #1182 :: -- NAS-Identifier = [172.16.17.2/5246-NACLAB1-corp] (RadAttr Type=string)
yams.RadiusAccess.AE:AD:48:29:C0:7F CONFIG :: 2024-09-24 11:34:40:078 :: #1182 :: -- User-Name = [srogers] (RadAttr Type=string)
yams.RadiusAccess.AE:AD:48:29:C0:7F FINE :: 2024-09-24 11:34:40:091 :: #1182 :: Register Client: srogers
yams.FingerprintServer FINER :: 2024-09-24 11:34:40:092 :: #668 :: unsorted by source rank = [Fingerprint [dbid=1343, source=RADIUS Auth Request, physAddress=AE:AD:48:XX:XX:XX, ipAddress=null, hostName=null, entityTag=null, os=null, createTime=2024-09-24 11:34:40.0, lastHeardTime=2024-09-24 11:34:40.0, attributes={WLAN-AKM-Suite=1027073, EAP-Type-Name=MSCHAPV2,PEAP, Hint=8cdf01fc-a28a-4577-9b3c-accea40e3b31, NAS-IP-Address=10.10.10.1, NAS-Identifier=172.16.17.2/5246-NACLAB1-corp, Event-Timestamp=Sep 24 2024 11:34:40 CEST, Fortinet-AP-Name=FP421ETFXXXXXXX, NAS-Port-Type=19, Acct-Multi-Session-Id=8D1AF1426178C566, FreeRADIUS-Proxied-To=127.0.0.1, User-Name=srogers, Calling-Station-Id=AE-AD-48-XX-XX-XX, EAP-Type=26,25, FortiNAC-Nas-Src-Ip=10.10.10.1, Called-Station-Id=70-4C-A5-XX-XX-XX:NACLAB1-corp, Virtual-Server=DefaultConfig, NAS-Port=1, Service-Type=2, WLAN-Group-Cipher=1027076, WLAN-Pairwise-Cipher=1027076, EAP-Message=0x026400061a03, Framed-MTU=1400, State=0x87a3100786c70a69f281f2fd064390d1, Acct-Session-Id=66EC2CCF0000000B, Connect-Info=CONNECT 0/0Mbps(Tx/Rx) 11AC, Fortinet-SSID=NACLAB1-corp}]]
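As an added troubleshooting helper (not part of the article or of FortiNAC itself), the Python below parses the attribute dump lines of the kind shown above, splits Called-Station-Id into AP MAC and SSID, and replays the Location filter against constructed Device and Port group memberships. The rule that both groups must match when both are configured is this example's own assumption, not something the article states.

```python
import re

# Constructed sample: the four CONFIG attribute lines from the excerpt above (AP MAC masked as on the page).
SAMPLE_LOG = """\
yams.RadiusAccess.AE:AD:48:29:C0:7F CONFIG :: 2024-09-24 11:34:40:078 :: #1182 :: -- Called-Station-Id = [70-4C-A5-XX-XX-XX:NACLAB1-corp] (RadAttr Type=string)
yams.RadiusAccess.AE:AD:48:29:C0:7F CONFIG :: 2024-09-24 11:34:40:078 :: #1182 :: -- Fortinet-SSID = [NACLAB1-corp] (RadAttr Type=string)
yams.RadiusAccess.AE:AD:48:29:C0:7F CONFIG :: 2024-09-24 11:34:40:078 :: #1182 :: -- NAS-Identifier = [172.16.17.2/5246-NACLAB1-corp] (RadAttr Type=string)
yams.RadiusAccess.AE:AD:48:29:C0:7F CONFIG :: 2024-09-24 11:34:40:078 :: #1182 :: -- User-Name = [srogers] (RadAttr Type=string)
"""

# Matches the 'Name = [value]' attribute dump lines written by the RadiusAccess logger.
ATTR_RE = re.compile(r"-- ([A-Za-z0-9-]+) = \[([^\]]*)\]")

def parse_radius_attributes(log_text):
    """Return {attribute name: value} for every attribute dump line in the excerpt."""
    return {name: value for name, value in ATTR_RE.findall(log_text)}

def norm_mac(mac):
    """Inventory shows 70:4C:A5:..., RADIUS sends 70-4C-A5-...; compare both in one form."""
    return mac.upper().replace(":", "-")

def split_called_station_id(value):
    """Wireless Called-Station-Id is '<AP MAC>:<SSID>'; a wired NAS sends the MAC only."""
    mac, sep, ssid = value.partition(":")
    return norm_mac(mac), (ssid if sep else None)

def check_location(attrs, device_group_macs=(), port_group_ssids=()):
    """Replay the Location 'Where' filter against one parsed Access-Request.
    device_group_macs: AP MACs that are members of the Device group (empty = not used).
    port_group_ssids:  SSID names that are members of the Port group (empty = not used).
    Assumption (not from the article): when both groups are configured, both must match.
    """
    ap_mac, ssid = split_called_station_id(attrs.get("Called-Station-Id", ""))
    ssid = attrs.get("Fortinet-SSID") or ssid  # vendor attribute carries the plain SSID name
    reasons = []
    if not device_group_macs and not port_group_ssids:
        reasons.append("Location filter has neither a Device group nor a Port group")
    if device_group_macs and ap_mac not in {norm_mac(m) for m in device_group_macs}:
        reasons.append(f"AP {ap_mac} is not a member of the Device group")
    if port_group_ssids and ssid not in set(port_group_ssids):
        reasons.append(f"SSID {ssid} is not a member of the Port group")
    return {"ap_mac": ap_mac, "ssid": ssid, "matched": not reasons, "reasons": reasons}

if __name__ == "__main__":
    attrs = parse_radius_attributes(SAMPLE_LOG)
    # Device group holds the AP as listed in Inventory (colon form); Port group holds the SSID.
    print(check_location(attrs, {"70:4C:A5:XX:XX:XX"}, {"NACLAB1-corp"}))
    # Port group points at a different SSID: the profile would not match this host.
    print(check_location(attrs, (), {"NACLAB1-guest"}))
```

Feed the script the CONFIG attribute lines of the host in question and compare the reported reasons with the group memberships configured in System -> Groups.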

The same details can be checked in the FortiNAC GUI, as described in Technical Tip: Track rogue/host profiling data through Endpoint Fingerprints. Once FortiNAC receives the Access-Request, it builds a profile in which the parsed attributes can be seen, with RADIUS as the source method.

Filter by the host's MAC address in the 'Physical Address' column, then right-click the entry and select 'Show Attributes'. This opens an 'Attribute Details' view on the right.

Figure 4. Checking AP and SSID information in Endpoint Fingerprints for the incoming RADIUS Access-Request.

Related documents:

SSID Configuration

Technical Tip: Comprehensive guide for a simple FortiNAC deployment

Technical Tip: Track rogue/host profiling data through Endpoint Fingerprints

Technical Tip: Investigate Policy/Access Enforcement events for Wireless connecting endpoints

Technical Tip: A simple deployment including FortiGate/FortiAP (self-registered guest)