FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Article Id 343745
Description This article describes how to investigate cases where FortiNAC policies do not match wireless-connected hosts when Location is used as the matching criterion.
Scope FortiNAC-F, FortiNAC
Solution

In wireless scenarios, FortiNAC learns about hosts through the RADIUS protocol. When Location is used as a filter for policy matching, the location can be the Device (AP), the SSID, or both. Further options allow specific locations to be excluded.

In cases where the policy does not match a wireless-connected host, check the following:

  1. Device/Port group contains the correct Device/SSID as a member:
  • Verify that the specific AP is added to a Device group. Go to System -> Groups and create a new group with 'Member Type' = Device, then add the AP to the group by moving it to the right-hand (member) list.

Figure 1. AP added as member of the Device group to be used as location filter.

  • Verify that the specific SSID is added to a Port group. Create a Port group in System -> Groups with 'Member Type' = Port, then go to Network -> Inventory -> SSIDs, right-click the needed SSID and select Group Membership.

Figure 2. SSID added as member of the "SSID_Site1" port group that will be used as location filter.

  • Add Location in the 'Where' filter of the User/Host profile. Go to Policy & Objects -> User/Host Profiles, create a new entry with Location as the matching criteria, and add the Device group containing the AP or the Port group containing the SSID.

Figure 3. Specifying the Device/Port groups to be used as location filter.

  2. Check whether FortiNAC is receiving the location attributes in the RADIUS Access-Requests. FortiNAC learns the Device and SSID from the attributes of the RADIUS Access-Request received when the wireless host first connects. The key attribute is 'Called-Station-Id' (formatted as AP MAC followed by the SSID); as the logs below show, the NAS-Identifier and Fortinet-SSID attributes are parsed as well.

Example logs from an authenticated user connecting to the 'NACLAB1-corp' SSID:

yams.RadiusAccess.AE:AD:48:29:C0:7F FINE :: 2024-09-24 11:34:38:271 :: #650 :: Edge device found for calledStationId [70-4C-A5-XX-XX-XX:NACLAB1-corp]: ManagedElem: FP421ETFXXXXXXX (172.16.17.2 / 70:4C:A5:B1:83:C8) [ID=486]
yams.DeviceInterface FINER :: 2024-09-24 11:34:38:277 :: #650 :: DeviceServer.parseSSID for device IP 10.10.10.1 and val 70-4C-A5-XX-XX-XX:NACLAB1-corp and nasIdentifier 172.16.17.2/5246-NACLAB1-corp
yams INFO :: 2024-09-24 11:34:38:277 :: #650 :: http-nio-127.0.0.1-8081-exec-12 Fortigate.parseSSID converted nasIdentifier 172.16.17.2/5246-NACLAB1-corp to ssidIfaceName NACLAB1-corp

yams INFO :: 2024-09-24 11:34:38:277 :: #650 :: http-nio-127.0.0.1-8081-exec-12 Fortigate.parseSSID looking for WLAN with name NACLAB1-corp and ssidIfaceName NACLAB1-corp
yams INFO :: 2024-09-24 11:34:38:277 :: #650 :: http-nio-127.0.0.1-8081-exec-12 Fortigate.findSSID looking for NACLAB1-corp(ssidIfaceName:NACLAB1-corp)
yams INFO :: 2024-09-24 11:34:38:277 :: #650 :: http-nio-127.0.0.1-8081-exec-12 Fortigate.findSSID putting SSID iface root:NACLAB1-corp (488) with SSIDName NACLAB1-corp on cache
yams.RadiusAccess.AE:AD:48:29:C0:7F FINE :: 2024-09-24 11:34:38:277 :: #650 :: Found SSID ManagedElem: fortiGateLab.fortilab.local:SSID root:NACLAB1-corp (null:0) [ID=488] in request packet, dot1x = true
yams.RadiusAccess.AE:AD:48:29:C0:7F FINE :: 2024-09-24 11:34:39:918 :: #2017 :: Edge device found for calledStationId [70-4C-A5-XX-XX-XX:NACLAB1-corp]: ManagedElem: FP421ETFXXXXXXX (172.16.17.2 / 70:4C:A5:B1:83:C8) [ID=486]
yams.DeviceInterface FINER :: 2024-09-24 11:34:39:922 :: #2017 :: DeviceServer.parseSSID for device IP 10.10.10.1 and val 70-4C-A5-XX-XX-XX:NACLAB1-corp and nasIdentifier 172.16.17.2/5246-NACLAB1-corp
yams INFO :: 2024-09-24 11:34:39:922 :: #2017 :: http-nio-127.0.0.1-8081-exec-22 Fortigate.parseSSID converted nasIdentifier 172.16.17.2/5246-NACLAB1-corp to ssidIfaceName NACLAB1-corp

yams INFO :: 2024-09-24 11:34:39:922 :: #2017 :: http-nio-127.0.0.1-8081-exec-22 Fortigate.parseSSID looking for WLAN with name NACLAB1-corp and ssidIfaceName NACLAB1-corp
yams.RadiusAccess.AE:AD:48:29:C0:7F FINE :: 2024-09-24 11:34:39:922 :: #2017 :: Found SSID ManagedElem: fortiGateLab.fortilab.local:SSID root:NACLAB1-corp (null:0) [ID=488] in request packet, dot1x = true
yams.RadiusAccess.AE:AD:48:29:C0:7F CONFIG :: 2024-09-24 11:34:40:078 :: #1182 :: -- Called-Station-Id = [70-4C-A5-XX-XX-XX:NACLAB1-corp] (RadAttr Type=string)
yams.RadiusAccess.AE:AD:48:29:C0:7F CONFIG :: 2024-09-24 11:34:40:078 :: #1182 :: -- Fortinet-SSID = [NACLAB1-corp] (RadAttr Type=string)
yams.RadiusAccess.AE:AD:48:29:C0:7F CONFIG :: 2024-09-24 11:34:40:078 :: #1182 :: -- NAS-Identifier = [172.16.17.2/5246-NACLAB1-corp] (RadAttr Type=string)
yams.RadiusAccess.AE:AD:48:29:C0:7F CONFIG :: 2024-09-24 11:34:40:078 :: #1182 :: -- User-Name = [srogers] (RadAttr Type=string)
yams.RadiusAccess.AE:AD:48:29:C0:7F FINE :: 2024-09-24 11:34:40:091 :: #1182 :: Register Client: srogers
yams.FingerprintServer FINER :: 2024-09-24 11:34:40:092 :: #668 :: unsorted by source rank = [Fingerprint [dbid=1343, source=RADIUS Auth Request, physAddress=AE:AD:48:XX:XX:XX, ipAddress=null, hostName=null, entityTag=null, os=null, createTime=2024-09-24 11:34:40.0, lastHeardTime=2024-09-24 11:34:40.0, attributes={WLAN-AKM-Suite=1027073, EAP-Type-Name=MSCHAPV2,PEAP, Hint=8cdf01fc-a28a-4577-9b3c-accea40e3b31, NAS-IP-Address=10.10.10.1, NAS-Identifier=172.16.17.2/5246-NACLAB1-corp, Event-Timestamp=Sep 24 2024 11:34:40 CEST, Fortinet-AP-Name=FP421ETFXXXXXXX, NAS-Port-Type=19, Acct-Multi-Session-Id=8D1AF1426178C566, FreeRADIUS-Proxied-To=127.0.0.1, User-Name=srogers, Calling-Station-Id=AE-AD-48-XX-XX-XX, EAP-Type=26,25, FortiNAC-Nas-Src-Ip=10.10.10.1, Called-Station-Id=70-4C-A5-XX-XX-XX:NACLAB1-corp, Virtual-Server=DefaultConfig, NAS-Port=1, Service-Type=2, WLAN-Group-Cipher=1027076, WLAN-Pairwise-Cipher=1027076, EAP-Message=0x026400061a03, Framed-MTU=1400, State=0x87a3100786c70a69f281f2fd064390d1, Acct-Session-Id=66EC2CCF0000000B, Connect-Info=CONNECT 0/0Mbps(Tx/Rx) 11AC, Fortinet-SSID=NACLAB1-corp}]]
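As an added illustration (not part of this article or of FortiNAC's own code), the following Python script reproduces the parsing the logs above show, splitting Called-Station-Id into AP MAC and SSID and deriving the SSID interface name from NAS-Identifier, and then checks the result against Device and Port group membership the way steps 1 and 2 describe. The attribute formats are assumed from the log lines; the group names 'Site1_APs' and 'SSID_Site1' and the check_location helper are hypothetical.

```python
import re

# Constructed attributes, mirroring the Called-Station-Id / NAS-Identifier /
# Fortinet-SSID values in the article's debug logs (MAC octets masked as there).
SAMPLE_REQUEST = {
    "Called-Station-Id": "70-4C-A5-XX-XX-XX:NACLAB1-corp",
    "NAS-Identifier": "172.16.17.2/5246-NACLAB1-corp",
    "Fortinet-SSID": "NACLAB1-corp",
}
# Hypothetical stand-ins for System -> Groups: a Device group holding the AP's
# MAC and a Port group holding the SSID (the two inputs of a Location filter).
DEVICE_GROUPS = {"Site1_APs": {"70:4C:A5:XX:XX:XX"}}
PORT_GROUPS = {"SSID_Site1": {"NACLAB1-corp"}}

# Assumed formats: 'AP-MAC[:SSID]' (dash or colon separated MAC) and 'ip/port-ifname'.
MAC_RE = re.compile(r"^([0-9A-FX]{2}(?:[-:][0-9A-FX]{2}){5})(?::(.*))?$", re.I)
NAS_ID_RE = re.compile(r"^(?P<ip>[^/]+)/(?P<port>\d+)-(?P<iface>.+)$")

def parse_called_station_id(value):
    """Split 'AP-MAC:SSID' into (normalised MAC, SSID); SSID may be absent."""
    m = MAC_RE.match(value or "")
    if not m:
        return None, None
    mac = m.group(1).upper().replace("-", ":")
    return mac, m.group(2)  # group(2) is None when there is no ':SSID' suffix

def parse_nas_identifier(value):
    """Derive the SSID interface name from 'ip/port-ifname' (assumed format)."""
    m = NAS_ID_RE.match(value or "")
    return m.group("iface") if m else None

def check_location(attrs, device_groups=DEVICE_GROUPS, port_groups=PORT_GROUPS):
    """Report which Device/Port groups an Access-Request would satisfy, and why not."""
    ap_mac, ssid = parse_called_station_id(attrs.get("Called-Station-Id"))
    ssid = ssid or attrs.get("Fortinet-SSID") or parse_nas_identifier(attrs.get("NAS-Identifier"))
    result = {"ap_mac": ap_mac, "ssid": ssid, "device_groups": [], "port_groups": [], "problems": []}
    if ap_mac is None:
        result["problems"].append("Called-Station-Id missing or not 'MAC:SSID'; AP cannot be located")
    else:
        result["device_groups"] = [g for g, macs in device_groups.items() if ap_mac in macs]
        if not result["device_groups"]:
            result["problems"].append(f"AP {ap_mac} is not a member of any Device group")
    if ssid is None:
        result["problems"].append("no SSID in Called-Station-Id, Fortinet-SSID or NAS-Identifier")
    else:
        result["port_groups"] = [g for g, ssids in port_groups.items() if ssid in ssids]
        if not result["port_groups"]:
            result["problems"].append(f"SSID {ssid} is not a member of any Port group")
    return result

if __name__ == "__main__":
    print(check_location(SAMPLE_REQUEST))
```

An empty "problems" list means both halves of the Location filter would be satisfied; each entry otherwise points at the step above (group membership or missing attribute) to revisit.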

The same details can be checked in the FortiNAC GUI in the Endpoint Fingerprints view. Once FortiNAC receives the Access-Request, it builds a fingerprint in which the parsed attributes for the RADIUS source method can be seen.

Filter by using the MAC address in the 'Physical Address' column and then 'right-click' and select 'Show Attributes'.

This will present an 'Attribute Details' view on the right.

Figure 4. Checking AP and SSID information in Endpoint Fingerprints for the incoming RADIUS Access-Request.

Related documents:

SSID Configuration

Technical Tip: Comprehensive guide for a simple FortiNAC deployment

Technical Tip: Track rogue/host profiling data through Endpoint Fingerprints.

Technical Tip: Investigate Policy/Access Enforcement events for Wireless connecting endpoints

Technical Tip: A simple deployment including FortiGate/FortiAP (self-registered guest)