FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 191665

Description

This article describes the following message, which displays on the endstation upon installation of the Persistent Agent: 'The computer name in the certificate, bradfordnetworks.com, does not match the name of the target computer, <NAC server name>. Unable to connect.'

This message will appear when FortiNAC does not have a valid SSL Certificate installed for the Persistent Agent target.

The general process the Persistent Agent uses to communicate is as follows:

 

  1. Determine the identity of the NAC Server or Application Server to which the agent should connect. This information can be provided to the agent in one of three ways:
     • Agent server communication while in Captive Portal using DNS SRV records.
     • Registry key configuration via software push.
     • SRV Records on corporate production DNS server.
  2. Attempt to establish communication to the server over SSL/TLS using TCP port 4568*. This communication requires SSL certificates installed on FortiNAC.
  3. Once SSL/TLS communication is established, either UDP port 4567 or TCP 4568** is used for most other agent/server communication.


*If the Security Registry Key setting on the endstations installing the agent is disabled, SSL certificates are not required.

**Agent v5.x and later with NAC 8.2 and later uses TCP 4568 only.

Scope


FortiNAC, Persistent Agent v3.x and higher.


Solution


Option 1: Install or renew the SSL Certificate in NAC for the Persistent Agent target.  Refer to Cookbook Recipe Installing SSL Certificates.
Option 2: Disable the Security Registry Key setting on the endstations installing the agent.  This can only be done via software push.  Refer to Cookbook Recipe Distributing Agent and Registry Settings.
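
A check that can be run after installing or renewing the certificate (Option 1): it compares the names in the certificate against the server name the agent targets, which is the comparison behind the message above. This is an added example, not Fortinet code; the host name `nac01.example.com`, the sample certificate dictionaries and all function names are constructed, and the matching follows standard TLS hostname rules as an assumption about how the agent compares names.

```python
import socket
import ssl

AGENT_TLS_PORT = 4568  # TCP port the article lists for agent SSL/TLS


def cert_names(cert):
    """DNS names in a getpeercert()-style dict: SAN entries, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Exact match, or one wildcard in the left-most label (standard TLS rule)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def check_target(cert, target):
    """Return (ok, names): does any certificate name cover the agent's target?"""
    names = cert_names(cert)
    return any(name_matches(n, target) for n in names), names


def diagnose(target, port=AGENT_TLS_PORT, cafile=None, timeout=5.0):
    """Connect to the agent port and report which certificate check fails."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # compare names ourselves so they can be reported
    try:
        with socket.create_connection((target, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=target) as tls:
                ok, names = check_target(tls.getpeercert(), target)
    except ssl.SSLCertVerificationError as exc:
        return f"chain not trusted: {exc.verify_message}"
    return "ok" if ok else f"name mismatch: certificate covers {names}, target is {target}"


# Constructed samples: the certificate name quoted in the article's message,
# and a replacement certificate issued for a hypothetical server name.
MISMATCHED_CERT = {"subject": ((("commonName", "bradfordnetworks.com"),),)}
RENEWED_CERT = {"subject": ((("commonName", "nac01.example.com"),),),
                "subjectAltName": (("DNS", "nac01.example.com"),)}

if __name__ == "__main__":
    print(check_target(MISMATCHED_CERT, "nac01.example.com"))
    print(check_target(RENEWED_CERT, "nac01.example.com"))
```

Call `diagnose()` with the exact server name the agent receives from the SRV record or registry key; pass `cafile` when the certificate was issued by an internal CA that the machine running the check does not already trust.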

For additional information, refer to the related articles below.

Related articles:

Technical Note: Persistent Agent message stating names do not match

Technical Note: Persistent Agent communication ports