Help
FortiNAC
FortiNAC is a s a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Staff

Created on ‎09-23-2022 02:24 PM Edited on ‎10-03-2022 07:56 AM By Anonymous

Technical Tip: Access Secondary Server Configuration Wizard with shared IP (9.2 and greater)

Description

This article describes the behavior where the Secondary Server is not accessible via port 8443 unless a failover occurs.  The behavior occurs with appliances configured for High Availability with a Shared IP /Virtual IP address.

 

Note: For appliances running version 9.1 and lower, see KB article 197197.

 

The Secondary Server's admin UI web service must be started manually in order to access Configuration Wizard.  In some cases, additional modifications may be needed depending upon how the /etc/hosts file is configured.  Secondary Server appliances where 'nac' appears on the shared IP entry will not be accessible by default.

 

Example:

> cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
<...>
<shared IP> <shared FQDN> <shared short name> nac <---
<secondary eth0 IP> <secondary FQDN> <secondary short name>
Scope Version: 9.2.3 and greater
Solution

1) Login to the Secondary Server CLI as root and modify /etc/hosts.

 

2) Move the 'nac' entry from the shared IP entry to the Secondary server IP entry. This will enable the secondary server IP address to be accessible.

Example


> cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
<...>
<shared IP> <shared FQDN> <shared short name>
<secondary eth0 IP> <secondary FQDN> <secondary short name> nac <---


3) Restart the web service. Type


systemctl start nac-secondary-admingui

 

4) Access the Secondary Server Configuration Wizard using the following URL

 

https://<Secondary Server name or IP>:8443

 

5) Navigate to System - > Config wizard.

 

6) After configuration Wizard is run and changes are complete, stop the web service.


systemctl stop nac-secondary-admingui

 

Important: If the service is not stopped, UI won't be accessible on fail-over.

 

7) Once Configuration Wizard is run, the /etc/hosts file will be auto-corrected.

Example


> cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
<...>
<shared IP> <shared FQDN> <shared short name> nac <---
<secondary eth0 IP> <secondary FQDN> <secondary short name>

 

Labels:
413
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.