FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 224636
Description

This article describes the behavior where the Secondary Server is not accessible via port 8443 unless a failover occurs. The behavior occurs with appliances configured for High Availability with a Shared IP/Virtual IP address.

 

Note: For appliances running version 9.2 and lower, see KB article 197197.

 

The Secondary Server's admin UI web service must be started manually to access the Configuration Wizard. In some cases, additional modifications may be needed depending on how the /etc/hosts file is configured. Secondary Server appliances where 'nac' appears on the shared IP entry will not be accessible by default.

 

Example:

 

> cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
<...>
<shared IP> <shared FQDN> <shared short name> nac <---
<secondary eth0 IP> <secondary FQDN> <secondary short name>

Scope

Version: 9.4.0 and greater.

Solution
  1. Log in to the Secondary Server CLI as root and modify /etc/hosts.

  2. Move the 'nac' entry from the shared IP entry to the Secondary server IP entry. This will enable the secondary server IP address to be accessible.


Example:


> cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
<...>
<shared IP> <shared FQDN> <shared short name>
<secondary eth0 IP> <secondary FQDN> <secondary short name> nac  <---

 

  3. Restart the web service. Type:

    systemctl start nac-secondary-admingui

  4. Access the Secondary Server Configuration Wizard using the following URL:

    https://<Secondary Server name or IP>:8443

  5. Navigate to System -> Config wizard.

  6. After the Configuration Wizard is running and changes are complete, stop the web service.

    systemctl stop nac-secondary-admingui

    Important: If the service is not stopped, the UI will not be accessible on failover.

  7. Once the Configuration Wizard is running, the /etc/hosts file will be auto-corrected.

    Example:

    > cat /etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    <...>
    <shared IP> <shared FQDN> <shared short name> nac <---
    <secondary eth0 IP> <secondary FQDN> <secondary short name>
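
The /etc/hosts check and edit from the first two Solution steps, as an added shell example that is not Fortinet's code: it reports which entry carries the 'nac' alias and writes a corrected copy to stdout instead of editing the file in place. The function names, the 192.0.2.x addresses and the example.com hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Fortinet code. IPs and hostnames are constructed samples.

# nac_owner FILE: print the IP of every hosts entry that carries the 'nac' alias.
nac_owner() {
    awk '!/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == "nac") print $1 }' "$1"
}

# move_nac FILE SHARED_IP SECONDARY_IP: print a copy of FILE in which 'nac' is
# removed from the SHARED_IP entry and appended to the SECONDARY_IP entry.
# Returns 1 and prints nothing if FILE has no entry for SECONDARY_IP.
move_nac() {
    awk -v sec="$3" '$1 == sec { found = 1 } END { exit !found }' "$1" || return 1
    awk -v shared="$2" -v sec="$3" '
        /^[[:space:]]*#/ || NF == 0 { print; next }   # keep comments and blanks
        $1 == shared || $1 == sec {
            line = $1
            for (i = 2; i <= NF; i++) if ($i != "nac") line = line " " $i
            if ($1 == sec) line = line " nac"          # alias now on secondary
            print line; next
        }
        { print }                                      # all other entries as-is
    ' "$1"
}

# Constructed sample mirroring the article's "before" layout.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1 localhost localhost.localdomain
192.0.2.10 nac-shared.example.com nac-shared nac
192.0.2.12 nac-sec.example.com nac-sec
EOF

echo "before: nac -> $(nac_owner "$sample")"
move_nac "$sample" 192.0.2.10 192.0.2.12 > "$sample.new"
echo "after:  nac -> $(nac_owner "$sample.new")"
rm -f "$sample" "$sample.new"
```

Running nac_owner against /etc/hosts after the Configuration Wizard has run should again report the shared IP, matching the auto-corrected layout in the last example.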