FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff
Article Id 212372
Description This article describes how to troubleshoot DHCP Fingerprint Profiling that tries to match the Operating System in Device Profiling Rules.
Scope FortiNAC.
Solution

This procedure applies when the default Windows (DHCP) Device Profiling (DPC) rule is in use, which validates DHCP Fingerprinting Type = windows.

[Image: the Windows (DHCP) Device Profiling rule with DHCP Fingerprinting Type = windows]

  1. Make sure the Primary and Secondary FortiNAC eth0 IP addresses are configured as IP helpers on the Layer 3 device.

    When the Control and Application servers are deployed separately, the Application server's management (eth0) IP is the one to configure as an IP helper.
    The management interface only listens to DHCP requests and does not respond to them.

  2. Running 'tcpdump -nnvvSXi eth0 port 67 or 68' on the FortiNAC server must show DHCP discover, request or inform packets being received.

  3. The command below shows whether the device was fingerprinted by FortiNAC and whether the OS was detected, together with the additional DHCP parameters.


dumpdeviceidentities -mac xx:xx:xx:xx:xx:xx

xx:xx:xx:xx:xx:xx should be the host MAC address.


Output example:


xx:xx:xx:xx:xx:xx(HP COMPUTER INC.) DHCPv4 1(DHCPv4 REQUEST) Windows Windows 10 LAPTOP-LAB MSFT 5.0 1,3,6,15,31,33,43,44,46,47,119,121,249,252 53,61,50,12,81,60,55,82.
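The output line above carries the DHCP fields the fingerprint is built from: the message type (option 53), the host name (option 12), the vendor class "MSFT 5.0" (option 60), and two comma-separated lists that correspond to the option 55 parameter request list and the option codes present in the packet. The following added Python example (not FortiNAC code) parses exactly those fields out of a constructed DHCPv4 REQUEST, such as one captured with the tcpdump command in step 2, so an administrator can confirm the packet reaching eth0 actually contains them; the MAC, IP and relay sub-option values are made up for the example.

```python
# DHCP option codes (RFC 2132) that DHCP fingerprinting relies on
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_VENDOR_CLASS = 12, 53, 55, 60
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 8: "INFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp_fingerprint(payload: bytes) -> dict:
    """Walk the options area of a BOOTP/DHCPv4 payload (236-byte fixed header,
    then the magic cookie) and return the fields a fingerprinting engine looks at."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, order, i = {}, [], 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, single byte, no length field
            i += 1
            continue
        if code == 255:        # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        order.append(code)
        i += 2 + length
    msg = options.get(OPT_MSG_TYPE, b"\x00")[0]
    return {
        "message_type": MSG_TYPES.get(msg, "UNKNOWN"),
        "hostname": options.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
        "vendor_class": options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
        "param_request_list": ",".join(str(b) for b in options.get(OPT_PARAM_REQ_LIST, b"")),
        "options_present": ",".join(str(c) for c in order),
    }

def build_sample_request() -> bytes:
    """Constructed DHCPv4 REQUEST mirroring the article's Windows 10 example
    (sample data made up for this example, not a real capture)."""
    header = bytes(236)                                  # fixed BOOTP fields, zeroed
    opts = b"\x35\x01\x03"                               # 53 message type = REQUEST
    opts += b"\x3d\x07\x01" + bytes.fromhex("001122334455")  # 61 client id (sample MAC)
    opts += b"\x32\x04\xc0\xa8\x01\x64"                  # 50 requested IP 192.168.1.100
    opts += b"\x0c\x0a" + b"LAPTOP-LAB"                  # 12 host name
    opts += b"\x51\x0d\x00\x00\x00" + b"LAPTOP-LAB"      # 81 client FQDN (flags, rcodes, name)
    opts += b"\x3c\x08" + b"MSFT 5.0"                    # 60 vendor class (Windows DHCP client)
    opts += b"\x37\x0e" + bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])  # 55
    opts += b"\x52\x04\x01\x02\x00\x01"                  # 82 relay agent info (sample circuit id)
    return header + MAGIC_COOKIE + opts + b"\xff"

if __name__ == "__main__":
    for key, value in parse_dhcp_fingerprint(build_sample_request()).items():
        print(f"{key}: {value}")
```

A packet whose parsed vendor class or parameter request list differs from what dumpdeviceidentities reports points at the relay path (IP helper) rather than at the profiling rule.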


Troubleshooting Commands:


Profiler evaluation details (prints to /bsc/logs/output.nessus):


nacdebug -name ActiveFingerprint true


DPC Server processes (prints to /bsc/logs/output.master):


nacdebug -name DpcRuleServer true


This shows the DHCP parameters FortiNAC received from DHCP discover, request, or inform packets:


dumpdeviceidentities -mac XX:XX:XX:XX:XX:XX
XX:XX:XX:XX:XX:XX(HP COMPUTER INC.) DHCPv4 1(DHCPv4 REQUEST) Windows Windows 10 LAPTOP-LAB MSFT 5.0 1,3,6,15,31,33,43,44,46,47,119,121,249,252 53,61,50,12,81,60,55,82

client -mac XX:XX:XX:XX:XX:XX


In a second SSH session, run the following:


tf /bsc/logs/output.nessus | egrep -i "XX:XX:XX:XX:XX:XX|XX-XX-XX-XX-XX-XX|XXXXXXXXXXXX"


Disable Debugging:


nacdebug -name DpcRuleServer

nacdebug -name ActiveFingerprint


Related document:

Technical Note: DHCP Fingerprint Profiling Rule does not match upon initial connection