FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 198309

Description

 

This article describes how to solve an issue when the Dissolvable Agent receives the message 'Unable to obtain configuration from server'.

Scope

 

FortiNAC.
Version: Dissolvable Agent 3.1.x and above.


Solution

 

The Dissolvable Agent (DA) uses the SSL Certificate installed on the Captive Portal for agent-to-server communication. As such, the DA needs internet access in order to validate the SSL Certificate. The protocols used for certificate validation are OCSP and CRL. These protocols use ports 80 and 443 for communication.


Ensure the requirements for successful SSL Certificate validation are in place:

  • Third-Party SSL Certificate is installed for the Portal and has not expired (System -> Settings -> Certificate Management). If the certificate is not installed or has expired, install a new certificate.
  • SSL Certificate for Portal is active (System -> Settings -> Portal SSL).  SSL Mode should display a Valid SSL Certificate.
  • All intermediate and root certificates are installed. For instructions on identifying any missing certificates, see the related KB article below.
  • Sites used for OCSP and CRL validation are resolvable. For instructions on troubleshooting domain resolution, see the related KB article below.
  • Ports 80 and 443 are allowed access to the internet from the isolation networks. To validate, while in isolation, try browsing to an HTTP site and an HTTPS site from the Allowed Domains List (System -> Settings -> Allowed Domains), for example avg.com and avast.com.
  • Verify the end station has the correct Trusted Root Certification Authorities. See the related KB article below for instructions.
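
The checklist above can be pre-checked from the certificate itself. The following is an added example, not Fortinet code: it assumes the portal certificate is available as a dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the sample hostnames and dates are constructed. It lists the OCSP and CRL endpoints the end station must resolve and reach, and reports expiry, unresolvable hosts and ports other than 80/443.

```python
import socket
import ssl
import time
from urllib.parse import urlsplit

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the hostnames and dates are made up for illustration.
SAMPLE_CERT = {
    "notAfter": "Jan  1 00:00:00 2031 GMT",
    "OCSP": ("http://ocsp.ca.example",),
    "crlDistributionPoints": ("http://crl.ca.example/intermediate.crl",
                              "https://crl2.ca.example:8443/intermediate.crl"),
}

def validation_endpoints(cert):
    """Return sorted (kind, host, port) tuples used for OCSP/CRL validation."""
    found = set()
    for kind in ("OCSP", "crlDistributionPoints"):
        for url in cert.get(kind, ()):
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https") or not parts.hostname:
                continue  # e.g. ldap:// CRL URLs are outside this check
            port = parts.port or (443 if parts.scheme == "https" else 80)
            found.add((kind, parts.hostname, port))
    return sorted(found)

def audit(cert, now=None, resolver=socket.getaddrinfo):
    """Return a list of findings; an empty list means the pre-checks passed."""
    now = time.time() if now is None else now
    findings = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        findings.append("certificate expired on " + cert["notAfter"])
    endpoints = validation_endpoints(cert)
    if not endpoints:
        findings.append("no HTTP(S) OCSP or CRL URL in certificate")
    for kind, host, port in endpoints:
        if port not in (80, 443):
            findings.append(f"{kind} {host} uses port {port}, not 80/443")
        try:
            resolver(host, port)  # run this from a host in the isolation network
        except OSError:
            findings.append(f"{kind} {host} does not resolve")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CERT) or ["all pre-checks passed"]:
        print(line)
```

Name resolution only reflects what the end station sees when the script runs on a host inside the isolation network, using the same DNS server.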

 

Related Articles:

Technical Tip: Verify trusted Certificate Authorities on Windows or Mac OSX

Technical Tip: Troubleshooting domain resolution in the captive portal

Technical Tip: Identify missing SSL certificates via administration UI