This article describes how to troubleshoot SSO TAG information and the communication between FortiNAC and FortiGate.
To implement this scenario, Fortinet provides the following documentation, which describes how it works and the requirements:
SSO is the passive authentication method by which users can transparently authenticate to FortiGate.
FortiNAC acts as a Collector Agent: it collects and compiles information about user logons and forwards them to FortiGate.
The flow when a host connects to the network is as follows:
- Host is connected to the network.
- Switch sends MAC Notification trap to FortiNAC.
- The host is evaluated against the existing Network Access Policies.
- The matching Network Access Policy has a configuration that carries a TAG on the logical network.
- An SSO logon message is sent to FortiGate with the TAG information.
*** Network access policies will not match when the host has one of the following statuses:
- Host is NOT Registered (appearing as Rogue in FortiNAC).
- Host is registered but Offline.
*** Host status takes precedence over network access policies.
*** Group/Tag information must be included in the Network Access Policy configuration; a policy match without a TAG produces no usable SSO information on FortiGate.
*** When the host status changes (Registered, Authenticated, Unauthenticated, At-Risk, Safe, Disabled or Rogue), FortiNAC re-evaluates the network access policies.
*** When the host disconnects from the network, FortiNAC sends an SSO logoff message to FortiGate and ends the SSO session. The network access policies previously applied are removed.
*** L3 polling is required in the FortiGate model configuration in FortiNAC, since SSO is an IP-based type of authentication: FortiNAC must L3 poll the FortiGate frequently to keep its MAC-to-IP mapping current. Without a known IP for the host MAC, no SSO logon can be sent.
*** FortiNAC communicates with FortiGate every 15 minutes. This applies to versions 8.8.11, 9.1.5, 9.2.2 and later.
Debugs and Troubleshooting.
To troubleshoot SSO communication between FortiGate and FortiNAC, the following debugs need to be collected and inspected on both sides:
***FortiGate CLI session:
# diag debug reset
# diag debug console timestamp enable
# diag debug app authd -1
# diag debug enable
***FortiNAC CLI Session:
CampusMgrDebug -name BridgeManager true
CampusMgrDebug -name PolicyHelper true
CampusMgrDebug -name SSOManager true
CampusMgrDebug -name Fortinet true
The CLI output on the FortiNAC session will show events similar to the following:
1) SSO TAG information sent to FortiGate will look like the events below:
yams.SSOManager INFO :: 2022-02-11 15:48:51:488 :: SSOManager.sendMessage sending message to X.X.X.X for client YY:YY:YY:XX:XX:XX, MSG=UserIDMessage[logon, mac=YY:YY:YY:XX:XX:XX, ip=192.168.1.1, user=FortiLAB, tags=[LAB-USER]]
2) SSO logoff events for disconnecting hosts:
yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager client removed:192.168.1.1 34343 YY:YY:YY:XX:XX:XX and port YYY
yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager.logoffAdapter for YY:YY:YY:XX:XX:XX
yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager.logoffAdapter has messages on 0 UserAgents
3) SSO IP validation events. In the example below getIPByMAC() returns null, meaning FortiNAC has no IP address for that MAC; because SSO is IP based, no logon message can be sent to FortiGate until L3 polling has learned the IP:
yams.SSOManager FINER :: 2022-06-06 08:20:36:103 :: #76 :: SSOManager client updated:192.168.1.1 YY:YY:YY:XX:XX:XX
yams.SSOManager FINER :: 2022-06-06 08:20:36:104 :: #76 :: SSOManager.validateAdapterIP checking IP for client YY:YY:YY:XX:XX:XX
yams.SSOManager FINER :: 2022-06-06 08:20:36:104 :: #76 :: SSOManager.getIPByMAC() ending, mac = YY:YY:YY:XX:XX:XX retval = null
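As an added troubleshooting aid (this is example code, not part of the Fortinet article or of the FortiNAC product), the following Python helper groups the SSOManager debug lines shown above by host MAC and applies the rules stated in this article: a logon message with tags means the policy matched and the TAG reached FortiGate, a logon with empty tags points at a policy without Group/Tag information, and a getIPByMAC() retval of null with no logon points at the L3 polling requirement. The sample log is constructed to follow the formats above; the MACs, IPs and FortiGate address are placeholders, and the non-null "retval = <ip>" form and the "tags=[]" form are assumptions (the article only shows the null retval and a populated tag list).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log modelled on the SSOManager debug lines in the article.
# Assumed (not shown in the article): the non-null "retval = <ip>" form of
# getIPByMAC and a logon carrying an empty tag list "tags=[]".
SAMPLE_LOG = """\
yams.SSOManager FINER :: 2022-06-06 08:20:36:103 :: #76 :: SSOManager client updated:10.0.0.21 AA:BB:CC:DD:EE:01
yams.SSOManager FINER :: 2022-06-06 08:20:36:104 :: #76 :: SSOManager.validateAdapterIP checking IP for client AA:BB:CC:DD:EE:01
yams.SSOManager FINER :: 2022-06-06 08:20:36:104 :: #76 :: SSOManager.getIPByMAC() ending, mac = AA:BB:CC:DD:EE:01 retval = 10.0.0.21
yams.SSOManager INFO :: 2022-06-06 08:20:36:210 :: SSOManager.sendMessage sending message to 192.0.2.1 for client AA:BB:CC:DD:EE:01, MSG=UserIDMessage[logon, mac=AA:BB:CC:DD:EE:01, ip=10.0.0.21, user=FortiLAB, tags=[LAB-USER]]
yams.SSOManager FINER :: 2022-06-06 08:25:01:003 :: #76 :: SSOManager client updated:10.0.0.22 AA:BB:CC:DD:EE:02
yams.SSOManager FINER :: 2022-06-06 08:25:01:004 :: #76 :: SSOManager.validateAdapterIP checking IP for client AA:BB:CC:DD:EE:02
yams.SSOManager FINER :: 2022-06-06 08:25:01:004 :: #76 :: SSOManager.getIPByMAC() ending, mac = AA:BB:CC:DD:EE:02 retval = null
yams.SSOManager INFO :: 2022-06-06 08:27:14:000 :: SSOManager.sendMessage sending message to 192.0.2.1 for client AA:BB:CC:DD:EE:03, MSG=UserIDMessage[logon, mac=AA:BB:CC:DD:EE:03, ip=10.0.0.23, user=guest01, tags=[]]
yams.SSOManager FINER :: 2022-06-06 08:31:08:523 :: #76 :: SSOManager client removed:10.0.0.21 34343 AA:BB:CC:DD:EE:01 and port 12
yams.SSOManager FINER :: 2022-06-06 08:31:08:523 :: #76 :: SSOManager.logoffAdapter for AA:BB:CC:DD:EE:01
yams.SSOManager FINER :: 2022-06-06 08:31:08:523 :: #76 :: SSOManager.logoffAdapter has messages on 0 UserAgents
"""

# MAC pattern is deliberately loose so the article's YY:YY:YY:XX:XX:XX placeholders also match.
MAC = r"([0-9A-Za-z]{2}(?::[0-9A-Za-z]{2}){5})"
HEAD = re.compile(r"^yams\.SSOManager (\w+) :: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}) :: (?:#\d+ :: )?(.*)$")
SEND = re.compile(r"SSOManager\.sendMessage sending message to (\S+) for client " + MAC
                  + r", MSG=UserIDMessage\[(\w+), mac=" + MAC
                  + r", ip=([^,\]]+), user=([^,\]]*), tags=\[([^\]]*)\]\]")
IPBYMAC = re.compile(r"SSOManager\.getIPByMAC\(\) ending, mac = " + MAC + r" retval = (\S+)")
LOGOFF = re.compile(r"SSOManager\.logoffAdapter for " + MAC)
CLIENT = re.compile(r"SSOManager client (updated|removed):\S+ (?:\S+ )?" + MAC)


@dataclass
class HostSSO:
    mac: str
    events: List[str] = field(default_factory=list)  # "timestamp what detail", in log order
    ip: Optional[str] = None                          # IP FortiNAC resolved for this MAC, if any
    ip_lookup_null: bool = False                      # getIPByMAC() returned null for this MAC
    logon_sent: bool = False
    logon_tags: List[str] = field(default_factory=list)
    logoff_seen: bool = False


def parse_sso_log(text: str) -> Dict[str, HostSSO]:
    """Group SSOManager debug lines by host MAC and record the SSO milestones."""
    hosts: Dict[str, HostSSO] = {}

    def host(mac: str) -> HostSSO:
        return hosts.setdefault(mac.upper(), HostSSO(mac.upper()))

    for line in text.splitlines():
        head = HEAD.match(line)
        if not head:
            continue  # not an SSOManager line (other debug modules, blank lines)
        _level, ts, msg = head.groups()
        m = SEND.search(msg)
        if m:
            fgt, mac, kind, _, ip, user, tags = m.groups()
            taglist = [t.strip() for t in tags.split(",") if t.strip()]
            h = host(mac)
            h.events.append(f"{ts} sendMessage {kind} to {fgt} ip={ip} user={user} tags={taglist}")
            if kind == "logon":
                h.logon_sent, h.logon_tags, h.ip = True, taglist, ip
            continue
        m = IPBYMAC.search(msg)
        if m:
            mac, retval = m.groups()
            h = host(mac)
            h.events.append(f"{ts} getIPByMAC retval={retval}")
            if retval == "null":
                h.ip_lookup_null = True   # no MAC-to-IP mapping: L3 polling has not learned the host
            else:
                h.ip = retval
            continue
        m = LOGOFF.search(msg)
        if m:
            h = host(m.group(1))
            h.logoff_seen = True
            h.events.append(f"{ts} logoffAdapter")
            continue
        m = CLIENT.search(msg)
        if m:
            action, mac = m.groups()
            host(mac).events.append(f"{ts} client {action}")
    return hosts


def diagnose(h: HostSSO) -> str:
    """One-line verdict per host, following the rules stated in the article."""
    if h.logon_sent and not h.logon_tags:
        return "logon sent WITHOUT tags: add Group/Tag information to the matched Network Access Policy"
    if h.logon_sent and h.logoff_seen:
        return f"logon sent with tags {h.logon_tags}, then logged off (host disconnected)"
    if h.logon_sent:
        return f"logon sent with tags {h.logon_tags}; SSO session active"
    if h.ip_lookup_null:
        return "no logon: getIPByMAC returned null (no IP for MAC); check L3 polling of the FortiGate model"
    return "no logon seen: check host status (Rogue/Offline) and that a policy with a TAG matches"


def report(text: str) -> Dict[str, str]:
    """Map each host MAC found in the log to its diagnosis."""
    return {mac: diagnose(h) for mac, h in sorted(parse_sso_log(text).items())}


if __name__ == "__main__":
    for mac, h in sorted(parse_sso_log(SAMPLE_LOG).items()):
        print(mac, "->", diagnose(h))
        for e in h.events:
            print("   ", e)
```

Run it against the SSOManager lines from a real `CampusMgrDebug -name SSOManager true` capture by passing the file contents to report(); the per-host event list gives the timeline TAC asks for (MAC, IP and timestamp of the recreated issue).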
Working with TAC Support.
Open a ticket with TAC support after recreating the issue, and provide the information below:
- Host MAC and IP address.
- Timestamp when issue was recreated.
After the issue has been recreated, collect the debug logs as described in the KB article below: