FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Sx11 (Staff)
Article Id 215695

Description

 

This article describes how to troubleshoot FSSO TAG information and the communication between FortiNAC and FortiGate.

 

Scope

 

FortiGate, FortiNAC, FSSO.

 

Solution

 

To implement this scenario, Fortinet provides the following documentation, which describes how the integration works and its requirements:

 

https://docs.fortinet.com/document/fortinac/9.2.0/fortinet-security-fabric-fsso-integration-guide

 

FSSO is the passive IP-based authentication method by which users can transparently authenticate to FortiGate.

 

FortiNAC acts as a Collector Agent: it collects and compiles information about user logons and forwards it to FortiGate.

 

The flow when a host connects to the network is as follows:

 

- The host is connected to the network.

- The switch sends a MAC Notification trap to FortiNAC.

- The host is evaluated against the existing Network Access Policies.

- The matching access policy contains a configuration with a TAG on the logical network.

- An FSSO Logon message is sent to FortiGate with the TAG information.

 

Important Considerations:

 

*** Network access policies will NOT match when the host has one of the following statuses:

- Host is NOT Registered (appearing as Rogue in FortiNAC).

- Host is Registered but Offline.

 

Other:

 

- Host status has precedence over network access policies.

- Groups/Tag information must be included in the Network Access policy configuration.

- When the host status changes (Registered, Authenticated, Unauthenticated, At-Risk, Safe, Disabled or Rogue), FortiNAC re-evaluates the network access policies.

- When the host disconnects from the network, FortiNAC sends an SSO logoff message to the FortiGate and stops the SSO session. The network access policies which were previously applied are removed.

- L3 polling is required for the FortiGate model configuration in FortiNAC because SSO is an IP-based authentication method, so FortiNAC must L3 poll the FortiGate frequently.

- FortiNAC will communicate with FortiGate every 15 Minutes. This applies to versions 8.8.11, 9.1.5, 9.2.2, and greater.

 

Configuration Validation.

 

1) Validate FortiNAC configuration and Host status.

 

a) The host adapter shows as online in the Adapter view.

This is indicated by a green adapter icon:

 


 

 

b) The host has an IP address shown in the FortiNAC Host view.

A valid IP address from the production network should be seen.

 


 

c) The host matches a policy whose Logical Network has a TAG defined in the Model configuration.

Go to Hosts -> select the affected host -> Policy details.

 


 

d) The subnet is manually specified in the SSO addresses of the model config.

All subnets that a host is expected to belong to must be included in the SSO addresses of the FortiNAC model configuration:

 

Go to Network Inventory -> select the FortiGate device -> Virtualized Devices -> Edit Model config for that device.

 


 

Here it is possible to edit the SSO addresses and add new subnets to the list:

 


 

In this case, any host with an IP in those subnets/ranges will be assigned an FSSO Tag.

 

Additional information about SSO addresses is provided here:

https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/613192/addresses

 

e) The FortiGate is a member of the L3 polling group.

Select the FortiGate device model in the Inventory view and select 'Group Membership'.

Make sure L3 (IP -> MAC) is enabled.

 


 

Troubleshooting.

 

1) To troubleshoot SSO communication between FortiGate and FortiNAC, the following debugs need to be collected and inspected on both sides:

 

a) FortiGate CLI session:

 

# diag debug reset

# diag debug console timestamp enable

# diag debug app authd -1

# diag debug enable

 

***Display the FSSO logons from the CLI:

 

# diagnose debug authd fsso list

# diag debug authd fsso list | grep <Affected user IP>

 

b) FortiNAC CLI Session:

 

logs

CampusMgrDebug -name BridgeManager true

CampusMgrDebug -name PolicyHelper true

CampusMgrDebug -name SSOManager true

CampusMgrDebug -name Fortinet true

CampusMgrDebug -name DeviceInterface true

tf output.master

 

2) The CLI output on the FortiNAC session will show events similar to the following:

 

a) SSO TAG information sent to FortiGate appears as events like the one below:

 

yams.SSOManager INFO :: 2022-02-11 15:48:51:488 :: SSOManager.sendMessage sending message to X.X.X.X for client YY:YY:YY:XX:XX:XX, MSG=UserIDMessage[logon, mac=YY:YY:YY:XX:XX:XX, ip=192.168.1.1, user=FortiLAB, tags=[LAB-USER]]

 

b) SSO logoff events for disconnecting hosts:

 

yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager client removed:192.168.1.1 34343 YY:YY:YY:XX:XX:XX and port YYY
yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager.logoffAdapter for YY:YY:YY:XX:XX:XX
yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager.logoffAdapter has messages on 0 UserAgents

 

c) SSO IP validation events:

 

yams.SSOManager FINER :: 2022-06-06 08:20:36:103 :: #76 :: SSOManager client updated:192.168.1.1 YY:YY:YY:XX:XX:XX
yams.SSOManager FINER :: 2022-06-06 08:20:36:104 :: #76 :: SSOManager.validateAdapterIP checking IP for client YY:YY:YY:XX:XX:XX
yams.SSOManager FINER :: 2022-06-06 08:20:36:104 :: #76 :: SSOManager.getIPByMAC() ending, mac = YY:YY:YY:XX:XX:XX retval = null
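As an added example (not code from the article or from Fortinet), the following Python reads SSOManager debug output in the formats shown above, extracts which MAC/IP/user/tags were actually sent to FortiGate, flags hosts whose getIPByMAC() returned null (no IP known, see check b), and checks each logon IP against the SSO addresses from check d). The log lines and subnets are constructed samples, not captured data.

```python
import re
import ipaddress

# Constructed sample of FortiNAC SSOManager debug output, modelled on the
# event formats shown in this article (not captured from a real system).
SAMPLE_LOG = """\
yams.SSOManager INFO :: 2022-02-11 15:48:51:488 :: SSOManager.sendMessage sending message to 10.0.0.1 for client 00:11:22:33:44:55, MSG=UserIDMessage[logon, mac=00:11:22:33:44:55, ip=192.168.1.20, user=FortiLAB, tags=[LAB-USER]]
yams.SSOManager FINER :: 2022-06-06 08:20:36:104 :: #76 :: SSOManager.getIPByMAC() ending, mac = 00:11:22:33:44:66 retval = null
yams.SSOManager INFO :: 2022-02-11 15:49:02:001 :: SSOManager.sendMessage sending message to 10.0.0.1 for client 00:11:22:33:44:77, MSG=UserIDMessage[logon, mac=00:11:22:33:44:77, ip=172.16.5.9, user=Guest, tags=[GUEST]]
yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager.logoffAdapter for 00:11:22:33:44:55
"""

MAC = r"[0-9A-Fa-f:]{17}"
# Logon message carrying the TAGs that FortiGate will receive.
LOGON_RE = re.compile(
    r"UserIDMessage\[logon, mac=(?P<mac>" + MAC + r"), ip=(?P<ip>[\d.]+), "
    r"user=(?P<user>[^,\]]+), tags=\[(?P<tags>[^\]]*)\]\]")
# IP validation that found no IP for the MAC: no FSSO logon can be sent.
NULL_IP_RE = re.compile(r"getIPByMAC\(\) ending, mac = (?P<mac>" + MAC + r") retval = null")
# Logoff for a disconnecting host.
LOGOFF_RE = re.compile(r"logoffAdapter for (?P<mac>" + MAC + r")")


def parse_sso_events(text):
    """Return (logons, macs_without_ip, logoff_macs) extracted from SSOManager debug lines."""
    logons, no_ip, logoffs = [], [], []
    for line in text.splitlines():
        if m := LOGON_RE.search(line):
            tags = [t.strip() for t in m["tags"].split(",") if t.strip()]
            logons.append({"mac": m["mac"].lower(), "ip": m["ip"],
                           "user": m["user"], "tags": tags})
        elif m := NULL_IP_RE.search(line):
            no_ip.append(m["mac"].lower())
        elif m := LOGOFF_RE.search(line):
            logoffs.append(m["mac"].lower())
    return logons, no_ip, logoffs


def check_sso_addresses(logons, sso_subnets):
    """Return logons whose host IP is outside the SSO addresses of the model config."""
    nets = [ipaddress.ip_network(s) for s in sso_subnets]
    return [e for e in logons
            if not any(ipaddress.ip_address(e["ip"]) in n for n in nets)]


if __name__ == "__main__":
    logons, no_ip, logoffs = parse_sso_events(SAMPLE_LOG)
    for e in logons:
        print(f"logon  {e['mac']} {e['ip']} user={e['user']} tags={e['tags']}")
    print("no IP resolved for:", no_ip, "| logoffs:", logoffs)
    # Constructed SSO address list: the 172.16.5.9 host is outside it.
    print("outside SSO addresses:", check_sso_addresses(logons, ["192.168.1.0/24"]))
```

A host that appears in the "no IP resolved" list needs check b) and the L3 polling in check e); a host listed as outside the SSO addresses needs its subnet added in check d).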

 

3) Read the FortiGate and FortiNAC SSO lists:

 

***Run the following on the FortiNAC CLI:

 

ssotool -ip <FGT_IP>

 

***This command dumps the SSO sessions currently active.

 

***On FortiGate, FSSO logon actions can be triggered manually from the CLI as follows:

 

# diagnose debug authd fsso clear-logons       -> deletes cached login status

# diagnose debug authd fsso refresh-groups   -> refreshes group mapping

# diagnose debug authd fsso refresh-logons   -> resyncs the login database

 

 

4) Expand the SSO scope from the FortiNAC CLI when using a multi-VDOM environment:

 

globaloptiontool -name sso.expand.scope -set true

 

5) Force SSO TAGs to be sent to another L3 device when the VLAN does not terminate on the FortiGate:

 

device -ip <L3Device_IP> -setAttr -name ForceSSO -value true

 

*** NOTE: With this option set, TAGs related to subnets of other remote devices are also forcefully forwarded to the specified <L3Device_IP>. For example, with two FortiGates in remote locations and the ForceSSO attribute set on another device, all TAGs from all FSSO-enabled devices will be sent to the device with ForceSSO enabled. In many cases this is not needed.

 

***To delete the option, run:

 

device -ip <L3Device_IP> -delAttr -name ForceSSO 

 

6) For VPN-connected hosts, verify the following from the FortiNAC CLI:

 

remoteaccess -dump

 

- The output shows all of the networks associated with FortiGates/VDOMs.

- For the IPs in the 'remoteaccess -dump' list, FortiNAC sends an FSSO tag to the associated FortiGate when it sees a connection event.

 

Documents and Articles related to FSSO TAG configuration:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-and-troubleshoot-Firewall-TAGs/t...

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/787240/endpoint-connector-fortinac-6...

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/582240/fortinac-tag-dynamic-...

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/264311/fortinac

 

Working with TAC Support.

 

Open a ticket with TAC Support after recreating the issue, and provide the information below:

- Host MAC and IP address.

- Timestamp when the issue was recreated.

 

After the issue is recreated, collect the debug logs as described in the KB article below:

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-How-to-Use-grab-log-snapshot/ta-p/190755
