Description

This article provides an overview of how FortiNAC integrates with Cisco ASA VPN and what debugs are needed for troubleshooting.

Scope

Cisco ASA, FortiNAC.

Solution

FortiNAC controls access to the remote user’s device connecting over the VPN by leveraging Network-Object groups that restrict and allow access to any Host IP addresses specified by the administrator.

The configuration consists of two Network-Object groups.

FortiNAC mainly focuses on moving a Host IP address from one Network-Object group to another, depending on the Compliance status achieved through Endpoint Compliance policies.

Network-Object groups can contain groups of IP addresses, Hostnames, or other objects.

This would allow us to include specific objects in groups and then apply these groups to ACLs to restrict or allow traffic depending on need.

In this case, FortiNAC will add or remove Host IP addresses by leveraging the SSH protocol to login to the ASA appliance and perform necessary changes depending on the host status.

How this works:

1. The host connects through the VPN client.
2. By default, the Host IP address should be part of the Network-Object group that restricts access.
3. The host is initially isolated and ASA sends a syslog message to FortiNAC indicating a new connection has been established.
4. Troubleshoot Syslog.
5. The user must access the Captive portal in isolation and download the Persistent agent (unless the agent is already installed).
6. The agent runs and provides FortiNAC with Host Adapter information. (At this point, the Host will be visible in FortiNAC's host view.)
7.  Endpoint compliance will check the Host status and verify it is healthy.
8. If the host status is okay, FortiNAC will log in to the Cisco ASA device to remove the IP address from the Network Object Group defined in the Model configuration (RestrictVPN group created) and will add the HostIP to the Unrestricted NSOpenGroup network object group.

Other Concepts:

Tunnel Group:

• Tunnel groups are where authentication is defined. (Local authentication is defined by default.)
• Attributes are applied to tunnel groups depending on the type of VPN being configured.

Tunnel Group policies:

• Used to apply attributes to a user or a group of users.
• Through policies, these define the options for the VPN client app to use, such as DNS and ACLs.

Troubleshooting:

1. To verify which CLI commands FortiNAC is pushing to ASA, enable the following debug logs in the FortiNAC CLI:

logs

nacdebug -name CiscoASA true

nacdebug -name TelnetServer true

nacdebug -name RemoteAccess true

tf output.master

The CLI output will show events related to the host status and commands that FortiNAC is applying through SSH.

2. FortiNAC has a list of predefined Cisco commands it can apply through SSH to control VPN sessions:

# config t exit show arp

show running-config all tunnel-group | grep general-attributes

show running-config group-policy | grep internal

show vpn-sessiondb detail full remote | grep Session ID show vpn-sessiondb

detail full svc | grep Session ID terminal pager 0

network-object host

no network-object host object-group network

vpn-sessiondb logoff ipaddress noconfirm

Depending on the issue encountered, it may be useful to use 'grep' in FortiNAC for the specific commands to verify what commands FortiNAC is actually sending to ASA.

The following example checks if Host IP addresses are being removed or added:

tf output.master | egrep -i "removeRestriction|network-object"

To disable debugging:

nacdebug -name <debug_Name> false

3. Issues with FortiNAC unable to IP objects from Object Groups.

Description of problem:

Cisco ASA has a limitation where Object groups require at least one object (IP) to be available. It does not allow the Object-group to remain empty. This could cause a problem when FortiNAC tries to SSH and remove the last object remaining. In this case, there would be no control applied to that host.

Logs example:

yams INFO :: 2024-06-05 09:11:23:412 :: #103 :: Thread:PollThread - RETVAL returned = show run object-group id NSOpenGroup
object-group network NSOpenGroup
description NSOpenGroup_Group
network-object host 172.16.50.20 <----- FortiNAC lists the objects of the group and we see only one remaining entry.

TEST-ASA-2/pri/act(config-network-object-group)#
yams INFO :: 2024-06-05 08:41:19:883 :: #438 :: Thread:CiscoASA-29-thread-1 - SET =no network-object host 172.16.50.20
yams INFO :: 2024-06-05 08:41:19:883 :: #438 :: Thread:CiscoASA-29-thread-1 - Command WAIT_FOR = #
yams INFO :: 2024-06-05 08:41:20:018 :: #438 :: Thread:CiscoASA-29-thread-1 - Command WAIT_FOR returned:
no network-object host 172.16.50.20 <-----FortiNAC tries to remove host from object-group.
Removing obj from object-group not allowed;
object-group (NSOpenGroup), being used in access-list or threat-detection or NAT, would become empty

Solution:

In such cases the solution is to add in both NSOpenGroup and the object-group used for restriction a dummy IP address from an unused subnet that is not defined in any VPN scopes or subnets. THis way FortiNAC will not apply any control on that IP and it will be left as last object in the object-group resulting in no errors when performing changes on Valid Hosts.

Related article:

Troubleshooting Tip: Troubleshooting syslog for Cisco ASA VPN integration