FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Sx11
Staff
Article Id 248743

Description

 

This article provides an overview of how FortiNAC integrates with Cisco ASA VPN and what debugs are needed for troubleshooting.

 

Scope

 

Cisco ASA, FortiNAC.

 

Solution

 

FortiNAC controls access to the remote user’s device connecting over the VPN by leveraging Network-Object groups that restrict and allow access to any Host IP addresses specified by the administrator.

The configuration consists of two Network-Object groups.

 

FortiNAC mainly focuses on moving a Host IP address from one Network-Object group to another, depending on the Compliance status achieved through Endpoint Compliance policies.

 

Network-Object groups can contain groups of IP addresses, Hostnames, or other objects.

This allows specific objects to be grouped and the groups to be referenced in ACLs, so traffic can be restricted or allowed as needed.

 

In this case, FortiNAC adds or removes Host IP addresses by logging in to the ASA appliance over SSH and making the necessary changes according to the host status.

 

How this works:

 

1) The host connects through the VPN client.

2) By default, the Host IP address should be part of the Network-Object group that restricts access.

3) The host is initially isolated and ASA sends a syslog message to FortiNAC indicating a new connection has been established.

To troubleshoot Syslog, refer to the following article:

https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Troubleshooting-syslog-for-Cisco-ASA-....

4) The user must access the Captive portal in isolation and download the Persistent agent (unless the agent is already installed).

5) The agent runs and provides FortiNAC with Host Adapter information. (At this point, the Host will be visible in FortiNAC's host view.)

6) Endpoint compliance will check the Host status and verify it is healthy.

7) If the host status is okay, FortiNAC logs in to the Cisco ASA device, removes the Host IP from the restricting Network Object Group defined in the Model configuration (the RestrictVPN group that was created) and adds the Host IP to the unrestricted NSOpenGroup network object group.

 

Other Concepts:

 

Tunnel Group:

- Tunnel groups are where authentication is defined. (Local authentication is defined by default.)

- Attributes are applied to tunnel groups depending on the type of VPN being configured.

 

Tunnel Group policies:

- Used to apply attributes to a user or a group of users.

- Group policies define the options the VPN client uses, such as DNS servers and ACLs.

 

Troubleshooting:

 

1) To verify which CLI commands FortiNAC is pushing to ASA, enable the following debug logs in the FortiNAC CLI:

 

# logs

nacdebug -name CiscoASA true

nacdebug -name TelnetServer true

nacdebug -name RemoteAccess true

tf output.master

 

The CLI output will show events related to the host status and commands that FortiNAC is applying through SSH.

 

2) FortiNAC has a list of predefined Cisco commands it can apply through SSH to control VPN sessions:

 

# config t
exit
show arp
show running-config all tunnel-group | grep general-attributes
show running-config group-policy | grep internal
show vpn-sessiondb detail full remote | grep Session ID
show vpn-sessiondb detail full svc | grep Session ID
terminal pager 0
network-object host
no network-object host
object-group network
vpn-sessiondb logoff ipaddress noconfirm

 

Depending on the issue encountered, it may be useful to 'grep' the FortiNAC debug output for specific commands to verify what FortiNAC is actually sending to the ASA.

The following example checks if Host IP addresses are being removed or added:

 

# tf output.master | egrep -i "removeRestriction|network-object"
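The filter above only shows raw lines. The script below is an added example, not part of this article or of FortiNAC itself, that takes the same kind of filtered debug output and summarises per host which object-group it was removed from and added to, then flags hosts whose last recorded change left them in the restricted group. The log line format, the timestamps and the hosts 10.8.0.25 and 10.8.0.31 are constructed for the example; the group names RestrictVPN and NSOpenGroup and the `object-group network` / `network-object host` commands are the ones described in this article. FortiNAC's real output.master formatting will differ, so the awk patterns match only on the ASA command text, which is the part that does not change.

```shell
#!/bin/sh
# Added example: summarise object-group changes pushed to the ASA, from debug lines
# like those selected by:  tf output.master | egrep -i "removeRestriction|network-object"
# The sample log below is CONSTRUCTED; it is not FortiNAC's real log format.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-01 09:12:01 CiscoASA sending command: object-group network RestrictVPN
2024-05-01 09:12:01 CiscoASA sending command: no network-object host 10.8.0.25
2024-05-01 09:12:02 CiscoASA sending command: object-group network NSOpenGroup
2024-05-01 09:12:02 CiscoASA sending command: network-object host 10.8.0.25
2024-05-01 09:14:30 RemoteAccess removeRestriction host=10.8.0.25 result=success
2024-05-01 09:20:11 CiscoASA sending command: object-group network NSOpenGroup
2024-05-01 09:20:11 CiscoASA sending command: no network-object host 10.8.0.31
2024-05-01 09:20:12 CiscoASA sending command: object-group network RestrictVPN
2024-05-01 09:20:12 CiscoASA sending command: network-object host 10.8.0.31
EOF

# Print one line per change: "<ip> added-to <group>" or "<ip> removed-from <group>".
# On the ASA, "network-object host" applies inside the most recent
# "object-group network <name>" context, so that context is tracked as $group.
summarize_object_changes() {
    awk '
        /object-group network/   { group = $NF; next }
        /no network-object host/ { print $NF " removed-from " group; next }
        /network-object host/    { print $NF " added-to " group; next }
    ' "$1"
}

# Number of hosts moved into the unrestricted group (NSOpenGroup, as in the article).
count_unrestricted() {
    summarize_object_changes "$1" | grep -c "added-to NSOpenGroup"
}

# Hosts whose last recorded change left them in the restricting group:
# after a compliance pass this list should be empty for the host in question.
hosts_still_restricted() {
    summarize_object_changes "$1" | awk '
        $2 == "added-to"     { state[$1] = $3 }
        $2 == "removed-from" { if (state[$1] == $3) delete state[$1] }
        END { for (h in state) if (state[h] == "RestrictVPN") print h }
    '
}

# Stand-alone usage: run against the constructed sample
# (replace "$SAMPLE_LOG" with the saved output of the egrep command above).
summarize_object_changes "$SAMPLE_LOG"
echo "hosts moved to NSOpenGroup: $(count_unrestricted "$SAMPLE_LOG")"
echo "hosts still in RestrictVPN: $(hosts_still_restricted "$SAMPLE_LOG" | tr '\n' ' ')"
```

In the constructed sample, 10.8.0.25 follows the sequence from step 7 of the article (removed from RestrictVPN, added to NSOpenGroup), while 10.8.0.31 is moved the opposite way, so it is reported as still restricted; that is the case worth checking when a compliant user reports no access after connecting.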

 

To disable debugging:

 

# nacdebug -name <debug_Name> false

 

Related documents:

https://docs.fortinet.com/document/fortinac/9.4.0/cisco-asa-vpn-integratino

https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Troubleshooting-syslog-for-Cisco-ASA-...

Comments
Anonymous
Not applicable

great guide