FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 193987

Description

 

This article describes the troubleshooting steps and configuration checks needed when the login prompt does not appear after downloading the Persistent Agent.
 
Scope

Persistent Agent, FortiNAC, FortiNAC-F.

Solution
 
In such cases the Persistent Agent download completes, but the login prompt does not appear within 5 minutes.
This indicates that communication between FortiNAC and the agent has not been fully established.

Below are some possible causes.

 

  1. Many or All Hosts Affected:
  • Incorrect DNS name resolution due to configuration on FortiNAC.
  • SSL certificate validation cannot complete. As of Persistent Agent version 3.x and Dissolvable Agent version 3.1.x, SSL certificate validation must complete before the agent can start communication with FortiNAC. This requires the endstation to be able to reach certain sites on the internet.
    For the common domains that must be resolvable for SSL certificate validation, and instructions on how to add or remove domains in FortiNAC, see How To Add Allowed Domains to FortiNAC.
  • Issues with the SSL certificate in FortiNAC:
    • Certificate not installed or expired. See SSL Certificates How To for installation and certificate renewal instructions.
    • Installed certificate incomplete (missing intermediate certificate). See Identify Missing SSL Certificates via Administrative UI.
  • Firewall blocking port 4568/4567 traffic:
    • Ensure TCP port 4568 and UDP port 4567 traffic is not being blocked by a firewall on the network.

 

  2. Small Number of Hosts Affected: suggests something on the endstation is preventing the communication.
  • Incorrect DNS name resolution.


Ensure there are no static DNS server entries. While the host is in the registration/remediation/isolation VLAN, FortiNAC must act as its DNS server.
Flush the DNS cache to ensure there are no cached DNS entries.
Windows command in CMD:

 

ipconfig /flushdns


Mac OS X: the command varies depending on the OS X version.

 

  • Firewall blocking port 4568/4567 traffic on the endstation.

 

The agent automatically adds an exception for this traffic to the Windows Firewall only. If the endstation has another program with a firewall feature enabled, that program could be blocking the traffic.
Disable the firewall feature on the endstation or configure the firewall to allow TCP 4568 and UDP 4567.
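The endstation checks above can be run in one pass with the following PowerShell script. It is an added example for this article, not a Fortinet tool or part of the agent: it reports static DNS servers, flushes the resolver cache, resolves the FortiNAC server name and the domains needed for certificate validation, tests TCP 4568, performs a TLS handshake that reports chain problems (expired or missing intermediate certificate) rather than a bare failure, and lists Windows Firewall rules and third-party firewall products that reference ports 4568/4567. The FortiNAC host name and the certificate-validation domain list are placeholders, and the assumption that TCP 4568 carries TLS is the script author's, so adjust both for your environment.

```powershell
# Added diagnostic example (not from the Fortinet article or the FortiNAC agent).
# Run in an elevated PowerShell on the affected Windows endstation.
param(
    [string]$FortiNacHost = 'fortinac.example.internal',        # placeholder host name
    [string[]]$CertValidationDomains = @('ocsp.example.invalid'), # placeholders; use the real allowed-domain list
    [int]$TcpPort = 4568,   # Persistent Agent TCP port (assumed to carry TLS)
    [int]$UdpPort = 4567    # Persistent Agent UDP port
)

$findings = @()
$chainProblems = @()

# 1. Static DNS servers. A manually configured server list is stored in the
#    NameServer value of each interface key (DHCP-assigned servers are in
#    DhcpNameServer). A non-empty NameServer overrides the DNS server FortiNAC
#    hands out in the isolation VLAN.
$ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($if in Get-ChildItem $ifKey) {
    $ns = (Get-ItemProperty -Path $if.PSPath -Name NameServer -ErrorAction SilentlyContinue).NameServer
    if ($ns) { $findings += "Static DNS server(s) '$ns' configured on interface $($if.PSChildName)" }
}

# 2. Flush the resolver cache (equivalent to 'ipconfig /flushdns').
Clear-DnsClientCache

# 3. Name resolution for the FortiNAC server and the certificate-validation domains.
foreach ($name in @($FortiNacHost) + $CertValidationDomains) {
    try {
        $null = Resolve-DnsName -Name $name -ErrorAction Stop
    } catch {
        $findings += "DNS resolution failed for ${name}: $($_.Exception.Message)"
    }
}

# 4. TCP reachability of the agent port.
$tcp = Test-NetConnection -ComputerName $FortiNacHost -Port $TcpPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    $findings += "TCP $TcpPort to $FortiNacHost is not reachable (endstation or network firewall?)"
}

# 5. TLS handshake with chain validation. The callback records every chain
#    status (e.g. PartialChain for a missing intermediate, NotTimeValid for an
#    expired certificate) and returns $true so the handshake completes and the
#    details can be reported.
if ($tcp.TcpTestSucceeded) {
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $policyErrors)
        foreach ($s in $chain.ChainStatus) {
            $script:chainProblems += "$($s.Status): $($s.StatusInformation.Trim())"
        }
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($FortiNacHost, $TcpPort)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($FortiNacHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        if ($cert.NotAfter -lt (Get-Date)) { $findings += "Server certificate expired on $($cert.NotAfter)" }
    } catch {
        $findings += "TLS handshake failed: $($_.Exception.Message)"
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
    foreach ($p in $chainProblems) { $findings += "Certificate chain: $p" }
}

# 6. Windows Firewall rules that reference the agent ports, and any third-party
#    firewall product registered with Security Center (workstation SKUs only).
$portRules = Get-NetFirewallRule -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object {
        $lp = ($_ | Get-NetFirewallPortFilter).LocalPort
        ($lp -contains "$TcpPort") -or ($lp -contains "$UdpPort")
    }
if (-not $portRules) {
    $findings += "No enabled Windows Firewall allow rule references port $TcpPort or $UdpPort"
}
try {
    $fw = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName FirewallProduct -ErrorAction Stop
    foreach ($f in $fw) { $findings += "Third-party firewall product registered: $($f.displayName)" }
} catch { }

# Report.
if ($findings.Count -eq 0) {
    Write-Output 'No DNS, firewall or certificate problems found on this endstation.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Apart from flushing the DNS cache, the script only reads state; a FINDING line for a static DNS server, a failed lookup, a chain status or a third-party firewall product points at the corresponding item in the list above.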

 

Related documents:

Persistent Agent Deployment and Configuration.