Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Staff

Created on ‎08-05-2022 01:33 PM Edited on ‎09-28-2022 08:25 AM By Anonymous

Article Id 219917

Troubleshooting Tip: Troubleshooting Fortinet SSO for FortiGate VPN

Description This article describes the steps to use to troubleshoot why a client may not be provisioned the correct network access for FortiGate VPN integrations.
Scope Version: 8.x, 9.x
Solution

1) Verify the correct Network Access policy matches. Right click on the host in the host view and select Policy Details

If policy does not match under the Network Access tab or is blank, see KB article 197123

 

2) If the correct policy matches, verify correct tag/group sent to the FortiGate using SSO. 

 

Enable debugs (written to /bsc/campusMgr/master_loader/output.master):


nacdebug –name SSOManager true
tf /bsc/campusMgr/master_loader/output.master | grep -i "<client MAC address>"

 

Example

tf /bsc/campusMgr/master_loader/output.master | grep -i "00:21:70:D1:92:77"

 

3) Have client connect.

 

4) Type Ctrl-C to stop tail.

 

5) Review /bsc/campusMgr/master_loader/output.master for messages below.

 

Example 1:


Client MAC address = 00:21:70:D1:92:77
Matching network access policy configuration:
Selected Groups = Registered Hosts
Firewall Tags = Registered

 

yams.fortinet.fsso FINE :: 2019-04-03 08:30:44:395 :: Sending logon information
yams.fortinet.fsso FINE :: 2019-04-03 08:30:44:395 :: >>>
(/192.168.5.53:17084) [tag=LOGON_INFO(132) type=COMPOSITE(6)
value=[[tag=SEQ(1) type=INT(3) value=3], [tag=LOGON_INFO_FLAG(96)
type=INT(3) value=0], [tag=LOGON_INFO_REF_POINT(97) type=INT(3) value=0],
[tag=LOGON_ITEM(80) type=COMPOSITE(6) value=[[tag=LOGON_ITEM_FLAG(81)
type=INT(3) value=1], [tag=LOGON_ITEM_STATE(88) type=INT(3) value=0],
[tag=LOGON_ITEM_MONITORTYPE(89) type=INT(3) value=1], [tag=LOGON_ITEM_IP(82)
type=INT(3) value=-1407448573], [tag=LOGON_ITEM_USER(85) type=ASCII(5)
value=00:21:70:D1:92:77], [tag=LOGON_ITEM_GROUP(86) type=ASCII(5)
value=REGISTERED+REGISTERED HOSTS]]]]]

 

Example 2:


Client VPN IP: 172.16.196.10
Client MAC address = 24:77:03:07:E6:18
Matching network access policy configuration:
Firewall Tags = VPN-Authorized

 

yams.SSOManager FINER :: 2021-11-11 15:50:08:801 :: SSOManager.remMessageFromQueue message removed UserIDMessage[logon, mac=24:77:03:07:E6:18, ip=172.16.196.10, user=test, tags=[VPN-Authorized]] for key 24:77:03:07:E6:18

 

6) Review address ranges defined for VPN management.

 

FortiNAC versions 9.2 and above
In the applicable VDOM’s Model Configuration, verify SSO Addresses and VPN addresses are populated with the correct address groups.

 

FortiNAC versions 9.1 and below
If SSO tags do not appear to be sent, verify that the FortiGate device model includes VPNManagedNetworks value:


device -ip <FortiGate IP> | grep -i vpn

 

Expected output:


Name = VPNManagedNetworks value = POOL_Name length = #

 

Example:


> device -ip 10.12.240.5 | grep -i vpn
Name = VPNManagedNetworks value = FGT-Core-SSL-VPN-Pool length = 21

 

If the VPNManagedNetworks value is not present in the device model, read the VLANs on the FortiGate.

 

From the CLI type:


UpdateVLANS –ip <FortiGate IP>

 

7) Once troubleshooting is complete, disable debugging:


nacdebug –name SSOManager false
1486
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.