FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 195535

Description

 

This article describes the steps needed to identify why MDM users are not registering in FortiNAC.

Scope

 

FortiNAC, FortiNAC-F.

Solution

 

  1. Verify the user is registered in the MDM.

     If the host is not registered in the MDM, troubleshoot the MDM and the user. Contact the MDM vendor for additional assistance.

 

  2. The host is registered in the MDM but shows as Rogue in FortiNAC.

    In the Administration UI, search for the MAC address in Users & Hosts -> Hosts.

    1. The host record cannot be found or shows as offline:

      • FortiNAC is either not receiving or not processing RADIUS from the wireless controller/access point to which the device connects.
      • L2 polling is not working.

    2. The host record shows online but the host is not registered (displays as a Rogue "?"):

      1. All devices registering through the MDM are affected.

        Go to Network -> Service Connectors.

        • Verify that On-Demand Registration is enabled in the MDM service connector. This allows FortiNAC to query the MDM and register the device based on the MDM's data.
        • Highlight the MDM service connector, right-click it and select 'Poll Now'. Note any errors that are generated; they point to communication issues between FortiNAC and the MDM.

        To investigate further, enable the following debugs in the FortiNAC CLI and check the output after selecting 'Poll Now':

        FortiNAC (CentOS):

        logs
        nacdebug -name MdmManager true

        Depending on the MDM vendor, additionally enable one of the following:

        nacdebug -name FortinetEMSServer true
        nacdebug -name AirWatchServer true
        nacdebug -name XenMobileServer true
        nacdebug -name GoogleGSuiteServer true
        nacdebug -name JamfServer true
        nacdebug -name Maas360Server true
        nacdebug -name MSInTuneServer true
        nacdebug -name MobileIronServer true
        nacdebug -name NozomiServer true

        tf output.master

        FortiNAC-F (NACOS):

        diagnose debug plugin enable MdmManager
        diagnose debug plugin enable FortinetEMSServer    <-- Replace 'FortinetEMSServer' with the plugin matching the MDM vendor, as listed above.
        diagnose tail -F output.master

        Disable debugging once the output has been collected:

        FortiNAC (CentOS):

        logs
        nacdebug -name MdmManager false    <-- Repeat with 'false' for every other plugin that was enabled.

        FortiNAC-F (NACOS):

        diagnose debug plugin disable MdmManager    <-- Repeat with 'disable' for every other plugin that was enabled.

        • Check the polling interval, as it may need to be increased. Depending on the size of the MDM's database, a poll can take as long as 30 minutes to complete. If another poll is initiated before the last one has completed, FortiNAC may not finish updating.

         

        2. Only some devices registering through the MDM are affected.

          • Verify that the host has the MDM agent installed.
          • Verify that Use Configured MDM is selected under the Global Settings in Portal -> Portal Configuration -> Content Editor. This setting provides a means for isolated mobile devices to download the MDM agent.

         

  3. The host record shows online and registered, but the device remains isolated.

    • Manually disconnect the host from the SSID and reconnect it. If the host then connects successfully and receives the new VLAN access, this suggests a problem with FortiNAC disconnecting the client in order to change its network access: either FortiNAC is not sending a 'Disconnect Message' or 'CoA request' to change the network posture, or the NAS (WLC/switch) is not acknowledging the request. Check the section 'Common Errors and Misconfigurations with CoA' in this article to identify the issue: Technical Tip: CoA Support in FortiNAC 7.4 and applying DACLs in FortiSwitch FortiLink scenario.

Related articles:

Technical Tip: Persistent Agent comparison to FortiClient EMS (MDM) for Network Access Control/Compl...

Technical Note: Hosts imported from Airwatch is less than expected

Technical Tip: Airwatch MDM Agent fails to authenticate in isolation

Technical Tip: Certificate path error when polling Airwatch

Technical Tip: Airwatch poll fails with 429 error code

Technical Tip: AirWatch MDM poll fails when configured to retrieve application data

Technical Note: Gather logs for debugging and troubleshooting