Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hatibi
Staff & Editor
Staff & Editor

Created on ‎06-24-2022 03:25 AM Edited on ‎07-25-2025 05:13 AM By Community Manager

Article Id 215695

Troubleshooting Tip: FortiNAC and FortiGate FSSO ZTA TAG troubleshooting

Description

 

This articles describes how to troubleshoot FSSO TAG information and communication between FortiNAC and FortiGate.

 

Scope

 

FortiGate, FortiNAC, FSSO.

 

Solution

 

In order to implement this scenario Fortinet provides the following documentation which describes how this works and the needed requirements:

 

Fortinet Security Fabric/FSSO Integration Guide

 

FSSO is the passive IP-based authentication method by which users can transparently authenticate to FortiGate.

 

FortiNAC acts as a Collector Agent: it collects and compiles information about user logons.

 

The flow when a host connects to the network is as follows:

  • Host is connected to the network.
  • Switch sends MAC Notification trap to FortiNAC.
  • The host is evaluated against the existing Network Access Policies.
  • Correct access policy is matched with a configuration containing TAG on the logical network.
  • FSSO Logon message is sent to FortiGate with TAG information.

 

Important Considerations:

Network access policies will not(!) match when the host has the following status:

  • Host is NOT Registered (appearing as Rogue in FortiNAC).
  • Host is registered but offline.

 

Other:

  • Host status has precedence over network access policies.
  • Groups/Tag information must be included in the Network Access policy configuration.
  • When the host status changes (Registered, Authenticated, Unauthenticated, At-Risk, Safe, - Disabled or Rogue), then FortiNAC will re-evaluate the network access policies.
  • When the host disconnects from the network then FortiNAC will update the FortiGate with an SSO logoff message and stop the SSO session. The network access policies which were previously applied will be removed.
  • L3 polling is required for the FortiGate model configuration in FortiNAC since SSO is an IP-based type of authentication. FortiNAC will need to frequently L3 poll the FortiGate.
  • FortiNAC will communicate with FortiGate every 15 Minutes. This applies to versions 8.8.11, 9.1.5, 9.2.2, and greater.

 

Configuration Validation.

 

Validate FortiNAC configuration and Host status.

 

Host adapter showing online in Adapter view.

This is seen by the Green Icon Adapter:

 

Sx11_3-1678456089408.png

 

 

Host has IP showing on FortiNAC host view.

A valid IP address from the production network should be seen.

 

Sx11_4-1678456220779.png

 

Host is matching a policy with the Logical network where TAG is defined in the Model configuration.

Go to Hosts -> Select the affected host and then select -> Policy details.

 

Sx11_1-1678456484609.png

 

Subnet is manually specified in SSO addresses in the model config.

All subnets where it is expected a Host to be part should be included in the SSO addresses in the FortiNAC model configuration:

 

Go to Network Inventory -> Select the FortiGate device -> Virtualized Devices -> Edit Model config for that device.

 

Sx11_0-1678455467404.png

 

Here, it is possible to edit the SSO addresses and add New Subnets to the list:

 

Sx11_1-1678455646427.png

 

So in this case any Host with an IP in those Subnets/ranges will be assigned an FSSO Tag.

 

Additional information about SSO addresses is provided here: Addresses

 

FortiGate is added in L3 polling group:

Select the FortiGate device model in the Inventory view and select 'Group Membership'.

Make sure the L3 (IP -> MAC) is enabled.

 

Sx11_2-1678455816752.png

 

Troubleshooting.

 

To troubleshoot SSO communication between FortiGate and FortiNAC the following debugs will need to be inspected from both sides:

 

FortiGate CLI session:

 

diagnose debug reset

diagnose debug console timestamp enablediag debug app authd -1

diagnose debug enable

 

Display the FSSO logons from CLI.

 

diagnose debug authd fsso list

diagnose debug authd fsso list | grep < Affected user IP >

 

FortiNAC CLI Session:

 

logs

CampusMgrDebug -name BridgeManager true

CampusMgrDebug -name PolicyHelper true

CampusMgrDebug -name SSOManager true

CampusMgrDebug -name Fortinet true

CampusMgrDebug -name DeviceInterface true

tf output.master

 

CLI output on the FortiNAC session will show similar events:

SSO TAGs Information send to FortiGate will look like below events:

 

yams.SSOManager INFO :: 2022-02-11 15:48:51:488 :: SSOManager.sendMessage sending message to X.X.X.X for client YY:YY:YY:XX:XX:XX, MSG=UserIDMessage[logon, mac=YY:YY:YY:XX:XX:XX, ip=192.168.1.1, user=FortiLAB, tags=[LAB-USER]]

 

SSO logoff events for disconnecting hosts:

 

yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager client removed:192.168.1.1 34343 YY:YY:YY:XX:XX:XX and port YYY
yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager.logoffAdapter for YY:YY:YY:XX:XX:XX
yams.SSOManager FINER :: 2022-06-06 08:21:08:523 :: #76 :: SSOManager.logoffAdapter has messages on 0 UserAgents

 

c) SSO IP validation events:

 

yams.SSOManager FINER :: 2022-06-06 08:20:36:103 :: #76 :: SSOManager client updated:192.168.1.1 YY:YY:YY:XX:XX:XX
yams.SSOManager FINER :: 2022-06-06 08:20:36:104 :: #76 :: SSOManager.validateAdapterIP checking IP for client YY:YY:YY:XX:XX:XX
yams.SSOManager FINER :: 2022-06-06 08:20:36:104 :: #76 :: SSOManager.getIPByMAC() ending, mac = YY:YY:YY:XX:XX:XX retval = null

 

Read FortiGate and FortiNAC SSO lists:

Run the following on FortiNAC CLI:

 

ssotool -ip <FGT_IP>

 

This command will dump the SSO sessions currently active.

 

***In FortiGate one can manually perform FSSO login actions in CLI as below:

 

diagnose debug authd fsso clear-logons       -> deletes cached login status

diagnose debug authd fsso refresh-groups   -> Refresh group mapping

diagnose debug authd fsso refresh-logons   -> Resynch login database

 

 

Expanding SSO scope in FortiNAC CLI when using a multi-VDOM environment and forcing SSO TAGs to be sent to another L3 device when the VLAN is not terminating on FortiGate.

 

globaloptiontool -name sso.expand.scope -set true

 

Note:

When the above option is enabled, when a host matches a Network Access Policy that has an SSO Tag, FortiNAC will also send the SSO Tag to the device that the host matches NAP, even though the VLAN is not terminating on the Device.

 

To disable the option, do:

 

globaloptiontool -name sso.expand.scope -set false

 

For VPN connecting hosts, verify the following from FortiNAC CLI:

 

remoteaccess -dump

 

  • The output will show all of the networks associated with FortiGates/vdoms.
  • he IP's in that list 'remoteaccess -dump' means, when FortiNAC sees a connection event, will send an FSSO tag to the associated FortiGate.

 

Documents and Articles related to FSSO TAG configuration:

 

Technical Tip: Configuring and troubleshooting Firewall TAGs

Endpoint connector - FortiNAC 6.2.1

FortiNAC tag dynamic address

FortiNAC

 

Working with TAC Support.

 

Issue a ticket to TAC support by recreating the issue and providing the information below:

  • Host MAC and IP address.
  • Timestamp when issue was recreated.

 

After the issue is recreated, collect the debug logs as stated in the KB article below:

Technical Tip: How to get a debug log report from FortiNAC-CA or FortiNAC-Manager

 

4018
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.