This article explains how to resolve cases where new devices with the Persistent Agent installed have all configurations completed but the agent still cannot connect (particularly on newly purchased devices, dongles, or VMs).
FortiNAC, Persistent Agent.
The most helpful information is in the FortiNAC output.nessus log once this debug is enabled:
nacdebug -name PersistentAgent true
logs
tf output.nessus
Partial output of the Nessus logs:
yams.PersistentAgent FINER :: 2023-02-03 17:25:16:881 :: #41 :: Invalid OUI: 00:76:6F:6C:23:01
yams.PersistentAgent FINER :: 2023-02-03 17:25:16:881 :: #41 :: validateHost() called with empty agentMacs, returning empty
yams.PersistentAgent FINER :: 2023-02-03 17:25:16:881 :: #41 :: PersistentAgent.parseMachine() - invoking verifyClients
yams.PersistentAgent FINER :: 2023-02-03 17:25:16:882 :: #41 :: verifyClients 10.1.3.11 is not a remote IP
Check that specific OUI from the FortiNAC CLI:
validmac -mac '00:76:6F:6C:23:01'
00:76:7F:6C:23:01 Invalid
Solution 1: Update the OUI database by running 'Auto-Definition Synchronizer'. The database should be automatically populated with the latest Vendor OUIs.
Solution 2: Manually create an OUI:
In the Administration GUI, navigate to System -> Settings -> Identification -> Vendor OUIs.
In the Vendor OUI field, enter the first three octets of the device’s Physical Address in hexadecimal format (for example, 00:76:6F). Enter a Vendor Name and Vendor Alias, then select OK.
Check from the CLI whether the MAC address is now identified:
validmac -mac '00:76:6F:6C:23:01'
VendorCode:
Vendor OUI = 00:76:6F
Vendor Name = Lab
Vendor Alias = Lab
Description =
Role = NAC-Default
Registration Type = null(0)
User Registration Type = null(9999)
The logs now show the agent starting to communicate:
yams.PersistentAgent FINER :: 2023-02-03 17:29:16:578 :: #43 :: getRemoteUser(10.1.3.11 ) = null
yams.PersistentAgent FINER :: 2023-02-03 17:29:16:578 :: #43 :: validateHost() chose iface 00:76:6F:6C:23:01 10.1.3.11 as primary
yams.PersistentAgent FINER :: 2023-02-03 17:29:16:578 :: #43 :: validateHost() selected host based on num adapters == 1 and not rogue, hostID: 24
yams.PersistentAgent FINER :: 2023-02-03 17:29:16:578 :: #43 :: validateHost() hostAds = [00:76:6F:6C:23:01]
yams.PersistentAgent FINER :: 2023-02-03 17:29:16:578 :: #43 :: validateHost() myAds = [00:76:6F:6C:23:01]
yams.PersistentAgent FINER :: 2023-02-03 17:29:16:578 :: #43 :: validateHost() hostOS = Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC] agentOS = Windows 10 Pro 6.3 21H2 10.0.19044.2364
yams.PersistentAgent FINER :: 2023-02-03 17:29:16:578 :: #43 :: validateHost() selected host based on myAds and hostAds. Exiting loop, hostID: 24
yams.PersistentAgent FINER :: 2023-02-03 17:29:16:578 :: #43 :: validateHost() found a host: 24
yams.PersistentAgent FINER :: 2023-02-03 17:29:16:579 :: #43 :: validateHost() returning [ MAC : 00:76:6F:6C:23:01
The GUI will show that the PA is now connected.
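To find every OUI that was rejected, not only the one in the excerpt, the output.nessus lines can be parsed offline. The Python script below is an added example, not Fortinet code; it assumes the line layout shown in the excerpts above and treats a later "chose iface" line for the same OUI as the sign that it is now accepted. The function names are hypothetical.

```python
import re
from datetime import datetime

# Layout taken from the article's excerpts:
# yams.PersistentAgent FINER :: 2023-02-03 17:25:16:881 :: #41 :: <message>
LINE_RE = re.compile(r"^yams\.PersistentAgent\s+\w+\s+::\s+"
                     r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3})\s+::\s+#\d+\s+::\s+(.*)$")
MAC = r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
INVALID_RE = re.compile(r"Invalid OUI:\s*" + MAC)
# Assumption: a later "chose iface <MAC>" line means the OUI is now accepted.
CHOSEN_RE = re.compile(r"validateHost\(\) chose iface\s+" + MAC)

def oui_of(mac):
    """Vendor OUI = first three octets, upper-cased (e.g. 00:76:6F)."""
    return mac.upper()[:8]

def summarize(lines):
    """Return {oui: {"macs", "hits", "last_invalid", "resolved"}} per rejected OUI."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other loggers, wrapped or blank lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S:%f")
        bad, ok = INVALID_RE.search(m.group(2)), CHOSEN_RE.search(m.group(2))
        if bad:
            e = report.setdefault(oui_of(bad.group(1)),
                                  {"macs": set(), "hits": 0})
            e["macs"].add(bad.group(1).upper())
            e["hits"] += 1
            e["last_invalid"] = ts
            e["resolved"] = False  # a fresh rejection reopens the OUI
        elif ok and oui_of(ok.group(1)) in report:
            report[oui_of(ok.group(1))]["resolved"] = True
    return report

def unresolved(report):
    """OUIs that still need a Vendor OUI entry, in first-seen order."""
    return [oui for oui, e in report.items() if not e["resolved"]]

# Lines 1 and 3 are from the article; line 2 (02:00:5E...) is constructed.
SAMPLE = """\
yams.PersistentAgent FINER :: 2023-02-03 17:25:16:881 :: #41 :: Invalid OUI: 00:76:6F:6C:23:01
yams.PersistentAgent FINER :: 2023-02-03 17:26:02:140 :: #42 :: Invalid OUI: 02:00:5E:10:00:01
yams.PersistentAgent FINER :: 2023-02-03 17:29:16:578 :: #43 :: validateHost() chose iface 00:76:6F:6C:23:01 10.1.3.11 as primary
"""

if __name__ == "__main__":
    print(unresolved(summarize(SAMPLE.splitlines())))
```

Each OUI it reports as unresolved is a candidate for Solution 1 or Solution 2 above, and can be confirmed with validmac before and after the change.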
Related articles:
Technical Tip: Troubleshooting the Persistent agent.
Troubleshooting Tip: New vendor OUI missing from the database
Technical Tip: A simple network example of deploying Persistent Agent in FortiNAC