FortiNAC
FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Description This article describes the steps used to troubleshoot why a client may not be provisioned the correct network access in Fortinet SSO integrations with the FortiGate.
Scope Version: 8.x, 9.x
Solution

1) Verify that the correct Network Access policy matches. Right-click the host in the Host View and select Policy Details.

If the policy under the Network Access tab does not match or is blank, see KB article 197123.

2) If the correct policy matches, verify that the correct tag/group is sent to the FortiGate via SSO.

Enable debugs (written to /bsc/campusMgr/master_loader/output.master):


nacdebug -name SSOManager true
tf output.master | grep -i "<client MAC address>"

Example:

tf output.master | grep -i "00:21:70:D1:92:77"

3) Have the client connect.

4) Review output.master for messages like those below.

Example 1:


Client MAC address = 00:21:70:D1:92:77
Matching network access policy configuration:
Selected Groups = Registered Hosts
Firewall Tags = Registered

yams.fortinet.fsso FINE :: 2019-04-03 08:30:44:395 :: Sending logon information
yams.fortinet.fsso FINE :: 2019-04-03 08:30:44:395 :: >>>
(/192.168.5.53:17084) [tag=LOGON_INFO(132) type=COMPOSITE(6)
value=[[tag=SEQ(1) type=INT(3) value=3], [tag=LOGON_INFO_FLAG(96)
type=INT(3) value=0], [tag=LOGON_INFO_REF_POINT(97) type=INT(3) value=0],
[tag=LOGON_ITEM(80) type=COMPOSITE(6) value=[[tag=LOGON_ITEM_FLAG(81)
type=INT(3) value=1], [tag=LOGON_ITEM_STATE(88) type=INT(3) value=0],
[tag=LOGON_ITEM_MONITORTYPE(89) type=INT(3) value=1], [tag=LOGON_ITEM_IP(82)
type=INT(3) value=-1407448573], [tag=LOGON_ITEM_USER(85) type=ASCII(5)
value=00:21:70:D1:92:77], [tag=LOGON_ITEM_GROUP(86) type=ASCII(5)
value=REGISTERED+REGISTERED HOSTS]]]]]

Example 2:


Client VPN IP: 172.16.196.10
Client MAC address = 24:77:03:07:E6:18
Matching network access policy configuration:
Firewall Tags = VPN-Authorized

yams.SSOManager FINER :: 2021-11-11 15:50:08:801 :: SSOManager.remMessageFromQueue message removed UserIDMessage[logon, mac=24:77:03:07:E6:18, ip=172.16.196.10, user=test, tags=[VPN-Authorized]] for key 24:77:03:07:E6:18
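As an added example (not from this article or from Fortinet), the following Python checker automates the review in step 4: it parses both message shapes from output.master for one client MAC, splits the "+"-joined FSSO group string, and confirms that the Firewall Tag shown in Policy Details was actually sent. The sample log is constructed from the two examples above, and the signed-integer decoding of LOGON_ITEM_IP is an assumption noted in the code.

```python
import re
import ipaddress

# Constructed sample of output.master built from the article's two examples
# (the FSSO message is one log line; the article wraps it for display).
SAMPLE_LOG = "\n".join([
    "yams.fortinet.fsso FINE :: 2019-04-03 08:30:44:395 :: Sending logon information",
    "yams.fortinet.fsso FINE :: 2019-04-03 08:30:44:395 :: >>> (/192.168.5.53:17084) "
    "[tag=LOGON_INFO(132) type=COMPOSITE(6) value=[[tag=SEQ(1) type=INT(3) value=3], "
    "[tag=LOGON_ITEM(80) type=COMPOSITE(6) value=[[tag=LOGON_ITEM_FLAG(81) type=INT(3) value=1], "
    "[tag=LOGON_ITEM_IP(82) type=INT(3) value=-1407448573], "
    "[tag=LOGON_ITEM_USER(85) type=ASCII(5) value=00:21:70:D1:92:77], "
    "[tag=LOGON_ITEM_GROUP(86) type=ASCII(5) value=REGISTERED+REGISTERED HOSTS]]]]]",
    "yams.SSOManager FINER :: 2021-11-11 15:50:08:801 :: SSOManager.remMessageFromQueue "
    "message removed UserIDMessage[logon, mac=24:77:03:07:E6:18, ip=172.16.196.10, "
    "user=test, tags=[VPN-Authorized]] for key 24:77:03:07:E6:18",
])

# The two message shapes from step 4: FSSO tag/type/value items and the SSOManager queue message.
FSSO_ITEM = re.compile(r"tag=LOGON_ITEM_(USER|GROUP|IP)\(\d+\) type=\w+\(\d+\) value=([^\]]+)")
SSO_MSG = re.compile(r"UserIDMessage\[\w+, mac=([0-9A-Fa-f:]+), ip=([\d.]+), user=[^,]+, tags=\[([^\]]*)\]\]")

def decode_logon_ip(raw):
    """Assumption (the article does not say): LOGON_ITEM_IP is the IPv4 address as a
    signed 32-bit integer in network byte order, so mask to 32 bits and render it."""
    return str(ipaddress.IPv4Address(int(raw) & 0xFFFFFFFF))

def parse_sso_line(line):
    """Return {'mac', 'ip', 'tags'} for a line carrying an SSO logon, else None.
    Tags are upper-cased and the '+'-joined FSSO group string is split into parts."""
    m = SSO_MSG.search(line)
    if m:
        tags = [t.strip().upper() for t in m.group(3).split(",") if t.strip()]
        return {"mac": m.group(1).upper(), "ip": m.group(2), "tags": tags}
    items = dict(FSSO_ITEM.findall(line))
    if "USER" not in items:
        return None
    groups = [g.strip().upper() for g in items.get("GROUP", "").split("+") if g.strip()]
    ip = decode_logon_ip(items["IP"]) if "IP" in items else None
    return {"mac": items["USER"].upper(), "ip": ip, "tags": groups}

def sso_events_for_mac(log_text, mac):
    """Parsed equivalent of `tf output.master | grep -i <MAC>`: this host's logons only."""
    return [e for e in map(parse_sso_line, log_text.splitlines()) if e and e["mac"] == mac.upper()]

def tag_was_sent(log_text, mac, expected_tag):
    """True if a logon for the host carried the Firewall Tag shown in Policy Details."""
    return any(expected_tag.upper() in e["tags"] for e in sso_events_for_mac(log_text, mac))
```

Run it against a copy of output.master captured while the client connects; a False result from tag_was_sent with the tag from Policy Details points at the SSO side rather than the policy match.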

5) Review address ranges defined for VPN management.

FortiNAC versions 9.2 and above
In the applicable VDOM’s Model Configuration, verify SSO Addresses and VPN addresses are populated with the correct address groups.

FortiNAC versions 9.1 and below
If SSO tags do not appear to be sent, verify that the FortiGate device model includes the VPNManagedNetworks value:


device -ip <FortiGate IP> | grep -i vpn

Expected output:


Name = VPNManagedNetworks value = POOL_Name length = #

Example:


> device -ip 10.12.240.5 | grep -i vpn
Name = VPNManagedNetworks value = FGT-Core-SSL-VPN-Pool length = 21

If the VPNManagedNetworks value is not present in the device model, read the VLANs on the FortiGate.

From the CLI type:


UpdateVLANS -ip <FortiGate IP>

6) Once troubleshooting is complete, disable debugging:


nacdebug -name SSOManager false