FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 249832
Description

This article describes how to troubleshoot when a client is not being provisioned with the correct network access for Palo Alto VPN integrations.

 

This article assumes the following:

- Syslog from Palo Alto is being processed correctly.

- Agent communication is working between VPN client and FortiNAC.

 

For integration details, see the Palo Alto Networks Integration reference manual.

Scope

FortiNAC v9.4.2 and greater
Solution

1) Verify the correct Network Access policy matches.

'Right-click' on the host in the host view and select Policy Details.

If the policy does not match under the Network Access tab or is blank, see the related KB article:

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Troubleshooting-policies/ta-p/197123

 

2) If the correct policy matches, verify that the correct tag/group is sent to Palo Alto.

Enable debugs (written to /bsc/campusMgr/master_loader/output.master):

nacdebug -name RemoteAccess true
nacdebug -name PaloAlto true

tf output.master | grep -i "<client MAC address>"

Example:

tf output.master | grep -i "00:21:70:D1:92:77"

3) Have the client connect.

4) Review output.master for messages like those below and confirm that the tag/group in the logon message sent to Palo Alto matches the Firewall Tags of the matched policy.

Example 1:


Client MAC address = 00:21:70:D1:92:77
Matching network access policy configuration:
Selected Groups = Registered Hosts
Firewall Tags = Registered

 

yams.fortinet.fsso FINE :: 2019-04-03 08:30:44:395 :: Sending logon information
yams.fortinet.fsso FINE :: 2019-04-03 08:30:44:395 :: >>>
(/192.168.5.53:17084) [tag=LOGON_INFO(132) type=COMPOSITE(6)
value=[[tag=SEQ(1) type=INT(3) value=3], [tag=LOGON_INFO_FLAG(96)
type=INT(3) value=0], [tag=LOGON_INFO_REF_POINT(97) type=INT(3) value=0],
[tag=LOGON_ITEM(80) type=COMPOSITE(6) value=[[tag=LOGON_ITEM_FLAG(81)
type=INT(3) value=1], [tag=LOGON_ITEM_STATE(88) type=INT(3) value=0],
[tag=LOGON_ITEM_MONITORTYPE(89) type=INT(3) value=1], [tag=LOGON_ITEM_IP(82)
type=INT(3) value=-1407448573], [tag=LOGON_ITEM_USER(85) type=ASCII(5)
value=00:21:70:D1:92:77], [tag=LOGON_ITEM_GROUP(86) type=ASCII(5)
value=REGISTERED+REGISTERED HOSTS]]]]]

 

Example 2:


Client VPN IP: 172.16.196.10
Client MAC address = 24:77:03:07:E6:18
Matching network access policy configuration:
Firewall Tags = VPN-Authorized

 

yams.SSOManager FINER :: 2021-11-11 15:50:08:801 :: SSOManager.remMessageFromQueue message removed UserIDMessage[logon, mac=24:77:03:07:E6:18, ip=172.16.196.10, user=test, tags=[VPN-Authorized]] for key 24:77:03:07:E6:18
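The check in step 4 can be automated over a saved copy of output.master. The script below is an added example, not part of this article or of FortiNAC: it parses both message formats shown above (the FSSO TLV dump of Example 1 and the SSOManager queue message of Example 2), pairs each client MAC with the Firewall Tags of its matched policy and with the tag/group actually sent to Palo Alto, and also checks the client's VPN IP against the VPN management ranges (step 5). The sample log is constructed from the two examples plus a third, constructed host whose sent tag does not match its policy; the VPN ranges are constructed placeholders; and rendering LOGON_ITEM_IP as a dotted quad assumes the logged integer is a signed 32-bit value in network byte order (the article only shows the raw integer).

```python
import ipaddress
import re

# Constructed excerpt in the shape of the output.master lines quoted in the article.
# The FSSO ">>>" message is a single log line (the article wraps it for display), so it
# is joined back onto one line here. Host 00:11:22:33:44:55 is constructed to show a
# tag mismatch; it does not come from the article.
SAMPLE_LOG = """\
Client MAC address = 00:21:70:D1:92:77
Matching network access policy configuration:
Selected Groups = Registered Hosts
Firewall Tags = Registered
yams.fortinet.fsso FINE :: 2019-04-03 08:30:44:395 :: Sending logon information
yams.fortinet.fsso FINE :: 2019-04-03 08:30:44:395 :: >>> (/192.168.5.53:17084) [tag=LOGON_INFO(132) type=COMPOSITE(6) value=[[tag=SEQ(1) type=INT(3) value=3], [tag=LOGON_INFO_FLAG(96) type=INT(3) value=0], [tag=LOGON_INFO_REF_POINT(97) type=INT(3) value=0], [tag=LOGON_ITEM(80) type=COMPOSITE(6) value=[[tag=LOGON_ITEM_FLAG(81) type=INT(3) value=1], [tag=LOGON_ITEM_STATE(88) type=INT(3) value=0], [tag=LOGON_ITEM_MONITORTYPE(89) type=INT(3) value=1], [tag=LOGON_ITEM_IP(82) type=INT(3) value=-1407448573], [tag=LOGON_ITEM_USER(85) type=ASCII(5) value=00:21:70:D1:92:77], [tag=LOGON_ITEM_GROUP(86) type=ASCII(5) value=REGISTERED+REGISTERED HOSTS]]]]]
Client VPN IP: 172.16.196.10
Client MAC address = 24:77:03:07:E6:18
Matching network access policy configuration:
Firewall Tags = VPN-Authorized
yams.SSOManager FINER :: 2021-11-11 15:50:08:801 :: SSOManager.remMessageFromQueue message removed UserIDMessage[logon, mac=24:77:03:07:E6:18, ip=172.16.196.10, user=test, tags=[VPN-Authorized]] for key 24:77:03:07:E6:18
Client MAC address = 00:11:22:33:44:55
Matching network access policy configuration:
Firewall Tags = Quarantine
yams.SSOManager FINER :: 2021-11-11 15:51:00:000 :: SSOManager.remMessageFromQueue message removed UserIDMessage[logon, mac=00:11:22:33:44:55, ip=10.99.0.7, user=test2, tags=[Registered]] for key 00:11:22:33:44:55
"""

# Constructed placeholders for the VPN management address ranges (step 5); replace with
# the ranges actually configured on the appliance and on Palo Alto.
VPN_RANGES = [ipaddress.ip_network("172.16.196.0/24"), ipaddress.ip_network("172.28.0.0/16")]

MAC = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
POLICY_MAC_RE = re.compile(r"^Client MAC address = " + MAC)
POLICY_TAGS_RE = re.compile(r"^Firewall Tags = (.+?)\s*$")
FSSO_USER_RE = re.compile(r"LOGON_ITEM_USER\(85\) type=ASCII\(5\) value=" + MAC)
FSSO_GROUP_RE = re.compile(r"LOGON_ITEM_GROUP\(86\) type=ASCII\(5\) value=([^\]]+)\]")
FSSO_IP_RE = re.compile(r"LOGON_ITEM_IP\(82\) type=INT\(3\) value=(-?\d+)\]")
SSO_MSG_RE = re.compile(r"UserIDMessage\[logon, mac=" + MAC + r", ip=([\d.]+), user=\S+, tags=\[([^\]]*)\]\]")


def fsso_int_to_ip(value):
    """Render the LOGON_ITEM_IP integer as a dotted quad. Assumption: the log prints the
    address as a signed 32-bit integer in network byte order, so masking to 32 bits
    recovers the unsigned address (-1407448573 -> 172.28.10.3)."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def _new_entry():
    return {"policy_tags": [], "sent_tags": [], "ip": None}


def parse_output_master(text):
    """Per client MAC, collect the Firewall Tags of the matched policy and the tag/group
    actually sent to Palo Alto, from either message format the article shows."""
    hosts = {}
    current = None  # MAC of the most recent "Client MAC address =" policy line
    for line in text.splitlines():
        m = POLICY_MAC_RE.match(line)
        if m:
            current = m.group(1).upper()
            hosts.setdefault(current, _new_entry())
            continue
        m = POLICY_TAGS_RE.match(line)
        if m and current:
            # assumed comma-separated when a policy carries more than one tag
            hosts[current]["policy_tags"] = [t.strip() for t in m.group(1).split(",")]
            continue
        m = FSSO_USER_RE.search(line)
        if m:  # Example 1 format: FSSO TLV dump, groups joined with '+'
            entry = hosts.setdefault(m.group(1).upper(), _new_entry())
            g = FSSO_GROUP_RE.search(line)
            if g:
                entry["sent_tags"] = g.group(1).split("+")
            ip = FSSO_IP_RE.search(line)
            if ip:
                entry["ip"] = fsso_int_to_ip(int(ip.group(1)))
            continue
        m = SSO_MSG_RE.search(line)
        if m:  # Example 2 format: SSOManager UserIDMessage with tags=[...]
            entry = hosts.setdefault(m.group(1).upper(), _new_entry())
            entry["ip"] = m.group(2)
            entry["sent_tags"] = [t.strip() for t in m.group(3).split(",") if t.strip()]
    return hosts


def check_hosts(hosts, vpn_ranges=VPN_RANGES):
    """tags_ok: every policy Firewall Tag appears (case-insensitively) among the tags sent
    to Palo Alto. ip_in_vpn_range: the client's VPN IP lies in a configured VPN range."""
    report = {}
    for mac, e in hosts.items():
        sent = {t.casefold() for t in e["sent_tags"]}
        tags_ok = bool(e["policy_tags"]) and all(t.casefold() in sent for t in e["policy_tags"])
        ip_ok = e["ip"] is not None and any(ipaddress.ip_address(e["ip"]) in net for net in vpn_ranges)
        report[mac] = {"tags_ok": tags_ok, "ip_in_vpn_range": ip_ok}
    return report


if __name__ == "__main__":
    for mac, result in check_hosts(parse_output_master(SAMPLE_LOG)).items():
        print(mac, result)
```

Run it against a copy of output.master captured after the client connects (with the RemoteAccess and PaloAlto debugs enabled); a host reported with tags_ok False is one whose policy matched but whose tag was not the one sent, and ip_in_vpn_range False points at the address-range mismatch of step 5.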

 

5) Verify that the address ranges defined for VPN management match between the FortiNAC appliance and Palo Alto.

6) Once troubleshooting is complete, disable debugging:

nacdebug -name RemoteAccess false
nacdebug -name PaloAlto false
