FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
jhilman
Staff
Article Id 353883
Description This article describes the condition in which the Role Based Access group can cause sync errors from NCM and how to correct it.
Scope FortiNAC.
Solution

Root Cause of the Issue:
Earlier versions of FortiNAC NCM did not have the 'Role Based Access' group in its list of groups. This group was added in the 9.2.x release. When upgrading from 9.1.x to 9.2.x or higher, this group gets added to the NCM and is synchronized down from the NCM to the CA servers as a global group.

However, in some use cases, global groups on the CA were nested under the local Role Based Access group before the upgrade, which was acceptable at the time. After an upgrade to 9.2.x or higher, this creates a scenario where the Role Based Access group on the NCM is labeled as global, but the sync fails because the local instance has a group nested under it, so it can never be converted from a local group to a global group.

Solution: 

There are two possible solutions. The nested group(s) in the CA server's local instance of the Role Based Access group can be removed, or those same groups can be added to the Global instance of the Role Based Access group on the NCM, and this should allow sync to resume. After the sync, the local Role Based Access group should be converted to a Global group on the CA server as it is on the NCM.