Created on 03-13-2022 11:37 PM Edited on 09-06-2023 08:29 AM By Anthony_E
Description | This article describes how to resolve one of the cases where the Persistent Agent (PA) does not communicate with the FortiNAC server. |
Scope | FortiNAC v8.8.x, v9.1.x, v9.2.x, v9.4.x, FortiNAC-F v7.2.x. PA 5.3.x, Persistent Agent v9.4.x |
Solution |
Indicators of this failure condition can be found in the PA logs, in the general.txt file.
When the intermediate certificate is missing in FortiNAC, the logs look like this:
2022-03-12 10:09:25 UTC :: SSL Certificate verification result: unable to get local issuer certificate
2022-03-12 10:09:25 UTC :: peer CommonName = fortinac.fortinet.lab
In this case, the root CA is installed correctly on the endpoint, and it trusts the PA server certificate, but the trust chain is incomplete because the intermediate certificate that comes with the server certificate is missing. The result is a distrusted condition, and the PA connection to the FortiNAC server fails.
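As an added example (not part of the original article and not Fortinet tooling), this Python sketch scans general.txt lines for the verification error above and reports the most recent result per peer, which helps confirm that the error cleared after the certificate was uploaded again. It assumes the line layout shown in the excerpt and that the peer CommonName line follows its result line; the "ok" result in the sample is constructed.

```python
import re

# Layout from the general.txt excerpt above: "<timestamp> UTC :: <message>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC :: (.*)$")
RESULT_PREFIX = "SSL Certificate verification result: "
CN_PREFIX = "peer CommonName = "
MISSING_ISSUER = "unable to get local issuer certificate"

def verification_events(lines):
    """Pair each verification result with the peer CommonName line after it."""
    events, pending = [], None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a layout this sketch does not know
        ts, msg = m.groups()
        if msg.startswith(RESULT_PREFIX):
            pending = {"time": ts, "peer": None, "result": msg[len(RESULT_PREFIX):].strip()}
            events.append(pending)
        elif msg.startswith(CN_PREFIX) and pending is not None:
            pending["peer"] = msg[len(CN_PREFIX):].strip()
            pending = None
    return events

def chain_failures(events):
    """Events where the agent could not find the issuer of the server certificate."""
    return [e for e in events if e["result"] == MISSING_ISSUER]

def latest_result(events):
    """Most recent result per peer; shows whether the error cleared after a re-upload."""
    latest = {}
    for e in events:  # log order is assumed to be chronological
        latest[e["peer"]] = e["result"]
    return latest

# Constructed sample: the first two lines are from the article, the rest are made up,
# including the "ok" result text, which is assumed rather than taken from a real log.
SAMPLE = """\
2022-03-12 10:09:25 UTC :: SSL Certificate verification result: unable to get local issuer certificate
2022-03-12 10:09:25 UTC :: peer CommonName = fortinac.fortinet.lab
2022-03-12 10:14:25 UTC :: SSL Certificate verification result: unable to get local issuer certificate
2022-03-12 10:14:25 UTC :: peer CommonName = fortinac.fortinet.lab
2022-03-12 10:20:02 UTC :: SSL Certificate verification result: ok
2022-03-12 10:20:02 UTC :: peer CommonName = fortinac.fortinet.lab
""".splitlines()

if __name__ == "__main__":
    ev = verification_events(SAMPLE)
    for e in chain_failures(ev):
        print(e["time"], e["peer"], "-> issuer certificate not found")
    print(latest_result(ev))
```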
Solution:
The solution is to upload the server certificate again, together with the intermediate certificate, in one single step in the PA Target.
The intermediate certificate can be added by selecting the 'Add Certificate' button. This completes the certificate chain and establishes trust between the end stations and the FortiNAC server.
Note 1. This article covers cases where the PA server certificate obtained from a CA comes with an intermediate certificate. To check whether the certificate has an intermediate certificate, check the certification path in the certificate details.
Note 2. There are cases where the server certificate comes directly from the root CA without passing through intermediate CA nodes. In this case, only the server certificate needs to be uploaded to FortiNAC, and the root certificate needs to be installed on the end stations.