Dear Team,
We have FortiNAC using as local RADIUS for our Cisco Switch. We have Endpoint Access Policy with using RADIUS RFC Vlan for changing User VLAN based on Access Policy. We have Endpoint Compliance to move user to Non-Compliant VLAN and mark at Risk but when user are changed to Host/Profile (Non-Compliant). Policy detail shown that Host Matched VLAN "Non-Compliant VLAN" but FNAC is not change the port VLAN and Also it is not send RADIUS to Reauthentication User to Non-Compliant VLAN.
It is working only when Host reconnect by itself. It should not be correct flow of how NAC's endpoint compliance work.
Note: Switchport membership is Role Based and Remediation.I have do PCAP and i don't see any traffic sending out from FNAC with any RADIUS or RADIUS CoA port.
Thank You
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The same as mine. It always mark host Offline when host is still online and their Persistent Agent is active. I should have other way to ensure that host is offline but i'm not sure
Hello Lyyiheang,
so your host in this case is marked with "+" and should be moved into Remediation VLAN.
Is the host appearing as Online in FortiNAC host view when it matches the new policy?
Is Polling enabled and working as expected?
When the host posture changes and there is a new policy match, FortiNAC will see a need for VLAN change and build the CoA attributes. This normally is done from Polling but in some cases you can also leverage Radius Accounting requests to build the attributes.
FortiNAC will not respond to Radius accounting requests but it can use the attributes to build the CoA.
Can you try to define FortiNAC as a Radius Accounting server in your Cisco switch and check if it then sends the CoA?
Regards
Dear @Hatibi ,
My host is at risk (+) and It matched to new non-compliant policy. For Polling, If you refer to L2 or RADIUS, I can say it is enabled and working.
For RADIUS Accounting, It is configured and i also see accounting traffic.
Thank You
From your previous response you note that: "It always mark host Offline when host is still online and their Persistent Agent is active."
If host is offline then FNAC will not be able to act on the host.
If polling is ok then make sure that the Agent is able to communicate from Remediation network.
You need to make sure that the Host appears online once it moves to remediation.
Actual host is not offline, Port is still up. User still active and PA is still communicating. How FNAC mark host Offline and stop changing it VLAN?
Host is marked offline in case FNAC is unable to read its MAC/location from the switch/SSID it is connected.
Additionally in cases where the Agent is also used, it might be reporting the host as offline due to loss of communication. In that case you need to check agent communication from Host to FNAC on port TCP 4568.
This article describes host showing offline:
If FNAC does not detect a need for VLAN change it will not send CoA to change authorization.
Following article might help in checking VLAN changes:
Regards
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.