Issue with Device Profiling Rule on FortiNAC 9.4.8
Hey,
I have device profiling rules: one is for APs and the others are for cameras and printers, based on the vendor OUI. When I plugged an AP into a switch, FortiNAC tagged it with AP_Role, but the others do not work although they appear in Hosts. Same configs for both of them. What could be the problem? It can detect the AP but can't detect the others.
Hi Barisben
By default, hosts/devices are not automatically registered when profiled. On the other hand, APs are not treated by FNAC as hosts, but as network devices like switches and routers.
Do you see the cameras and printers properly detected under the Endpoint Fingerprints view?
Created on 02-12-2025 03:45 AM, edited on 02-12-2025 04:10 AM
The AP is just an example. I can't see the devices under Endpoint Fingerprints.
These are the settings:
This is the output of the request:
(75857) Received Access-Request Id 0 from 10.8.4.4:36823 to 10.6.7.18:1812 length 170
(75857) User-Name = "00206bebff3f"
(75857) Calling-Station-Id = "00-20-6B-EB-FF-3F"
(75857) Service-Type = Call-Check
(75857) NAS-Port-Id = "1/1/9"
(75857) NAS-Port = 9
(75857) NAS-Port-Type = Ethernet
(75857) CHAP-Challenge = 0xa5a884f68449c7503f40aaa5af04cb58
(75857) CHAP-Password = 0x00a7e27b5330c658533207fb66fbdc2b13
(75857) Message-Authenticator = 0x607dd4f74c3a77eb8b543b9037666ef6
(75857) Called-Station-Id = "EC-50-AA-2C-6B-80"
(75857) NAS-Identifier = "TR0107SW03"
(75857) NAS-IP-Address = 10.8.4.4
(75857) # Executing section authorize from file /etc/raddb/radiusd.conf
(75857) authorize {
(75857) if (!EAP-Message) {
(75857) if (!EAP-Message) -> TRUE
(75857) if (!EAP-Message) {
(75857) update reply {
(75857) Message-Authenticator := 0x00
(75857) } # update reply = noop
(75857) } # if (!EAP-Message) = noop
(75857) policy filter_username {
(75857) if (&User-Name) {
(75857) if (&User-Name) -> TRUE
(75857) if (&User-Name) {
(75857) if (&User-Name =~ / /) {
(75857) if (&User-Name =~ / /) -> FALSE
(75857) if (&User-Name =~ /@[^@]*@/ ) {
(75857) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(75857) if (&User-Name =~ /\.\./ ) {
(75857) if (&User-Name =~ /\.\./ ) -> FALSE
(75857) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(75857) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(75857) if (&User-Name =~ /\.$/) {
(75857) if (&User-Name =~ /\.$/) -> FALSE
(75857) if (&User-Name =~ /@\./) {
(75857) if (&User-Name =~ /@\./) -> FALSE
(75857) } # if (&User-Name) = noop
(75857) } # policy filter_username = noop
(75857) [preprocess] = ok
(75857) suffix: Checking for suffix after "@"
(75857) suffix: No '@' in User-Name = "00206bebff3f", looking up realm NULL
(75857) suffix: No such realm "NULL"
(75857) [suffix] = noop
(75857) ntdomain: Checking for prefix before "\"
(75857) ntdomain: No '\' in User-Name = "00206bebff3f", looking up realm NULL
(75857) ntdomain: No such realm "NULL"
(75857) [ntdomain] = noop
(75857) [mschap] = noop
(75857) if (!EAP-Message) {
(75857) if (!EAP-Message) -> TRUE
(75857) if (!EAP-Message) {
rlm_rest (rest): Closing connection (0): Hit idle_timeout, was idle for 2399002 seconds
rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle for 2399002 seconds
rlm_rest (rest): Closing connection (2): Hit idle_timeout, was idle for 2399002 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (3): Hit idle_timeout, was idle for 2399002 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (4): Hit idle_timeout, was idle for 2399002 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): 0 of 0 connections in use. You may need to increase "spare"
rlm_rest (rest): Opening additional connection (5), 1 of 32 pending slots used
rlm_rest (rest): Connecting to "http://127.0.0.1:8081/api/v2/radius"
rlm_rest (rest): Reserved connection (5)
(75857) rest: Expanding URI components
(75857) rest: EXPAND http://127.0.0.1:8081
(75857) rest: --> http://127.0.0.1:8081
(75857) rest: EXPAND /api/v2/radius/authorize
(75857) rest: --> /api/v2/radius/authorize
(75857) rest: Sending HTTP POST to "http://127.0.0.1:8081/api/v2/radius/authorize"
(75857) rest: Encoding attribute "User-Name"
(75857) rest: Encoding attribute "CHAP-Password"
(75857) rest: Encoding attribute "NAS-IP-Address"
(75857) rest: Encoding attribute "NAS-Port"
(75857) rest: Encoding attribute "Service-Type"
(75857) rest: Encoding attribute "Called-Station-Id"
(75857) rest: Encoding attribute "Calling-Station-Id"
(75857) rest: Encoding attribute "NAS-Identifier"
(75857) rest: Encoding attribute "CHAP-Challenge"
(75857) rest: Encoding attribute "NAS-Port-Type"
(75857) rest: Encoding attribute "Event-Timestamp"
(75857) rest: Encoding attribute "Message-Authenticator"
(75857) rest: Encoding attribute "NAS-Port-Id"
(75857) rest: Processing response header
(75857) rest: Status : 200 ()
(75857) rest: Type : json (application/json)
(75857) rest: Parsing attribute "Cleartext-Password"
(75857) rest: EXPAND 00206bebff3f
(75857) rest: --> 00206bebff3f
(75857) rest: Cleartext-Password := "00206bebff3f"
rlm_rest (rest): Released connection (5)
Need 2 more connections to reach min connections (3)
rlm_rest (rest): Opening additional connection (6), 1 of 31 pending slots used
rlm_rest (rest): Connecting to "http://127.0.0.1:8081/api/v2/radius"
(75857) [rest] = updated
(75857) if (ok || updated ) {
(75857) if (ok || updated ) -> TRUE
(75857) if (ok || updated ) {
(75857) if ( &request:CHAP-Password ){
(75857) if ( &request:CHAP-Password ) -> TRUE
(75857) if ( &request:CHAP-Password ) {
(75857) update control {
(75857) EXPAND %{reply:Cleartext-Password}
(75857) --> 00206bebff3f
(75857) Cleartext-Password := 00206bebff3f
(75857) } # update control = noop
(75857) } # if ( &request:CHAP-Password ) = noop
(75857) ... skipping else: Preceding "if" was taken
(75857) } # if (ok || updated ) = noop
(75857) } # if (!EAP-Message) = updated
(75857) ... skipping else: Preceding "if" was taken
(75857) chap: &control:Auth-Type := CHAP
(75857) [chap] = ok
(75857) } # authorize = ok
(75857) Found Auth-Type = CHAP
(75857) # Executing group from file /etc/raddb/radiusd.conf
(75857) Auth-Type CHAP {
(75857) chap: Comparing with "known good" Cleartext-Password
(75857) chap: CHAP user "00206bebff3f" authenticated successfully
(75857) [chap] = ok
(75857) } # Auth-Type CHAP = ok
(75857) # Executing section post-auth from file /etc/raddb/radiusd.conf
(75857) post-auth {
(75857) update control {
(75857) EXPAND X-NAS-IPv4: %{Packet-SRC-IP-Address}
(75857) --> X-NAS-IPv4: 10.8.4.4
(75857) &REST-HTTP-Header += X-NAS-IPv4: 10.8.4.4
(75857) EXPAND X-NAS-IPv6: %{Packet-SRC-IPv6-Address}
(75857) --> X-NAS-IPv6:
(75857) &REST-HTTP-Header += X-NAS-IPv6:
(75857) } # update control = noop
(75857) if (!EAP-Type || (EAP-Type != "TTLS" && EAP-Type != "PEAP")) {
(75857) if (!EAP-Type || (EAP-Type != "TTLS" && EAP-Type != "PEAP")) -> TRUE
(75857) if (!EAP-Type || (EAP-Type != "TTLS" && EAP-Type != "PEAP")) {
(75857) update request {
(75857) No attributes updated for RHS &reply:User-Name
(75857) } # update request = noop
rlm_rest (rest): Reserved connection (5)
(75857) rest: Expanding URI components
(75857) rest: EXPAND http://127.0.0.1:8081
(75857) rest: --> http://127.0.0.1:8081
(75857) rest: EXPAND /api/v2/radius/post-auth
(75857) rest: --> /api/v2/radius/post-auth
(75857) rest: Sending HTTP POST to "http://127.0.0.1:8081/api/v2/radius/post-auth"
(75857) rest: Encoding attribute "User-Name"
(75857) rest: Encoding attribute "CHAP-Password"
(75857) rest: Encoding attribute "NAS-IP-Address"
(75857) rest: Encoding attribute "NAS-Port"
(75857) rest: Encoding attribute "Service-Type"
(75857) rest: Encoding attribute "Called-Station-Id"
(75857) rest: Encoding attribute "Calling-Station-Id"
(75857) rest: Encoding attribute "NAS-Identifier"
(75857) rest: Encoding attribute "CHAP-Challenge"
(75857) rest: Encoding attribute "NAS-Port-Type"
(75857) rest: Encoding attribute "Event-Timestamp"
(75857) rest: Encoding attribute "Message-Authenticator"
(75857) rest: Encoding attribute "NAS-Port-Id"
(75857) rest: Processing response header
(75857) rest: Status : 200 ()
(75857) rest: Type : json (application/json)
(75857) rest: Parsing attribute "Tunnel-Type"
(75857) rest: EXPAND VLAN
(75857) rest: --> VLAN
(75857) rest: Tunnel-Type := VLAN
(75857) rest: Parsing attribute "Tunnel-Private-Group-Id"
(75857) rest: EXPAND 115
(75857) rest: --> 115
(75857) rest: Tunnel-Private-Group-Id := "115"
(75857) rest: Parsing attribute "Tunnel-Medium-Type"
(75857) rest: EXPAND IEEE-802
(75857) rest: --> IEEE-802
(75857) rest: Tunnel-Medium-Type := IEEE-802
rlm_rest (rest): Released connection (5)
(75857) [rest] = updated
(75857) if ( reply:Module-Return-Code == "0" ){
(75857) EXPAND reply:Module-Return-Code
(75857) --> updated
(75857) if ( reply:Module-Return-Code == "0" ) -> FALSE
(75857) } # if (!EAP-Type || (EAP-Type != "TTLS" && EAP-Type != "PEAP")) = updated
(75857) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(75857) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(75857) update {
(75857) No attributes updated for RHS &session-state:
(75857) } # update = noop
(75857) [exec] = noop
(75857) policy remove_reply_message_if_eap {
(75857) if (&reply:EAP-Message && &reply:Reply-Message) {
(75857) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(75857) else {
(75857) [noop] = noop
(75857) } # else = noop
(75857) } # policy remove_reply_message_if_eap = noop
(75857) } # post-auth = updated
(75857) Login OK: [00206bebff3f] (from client 10.8.4.4 port 9 cli 00-20-6B-EB-FF-3F)
(75857) Sent Access-Accept Id 0 from 10.6.7.18:1812 to 10.8.4.4:36823 length 0
(75857) Message-Authenticator = 0x00
(75857) Tunnel-Type = VLAN
(75857) Tunnel-Private-Group-Id = "115"
(75857) Tunnel-Medium-Type = IEEE-802
(75857) Finished request
I can see it in the Host tab, but somehow it does not match the DPR.
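One way to sanity-check a log like the one above against a Vendor OUI rule, as an added example that is not from the original thread or from Fortinet: parse the FreeRADIUS debug lines for the Calling-Station-Id, normalise the MAC regardless of separator style, and test whether its OUI falls inside the rule's OUI list. The sample log lines and the OUI lists are constructed for the example.

```python
import re

# Constructed sample in the shape of the FreeRADIUS debug output quoted in the
# thread (a short excerpt, not the full capture).
SAMPLE_LOG = """\
(75857) Received Access-Request Id 0 from 10.8.4.4:36823 to 10.6.7.18:1812 length 170
(75857) User-Name = "00206bebff3f"
(75857) Calling-Station-Id = "00-20-6B-EB-FF-3F"
(75857) Service-Type = Call-Check
(75857) NAS-Port-Id = "1/1/9"
(75857) NAS-Identifier = "TR0107SW03"
(75857) Tunnel-Private-Group-Id = "115"
(75857) Sent Access-Accept Id 0 from 10.6.7.18:1812 to 10.8.4.4:36823 length 0
"""

# Matches '(reqid) Attribute-Name = value' lines; value may or may not be quoted.
ATTR_RE = re.compile(r'^\(\d+\)\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_attributes(log):
    """Return a dict of attribute name -> value from the debug attribute lines."""
    attrs = {}
    for line in log.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def normalize_hex(value, digits):
    """Strip separators ('-', ':', '.') and lowercase; require exactly `digits` hex digits."""
    hexdigits = re.sub(r'[^0-9a-fA-F]', '', value).lower()
    if len(hexdigits) != digits:
        raise ValueError(f"expected {digits} hex digits in {value!r}")
    return hexdigits

def oui_matches(mac, rule_ouis):
    """True if the first three octets of mac equal any OUI listed in the rule."""
    prefix = normalize_hex(mac, 12)[:6]
    return any(normalize_hex(o, 6) == prefix for o in rule_ouis)

def check_request(log, rule_ouis):
    """Summarise one MAC-auth request and whether its OUI would match the rule."""
    attrs = parse_attributes(log)
    mac = attrs.get("Calling-Station-Id") or attrs.get("User-Name")
    return {
        "mac": normalize_hex(mac, 12),
        "switch": attrs.get("NAS-Identifier"),
        "port": attrs.get("NAS-Port-Id"),
        "vlan": attrs.get("Tunnel-Private-Group-Id"),
        "oui_in_rule": oui_matches(mac, rule_ouis),
    }
```

If `oui_in_rule` is False for a host that should profile, the rule's OUI list and the MAC the switch actually reports are the first things to compare.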
Hi Barisben
Now I understand your concern better.
I can see the rule looks fine and should work as expected.
Try to recreate a new one from scratch with the same Vendor OUI and put it at the top, and then click Run to execute the profiling rules, just to see if it changes something.
