Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Lyyiheang
New Contributor

Created on ‎07-27-2024 10:40 PM

Persistent Agent endpoint shown OFFLINE

Dear Team,

 

We have Endpoint authenticated via FortiNAC via RADIUS Local. Endpoint has Persistent Agent installed. Our purpose is to give endpoint access when their PC is compliant but we noticed that endpoint shown OFFLINE on FortiNAC after around 30-40 minutes. This offline cause endpoint compliance being failed. During that time, FNAC also mark switchport as Link Down, Not Connected while on Actual Switch , Port is still connected, Authorized by Radius, MAC Address Table shown on the switchport.

2024-07-27_09-19-39.png2024-07-28_12-39-16.png2024-07-28_12-38-58.png

 

Note: Endpoint has PA installed, Switch integrated with L2 Polling SNMP, RADIUS. 

 

Thank You

 

FortiNAC

Labels:
589
0 Kudos
1 Solution
ebilcari
Staff
Staff
In response to Lyyiheang

Created on ‎07-29-2024 08:40 AM

If not enforced than the Authentication policy details that you shared above should not have any effect.

It seems that the switch fails to report the MAC address as connected, so FNAC has to remove the host information and change the state as offline. Does FNAC has CLI access to the switch, have you recently checked the Validate Credentials?

When the issue happens/or now, you can r-click on the switch and select "Test Device Mapping", it should read the mac address table of this switch (looks like a Cisco switch).

On the results of "MAC Address Table ( L2 Poll )" try to find out the MAC address of the authenticated hosts or the one that is connected/authenticated but showing as Status offline.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

488
0 Kudos
5 REPLIES 5
AEK
SuperUser
SuperUser

Created on ‎07-28-2024 02:28 AM

Hello

Which FNAC version?

The following checks may be useful:

  • Have you checked if the switch OS version is supported by your FNAC's version?
  • On FNAC, is the client host shown offline or its PA agent shown offline?
  • Check if PA certificate is still valid
  • Check if the communication on the PA agent port TCP 4568 is open between FNAC and clients
  • Does it happen when you disable RADIUS auth? Can you test it for one client?
  • As it happens, try force L2 polling for the switch and see if it solves the issue
AEK
AEK
562
0 Kudos
Lyyiheang
New Contributor
In response to AEK

Created on ‎07-28-2024 02:41 AM

Dear @AEK ,

 

My FNAC-F is running on version 7.4 latest built.

 

i would like to answer your question below:

 

  • On FNAC, is the client host shown offline or its PA agent shown offline?: Sorry, PA shown Green but endpoint host marked as Offline.
  • Check if PA certificate is still valid: Surely Valid
  • Check if the communication on the PA agent port TCP 4568 is open between FNAC and clients: I do Pcap on endpoint. I could see endpoint & FNAC still have communication exchange.
  • Does it happen when you disable RADIUS auth? Can you test it for one client?: It has the same issue
  • As it happens, try force L2 polling for the switch and see if it solves the issue: No Luck, it works only when i try to restart the port (Trigger authentication again)

Thank you

556
0 Kudos
ebilcari
Staff
Staff

Created on ‎07-29-2024 08:20 AM

Check your implementation and verify if the "Forced Authentication" in Port Group Membership is actually needed at port level, from FNAC GUI. There is a common misconception about it and usually this is not needed when the end hosts are authenticated via RADIUS. "Role Based Access" through Network Access policies will handle and help prepare the RADIUS responses.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
502
0 Kudos
Lyyiheang
New Contributor
In response to ebilcari

Created on ‎07-29-2024 08:24 AM

Dear @ebilcari ,

 

on Port Group Membership, there is only Role Based Access enable. Other option are not enable. Force Authentication also not enable.

498
0 Kudos
ebilcari
Staff
Staff
In response to Lyyiheang

Created on ‎07-29-2024 08:40 AM

If not enforced than the Authentication policy details that you shared above should not have any effect.

It seems that the switch fails to report the MAC address as connected, so FNAC has to remove the host information and change the state as offline. Does FNAC has CLI access to the switch, have you recently checked the Validate Credentials?

When the issue happens/or now, you can r-click on the switch and select "Test Device Mapping", it should read the mac address table of this switch (looks like a Cisco switch).

On the results of "MAC Address Table ( L2 Poll )" try to find out the MAC address of the authenticated hosts or the one that is connected/authenticated but showing as Status offline.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
489
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.