Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Eslite_HK
New Contributor

persistent agent unable to resolve correct nac controller ip in isolation network

fortinac version:7.2.0.0035

persisten agent verion: 9.4.0.93

use L3 isolation model, power on a rogue pc (with PA), the fortinac put the pc into an isolation network and assign dns server ip (fortinac eth1 ip) to the rouge pc, in this senario the persisten agent on rouge pc trying to communication to nac controller, first step should send the dns request to dns server (fortinac eth1 ip) trying to get the ip of nac controller, however nac dns response it's eth1 ip to rouge pc not eth0 ip, is there any missconfiguation? 

1 Solution
ebilcari
Staff
Staff

This is the expected behavior. While being in isolation the host communicate with FortiNAC using isolation networks (from eth1 interface).

Are you having problems with Agent communication? You can check the agent logs from the PC [C:\ProgramData\Bradford Networks\general.txt] for any reported problem.

 

Take a look at this article: https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Troubleshooting-the-Persistent-agent/ta-p/1...

 

or checking the logs from FortiNAC debugs:
https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Persistent-Agent-not-able-to-start-communic...

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

4 REPLIES 4
ebilcari
Staff
Staff

This is the expected behavior. While being in isolation the host communicate with FortiNAC using isolation networks (from eth1 interface).

Are you having problems with Agent communication? You can check the agent logs from the PC [C:\ProgramData\Bradford Networks\general.txt] for any reported problem.

 

Take a look at this article: https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Troubleshooting-the-Persistent-agent/ta-p/1...

 

or checking the logs from FortiNAC debugs:
https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Persistent-Agent-not-able-to-start-communic...

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Eslite_HK

thanks for your explianing, the PA logs without error.

bmeta
Staff
Staff

If host state is Rogue > And the system group membership is "Forced Registration(port)" > Then change VLAN to Registration
eth1 will provide DNS services to the host

Eslite_HK
New Contributor

thanks for your reply.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors