Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Eslite_HK
New Contributor

Created on ‎02-08-2023 04:59 PM

persistent agent unable to resolve correct nac controller ip in isolation network

fortinac version:7.2.0.0035

persisten agent verion: 9.4.0.93

use L3 isolation model, power on a rogue pc (with PA), the fortinac put the pc into an isolation network and assign dns server ip (fortinac eth1 ip) to the rouge pc, in this senario the persisten agent on rouge pc trying to communication to nac controller, first step should send the dns request to dns server (fortinac eth1 ip) trying to get the ip of nac controller, however nac dns response it's eth1 ip to rouge pc not eth0 ip, is there any missconfiguation? 

Labels:
2033
0 Kudos
1 Solution
ebilcari
Staff
Staff

Created on ‎02-09-2023 02:58 AM Edited on ‎02-09-2023 03:00 AM

This is the expected behavior. While being in isolation the host communicate with FortiNAC using isolation networks (from eth1 interface).

Are you having problems with Agent communication? You can check the agent logs from the PC [C:\ProgramData\Bradford Networks\general.txt] for any reported problem.

 

Take a look at this article: https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Troubleshooting-the-Persistent-agent/ta-p/1...

 

or checking the logs from FortiNAC debugs:
https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Persistent-Agent-not-able-to-start-communic...

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

2004
4 REPLIES 4
ebilcari
Staff
Staff

Created on ‎02-09-2023 02:58 AM Edited on ‎02-09-2023 03:00 AM

This is the expected behavior. While being in isolation the host communicate with FortiNAC using isolation networks (from eth1 interface).

Are you having problems with Agent communication? You can check the agent logs from the PC [C:\ProgramData\Bradford Networks\general.txt] for any reported problem.

 

Take a look at this article: https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Troubleshooting-the-Persistent-agent/ta-p/1...

 

or checking the logs from FortiNAC debugs:
https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Persistent-Agent-not-able-to-start-communic...

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
2005
Eslite_HK
New Contributor
In response to ebilcari

Created on ‎02-12-2023 05:22 PM

thanks for your explianing, the PA logs without error.

1965
0 Kudos
bmeta
Staff
Staff

Created on ‎02-09-2023 02:58 AM

If host state is Rogue > And the system group membership is "Forced Registration(port)" > Then change VLAN to Registration
eth1 will provide DNS services to the host

2004
Eslite_HK
New Contributor

Created on ‎02-12-2023 05:23 PM

thanks for your reply.

1965
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.