Description
This article describes the causes behind an issue where entitlements are not applied after installing a subscription license key.
Symptoms:
- License Information Dashboard panel displays BASE level license.
- 'licensetool -key EFFECTIVE' CLI command displays BASE level license.
Scope
FortiNAC version 8.x, 9.x, F7.x.
Solution
Verify whether the appliance can successfully reach FortiCloud for entitlement information. Log in to the appliance CLI as root and enter the following command, depending on the operating system:
CentOS:
entitlementstool -poll
FortiNAC-OS:
diagnose entitlements -poll
Note:
This command without the 'poll' option returns cached entitlement information.
The resulting output should display the appropriate entitlements.
Example output:
description                supportLevelDescription expirationDate
__________________________ _______________________ ______________
Telephone Support          24x7                    2027-04-08
FortiNAC VM                FortiNAC Pro            2024-04-08
IoT Detection              Web/Online              2027-04-08
Vulnerability Management   Web/Online              2027-04-08
Firmware & General Updates Web/Online              2027-04-08
Enhanced Support           24x7                    2027-04-08
COMP                       24x7                    2027-04-08
Effective Count=500
Effective Level=PRO
Polling returns with incorrect entitlements: Log in to the Customer Portal and verify the license entitlements. For assistance, contact Customer Service.
No entitlements are displayed or the prompt is never returned: This suggests the appliance cannot communicate with FortiCloud.
- FortiNAC polls fds1.fortinet.com using TCP port 443. Ensure this port is allowed outbound to the internet from eth0. Refer to the Open Ports section of the Deployment Guide.
- Ensure the appliance can resolve the name fds1.fortinet.com.
- Verify entitlements are applied once the poll is successful. Type the following:
CentOS:
licensetool -key EFFECTIVE
FortiNAC-OS:
get system license -key EFFECTIVE
The entitlements should now display.
Results still show BASE level entitlements (Virtual Appliance):
Example output:
EFFECTIVE:
serial = FNVMCATMxxxxxxxxx
type = NetworkControlApplicationServer
level = BASE
count = 0
expiration = 0
expired = false
mac = <MAC address>
uuid = <UUID>
certificates = [xxxxxxxxxxxxxxxxxxx, xxxxxxxxxxxxxxxxxxxxx]
- Verify the key has certificates: The poll function uses the serial number to look up entitlements. To apply the entitlements, there is a certificate included in the key that must be present. Possible certificate related causes:
Certificate is missing:
Certificates in the Key are not complete:
- Example: certificates = [xxxxxxxxxxxxxxxxxxx, xxxxxxxxxxxxxxxx]. The certificate will not be validated and entitlements will not be applied.
- The license key content may have been truncated during license installation.
- Re-download the key from the customer portal and re-install using the Administration UI. For instructions, see License management in the Administration Guide.
If copying and pasting the key content, ensure all characters have been copied.
To avoid the risk of truncation, upload the text file itself.
Results still show BASE level entitlements (Hardware Appliance):
Possible cause (applies to FortiNAC CentOS appliances only): The shipped key file is missing certificates.
To verify, use the following command:
CentOS:
licensetool -key FILE -file /bsc/campusMgr/.licenseKeyHW
Example of a key file missing certificates:
FILE:
serial = FN5HCATAxxxxxxxx
type = NetworkControlApplicationServer
level = BASE
count = 0
expiration = 0
expired = false
mac = xx:xx:xx:xx:xx:xx
uuid = 00000000-0000-0000-0000-000000000000
<- There should be a certificate line here.
Solution: If certificates are missing from the .licenseKeyHW file or if .licenseKeyHW is missing entirely, the FortiNAC unit must be RMA'ed.
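The certificate checks from the virtual and hardware appliance sections above, as an added example that is not part of the original article and is not Fortinet code: a shell function that reads licensetool output on stdin and reports whether the certificates line is present. The result names and sample values are constructed for illustration, and the field layout is assumed to match the outputs shown in this article.

```shell
#!/bin/sh
# Added example (not Fortinet code): classify the "key = value" output of
# 'licensetool -key EFFECTIVE' or 'licensetool -key FILE -file <path>'.
# Assumes the field layout shown in this article; result names are hypothetical.
classify_license() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        index($0, "=") > 0 {
            key = trim(substr($0, 1, index($0, "=") - 1))
            val = trim(substr($0, index($0, "=") + 1))
            if (key == "level") level = val
            if (key == "certificates") { have_certs = 1; certs = val }
        }
        END {
            if (level == "") { print "NO_LICENSE_OUTPUT"; exit }
            if (!have_certs) { print "CERTIFICATES_MISSING"; exit }
            gsub(/^\[|\]$/, "", certs)          # drop the surrounding brackets
            n = split(certs, parts, ",")
            for (i = 1; i <= n; i++) if (trim(parts[i]) != "") count++
            if (count == 0) { print "CERTIFICATES_EMPTY"; exit }
            if (level == "BASE") { print "BASE_WITH_CERTIFICATES"; exit }
            print "ENTITLED:" level
        }'
}

# Constructed samples (placeholder values), modelled on the outputs in this article.
SAMPLE_HW_NO_CERTS='FILE:
serial = FN5HCATAxxxxxxxx
level = BASE
count = 0
uuid = 00000000-0000-0000-0000-000000000000'

SAMPLE_VM_BASE='EFFECTIVE:
serial = FNVMCATMxxxxxxxxx
level = BASE
certificates = [xxxxxxxxxxxxxxxxxxx, xxxxxxxxxxxxxxxx]'

SAMPLE_ENTITLED='EFFECTIVE:
serial = FNVMCATMxxxxxxxxx
level = PRO
count = 500
certificates = [xxxxxxxxxxxxxxxxxxx, xxxxxxxxxxxxxxxxxxxxx]'

for s in "$SAMPLE_HW_NO_CERTS" "$SAMPLE_VM_BASE" "$SAMPLE_ENTITLED"; do
    printf '%s\n' "$s" | classify_license
done
# On a CentOS appliance: licensetool -key EFFECTIVE | classify_license
```

CERTIFICATES_MISSING corresponds to the missing-certificate causes described above. BASE_WITH_CERTIFICATES means the key carries certificates but entitlements are still not applied, so check the key for truncated certificates and poll again.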
Additional debugging.
- Enable debugging. Use the following commands:
CentOS:
nacdebug -name EntitlementServer true
nacdebug -logger yams.FCPClient -level FINEST
FortiNAC-OS:
diagnose debug logger set finest yams.FCPClient
- Poll for entitlements
CentOS:
entitlementstool -poll
FortiNAC-OS:
diagnose entitlements -debug
- Collect logs.
Version 8.x:
grab-log-snapshot
Versions 9.x/F7.x: Use the Download logs option in the UI. For instructions, see Download logs in the Administration Guide.
- Disable logging.
CentOS:
nacdebug -logger yams.FCPClient
nacdebug -name EntitlementServer false
FortiNAC-OS:
diagnose debug logger unset yams.FCPClient
- Open a support ticket and include the following:
- FortiNAC version:
- 8.x: Help -> About.
- 9.x/7.x: Dashboard (System Summary widget).
- Troubleshooting steps taken.
- Version 8.x: Resulting .gz file from step 3 (located in /tmp).
Related articles:
Technical Note: UI does not list serial number or license entitlements.
Technical Tip: Endpoint licensing and license upgrades.