FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Anonymous
Not applicable
Article Id 206753
Description This article describes how to resolve one of the cases in which the Persistent Agent (PA) does not communicate with the FortiNAC server: the intermediate CA certificate that belongs with the PA server certificate is missing on FortiNAC.
Scope FortiNAC v8.8.x, v9.1.x, v9.2.x, v9.4.x, FortiNAC-F v7.2.x, v7.4.x, v7.6.x, Persistent Agent v5.3.x, v9.4.x, v7.6.x
Solution

Indicators of this failure condition can be found in the PA log file general.txt on the endpoint.

When the intermediate certificate is missing on FortiNAC, the log looks like this:

2022-03-12 10:09:25 UTC :: SSL Certificate verification result: unable to get local issuer certificate
2022-03-12 10:09:25 UTC :: peer fingerprint: e8:63:0b:de:14:2a:89:b1:e5:57:9c:36:0b:c2:24:c2:94:37:73:b4


Certificate:

2022-03-12 10:09:25 UTC :: peer CommonName = fortinac.fortinet.lab
2022-03-12 10:09:25 UTC :: SAN: fortinac.fortinet.lab
2022-03-12 10:09:25 UTC :: Checking Peer name fortinac.fortinet.lab against Common or Subject-alternative-name entry fortinac.fortinet.lab
2022-03-12 10:09:25 UTC :: Peer name "fortinac.fortinet.lab" matches "fortinac.fortinet.lab"
2022-03-12 10:09:25 UTC :: Refusing to connect to trust_DISTRUSTED fortinac.fortinet.lab|fortinac.fortinet.lab|e8:63:0b:de:14:2a:89:b1:e5:57:9c:36:0b:c2:24:c2:94:37:73:b4
2022-03-12 10:09:25 UTC :: Connection failed! 1


Note what the log shows: the peer name check succeeds (the certificate's CommonName/SAN matches fortinac.fortinet.lab), so this is not a hostname problem. The verification result 'unable to get local issuer certificate' means the endpoint could not find the issuer of the certificate it was given. The root CA certificate is installed correctly on the endpoint and would be trusted, but the PA server certificate was issued by an intermediate CA, and FortiNAC is not presenting that intermediate certificate together with the server certificate, so the trust chain from the server certificate back to the root cannot be completed.

This results in the server being marked as distrusted (trust_DISTRUSTED in the log), and the PA connection to the FortiNAC server fails.


 

Solution:

Upload the server certificate again, together with the intermediate certificate, in one single step in the Persistent Agent target.

The intermediate certificate can be added by selecting the 'Add Certificate' button. This completes the certificate chain, and trust is established between the end stations and the FortiNAC server.


Note1.

A PA server certificate obtained from a public CA usually comes with an intermediate certificate. To check whether the server certificate was issued through an intermediate, open the certificate details and look at the certification path: if the issuer of the server certificate is an intermediate CA rather than the root CA, that intermediate certificate must be uploaded to FortiNAC as well.

 

Note2.

There are also cases where the server certificate is issued directly by the root CA, without any intermediate CA in between. In that case, only the server certificate needs to be uploaded to FortiNAC, and the root CA certificate needs to be installed on the end stations.
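The following script is an added example, not part of this article and not a Fortinet tool. It reproduces, offline, the failure described above and the chain check behind Note1 and Note2: it builds a throw-away PKI with the openssl CLI (root CA, intermediate CA, server certificate for fortinac.fortinet.lab; the CA names are made up), shows that verifying the server certificate against the root alone fails with the same 'unable to get local issuer certificate' result the PA logs, shows it succeeding once the intermediate is supplied, and checks whether a certificate's issuer is the root or an intermediate. It assumes openssl is installed. The show_presented_chain function (not executed, it needs network access) lists what a live FortiNAC actually presents; it assumes TCP 4568 as the Persistent Agent port, so adjust that for your deployment.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): throw-away PKI built with the
# openssl CLI to reproduce the missing-intermediate failure and its fix.
# Assumptions: openssl is installed; CA names are made up; the host name is
# the one from the article's log; TCP 4568 is assumed to be the PA port.
set -e

WORK="$(mktemp -d)"
HOST="fortinac.fortinet.lab"

# Build root CA -> intermediate CA -> server certificate, as a public CA would.
make_chain() {
    (
    cd "$WORK"
    # Extensions for CA certificates (root, intermediate) and for the server certificate.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > server.ext

    # Root CA, self-signed: this is what is installed in the endpoint's trust store.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 365 \
        -extfile ca.ext 2>/dev/null

    # Intermediate CA, issued by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out inter.pem -days 365 -extfile ca.ext 2>/dev/null

    # Server certificate for the PA target, issued by the intermediate, not by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=$HOST" 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -out server.pem -days 365 -extfile server.ext 2>/dev/null
    )
}

# Endpoint trusts the root, but only the server certificate is presented:
# nothing links the leaf to the root, so verification fails with the same
# reason the PA wrote to general.txt ("unable to get local issuer certificate").
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" 2>&1 || true
}

# Server certificate supplied together with the intermediate: the chain
# leaf -> intermediate -> root builds and verification reports OK.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/server.pem" 2>&1 || true
}

# The check behind Note1/Note2: was the certificate in $1 issued directly by the
# root in $2? If not, its issuer is an intermediate that must be uploaded too.
issued_by_root() {
    leaf_issuer="$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)"
    root_subject="$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253)"
    [ "${leaf_issuer#issuer=}" = "${root_subject#subject=}" ]
}

# Against a live FortiNAC: list the certificates it actually presents on the PA
# port (subject "s:" and issuer "i:" lines). Not executed here: needs network access.
show_presented_chain() {
    openssl s_client -connect "$1:4568" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -E '^ *[0-9]+ s:|^ *i:'
}

make_chain
echo "== server certificate only (intermediate missing on FortiNAC) =="
verify_leaf_only
echo "== server certificate + intermediate =="
verify_with_intermediate
if issued_by_root "$WORK/server.pem" "$WORK/root.pem"; then
    echo "issued directly by the root: upload the server certificate only (Note2)"
else
    echo "issued by an intermediate: upload server and intermediate certificates together (Note1)"
fi
```

The first verify prints the error 20 'unable to get local issuer certificate' line; the second prints OK for the same server certificate, which is exactly the difference between the broken and the repaired PA target. On a live system, run show_presented_chain fortinac.fortinet.lab from an endpoint: if only one certificate is listed and its i: line is not the root, the intermediate is missing on FortiNAC.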

 

Related documents:

Guide: FortiNAC SSL Certificates

Persistent Agent

Technical Tip: Troubleshooting the Persistent agent

Troubleshooting Tip: Windows Persistent Agent logs
Technical Tip: Manually install and configure 'Persistent Agent' on Windows OS.