
Created on 03-13-2022 11:37 PM
Edited on 05-21-2025 02:25 AM
By Anthony_E
Description | This article describes how to resolve one of the cases where the Persistent Agent (PA) does not communicate with the FortiNAC server. |
Scope | FortiNAC v8.8.x, v9.1.x, v9.2.x, v9.4.x, FortiNAC-F v7.2.x, v7.4.x, v7.6.x, Persistent Agent v5.3.x, v9.4.x, v7.6.x |
Solution |
Indicators of this failure condition can be found in the PA logs, in the general.txt file.
When the intermediate certificate is missing in FortiNAC, the logs look like this:
2022-03-12 10:09:25 UTC :: SSL Certificate verification result: unable to get local issuer certificate
2022-03-12 10:09:25 UTC :: peer CommonName = fortinac.fortinet.lab
In this case, the root CA is installed correctly on the endpoint and it trusts the PA server certificate, but the trust chain is incomplete because the intermediate certificate that comes with the server certificate is missing.
As a result, the server is treated as untrusted and the PA connection to the FortiNAC server fails.
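The following is an added example, not part of the original article or of Fortinet's tooling: a small Python script that scans a general.txt file for the verification failure shown above and groups the hits by server name. It assumes every line uses the timestamp format of the excerpt and that the peer CommonName line follows its verification result line; the sample input is constructed.

```python
import re

# Constructed sample in the general.txt format shown above. The first two
# lines are the article's excerpt; the remaining lines are made up.
SAMPLE_LOG = """\
2022-03-12 10:09:25 UTC :: SSL Certificate verification result: unable to get local issuer certificate
2022-03-12 10:09:25 UTC :: peer CommonName = fortinac.fortinet.lab
2022-03-12 10:10:01 UTC :: constructed unrelated agent message
2022-03-12 10:14:25 UTC :: SSL Certificate verification result: unable to get local issuer certificate
2022-03-12 10:14:25 UTC :: peer CommonName = fortinac.fortinet.lab
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC :: (.*)$")
RESULT = "SSL Certificate verification result: "
PEER = "peer CommonName = "
MISSING_ISSUER = "unable to get local issuer certificate"


def find_chain_failures(text):
    """Return one record per missing-issuer verification result, paired with
    the next peer CommonName line (assumed to belong to that result)."""
    failures, pending = [], None
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue  # skip blank or differently formatted lines
        timestamp, message = match.groups()
        if message.startswith(RESULT):
            # A new result closes any record still waiting for its peer line.
            pending = None
            if message[len(RESULT):].strip() == MISSING_ISSUER:
                pending = {"time": timestamp, "peer": None}
                failures.append(pending)
        elif message.startswith(PEER) and pending is not None:
            pending["peer"] = message[len(PEER):].strip()
            pending = None
    return failures


def summarize(failures):
    """Group failures by server name with count, first and last timestamp."""
    summary = {}
    for item in failures:
        entry = summary.setdefault(item["peer"] or "<unknown>",
                                   {"count": 0, "first": item["time"], "last": item["time"]})
        entry["count"] += 1
        entry["first"] = min(entry["first"], item["time"])
        entry["last"] = max(entry["last"], item["time"])
    return summary


if __name__ == "__main__":
    for peer, info in summarize(find_chain_failures(SAMPLE_LOG)).items():
        print(f"{peer}: {info['count']} chain failures, {info['first']} to {info['last']} UTC")
```

A server name that keeps appearing in the summary after the certificate has been re-uploaded indicates that the chain presented to the agents is still incomplete.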
Solution: Upload the server certificate again, together with the intermediate certificate, in one single step in the PA Target.
It is possible to add the intermediate certificate by simply selecting the 'Add Certificate' button. This will complete the certificate chain, and trust will be established among end stations and the FortiNAC server.
Note 1. This applies when the PA server certificate obtained from a CA comes with an intermediate certificate. To check whether the certificate has an intermediate certificate, check the certification path in the certificate details.
Note 2. There are cases when the server certificate comes directly from the root CA without passing through intermediate CA nodes. In this case, only the server certificate needs to be uploaded in FortiNAC, and the root certificate needs to be installed in the end stations.
Related documents: Guide: FortiNAC SSL Certificates; Technical Tip: Troubleshooting the Persistent agent; Troubleshooting Tip: Windows Persistent Agent logs |