FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 193987
Description
Login Prompt Does Not Appear After Downloading Persistent Agent 3.x or Higher

Scope
Version:  Agent 3.x and higher
Solution
Issue:  Agent completes download but the login prompt does not appear after 5 minutes.

This suggests that communication between Network Sentry and the agent is incomplete. Some possible causes are listed below, grouped by how many hosts are affected.

Many or All Hosts Affected

Potential Cause 1: Incorrect DNS name resolution due to configuration on Network Sentry.
As of Persistent Agent version 3.x and Dissolvable Agent version 3.1.x, SSL certificate validation must complete successfully before the agent will start communicating with Network Sentry. This requires the endstation to be able to reach certain sites on the internet; if Network Sentry does not resolve those names (for example while the host is in an isolation VLAN where Network Sentry is the DNS server), validation fails and the login prompt never appears.
Solution: For the common domains that need to be resolved for SSL certificate validation, and instructions on how to add or remove domains in Network Sentry, see How To Add Allowed Domains to Network Sentry.

Potential Cause 2: Issues with the SSL certificate installed in Network Sentry. This could be any of the following:
- Certificate not installed, or expired.
Solution: See SSL Certificates How To for installation and certificate renewal instructions.
- Installed certificate incomplete (missing intermediate certificate), so the agent cannot build a chain to a trusted root.
Solution: See Identify Missing SSL Certificates via Administrative UI.

Potential Cause 3: Firewall blocking port 4568/4567 traffic.
Solution: Ensure TCP port 4568 and UDP port 4567 traffic between the endstations and Network Sentry is not being blocked by a firewall on the network.

Small Number of Hosts Affected

This suggests that something on the endstation itself is preventing the communication.

Potential Cause 1: Incorrect DNS name resolution.
Solution a: Ensure there are no static DNS server entries on the endstation. While the host is within the registration/remediation/isolation VLAN, Network Sentry must act as its DNS server.
Solution b: Flush the DNS cache to ensure there are no stale cached DNS entries.
Windows command: ipconfig /flushdns
Mac OS X: The command varies depending on the OS X version. Apple's article on DNS flush commands is a useful reference:
https://support.apple.com/en-us/HT202516

Potential Cause 2: Firewall blocking port 4568/4567 traffic on the endstation.
The agent automatically adds an exception to allow this traffic through the Windows Firewall only. If the endstation has another program with a firewall feature enabled (third-party endpoint security, for example), that program could be blocking the traffic.
Solution: Disable the firewall feature on the endstation, or configure that firewall to allow TCP 4568 and UDP 4567.

Potential Cause 3: Endstation missing the root certificate needed to validate the issuing Certificate Authority (CA) of the certificate installed on Network Sentry.
Solution: See Solution 1855 for instructions on how to view the list of trusted CAs on either Windows or Mac OS X.
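The three endstation-side causes above (DNS resolver, blocked TCP port, certificate chain or missing root) can be checked from the affected host in one pass. The script below is an added example written for this article; it is not part of FortiNAC or the agent. It assumes the Network Sentry host name is passed as the first argument, that the agent's TLS endpoint is on TCP 4568 (the port named in this article; pass a different port as the second argument if your deployment differs), that the endstation is a Mac or Linux host with bash and openssl available, and that the expected Network Sentry IP (for the resolver check) is in NAC_EXPECTED_DNS. The verify-code mapping uses OpenSSL's standard X509 verify error numbers; UDP 4567 cannot be verified reliably from a shell and is left to the firewall review.

```shell
#!/bin/bash
# Added diagnostic helper (not FortiNAC code). Run on the endstation that
# downloaded the agent but never showed the login prompt.

NAC_TCP_PORT=4568   # agent TCP port named in the article

# Return the first "nameserver" entry from resolver configuration read on
# stdin (e.g. < /etc/resolv.conf). In the isolation VLAN this should be
# the Network Sentry address, not a static public resolver.
first_nameserver() {
    awk '/^nameserver/ { print $2; exit }'
}

# Compare the resolver in use with the expected Network Sentry address.
check_resolver() {
    # $1 = nameserver in use, $2 = expected Network Sentry IP
    if [ "$1" = "$2" ]; then
        echo "ok: resolver is Network Sentry ($1)"
        return 0
    fi
    echo "cause 1: resolver is $1, expected Network Sentry $2 (static DNS entry?)"
    return 1
}

# Map the "Verify return code" line from `openssl s_client` to the
# article's causes. Codes are OpenSSL X509 verify error numbers.
classify_verify_result() {
    code=$(printf '%s' "$1" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p')
    case "$code" in
        0)     echo "ok: certificate chain validated" ;;
        10)    echo "cause 2: certificate expired (renew on Network Sentry)" ;;
        20|21) echo "cause 2/3: issuer not found, intermediate missing on Network Sentry or root CA missing on endstation" ;;
        18|19) echo "cause 2/3: self-signed certificate in chain, endstation does not trust it" ;;
        "")    echo "unknown: no verify result (TLS handshake did not complete?)" ;;
        *)     echo "unknown: openssl verify code $code" ;;
    esac
}

# TCP reachability via bash's /dev/tcp; no data is sent beyond the handshake.
tcp_port_open() {
    # $1 = host, $2 = port
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

run_checks() {
    host="$1"; port="${2:-$NAC_TCP_PORT}"
    echo "== DNS resolver =="
    check_resolver "$(first_nameserver < /etc/resolv.conf)" "${NAC_EXPECTED_DNS:-unset}"
    echo "== TCP $port reachability =="
    if tcp_port_open "$host" "$port"; then
        echo "ok: TCP $port reachable"
    else
        echo "cause 2 (endstation) / cause 3 (network): TCP $port to $host blocked or unreachable"
    fi
    echo "== Certificate chain as seen by this endstation =="
    verify_line=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  </dev/null 2>/dev/null | grep 'Verify return code')
    classify_verify_result "$verify_line"
}

# Only run live checks when a host was given, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    run_checks "$1" "${2:-}"
fi
```

Usage: `NAC_EXPECTED_DNS=10.0.0.5 bash nac_agent_check.sh nac.example.internal` (host and IP are placeholders). A "cause 2/3" result with code 20 on many hosts points at a missing intermediate on Network Sentry; the same code on a single host points at that host's trusted root store (Solution 1855).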