FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 191785
Description
The agent is unable to communicate with NAC while in isolation.

Solution
The NAC Server/Application Server has built-in SRV records that agents in isolation use to locate it. Verify that NAC answers the following query (run it from the NAC Server/Application Server CLI):

dig @isolation SRV _bradfordagent._udp.<isolation-domain>

Example (where the Application Server hostname is acorn.bradfordnetworks.com and the isolation domain is bradfordnetworks-isol.com):
dig @isolation SRV _bradfordagent._udp.bradfordnetworks-isol.com


Expected results (where 192.168.23.2 is the eth1 interface):

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> @isolation SRV _bradfordagent._udp.bradfordnetworks-isol.com
; (1 server found)
;; global options: +cmd
;; Got Answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37618
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_bradfordagent._udp.bradfordnetworks-isol.com. IN SRV

;; ANSWER SECTION:
_bradfordagent._udp.bradfordnetworks-isol.com. 15 IN SRV 0 0 4567 acorn.bradfordnetworks.com.

;; AUTHORITY SECTION:
bradfordnetworks-isol.com. 15   IN      NS      isol.bradfordnetworks-isol.com.

;; ADDITIONAL SECTION:
isol.bradfordnetworks-isol.com. 15 IN   A       192.168.23.2

;; Query time: 1 msec
;; SERVER: 192.168.23.2#53(192.168.23.2)
;; WHEN: Tue Jun 13 07:59:52 EDT 2017
;; MSG SIZE  rcvd: 155



Solution:  If no answer returns, verify the content of the following files are correct:

/var/named/chroot/etc/domain.zone.isol

Example:

$TTL 15s
bradfordnetworks-isol.com.              IN SOA isol.bradfordnetworks-isol.com. root.isol.bradfordnetworks-isol.com. (
                        1
                        10800
                        3600
                        604800
                        86400
                        )
               IN NS      isol.bradfordnetworks-isol.com.
               IN TXT     "Isolation Domain"

$ORIGIN bradfordnetworks-isol.com.

b._dns-sd._udp  PTR @
lb._dns-sd._udp  PTR  @

_networksentry._tcp  PTR AgentConfig._networksentry._tcp

;Insert agent line here

; Needs to be here for BN_OTHER_HOSTNAME
AgentConfig._networksentry._tcp SRV 0 0 443 acorn.bradfordnetworks.com.
                                TXT path=/registration/agent/config

_networksentry._tcp             SRV 0 0 443 acorn.bradfordnetworks.com.
                                TXT path=/registration/agent/config

; Agent communication records: the isolated agent looks these up to reach the Application Server
_bradfordagent._udp             SRV 0 0 4567 acorn.bradfordnetworks.com.
_bradfordagent._tcp             SRV 0 0 4568 acorn.bradfordnetworks.com.

; Every other name in the isolation domain resolves to the eth1 (isolation) interface
*.bradfordnetworks-isol.com.            IN      A   192.168.23.2
;*.bradfordnetworks-isol.com.            IN      AAAA   BN_ISOL_6IP
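
As an added check that is not part of this article or of FortiNAC itself, the following Python script cross-references the SRV records defined in domain.zone.isol against the ANSWER SECTION of the dig query shown earlier, so a mismatch between what the zone file defines and what the isolation DNS actually serves is reported instead of being read by eye. The zone and dig samples are constructed from the records shown in this article; the script assumes the $ORIGIN plus relative-name layout used above and reads dig's normal text output (save the output of the dig command to a file and pass its contents to check_agent_srv).

```python
"""Cross-check an isolation SRV lookup against domain.zone.isol.
Added example, not Fortinet's code: assumes the $ORIGIN/relative-name zone
layout shown in this article and dig's normal text output."""
import re

# Constructed sample: the agent-related records of domain.zone.isol shown above.
ZONE_SAMPLE = """\
$TTL 15s
$ORIGIN bradfordnetworks-isol.com.
_networksentry._tcp             SRV 0 0 443 acorn.bradfordnetworks.com.
                                TXT path=/registration/agent/config
_bradfordagent._udp             SRV 0 0 4567 acorn.bradfordnetworks.com.
_bradfordagent._tcp             SRV 0 0 4568 acorn.bradfordnetworks.com.
*.bradfordnetworks-isol.com.            IN      A   192.168.23.2
"""

# Constructed sample: a healthy answer, trimmed from the expected dig output above.
DIG_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37618
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; ANSWER SECTION:
_bradfordagent._udp.bradfordnetworks-isol.com. 15 IN SRV 0 0 4567 acorn.bradfordnetworks.com.
;; ADDITIONAL SECTION:
isol.bradfordnetworks-isol.com. 15 IN   A       192.168.23.2
"""

# Constructed sample: the failure case, where named does not serve the agent record.
DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;_bradfordagent._udp.bradfordnetworks-isol.com. IN SRV
"""

# owner [ttl] [IN] SRV priority weight port target (matches zone-file and dig forms)
SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def _add(records, owner, prio, weight, port, target):
    records.setdefault(owner.lower(), []).append(
        (int(prio), int(weight), int(port), target.lower()))


def parse_zone_srv(zone_text):
    """Return {fqdn: [(priority, weight, port, target), ...]} for each SRV owner,
    qualifying relative owner names with the current $ORIGIN as named does."""
    origin, records = ".", {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop zone-file comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = SRV_RE.match(line)
        if m:
            owner = m.group(1)
            if not owner.endswith("."):
                owner = f"{owner}.{origin}"
            _add(records, owner, *m.groups()[1:])
    return records


def parse_dig_srv(dig_text):
    """Return (status, answer_count, srv_records) from dig's text output.
    Only the ANSWER SECTION is read; AUTHORITY/ADDITIONAL records are ignored."""
    status, answer_count, section, records = None, 0, None, {}
    for line in dig_text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            status = re.search(r"status:\s*(\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            answer_count = int(re.search(r"ANSWER:\s*(\d+)", line).group(1))
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]  # e.g. "ANSWER"
        elif section == "ANSWER" and not line.startswith(";"):
            m = SRV_RE.match(line)
            if m:
                _add(records, *m.groups())
    return status, answer_count, records


def check_agent_srv(zone_text, dig_text, qname):
    """Compare what dig received for qname with what the zone file defines.
    Returns a list of problem strings; an empty list means the lookup is healthy."""
    qname = qname.lower()
    expected = parse_zone_srv(zone_text).get(qname, [])
    status, answer_count, observed = parse_dig_srv(dig_text)
    got = observed.get(qname, [])
    problems = []
    if not expected:
        problems.append(f"zone file defines no SRV record for {qname}")
    if status != "NOERROR":
        problems.append(f"dig status is {status}, expected NOERROR")
    if answer_count == 0:
        problems.append("dig returned no answer; check that named loads the isolation zone")
    if expected and got and sorted(expected) != sorted(got):
        problems.append(f"served SRV {got} differs from zone file {expected}")
    return problems


if __name__ == "__main__":
    q = "_bradfordagent._udp.bradfordnetworks-isol.com."
    print("healthy:", check_agent_srv(ZONE_SAMPLE, DIG_OK, q) or "OK")
    print("broken :", check_agent_srv(ZONE_SAMPLE, DIG_NXDOMAIN, q))
```

The comparison is done on the fully qualified owner name, so a record that is accidentally written with a trailing dot in the zone file (making it absolute instead of relative to $ORIGIN) shows up as "zone file defines no SRV record", which is exactly the kind of defect a visual inspection of the file tends to miss.
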
/var/named/chroot/etc/named.conf

The following entry ensures that the FQDN of the Application Server (acorn.bradfordnetworks.com in this example) is resolved to the local host, even if it is also defined in zones.common:

// zone added for DNS SRV lookup
zone "acorn.bradfordnetworks.com" {
    type forward;
    forwarders { 127.0.0.6; };
};


The following entry is the master zone for the search domain that DHCP hands out to hosts in isolation:

// ISOL zone added for DNS SRV lookup
zone "bradfordnetworks-isol.com" {
    type master;
    file "domain.zone.isol";
};