FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 193795

Description

 
This article describes how to solve an issue where a policy does not match the access values defined in a user/host profile. The user/host profile has access values defined as part of its criteria.
 
Scope
 
FortiNAC.


Solution

 

To check which policy a host matches without waiting for the end user to raise an issue or performing testing after each change to the FortiNAC configuration, use the test tool available under Hosts. Right-click the desired host and select 'Policy Details'. Below is an example of a host that does not match any user/host profile:

 

[Image: profile.PNG]

 
Create or check the user/host profile that is expected to match for this host:
 
[Image: uhp.PNG]

 

Check all the tabs and make sure the configurations are correct.

There are also other matching criteria that can be configured directly in the profile, such as location, user/host group, time, or information extracted from RADIUS attributes.

After the correct changes are made, the result should include a logical network, and the desired VLAN ID or name should be shown:

 

[Image: hitting.PNG]

 

If the correct policy is used but no VLAN is shown (VLAN name or VLAN ID), make sure that the VLAN is tied to the logical network that is used in the network access policy.

 

  1. Navigate to Network Devices -> Topology.
  2. Right-click on the device and select Model Configuration.

[Image: ln.png]

To debug from the CLI, run the following:

 

nacdebug -name PolicyHelper true

 

Example output:

 

yams.PolicyHelper FINER :: 2023-09-25 11:59:21:767 :: #955 :: HostRecord.getEPCPolicy() HostRecord DBID: 132 calling HostRecord.getAbstractPolicy()
HostRecord.getAbstractPolicy() HostRecord DBID: 132 Using User:
UserRecord:
Landscape = 91754594318 00:15:5D:00:00:0E
ID = 10
Role = AD-NetworkUserRole
Type = Administrative
Admin Profile DBID = 3
Directory Policy =
DN = CN=gimi,OU=Usr,DC=eb,DC=eu
Position = Shef IT
Email Address = gimi@eb.eu
First Name = gimi
...
Setting adapters from host record.
HostRecord.getAbstractPolicy() HostRecord DBID: 132 Using HostRecord
Host Record:
Landscape = 91754594318 00:15:5D:00:00:0E
ID = 132
hostName = WIN-10-USB
owner = beni
policy = null
os = Windows 10 Pro 6.3 21H2 10.0.19044.3086
hardwareType = VMware, Inc. VMware20,1 None
application = Anti-Virus :: Microsoft Windows Defender,Anti-Virus :: Microsoft Windows Defender Engine Updates,Anti-Virus :: Microsoft Windows Defender Signatures,Anti-Virus :: Windows Defender Real-time Protection Check,Operating-System :: ...
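
An added example (not Fortinet code and not part of the original article): a small Python parser for the PolicyHelper debug text shown above, which groups the UserRecord and Host Record fields by host DBID so they can be compared by hand with the criteria in the user/host profile. The function names are hypothetical, and treating an empty value or the literal null as "not set" is an assumption.

```python
import re

# Shortened excerpt of the example output on this page, embedded for the example.
SAMPLE = """\
yams.PolicyHelper FINER :: 2023-09-25 11:59:21:767 :: #955 :: HostRecord.getEPCPolicy() HostRecord DBID: 132 calling HostRecord.getAbstractPolicy()
HostRecord.getAbstractPolicy() HostRecord DBID: 132 Using User:
UserRecord:
Role = AD-NetworkUserRole
Directory Policy =
...
HostRecord.getAbstractPolicy() HostRecord DBID: 132 Using HostRecord
Host Record:
hostName = WIN-10-USB
owner = beni
policy = null
application = Anti-Virus :: Microsoft Windows Defender,Anti-Virus :: Microsoft Windows Defender Signatures
"""

HEADER = re.compile(r"^(UserRecord|Host Record):$")
FIELD = re.compile(r"^([A-Za-z][\w ]*?)\s*=\s*(.*)$")
DBID = re.compile(r"HostRecord DBID: (\d+)")

def parse_policy_debug(text):
    """Return one {'kind', 'dbid', 'fields'} dict per UserRecord/Host Record block."""
    records, current, dbid = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        found = DBID.search(line)
        if found:
            dbid = found.group(1)      # host the following blocks belong to
        header = HEADER.match(line)
        if header:
            current = {"kind": header.group(1), "dbid": dbid, "fields": {}}
            records.append(current)
            continue
        field = FIELD.match(line) if current else None
        if field:
            # Assumption: an empty value or the literal "null" means "not set".
            value = field.group(2)
            current["fields"][field.group(1)] = None if value in ("", "null") else value
        else:
            current = None             # "...", log lines, etc. end the block
    return records

def match_inputs(text):
    """Group the blocks by host DBID: {dbid: {'UserRecord': {...}, 'Host Record': {...}}}."""
    hosts = {}
    for rec in parse_policy_debug(text):
        hosts.setdefault(rec["dbid"], {})[rec["kind"]] = rec["fields"]
    return hosts
```
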