FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 197123

Description

 

This article describes how to troubleshoot a host for which the expected policy-based behavior (e.g., Captive Portal, Endpoint Compliance, Network Access, etc.) is not occurring.
 
Examples include:
- Host not presented with the correct Portal page.
- Host not assigned the correct VLAN.
- Host unexpectedly prompted to download an agent.
 

These symptoms suggest the host does not fulfill the criteria for the desired policy. Policies consist of two components:

- User/Host profile: The set of criteria the host record must fulfill in order for the policy to apply.

- Configuration:  The action executed when the User/Host Profile matches.


Scope


Version:  8.x, 9.x.

Solution

 

Note:  These troubleshooting steps apply to all policy types (Network Access, Authentication, Supplicant EasyConnect, Endpoint Compliance, or Portal).

 

For location-based Network Access policies, see KB article 195587.

 

1)  Determine which, if any, policy the host record matches. In the Administration UI, navigate to
8.x:  Hosts ->  Host View
9.x:  Users & Hosts -> Hosts
 
and search for the affected host.
 
2)  Verify the host shows online (green adapter).  The host must be online for accurate results.  If the host is not online when it should be, troubleshoot this behavior first.  Once the host correctly shows online, proceed to step 3.
 
3)  Right click on the host record and select Policy Details. There will be a tab for each policy type.
 
4)  Select the policy tab of interest and review the contents.
 
Tab Lists Correct Policy

Network Access policies: If the affected host is connected to a switch port, verify the port is part of the Role-Based Access port group.

Tab is Blank

This indicates the host does not match any of the existing policies for that type.  To understand why the host did not match, the User/Host Profile for the desired policy must be reviewed.
 
1)  Navigate to
8.x:  Policy > Policy Configuration  
9.x:  Policy & Objects
 
2)  Select the applicable policy type (Portal, Network Access, etc).
 
3)  Select the User/Host Profile for that policy to review the criteria.
 
If the criteria are incorrect, modify as necessary.

If the criteria are correct, review the host record and its associated user record (if user record criteria were included) to determine which criteria were missing.

 

Tab Lists Incorrect Policy

To understand why the wrong policy was matched, the User/Host Profile and policy ranking must be reviewed for both policies.

1)  Navigate to
8.x:  Policy > Policy Configuration  
9.x:  Policy & Objects
 
2) Select the applicable policy type (Portal, Network Access, etc). This will display all the policies of that type in ranked order.


3) Note the ranking order:  the host is evaluated against the policies in order of rank, starting with 1 (top rank).  The first policy that matches will apply, and therefore, policies with more restrictive criteria should be ranked at the top.     

 
4) Review the criteria listed in the User/Host Profiles of both policies.  


Possible scenarios:

- Criteria for one or both policies are incorrect.  Modify as necessary.

- Matching policy is ranked above the desired policy. Example:
Rank 5: Matching Policy
Rank 9: Desired Policy

The matching policy contains less restrictive criteria.  Adjust the ranking so that the desired policy is listed higher, taking into consideration the surrounding policies.  If unsure what the new ranking should be, contact support for assistance.

- Matching policy is ranked below the desired policy. Example:
Rank 5: Desired Policy
Rank 9: Matching Policy

The host did not match the desired policy.  Review the host record and its associated user record (if user record criteria were included) to determine which criteria were missing.
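
The rank-ordered, first-match evaluation and the scenarios listed above can be modeled as follows. This Python example is added here for illustration and is not FortiNAC code or its API; the policy names, the host attributes (role, os) and the exact-match criteria are assumptions.

```python
# Simplified model of ranked, first-match policy evaluation (added example).
# Policy names and host attributes are constructed; this is not FortiNAC code.

def unmet(profile, host):
    """Criteria in a User/Host Profile that the host record does not fulfill."""
    return {k: v for k, v in profile.items() if host.get(k) != v}

def first_match(policies, host):
    """Evaluate in rank order (1 = top rank); the first policy that matches applies."""
    for policy in sorted(policies, key=lambda p: p["rank"]):
        if not unmet(policy["profile"], host):
            return policy
    return None

def diagnose(policies, host, desired_name):
    """Return (scenario, criteria the host is missing for the desired policy)."""
    desired = next(p for p in policies if p["name"] == desired_name)
    matched = first_match(policies, host)
    missing = unmet(desired["profile"], host)
    if matched is None:
        return "tab is blank", missing
    if matched is desired:
        return "tab lists correct policy", missing
    if matched["rank"] < desired["rank"]:
        return "matching policy ranked above desired", missing
    return "matching policy ranked below desired", missing

# Constructed sample data, using the ranks from the article's examples.
BROAD = {"role": "Employee"}                     # less restrictive profile
NARROW = {"role": "Employee", "os": "Windows"}   # more restrictive profile
SHADOWED = [{"rank": 5, "name": "Matching", "profile": BROAD},
            {"rank": 9, "name": "Desired", "profile": NARROW}]
REORDERED = [{"rank": 5, "name": "Desired", "profile": NARROW},
             {"rank": 9, "name": "Matching", "profile": BROAD}]

if __name__ == "__main__":
    windows = {"role": "Employee", "os": "Windows"}
    mac = {"role": "Employee", "os": "macOS"}
    guest = {"role": "Guest", "os": "Windows"}
    cases = [(SHADOWED, windows), (REORDERED, windows),
             (REORDERED, mac), (SHADOWED, guest)]
    for policies, host in cases:
        print(host, "->", diagnose(policies, host, "Desired"))
```

An empty "missing" result alongside "matching policy ranked above desired" means the ranking alone is the problem; a non-empty result means the host record also lacks criteria for the desired policy.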
 

Related Articles

Technical Tip: Configuring a Network Access Policy