FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 195535
Description
Basic troubleshooting steps for MDM clients that are not registering in NAC.

Scope
Version: 8.x and above

Solution
1.  Verify the client is registered in the MDM. 
Host is not registered in MDM
Troubleshoot the MDM and the client.  Contact the MDM vendor for additional assistance.

Host is registered in MDM
Proceed with the following steps to determine why NAC is not registering the host.


2.  In the Administration UI, search for the MAC address of the affected device under Hosts > Host View (8.x) or Users & Hosts > Hosts (9.x).

Host record cannot be found or shows offline...
This suggests NAC is either not receiving or not processing RADIUS from the wireless controller/Access Point to which the device connects.


Host record shows online but is not registered (displays as a "?")...

Affects all devices registering through MDM:


a. In the Administration UI, navigate to System > Settings > System Communication > MDM Services (8.x) or Network > Service Connectors (9.x).

b. Verify On Demand Registration is enabled in the MDM service connector.  This allows NAC to query the MDM and register the device based on the MDM's data.

c. Highlight the MDM, right-click and click Poll Now (8.x) or right-click on the service connector and click Poll Now (9.x).  Note any errors that are generated.  Errors here suggest communication issues between NAC and the MDM.

d. Check the Polling interval, as it may need to be increased.  Depending upon the size of the MDM's database, the poll can take as long as 30 minutes to complete.  If another poll is initiated before the last one completes, FortiNAC may not finish updating.



Affects only certain devices registering through MDM:


a. Verify the device has the MDM agent installed.

b. Verify Use Configured MDM is selected under the Global Settings in System > Portal Configuration > Content Editor (8.x) or Portal > Portal Configuration > Content Editor (9.x).  The setting provides a means for isolated mobile devices to download the MDM agent.

Host record shows online and is registered but device remains isolated...
Disconnect the device from the (wireless) network and reconnect.  If the device then connects successfully, this suggests an issue with NAC disconnecting the client in order to change network access.

Related Articles

Technical Note: Hosts imported from Airwatch is less than expected

Technical Tip: Airwatch MDM Agent fails to authenticate in isolation

Technical Tip: Certificate path error when polling Airwatch

Technical Tip: Airwatch poll fails with 429 error code

Technical Note: Registered Hosts in Airwatch are Rouges in Network Sentry

Technical Tip: AirWatch MDM poll fails when configured to retrieve application data

Technical Note: Gather logs for debugging and troubleshooting
