FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 190112

Description

 

This article describes the case when the Persistent Agent Cert Check fails on a host that has a valid certificate.

The appliance evaluates the host certificate and verifies the timestamp within five minutes of receipt by the server. If the software clock is off by more than 5 minutes, a host can fail the certificate validation.


Scope

 
Version: 8.3 and above and Persistent Agent 3.5 and above.


Solution

 

Troubleshooting.

  1. In the appliance CLI, turn on debug for the AgentServer and PersistentAgent modules so the certificate validation is logged and the cause can be determined:

    nacdebug -name AgentServer true
    nacdebug -name PersistentAgent true

  2. Rescan the affected host to trigger the certificate validation.

  3. Turn off debug:

    nacdebug -name AgentServer false
    nacdebug -name PersistentAgent false

  4. Review /bsc/logs/output.nessus and look for lines similar to the following, written after the host has failed the certificate validation check:

    yams.PersistentAgent FINER :: 2020-07-16 18:52:32:275 :: Signature timestamp not within allowed time.  Time difference: 1327725
    yams.PersistentAgent FINER :: 2020-07-16 18:52:32:275 :: SIGNATURE NOT VERIFIED
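The following Python script is an added example, not Fortinet code: it models the five-minute signature timestamp window described above and triages output.nessus debug lines by extracting the reported time difference. The log-line format is taken from the lines above; the assumption that "Time difference" is in milliseconds is the author's, not stated in the article.

```python
"""Model the Persistent Agent timestamp window and triage debug log lines."""
import re
from datetime import datetime, timedelta

# The appliance accepts a signed agent message only when its timestamp is
# within this window of the server's receipt time (five minutes per the article).
ALLOWED_SKEW = timedelta(minutes=5)

# Assumption: the "Time difference" value in the log is in milliseconds.
MS_PER_MINUTE = 60_000

# Matches the failure line seen in output.nessus; the trailing ":275" is the
# millisecond part of the log timestamp and is dropped from the captured group.
FAILURE_LINE = re.compile(
    r"yams\.PersistentAgent \S+ :: "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):\d{3} :: "
    r"Signature timestamp not within allowed time\.\s+Time difference: (?P<diff>-?\d+)"
)


def timestamp_within_window(signed_at: datetime, received_at: datetime) -> bool:
    """Return True when the signature timestamp is within ALLOWED_SKEW of receipt."""
    return abs(received_at - signed_at) <= ALLOWED_SKEW


def find_skew_failures(log_text: str):
    """Return (log timestamp, raw difference, minutes of skew) for each failure line."""
    results = []
    for line in log_text.splitlines():
        m = FAILURE_LINE.search(line)
        if m:
            diff = int(m.group("diff"))
            results.append((m.group("ts"), diff, round(diff / MS_PER_MINUTE, 1)))
    return results


# Sample log: the two lines quoted in the article plus one constructed unrelated line.
SAMPLE_LOG = """\
yams.PersistentAgent FINER :: 2020-07-16 18:52:31:900 :: Processing agent message
yams.PersistentAgent FINER :: 2020-07-16 18:52:32:275 :: Signature timestamp not within allowed time.  Time difference: 1327725
yams.PersistentAgent FINER :: 2020-07-16 18:52:32:275 :: SIGNATURE NOT VERIFIED
"""

if __name__ == "__main__":
    for ts, diff, minutes in find_skew_failures(SAMPLE_LOG):
        print(f"{ts}: host clock off by ~{minutes} min (raw {diff}); check NTP on host and appliance")
```

A skew well beyond the five-minute window, as in the sample line (about 22 minutes), points at clock drift on the end station or the appliance rather than at the certificate itself.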
 
Solution.
  1. Confirm the correct date and hardware clock on the appliance. For instructions on checking for time drift, see the related KB article below.
  2. Verify the time on the end station.

 

For more information, see the section Certificate Validation of the Administration Guide in the Fortinet Document Library.

 

Related Article:

Technical Note: Adjusting NTP for drift