FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
bmeta
Staff
Article Id 197408

Description

 

This article describes how to troubleshoot a VLAN change on the remote unit using the FortiNAC CLI.

 

Scope

 

FortiNAC.

Solution

 

This example uses the following addresses:

 

FortiNAC - 192.168.186.141
Switch - 192.168.186.146

 

Connect to FortiNAC using two SSH terminals. Open Terminal A and Terminal B.

Run the commands below in each terminal.


Terminal A.

 

FortiNAC FNVMCA
root@fnac:/root
> DumpBridgePerformance -ip 192.168.186.146 true
Enabling

FortiNAC FNVMCA
root@fnac:/root
> nacdebug -name IPAddressToMac true

Setting IPAddressToMac debug to true:

FortiNAC FNVMCA
root@fnac:/root
> nacdebug -name SnmpV1 true

Setting SnmpV1 debug to true:

 

FortiNAC FNVMCA
root@fnac:/root
> UpdateClients -ip 192.168.186.146
Updating the following devices.
SW1.domain.local 192.168.186.146
Done updating the clients.

Terminal B.

VLAN before the change:

 

FortiNAC FNVMCA
root@fnac:/bsc/logs
> tail -F output.master
.....
yams.BridgeManager INFO :: 2021-04-09 11:51:36:899 :: ********************192.168.186.146-SW1.domain.local********************
2021-04-09 11:51:36:894
        PollThread-poll1
        Remediation VLAN Switching enabled = true
        MAC Filtering enabled = false
        Don't Allow Rogues = false
        Member of PHYSICAL_ADDRESS_FILTERING = false
        Persistent Agent Vlan Delay = 0
        SW1.domain.local Gi1/3    
                Remediation VLAN 111
                Dead End VLAN 112
                Authentication VLAN
                Registration VLAN 110
                Default VLAN 1     
                Current VLAN 1     


Change the VLAN first, then run UpdateClients -ip 192.168.186.146 (same as step 4 in Terminal A).
VLAN after the change:

 

.....
yams.BridgeManager INFO :: 2021-04-09 11:59:38:064 :: ********************192.168.186.146-SW1.domain.local********************
2021-04-09 11:59:38:053
        PollThread-trap2
        Remediation VLAN Switching enabled = true
        MAC Filtering enabled = false
        Don't Allow Rogues = false
        Member of PHYSICAL_ADDRESS_FILTERING = false
        Persistent Agent Vlan Delay = 0
        SW1.domain.local Gi1/3
                Remediation VLAN 111
                Dead End VLAN 112
                Authentication VLAN
                Registration VLAN 110
                Default VLAN 1
                Current VLAN 5

 

Disable all debugs after troubleshooting:

 

> DumpBridgePerformance -ip x.x.x.x
Disabling debug .....

> nacdebug -name IPAddressToMac
Setting IPAddressToMac debug to false

> nacdebug -name SnmpV1
Setting SnmpV1 debug to false

 

Check which debugs are still enabled; these are not disabled automatically:


> nacdebug -true


If there is any output, disable each listed debug with the following command:


> nacdebug -name <Debug_Name> false

In any case, all enabled debugs are disabled after a FortiNAC restart.
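
The before/after comparison done by eye in Terminal B can also be scripted. The Python below is an added example, not part of the original article or of FortiNAC: it parses BridgeManager dumps in the layout shown above and lists each change of a port's Current VLAN, labelling the new value with the role VLAN it matches in that dump or "unlisted" when it matches none. The function names, the "unlisted" label and the abridged sample text are assumptions made for this illustration.

```python
import re

# Constructed, abridged sample in the layout of the article's output.master excerpts.
SAMPLE = """\
yams.BridgeManager INFO :: 2021-04-09 11:51:36:899 :: ********************192.168.186.146-SW1.domain.local********************
        SW1.domain.local Gi1/3
                Remediation VLAN 111
                Authentication VLAN
                Registration VLAN 110
                Default VLAN 1
                Current VLAN 1
yams.BridgeManager INFO :: 2021-04-09 11:59:38:064 :: ********************192.168.186.146-SW1.domain.local********************
SW1.domain.local Gi1/3
Registration VLAN 110
Default VLAN 1
Current VLAN 5
"""

HEADER = re.compile(r"yams\.BridgeManager INFO :: (\S+ \S+) :: \*+([\d.]+)-(.+?)\*+$")
VLAN = re.compile(r"(Remediation|Dead End|Authentication|Registration|Default|Current) VLAN\s*(\d*)$")

def parse_dumps(text):
    """Return one record per port per dump: time, ip, device, port, vlans."""
    records, head, rec = [], None, None
    for line in (l.strip() for l in text.splitlines()):  # indentation varies, so strip it
        if m := HEADER.search(line):
            head, rec = m.groups(), None  # new dump: (time, ip, device)
        elif head and line.startswith(head[2] + " "):  # "<device> <port>" line
            rec = {"time": head[0], "ip": head[1], "device": head[2],
                   "port": line[len(head[2]):].strip(), "vlans": {}}
            records.append(rec)
        elif rec and (m := VLAN.match(line)):  # an empty value (no VLAN set) becomes None
            rec["vlans"][m.group(1)] = int(m.group(2)) if m.group(2) else None
    return records

def vlan_changes(records):
    """List Current VLAN transitions per port with the role VLAN the new value matches."""
    last, changes = {}, []
    for r in (r for r in records if r["vlans"].get("Current") is not None):
        key, cur = (r["ip"], r["port"]), r["vlans"]["Current"]
        if key in last and last[key] != cur:
            role = next((n for n, v in r["vlans"].items()
                         if n != "Current" and v == cur), "unlisted")
            changes.append((r["time"], r["port"], last[key], cur, role))
        last[key] = cur  # remember the latest value seen for this switch port
    return changes

if __name__ == "__main__":
    print(*vlan_changes(parse_dumps(SAMPLE)), sep="\n")
```

To run it against real data, pass the contents of a copy of output.master captured while DumpBridgePerformance was enabled to parse_dumps() instead of SAMPLE.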