FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 192245

Description

 

This article explains an issue where FortiNAC license keys do not contain the necessary certificates.

 

Scope

 

FortiNAC versions released prior to 2020.

 

Solution

 

License keys with certificates were introduced on January 1st 2020.

It is possible for older appliances to be running on a license key generated prior to 2020 and not include certificates.

 

Appliances that do not have keys with certificates have the following limitations:

Certain features will not be available, including:

  • FortiGuard IoT for Device Profiling Rule.
  • Security Fabric communication (see Security Fabric Connection).
  • FSSO via REST API with FortiGate v7.x.
  • Communication between FortiNAC servers (versions 7.2.2, 9.4.3, 9.2.8, 9.1.10 and greater).

Verify a key has certificates on a virtual appliance:

To verify a license key has certificates on a virtual appliance, log in to the appliance CLI as the root user and run the following command:

licensetool -key APPLIANCE


Example with certificates:

licensetool -key APPLIANCE
APPLIANCE:
serial = FNVMCATMxxxxxxxx
type = NetworkControlApplicationServer
level = PRO
count = 0
expiration = 0
expired = false
mac = xx:xx:xx:xx:xx:xx
uuid = xxxxx-xxx-xxx-xxx-xxxxxxxx
certificates = [xxxxxxxxxxxxxxxxxxx]

Example without certificates:

licensetool -key APPLIANCE
APPLIANCE:
serial = FNVMCAxxxxxxxx
type = NetworkControlApplicationServer
level = PLUS
count = 10000
expiration = 0
expired = false
mac = xx:xx:xx:xx:xx:xx
uuid = xxxxx-xxx-xxx-xxx-xxxxxxxx
certificates = []

In the second example, the 'certificates' array has no values. This means the license key has no certificates.

Verify a key has certificates on a physical appliance:

To verify a license key has certificates on a physical appliance, log in to the appliance CLI as the root user and run the following command:

licensetool -key FILE -file /bsc/campusMgr/.licenseKeyHW

Example contents of a key file with certificates:

serial = FN5HCATRxxxxxxxx
type = NetworkControlApplicationServer
level = BASE
count = 0
expiration = 0
expired = false
mac = xx:xx:xx:xx:xx:xx
uuid = 00000000-0000-0000-0000-000000000000
certificates = [xxxxxxxxxxxxxxxxxxx]
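
Added example, not part of the article: a POSIX shell helper that parses the licensetool output shown above and reports whether the key carries certificates, wrapping both commands the article gives (virtual: `licensetool -key APPLIANCE`; hardware: `licensetool -key FILE -file /bsc/campusMgr/.licenseKeyHW`). The function names and the embedded sample outputs are mine; the samples are constructed from the placeholder values in the examples above.

```shell
#!/bin/sh
# Added example, not part of the article. Assumes the "field = value" layout
# shown above, ending in a "certificates = [...]" line.

# Read licensetool output from stdin. Exit 0 when the certificates array has
# a value, 1 when it is empty ("[]") or the line is missing entirely.
key_has_certificates() {
    certs=$(sed -n 's/^[[:space:]]*certificates[[:space:]]*=[[:space:]]*\[\(.*\)][[:space:]]*$/\1/p' \
        | tr -d '[:space:]')
    [ -n "$certs" ]
}

# Read licensetool output from stdin and print "<serial> certificates=present"
# or "<serial> certificates=missing" (serial falls back to "unknown").
key_report() {
    out=$(cat)
    serial=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*serial[[:space:]]*=[[:space:]]*//p' | head -n 1)
    if printf '%s\n' "$out" | key_has_certificates; then
        printf '%s certificates=present\n' "${serial:-unknown}"
    else
        printf '%s certificates=missing\n' "${serial:-unknown}"
    fi
}

# On an appliance, run as root with "virtual" or "hardware" as the argument;
# both licensetool invocations are the ones the article gives.
check_appliance() {
    case "$1" in
        virtual)  licensetool -key APPLIANCE | key_report ;;
        hardware) licensetool -key FILE -file /bsc/campusMgr/.licenseKeyHW | key_report ;;
        *)        echo "usage: check_appliance virtual|hardware" >&2; return 2 ;;
    esac
}

# Constructed sample outputs with placeholder values, modelled on the examples above.
SAMPLE_WITH_CERTS='APPLIANCE:
serial = FNVMCATMxxxxxxxx
type = NetworkControlApplicationServer
level = PRO
certificates = [xxxxxxxxxxxxxxxxxxx]'

SAMPLE_WITHOUT_CERTS='APPLIANCE:
serial = FNVMCAxxxxxxxx
type = NetworkControlApplicationServer
level = PLUS
certificates = []'

# Stand-alone run: report both samples.
printf '%s\n' "$SAMPLE_WITH_CERTS" | key_report
printf '%s\n' "$SAMPLE_WITHOUT_CERTS" | key_report
```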
 
The solution for missing certificates varies depending on the appliance:

Virtual appliances:

  • Manager or Control/Application Server (FNC-M-VM or FNC-CA-VM):
    • Customers with a FortiCare account and appliance support coverage can download a new key containing certificates from the Customer Support Portal at http://support.fortinet.com.

    Important:

    • Ensure the correct UUID and eth0 MAC address of the appliance are reflected in the product record. For details on how to obtain this information and download the new keys, see the Update Keys Due to UUID/MAC Change section in the License Upgrade Guide.
    • Select Get the License File next to FortiNAC Control/App VM Server License. Do not use the Network Sentry key file, as certificates will not be included.
    • PODs managed by a Manager: it is necessary to download a new key file for each appliance whose key is missing certificates. Certificates are not distributed from the Manager.
  • Separate Control and Application Servers (FNC-C-VM & FNC-A-VM):
    • FortiNAC server communication workaround: see Importing License Key Certificates in the FortiNAC Manager Guide.
    • FortiNAC appliance SKUs for the separate Control and Application servers reached end of order (EOO) in 2019. FortiCare cannot generate license keys containing certificates for these older products. For a listing of all EOO products, see https://support.fortinet.com/Information/ProductLifeCycle.aspx
    • Customers must contact Sales to arrange for a transition from the older appliances to the combined Control and Application VM server (FNC-CA-VM) to use the newer license keys.

 

Hardware appliances:

  • FortiNAC server communication workaround: see Importing License Key Certificates in the FortiNAC Manager Guide.
  • Manager or Control/Application Server (FNC-M or FNC-CA):
    • Certificates are installed and shipped with the appliance. If certificates are missing from /bsc/campusMgr/.licenseKeyHW, the unit must be returned through the RMA process. Read more here.
  • Separate Control and Application Servers (FNC-C & FNC-A):
    • FortiNAC appliance SKUs for the separate Control and Application servers reached end of order (EOO) in 2019.
    • FortiCare cannot generate license keys containing certificates for these older products. For a listing of all EOO products, see https://support.fortinet.com/Information/ProductLifeCycle.aspx
    • Customers must contact Sales to arrange for a transition from the older appliances to the combined Control and Application Server to use the newer license keys.