khoffman, Staff
Article Id 311745
Description: This article explains why 'CONN_DENY' appears in FortiNAC Persistent Agent logs and how to troubleshoot it.
Scope: FortiNAC Persistent Agent 5.x, 9.x and 10.x.
Solution
  1. On an endpoint that has the FortiNAC Persistent Agent service running and is connected to the network, collect the agent logs.
  2. Open the agent logs in a text editor (for example Notepad) and look for the following sequence after the certificate exchange has completed:

2024-04-16 15:03:58 UTC :: Peer name "nacnac.corp.fortinet.com" matches "nacnac.corp.fortinet.com"
2024-04-16 15:03:58 UTC :: check_cert_chain error is 3
2024-04-16 15:03:58 UTC :: SslStreamTransport::sslSendThread calling take()
2024-04-16 15:03:59 UTC :: Sent Conn-Request
2024-04-16 15:03:59 UTC :: Expanded SslStreamTransport recvBuf to 64 bytes
2024-04-16 15:03:59 UTC :: Expanded SslStreamTransport recvBuf to 128 bytes
2024-04-16 15:03:59 UTC :: constructFromBufer verb = Conn-Deny
2024-04-16 15:03:59 UTC :: handleReceivedPacket() -- received this packet:
Conn-Deny
END of packet
2024-04-16 15:03:59 UTC :: Sending ACK for 7976428
2024-04-16 15:03:59 UTC :: Received CONN_DENY
2024-04-16 15:03:59 UTC :: after connFinished wait done

This sequence shows that the agent reached a FortiNAC server, completed the certificate exchange (the peer name matched), and sent its Conn-Request over the established SSL transport, and that the server answered with Conn-Deny. The transport and certificate trust are therefore not the problem; the server itself is refusing the agent. The usual cause is that 'Require Connected Adapter' is enabled on that server and the server does not see any of the endpoint's physical adapters as online on a network device it manages. In a deployment with multiple FortiNAC servers this can be expected behaviour: the agent may be trying a server that does not manage the network device at the endpoint's location, and that server will deny the connection even though another server would accept it.

Require Connected Adapter: when enabled, the server requires that at least one of the adapters reported by the agent be connected to a network device managed by FortiNAC before it will communicate with the agent. This removes the need to restrict agent-to-server communication with ACLs.

  3. Determine why the endpoint is not seen as online and connected. In FortiNAC, navigate to the network device the endpoint is attached to and locate the port it is connected on. If multiple servers are deployed, first confirm that the server named in the 'Peer name' line of the log is the one that manages that device. If the host is not shown on that port as online and connected, continue by troubleshooting poll failures on that device.
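As an added example (not part of the original article and not a FortiNAC tool), the following Python script applies the triage above to a saved agent log: it splits the log into per-server connection attempts on the 'Peer name ... matches' line, records whether a Conn-Request was sent and a CONN_DENY received, and reports a verdict for each server. It recognises only the three line shapes that appear in the excerpt above; any other agent messages are skipped. The sample log embedded in it is constructed: it reproduces the excerpt and adds a second attempt to a hypothetical server, nacnac2.example.com, to show the multi-server case where one server denies and another does not.

```python
"""Triage a FortiNAC Persistent Agent log for the CONN_DENY pattern.

Added example, not FortiNAC code. It matches only the line shapes quoted in
the article: 'Peer name "..." matches "..."', 'Sent Conn-Request' and
'Received CONN_DENY'. Other agent verbs are not interpreted.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Timestamp prefix as it appears in the agent log: '<date> <time> UTC :: <msg>'
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC) :: (.*)$")
# First line in the excerpt that names the server the agent is talking to
PEER_RE = re.compile(r'^Peer name "([^"]+)" matches "([^"]+)"$')
CONN_REQUEST = "Sent Conn-Request"
CONN_DENY = "Received CONN_DENY"


@dataclass
class ConnectionAttempt:
    server: str | None = None        # peer name the certificate matched
    cert_exchange_ok: bool = False   # a 'Peer name ... matches' line was seen
    conn_request_sent: bool = False  # 'Sent Conn-Request' was seen
    conn_denied: bool = False        # 'Received CONN_DENY' was seen
    denied_at: str | None = None     # timestamp of the CONN_DENY line

    def verdict(self) -> str:
        who = self.server or "an unidentified server"
        if self.conn_denied and self.cert_exchange_ok:
            return (f"CONN_DENY from {who} after a completed certificate exchange: "
                    "transport and trust are fine, the server refused the agent. "
                    "Check 'Require Connected Adapter' and whether this server sees "
                    "the endpoint's adapter online on a device it manages.")
        if self.conn_denied:
            return f"CONN_DENY from {who} without a logged peer-name match; review the certificate exchange first."
        if self.conn_request_sent:
            return f"Conn-Request sent to {who}; no CONN_DENY in this log."
        return f"Certificate exchange with {who} completed; no Conn-Request logged yet."


def triage(log_text: str) -> list[ConnectionAttempt]:
    """Split an agent log into per-server connection attempts.

    A new attempt starts at each 'Peer name ... matches' line. Conn-Request
    and CONN_DENY lines are attributed to the attempt currently in progress.
    Lines without the timestamp prefix (packet dumps, 'END of packet') are
    skipped.
    """
    attempts: list[ConnectionAttempt] = []
    current: ConnectionAttempt | None = None
    for raw in log_text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        peer = PEER_RE.match(msg)
        if peer:
            current = ConnectionAttempt(server=peer.group(1), cert_exchange_ok=True)
            attempts.append(current)
            continue
        if msg in (CONN_REQUEST, CONN_DENY):
            if current is None:  # deny seen before any peer line: still record it
                current = ConnectionAttempt()
                attempts.append(current)
            if msg == CONN_REQUEST:
                current.conn_request_sent = True
            else:
                current.conn_denied = True
                current.denied_at = ts
    return attempts


def denied_servers(attempts: list[ConnectionAttempt]) -> list[str]:
    """Names of the servers that answered Conn-Deny (None for unidentified ones)."""
    return [a.server for a in attempts if a.conn_denied]


# Constructed sample: the article's excerpt, followed by a hypothetical second
# server (nacnac2.example.com) that accepts the Conn-Request without a deny.
SAMPLE_LOG = """\
2024-04-16 15:03:58 UTC :: Peer name "nacnac.corp.fortinet.com" matches "nacnac.corp.fortinet.com"
2024-04-16 15:03:58 UTC :: check_cert_chain error is 3
2024-04-16 15:03:58 UTC :: SslStreamTransport::sslSendThread calling take()
2024-04-16 15:03:59 UTC :: Sent Conn-Request
2024-04-16 15:03:59 UTC :: constructFromBufer verb = Conn-Deny
2024-04-16 15:03:59 UTC :: handleReceivedPacket() -- received this packet:
Conn-Deny
END of packet
2024-04-16 15:03:59 UTC :: Sending ACK for 7976428
2024-04-16 15:03:59 UTC :: Received CONN_DENY
2024-04-16 15:03:59 UTC :: after connFinished wait done
2024-04-16 15:04:02 UTC :: Peer name "nacnac2.example.com" matches "nacnac2.example.com"
2024-04-16 15:04:02 UTC :: SslStreamTransport::sslSendThread calling take()
2024-04-16 15:04:03 UTC :: Sent Conn-Request
"""

if __name__ == "__main__":
    for attempt in triage(SAMPLE_LOG):
        print(attempt.verdict())
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a CONN_DENY attributed to one server while another server shows only a Conn-Request is the multi-server situation described above, and the server to investigate for 'Require Connected Adapter' and adapter visibility is the one named in the deny verdict.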