FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
scitlak
Staff
Article Id 289774
Description

This article describes why, in some cases, macOS may still treat a local Root Certificate as untrusted even though it has been imported into Keychain and marked as 'Always Trusted'. As a result, the TLS handshake between the Persistent Agent and FortiNAC may fail to be established.
In this case, even though the local Root Certificate has been imported into Keychain and marked as 'Always Trusted', the following entries may appear in the Persistent Agent logs:


SSL_get_verify_result = 19
...
...
...

Checking Peer name fortinac.lab.local against Common or Subject-alternative-name entry fortinac.lab.local
Peer name "fortinac.lab.local" matches "fortinac.lab.local"
Refusing to connect to trust_DISTRUSTED fortinac.lab.local|fortinac.lab.local|6f:b5:1a:98:96:81:e7:49:e9:2f:b9:d2:7e:91:ff:ab:90:d2:9a:8a
Connection failed! 1

Scope
FortiNAC v9.x.y and FortiNAC-F v7.x.y.
Solution
  1. Update the Persistent Agent to the latest version.
  2. On the affected macOS host, copy the root certificate to the /users/admin directory.
  3. Run the following command in the macOS terminal to import the root certificate as trusted:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/your-root-ca-name.cer
  4. Then restart the Persistent Agent with the following commands:
sudo launchctl unload /Library/LaunchDaemons/com.bradfordnetworks.agent.plist
sudo launchctl load /Library/LaunchDaemons/com.bradfordnetworks.agent.plist
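As an added triage example (this is not Fortinet's code and is not part of the original article), the script below parses the Persistent Agent log lines quoted in the Description, decodes the OpenSSL verify-result code (19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, i.e. the chain ends in a root the system does not trust), extracts the distrusted peer name and fingerprint, and compares that fingerprint against a local root CA file so an operator can confirm the right certificate is being imported in step 3 before reloading the agent in step 4. It assumes the fingerprint printed by the agent is the SHA-1 of the DER-encoded certificate, and the sample log is constructed from the lines shown in this article.

```python
"""Triage helper for Persistent Agent TLS failures on macOS.

Added example, not Fortinet code. Parses the agent log, decodes the
OpenSSL verify-result code, extracts the distrusted peer and fingerprint,
and checks whether a local root CA file is the certificate the agent refused.
"""
import hashlib
import re

# OpenSSL X509_V_ERR_* codes that commonly show up in SSL_get_verify_result.
VERIFY_RESULTS = {
    0: "ok",
    2: "unable to get issuer certificate",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

VERIFY_RE = re.compile(r"SSL_get_verify_result\s*=\s*(\d+)")
# Agent format: "Refusing to connect to trust_<STATE> <peer>|<name>|<fingerprint>"
DISTRUST_RE = re.compile(
    r"Refusing to connect to trust_(\w+)\s+([^|\s]+)\|([^|\s]+)\|([0-9a-fA-F:]+)"
)

# Constructed sample: the log lines quoted in the article.
SAMPLE_LOG = """\
SSL_get_verify_result = 19
Checking Peer name fortinac.lab.local against Common or Subject-alternative-name entry fortinac.lab.local
Peer name "fortinac.lab.local" matches "fortinac.lab.local"
Refusing to connect to trust_DISTRUSTED fortinac.lab.local|fortinac.lab.local|6f:b5:1a:98:96:81:e7:49:e9:2f:b9:d2:7e:91:ff:ab:90:d2:9a:8a
Connection failed! 1
"""


def decode_verify_result(code):
    """Map an SSL_get_verify_result code to OpenSSL's meaning."""
    if code is None:
        return "no SSL_get_verify_result entry found"
    return VERIFY_RESULTS.get(code, "unknown verify result {}".format(code))


def parse_agent_log(text):
    """Return verify code, trust state, peer name and fingerprint found in the log."""
    info = {"verify_code": None, "trust": None, "peer": None, "fingerprint": None}
    for line in text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            info["verify_code"] = int(m.group(1))
            continue
        m = DISTRUST_RE.search(line)
        if m:
            info["trust"] = m.group(1)
            info["peer"] = m.group(2)
            info["fingerprint"] = m.group(4).lower()
    return info


def der_fingerprint(der_bytes):
    """Colon-separated SHA-1 of a DER certificate (20 bytes, like the agent's format)."""
    digest = hashlib.sha1(der_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_refused_certificate(der_bytes, log_fingerprint):
    """True if the local certificate is the one the agent reported as distrusted.

    Assumption: the logged fingerprint is the SHA-1 of the DER-encoded certificate.
    A PEM .cer file must be base64-decoded to DER before calling this.
    """
    return der_fingerprint(der_bytes) == log_fingerprint.lower()


def triage(text):
    """Summarise the failure and point at the remediation from the article."""
    info = parse_agent_log(text)
    code = info["verify_code"]
    lines = ["verify result {}: {}".format(code, decode_verify_result(code))]
    if info["trust"] == "DISTRUSTED":
        lines.append("peer {} refused, fingerprint {}".format(info["peer"], info["fingerprint"]))
        if code == 19:
            lines.append("root CA is not trusted by the System keychain; import it with "
                         "'sudo security add-trusted-cert -d -r trustRoot "
                         "-k /Library/Keychains/System.keychain <root-ca.cer>' "
                         "and then unload/load the agent LaunchDaemon")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run it against a copied agent log instead of SAMPLE_LOG, and pass the bytes of the .cer file from step 2 to is_refused_certificate together with the fingerprint the parser returns: a match confirms that the file being imported is the root the agent distrusted, while a mismatch means a different certificate (for example an intermediate, or a PEM file not yet decoded to DER) is about to be added to the System keychain.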
Related article:

Technical Tip: Persistent Agent fails to communicate with 'SSL_get_verify_result' log entry.