Troubleshooting
If experiencing problems with the VPN device and users managed by FortiNAC, check the following:
-
Proper route(s) are defined to send traffic to FortiNAC from the VPN device. This may include running the setupAdvancedRoute tool to create policy-based routes.
-
The remote IP assigned to the VPN session comes from the correct VPN pool on the FortiGate and the address scope is correctly defined for the VPN context on the FortiNAC appliance.
-
SNMP and CLI credentials are configured correctly on both FortiNAC and the VPN device to facilitate device discovery and FortiNAC/FortiGate communication.
-
The FortiNAC Server or Control Server should always be able to communicate with the FortiGate via FSSO to set and remove tags/groups as appropriate.
-
Firewall policies and routes are defined to allow users on both restricted and non-restricted networks to access the FortiNAC VPN interface.
-
Endpoint compliance and Network access control policies are configured correctly on the FortiGate to match the VPN sessions being managed.
-
Logical Network to tag/group mappings are configured correctly on the FortiGate model in FortiNAC to cause the correct values to be sent to the FortiGate when the session is authorized.
-
Syslog messages are configured to be sent to FortiNAC. Log messages with ids of 0101039947 and 0101039948 (SSL), or 0101037129 and 0101037134 (IPSec) must be sent to FortiNAC.