(FNC-CA) FortiNAC Commands

Use the following KB article to gather the appropriate logs using the debugs below.

Gather logs for debugging and troubleshooting

Note: Debugs disable automatically upon restart of FortiNAC control and management processes.

Function	Syntax	Log File
FortiNAC Server (Proxy RADIUS)	nacdebug –name RadiusManager true	/bsc/logs/output.master
FortiNAC Server (Local RADIUS)*	nacdebug –name RadiusAccess true	/bsc/logs/output.master
RADIUS Service (Local RADIUS)	radiusd -X -l /var/log/radius/radius.log Stop logging: Ctrl-C	/var/log/radius/radius.log
L2 related activity	nacdebug –name BridgeManager true	/bsc/logs/output.master
FortiGate wired port and Managed (FortiLink) FortiSwitch specific	nacdebug –name Fortinet true	/bsc/logs/output.master
FortiNAC Network association to each FortiGate	nacdebug –name DeviceInterface true	/bsc/logs/output.master
SSO activity**	nacdebug –name SSOManager true	/bsc/logs/output.master
Disable debug	nacdebug –name <debug name> false	N/A

*Enables logging for a given MAC Address:
nacdebug -logger 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55' -level FINEST

To disable:
nacdebug -logger 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55'

**SSO communication:

Logon and logoff messages are written to /bsc/logs/output.master in the FortiNAC CLI by default without debug enabled.

Logon Sample message:

FortiGate IP: 10.0.0.1

Client IP address: 10.0.0.10

Client MAC address = 00:09:B0:DA:40:C9

SSO Tag = Production

yams.SSOManager INFO :: 2021-02-23 07:33:25:003 :: SSOManager.sendMessage sending message to 10.0.0.1 for client 00:09:B0:DA:40:C9

com.bsc.plugin.manager.SSOManager$DeviceMessage[logon, mac=00:09:B0:DA:40:C9, ip=10.0.0.10, tags=[Production]]Other Tools

Send a RADIUS Disconnect:

SendCoA -ip <devip> -mac <clientmac> -dis

Example:

SendCoA -ip 10.1.0.25 -mac 00:1B:77:11:CE:2F -dis

Manual SSO resync (versions 8.8.11 and greater)

SSOTool -r -ip <FortiGate IP>