Debugging

(FNC-CA) FortiNAC Commands

Use the following KB article to gather the appropriate logs using the debugs below.

Gather logs for debugging and troubleshooting

Note: Debugs disable automatically upon restart of FortiNAC control and management processes.

Function	Syntax	Log File
FortiNAC Server (Proxy RADIUS)	`nacdebug –name RadiusManager true`	/bsc/logs/output.master
FortiNAC Server (Local RADIUS)*	`nacdebug –name RadiusAccess true`	/bsc/logs/output.master
RADIUS Service (Local RADIUS)	`radiusd -X -l /var/log/radius/radius.log` Stop logging: Ctrl-C	/var/log/radius/radius.log
L2 related activity	`nacdebug –name BridgeManager true`	/bsc/logs/output.master
Vendor specific debugging	`nacdebug –name Meraki true`	/bsc/logs/output.master
Disable debug	`nacdebug –name <debug name> false`	N/A

*Logging for a given MAC Address:
nacdebug -logger 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55' -level FINEST

Disable:

nacdebug -logger 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55'

Other Tools

Send a RADIUS Disconnect:

SendCoA -ip <devip> -mac <clientmac> -dis

Example:

SendCoA -ip 10.1.0.25 -mac 00:1B:77:11:CE:2F -dis

(FNC-CAX) Commands

Use the following KB article to gather the appropriate logs using the debugs below.

Gather logs for debugging and troubleshooting

Note: Debugs disable automatically upon restart of FortiNAC control and management processes.

Function	Syntax		Log File
FortiNAC Server (Proxy RADIUS)	`diagnose debug plugin enable RadiusManager`		/bsc/logs/output.master
FortiNAC Server (Local RADIUS)*	`diagnose debug plugin enable Radius Access`	/bsc/logs/output.master
L2 related activity	`diagnose debug plugin enable BridgeManager`		/bsc/logs/output.master
Vendor specific debug	`diagnose debug plugin enable Meraki`	/bsc/logs/output.master
Disable debug	`diagnose debug plugin disable <plugin name>`		N/A

Note: If not using VLANs, will always return policy value “NativePolicy” in RADIUS response. Otherwise, a VLAN value is returned.

*Enables logging for a given MAC Address:
diagnose debug logger set finest 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55'

To disable:
diagnose debug logger unset 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55'

Other Tools

Send a RADIUS Disconnect:

execute enter-shell

SendCoA -ip <devip> -mac <clientmac> -dis

Example:

SendCoA -ip 10.1.0.25 -mac 00:1B:77:11:CE:2F -dis

Debugging

(FNC-CA) FortiNAC Commands

Use the following KB article to gather the appropriate logs using the debugs below.

Gather logs for debugging and troubleshooting

Note: Debugs disable automatically upon restart of FortiNAC control and management processes.

Function	Syntax	Log File
FortiNAC Server (Proxy RADIUS)	`nacdebug –name RadiusManager true`	/bsc/logs/output.master
FortiNAC Server (Local RADIUS)*	`nacdebug –name RadiusAccess true`	/bsc/logs/output.master
RADIUS Service (Local RADIUS)	`radiusd -X -l /var/log/radius/radius.log` Stop logging: Ctrl-C	/var/log/radius/radius.log
L2 related activity	`nacdebug –name BridgeManager true`	/bsc/logs/output.master
Vendor specific debugging	`nacdebug –name Meraki true`	/bsc/logs/output.master
Disable debug	`nacdebug –name <debug name> false`	N/A

*Logging for a given MAC Address:
nacdebug -logger 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55' -level FINEST

Disable:

nacdebug -logger 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55'

Other Tools

Send a RADIUS Disconnect:

SendCoA -ip <devip> -mac <clientmac> -dis

Example:

SendCoA -ip 10.1.0.25 -mac 00:1B:77:11:CE:2F -dis

(FNC-CAX) Commands

Use the following KB article to gather the appropriate logs using the debugs below.

Gather logs for debugging and troubleshooting

Note: Debugs disable automatically upon restart of FortiNAC control and management processes.

Function	Syntax		Log File
FortiNAC Server (Proxy RADIUS)	`diagnose debug plugin enable RadiusManager`		/bsc/logs/output.master
FortiNAC Server (Local RADIUS)*	`diagnose debug plugin enable Radius Access`	/bsc/logs/output.master
L2 related activity	`diagnose debug plugin enable BridgeManager`		/bsc/logs/output.master
Vendor specific debug	`diagnose debug plugin enable Meraki`	/bsc/logs/output.master
Disable debug	`diagnose debug plugin disable <plugin name>`		N/A

Note: If not using VLANs, will always return policy value “NativePolicy” in RADIUS response. Otherwise, a VLAN value is returned.

*Enables logging for a given MAC Address:
diagnose debug logger set finest 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55'

To disable:
diagnose debug logger unset 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55'

Other Tools

Send a RADIUS Disconnect:

execute enter-shell

SendCoA -ip <devip> -mac <clientmac> -dis

Example:

SendCoA -ip 10.1.0.25 -mac 00:1B:77:11:CE:2F -dis

Cisco Meraki MR Access Points Integration

Debugging

Debugging

(FNC-CA) FortiNAC Commands

Other Tools

(FNC-CAX) Commands

Other Tools

Debugging

(FNC-CA) FortiNAC Commands

Other Tools

(FNC-CAX) Commands

Other Tools