(FNC-CA) FortiNAC Commands
Use the following KB article to gather the appropriate logs using the debugs below.
Gather logs for debugging and troubleshooting
Note: Debugs disable automatically upon restart of FortiNAC control and management processes.
|
Function |
Syntax |
Log File |
|---|---|---|
|
FortiNAC Server (Proxy RADIUS) |
|
/bsc/logs/output.master |
|
FortiNAC Server (Local RADIUS)* |
|
/bsc/logs/output.master |
|
RADIUS Service (Local RADIUS) |
Stop logging: Ctrl-C
|
/var/log/radius/radius.log |
|
L2 related activity |
|
/bsc/logs/output.master |
|
FortiGate wired port and Managed (FortiLink) FortiSwitch specific |
|
/bsc/logs/output.master |
|
FortiNAC Network association to each FortiGate |
|
/bsc/logs/output.master |
|
SSO activity** |
|
/bsc/logs/output.master |
|
Disable debug |
|
N/A |
*Enables logging for a given MAC Address:nacdebug -logger 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55' -level FINEST
To disable:
nacdebug -logger 'yams.RadiusAccess.RadiusAccessEngine.00:11:22:33:44:55'
**SSO communication:
Logon and logoff messages are written to /bsc/logs/output.master in the FortiNAC CLI by default without debug enabled.
Logon Sample message:
FortiGate IP: 10.0.0.1
Client IP address: 10.0.0.10
Client MAC address = 00:09:B0:DA:40:C9
SSO Tag = Production
yams.SSOManager INFO :: 2021-02-23 07:33:25:003 :: SSOManager.sendMessage sending message to 10.0.0.1 for client 00:09:B0:DA:40:C9
com.bsc.plugin.manager.SSOManager$DeviceMessage[logon, mac=00:09:B0:DA:40:C9, ip=10.0.0.10, tags=[Production]]Other Tools
Send a RADIUS Disconnect:
SendCoA -ip <devip> -mac <clientmac> -dis
Example:
SendCoA -ip 10.1.0.25 -mac 00:1B:77:11:CE:2F -dis
Manual SSO resync (versions 8.8.11 and greater)
SSOTool -r -ip <FortiGate IP>