Validate Control
- Open two CLI windows to FortiNAC (log in as root).
- In one window, enable debug and begin packet capture.
CentOS:
nacdebug -name RemoteAccess true
nacdebug -name PaloAlto true
tf /bsc/campusMgr/master_loader/output.master | grep -i "<client MAC address>"
Example:
tf output.master | grep -i "00:21:70:D1:92:77"
FortiNAC-OS:
diagnose debug plugin enable RemoteAccess
diagnose debug plugin enable PaloAlto
execute enter-shell
tf /bsc/campusMgr/master_loader/output.master | grep -i "<client MAC address>"
Example:
tf output.master | grep -i "00:21:70:D1:92:77"
- Connect the VPN client and establish the tunnel.
- Once the VPN tunnel is established, type the following in the other window:
CentOS:
RemoteAccess -remoteIP <client VPN IP>
Example:
> RemoteAccess -remoteIP 172.16.196.10
FortiNAC-OS:
execute enter-shell
RemoteAccess -remoteIP <client VPN IP>
Example:
> RemoteAccess -remoteIP 172.16.196.10
Working example output:
IP Address = 172.16.196.10 <- client VPN IP (collected from syslog)
MAC Address = 24:77:03:07:E6:18 <- client MAC address (collected from agent)
Device Id = 6965
Interface Id = 6985
User Name = test <- user ID (collected from syslog)
Session Id = -44718900
Time Captured = Thu Nov 11 14:01:34 EST 2021
InetAddress = null
If MAC Address is missing, see KB article MAC address not detected over VPN for troubleshooting instructions.
- Review the output in the first window to confirm tags are sent to the Palo Alto.
Example:
Client VPN IP: 172.16.196.10
Client MAC address = 24:77:03:07:E6:18
Firewall Tags = VPN-Authorized
yams.SSOManager FINER :: 2021-11-11 15:50:08:801 :: SSOManager.remMessageFromQueue message removed UserIDMessage[logon, mac=24:77:03:07:E6:18, ip=172.16.196.10, user=test, tags=[VPN-Authorized]]for key 24:77:03:07:E6:18
If either the wrong tags or no tags were sent, see KB article Troubleshooting network access for Palo Alto VPN.
In the Palo Alto, verify the client has the appropriate policy applied and the host is granted access to the appropriate networks.
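The two checks this procedure asks you to make by eye (is the MAC Address present in the RemoteAccess output, and did the SSOManager message carry the expected tags) can be scripted against saved output. The following is an added example, not FortiNAC code; it assumes the "Key = Value" layout and the UserIDMessage line format exactly as shown above, and the sample inputs are constructed from the working example (the RemoteAccess sample is trimmed to the fields the check uses).

```python
import re

# Constructed sample of the 'RemoteAccess -remoteIP' output, trimmed to the checked fields.
REMOTE_ACCESS_OUTPUT = """\
IP Address = 172.16.196.10
MAC Address = 24:77:03:07:E6:18
User Name = test
Time Captured = Thu Nov 11 14:01:34 EST 2021
InetAddress = null
"""

# Constructed sample of the SSOManager line as it appears in output.master.
SSO_LOG_LINE = ("yams.SSOManager FINER :: 2021-11-11 15:50:08:801 :: "
                "SSOManager.remMessageFromQueue message removed UserIDMessage[logon, "
                "mac=24:77:03:07:E6:18, ip=172.16.196.10, user=test, "
                "tags=[VPN-Authorized]]for key 24:77:03:07:E6:18")

MESSAGE_RE = re.compile(
    r"UserIDMessage\[(?P<event>\w+), mac=(?P<mac>[0-9A-Fa-f:]*), "
    r"ip=(?P<ip>[\d.]*), user=(?P<user>[^,\]]*), tags=\[(?P<tags>[^\]]*)\]\]")

def parse_remote_access(text):
    """Turn the 'Key = Value' lines into a dict; the literal 'null' becomes None."""
    pairs = [line.partition(" = ") for line in text.splitlines() if " = " in line]
    return {k.strip(): (None if v.strip() == "null" else v.strip()) for k, _, v in pairs}

def parse_sso_message(line):
    """Extract event/mac/ip/user/tags from a UserIDMessage log line, or None if absent."""
    m = MESSAGE_RE.search(line)
    if not m:
        return None
    tags = [t.strip() for t in m.group("tags").split(",") if t.strip()]
    return {"event": m.group("event"), "mac": m.group("mac").upper(),
            "ip": m.group("ip"), "user": m.group("user"), "tags": tags}

def validate(remote_access_text, sso_line, expected_tags):
    """Return a list of problems; an empty list means the control validated."""
    problems = []
    mac = parse_remote_access(remote_access_text).get("MAC Address")
    if not mac:  # empty or None: the MAC was never collected from the agent
        problems.append("MAC address missing: see 'MAC address not detected over VPN'")
    msg = parse_sso_message(sso_line)
    if msg is None:
        problems.append("no UserIDMessage for this client in output.master")
    elif mac and msg["mac"] != mac.upper():
        problems.append("SSO message MAC does not match RemoteAccess MAC")
    elif sorted(msg["tags"]) != sorted(expected_tags):
        problems.append("wrong or no tags sent: %s" % msg["tags"])
    return problems
```

Run it against the text you copied from both CLI windows; each problem string names the KB branch the procedure sends you to.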