- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FSSO - Wireless <--> LAN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO - Wireless <--> LAN
I have a policy set to allow the marketing AD group to access social networking sites, the next entry is set to block. Everything works as expected, until the user un-docks the laptop and moves to the wireless network. Under the wireless network it is blocked for the user under the marketing AD group. I look under "Show Logon Users" it shows the username and workstation associated to the LAN IP address and not the updated IP address, can we set to ignore the IP? If i do a "ipconfig /registerdns" and wait 60 seconds the list is updated and it woks as expected. This will be an issue if we have to do this every time they move between subnets (LAN/Wireless). Also this will cause an issue when we run a report based on a username.
More Info:
[ul]
Thanks!
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anyone? 
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Robert,
no, I don't think that you can ignore the IP. That's how User Authentication works: IP <->User.
You should make sure that the DNS server is automatically updated with the new IP, once the user has changed from wired to wireless network.
Alternatively you can make use of the FSSO guest users for those users who has received a new IP. So that this group will get limited internet access at least.
Sylvia
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
They already have 2 DNS entries for the same host. One for the wireless and one for the LAN. I understand how it works it just causes an issue and was looking for a work around. Has anyone else have the same issue. Another issue I came across is if a user logs into a workstation at the desk and then sign onto a thin client in the exam room it doesn't pick up the correct user information.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
from mentioned DCAgent mode I assume you have Collector somewhere and so we are talking about FSSO.
- Collector by default does use DNS from underlying MS OS, so check that mentioned 2 IP for WKS are resolvable from WKS name ON that underlying server where Collector is installed.
- if needed/suitable, you can specify alternative DNS servers in Collector GUI Advanced settings
- also check that Collector does have "IP address change verify interval" set >0 so it WILL check for additional IP or IP changes made in DNS, in registry it's "DNSlookupinterval"=dword:00000002 in [HKEY_LOCAL_MACHINE\software\fortinet\fsae\collectoragent]
Those should help. Collector is able to handle multiple IP addresses as source IP for a single user.
Kind regards, Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm facing the same issue.
Our FSSO Collector (we don't have DCAgent) doesn't update the ip changes. I think that the problem is that he doesn't know all workstation names. Some entries have IP in IP address column and device name in workstation name. Others have ip address in both, address column and Workstation name.
How does the FSSO know the workstation name?
I have seen the AD Event 4624 and the field workstation name is blank. But, there are some entries in the FSSO Collector that have workstation name and in the corresponding AD Event the filed is blank.
Kind Regards,
Iratxe
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
it is recommended to use MSSO (mobility agent sso, aka Forticlient SSO). A FAC a required to use that, but it is the best way to have an up to date information.
Lucas
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Collector knows IP and name from multiple sources.
Primary source is event. Especially in polling modes. However some events like 4624 do not contain workstation name anymore, while older events like 680 672 contained workstation name only and no IP.
Secondary source is DNS. And FSSO depends on accurate and working DNS heavily. So IP can be derived from workstation name and verified from IP. Additional events spotted can contribute to precision of the records.
IP updates are by default NOT performed, so Collector learns new IPs from new events.
But it could be changed via registry key "verifyIP". So new DNS lookup will be done periodically and IPs updated.
Single workstation can have multiple IPs, but make sure that your DNS is updating A/AAA records accordingly and not just overwriting a single A record. That could be avoided by proper DNS setup or by workstations being allowed to update all their NICs IP addresses into DNS (by default MSFT workstations are trying to do so and DNS prevents that).
Alternative way is mentioned agent on workstation. Called SSOMA (Single Sign-On Mobility Agent) but it requires FortiAuthenticator as Collector and peer to work with.
Windows EventIDs used in WinSec Poling
https://kb.fortinet.com/k...amp;externalId=FD36424
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
More on Dual NIC issue summarized and posted into KB here: https://kb.fortinet.com/k...amp;externalId=FD50329
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Related Posts
Labels
-
FortiGate
6,519 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
83 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.