FSSO and IP addresses that change
I've got a strange problem that crops up. I think the issue is that people get a new IP address without re-logging on and the FSSO/FortiGate gets confused.
Multiple sites, different subnet on each site. Windows laptops, Aruba wireless, FortiGate with FSSO authenticated AD groups, FortiGate policies based on AD groups.
Person logs into their Windows laptop at site A, successfully connects to internet through FortiGate. Closes the lid, drives to site B, opens the lid (gets a new IP address from DHCP). After coming out of sleep, the laptop has internal network access (i.e. to local file servers) but nothing through the FortiGate. The FortiGate logs show an unauthenticated person at the new IP address trying to get through. I always have to tell them to reboot the laptop and then all is OK.
I have the "IP address change verify interval (seconds)" set to 60 in the Single Sign On Agent config screen, even though I doubt it is needed because the documentation states "FSAE periodically checks the IP addresses of logged-in users and updates the FortiGate unit when user IP addresses change. This does not apply to users authenticated through NTLM."
Is this an FSSO limitation or some kind of configuration error on my part? Difficult to diagnose, I know, with such limited info, but I would appreciate any pointers I could get.