- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Machines in the domain, requesting login in Captiv...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Machines in the domain, requesting login in Captive Portal
Hello everyone, I have a very annoying problem and I do not know how to solve it. Here in the company the navigation on the internet depends on authentication of the users in the domain, I installed FSAE_FSSO on the domain controllers, I configured Fortigate correctly, which in fact are two in cluster. Most of the network users surf normal, Fortigate recognizes and authenticates, but other good users always need to put their login and password on a Captive Portal screen, it's as if Fortigate does not recognize them automatically, all computers are in the domain, some using network cable and others using Wi-Fi, all take IP in normal DHCP and have the records due in the Active Directory-integrated DNS zone. So I ask, what can it be? Anyone here have any ideas? Thank you !
Ivanildo Galvão Consultor de Tecnologia MCP, MCT, MCSA, VSP, VTSP, ITIL V3
Ivanildo Galvão Consultor de Tecnologia MCP, MCT, MCSA, VSP, VTSP, ITIL
V3
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the collector agent using DC Agent mode or Polling mode?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
DC Agent. I install in 3 domain controllers.
Ivanildo Galvão Consultor de Tecnologia MCP, MCT, MCSA, VSP, VTSP, ITIL V3
Ivanildo Galvão Consultor de Tecnologia MCP, MCT, MCSA, VSP, VTSP, ITIL
V3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1.
be aware that if you run Collector in DCAgent mode then those agents ahs to be installed on all the DCs which are supposed to login users. Decision which logon server will be used is up to the workstation and Windows OS.
Therefore is some user/workstation has issues, also check 'echo %logonserver%' on workstation and then if that DC is properly monitored by DCAgent ans agent's updates properly seen in Collector.
2.
DNS records made by MSFT DHCP tend to overwrite a single A record, so if workstation connect via cable and wifi it will have just latest assigned IP in DNS, not both. But if its routing cause data (HTTP requests for example) to pass through other NIC and being sourced with that IP, then firewall will not match that traffic with FSSO user record as that would have second IP. Solution it so allow updates of DNS from workstations. As every NIC will try to update it's records by default. This will result in all NIC addresses registered in DNS for a single workstation name. Multiple A records. And so FSSO will check DNS and create user record for all the IPs found. That might be part of your issue.
3.
check if users trully hit Captive portal or it's NTLM fallback. Config check needed. Use flow debug on FGT and make sure their traffic frlows through intended interfaces and firewall policies. It might appear that interface the users are conencting in has Captive portal turned on.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, I'll check all these points. The DNS records issue I already knew, but I will review all points. Thank you !
Ivanildo Galvão Consultor de Tecnologia MCP, MCT, MCSA, VSP, VTSP, ITIL V3
Ivanildo Galvão Consultor de Tecnologia MCP, MCT, MCSA, VSP, VTSP, ITIL
V3
Related Posts
- SSO on Self-Service Portal FortiAuthenticator 134 Views
- Script Authentication 310B 1662 Views
- Captive Portal inline with FSSO 3807 Views
- Captive portal authentication for wired Domain... 4027 Views
Labels
-
FortiGate
6,527 -
FortiClient
1,302 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
241 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.