jeroenwichers
New Member
July 12, 2021
Question

FortiGate RADIUS implementation sends client IP as Calling-Station-Id

  • July 12, 2021
  • 1 reply
  • 8481 views

Hi guys,

I've noticed that my FortiGate with FortiOS v6.4.2 sends the IP address of my client as "Calling-Station-Id". I'd like to see the MAC address of my client here so that I can make use of device authentication. Is it possible to change this behaviour?


Many thanks in advance!

    1 reply

    xsilver_FTNT
    Staff
    July 12, 2021

    Not sure about FOS 6.4.2, but I quickly tested on one running 6.4.4.

    I made a simple SSID with WPA2-Enterprise and pointed it to FAC as the RADIUS server.

    And Calling-Station-Id does contain the MAC of the end-point device. So it works.

    jeroenwichers
    New Member
    July 12, 2021

    Hi!

    Thanks for your reply! I am using the NPS feature from Windows Server to act as RADIUS server, and here the calling station identifier is thus an IP address.

    Any thoughts?


    xsilver_FTNT
    Staff
    August 9, 2021

    I was testing and thinking about that and .. what feature do you use, and so which one produces those Access-Requests?

    Because RADIUS Auth and Accounting messages and Calling-Station-Id on FGT 6.4.x are produced this way:

    - if I do auth on a WiFi SSID, then Calling-Station-Id is populated with the MAC address, because FGT is the WLC (WiFi controller) and the client is directly connecting to an AP which is managed by FGT.

    And therefore FGT is the one who somehow assigns the IP, as when the user connects it has no IP assigned yet. And so the MAC address is the only identifier.

    - if I do auth on SSLVPN, then Calling-Station-Id is populated with the IPv4 address,

    because FGT is the VPN concentrator and clients already have an IP assigned, and also because in the VPN case the client is not connecting to FGT directly (as with an SSID on an AP and WLC), but from a distance, and so the MAC address is not that relevant a detail, as the final packets received on FGT came from the close peer device's MAC address and not from the client.

    It appears in both: in Access-Request and, if FGT is set to send ACCT, in Accounting-Request too.
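The reply above describes two shapes the Calling-Station-Id attribute (RADIUS attribute type 31) can take on a FortiGate: a MAC address for wireless authentication and an IPv4 address for SSL VPN, in both Access-Request and Accounting-Request. The script below is an added example written for this page, not code from Fortinet or from anyone in the thread. It builds constructed sample packets for both cases (the user names, MAC and addresses are made up; the authenticator is left as zeros), parses the attribute TLVs with length checks, and classifies the Calling-Station-Id as a MAC, an IP address or something else. This is the kind of check that helps when writing an NPS network-policy condition on Calling Station ID, because the pattern you match has to fit the format the NAS actually sends for that access type.

```python
import ipaddress
import re
import struct

# RADIUS packet codes and attribute types from RFC 2865 / RFC 2866
CODE_ACCESS_REQUEST = 1
CODE_ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31

# Six hex octets with a consistent separator of "-", ":" or none at all
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([-:]?)(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")


def build_request(code, attrs, identifier=1):
    """Build a minimal RADIUS request with the given (type, value) attributes.
    The 16-byte authenticator is left as zeros: these are constructed samples
    for offline parsing, not packets to put on the wire."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); reject truncated or overlapping TLVs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, attrs


def classify_station_id(value):
    """Classify a Calling-Station-Id value as 'mac', 'ip' or 'other'."""
    text = value.decode("ascii", errors="replace")
    if MAC_RE.match(text):
        return "mac"
    try:
        ipaddress.ip_address(text)
        return "ip"
    except ValueError:
        return "other"


def summarize(packet):
    """Return (code, user_name, calling_station_id, kind) for one request."""
    code, attrs = parse_attributes(packet)
    values = dict(attrs)  # the samples carry each attribute once
    user = values.get(ATTR_USER_NAME, b"").decode("ascii", errors="replace")
    csid = values.get(ATTR_CALLING_STATION_ID)
    if csid is None:
        return code, user, None, "missing"
    return code, user, csid.decode("ascii", errors="replace"), classify_station_id(csid)


# Constructed samples mirroring the two cases described in the thread
WIFI_REQUEST = build_request(CODE_ACCESS_REQUEST, [
    (ATTR_USER_NAME, b"alice"),
    (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),
    (ATTR_CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"),
])
SSLVPN_REQUEST = build_request(CODE_ACCESS_REQUEST, [
    (ATTR_USER_NAME, b"bob"),
    (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),
    (ATTR_CALLING_STATION_ID, b"203.0.113.7"),
])
SSLVPN_ACCT = build_request(CODE_ACCOUNTING_REQUEST, [
    (ATTR_USER_NAME, b"bob"),
    (ATTR_CALLING_STATION_ID, b"203.0.113.7"),
])

if __name__ == "__main__":
    for pkt in (WIFI_REQUEST, SSLVPN_REQUEST, SSLVPN_ACCT):
        print(summarize(pkt))
```

Running the script prints one tuple per sample: the WiFi request classifies as `mac`, the two SSL VPN messages (Access-Request and Accounting-Request) as `ip`. Pointing `parse_attributes` at a real capture of your own NAS traffic is the quickest way to confirm which format a given FortiGate feature sends before building a device-authentication policy around it.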