AoHICT
New Member
October 21, 2020
Question

FSSO and mobile computers that have been docked


I have lots of users that frequently undock their laptops and work off WiFi. When they re-dock, the FSSO collector retains only the DHCP-supplied WiFi IP address against the user. When they subsequently make a web request, the FortiGate does not authenticate them and blocks access because they have no username or group assignments. I've tried re-authenticating on the wired network but no joy.

If I manually remove the DHCP lease and the corresponding DNS record, clear the FSSO cache and get the user to re-authenticate, this usually fixes the problem after the FortiGate refresh interval. This is not an ideal solution!!

I can't imagine that my situation is unusual in any way.  Any suggestions on things to check would be appreciated.

Dave

    2 replies

    Alivo__FTNT
    Staff
    October 23, 2020

    Hi Dave,

    What does nslookup <workstation name> show on the server with Collector Agent when the user gets back to use ethernet?

    Best Regards, Alivo

    xsilver_FTNT
    Staff
    October 26, 2020

    It seems to me that you might be struggling with DHCP overwriting a single DNS A record for the workstation, so FSSO, when it checks the logon event, sees just the last DHCP-requested IP.

    So when the user logs on from wired (dock) and gets an IP and DNS record of, let's say, 10.10.1.1, then undocks and gets a WiFi IP of, let's say, 10.20.1.1, which is then updated in DNS as the single last-assigned IP for the respective A record, then when the user re-docks and starts re-using 10.10.1.1, this IP is no longer in FSSO as an authorized one, because the WiFi DHCP request for 10.20.1.1 overwrote the DNS A record. And that's AFAIK the default behavior of MSFT DNS/DHCP.

    More on that could be found here I guess: https://forum.fortinet.com/tm.aspx?m=126175

    EDIT:

    More on Dual NIC issue summarized and posted into KB here: https://kb.fortinet.com/k...amp;externalId=FD50329
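
Added example, not part of the thread and not Fortinet code: a small Python check that automates the nslookup comparison asked for above, flagging workstations whose DNS A record does not contain the IP they are currently using. The host names, the sample DNS table and the `sample_resolver` helper are constructed for illustration; the two IP addresses for LAPTOP-01 are the ones used in the reply above.

```python
import socket
from ipaddress import ip_address


def resolve_a_records(hostname):
    """Return the set of IPv4 addresses DNS currently holds for hostname."""
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
    except OSError:  # name not found, timeout, no resolver
        return set()
    return set(addrs)


def check_workstation(hostname, active_ip, resolver=resolve_a_records):
    """Compare the IP a workstation is using now with its DNS A record(s)."""
    active = str(ip_address(active_ip))  # raises ValueError on a malformed IP
    records = resolver(hostname)
    if not records:
        status = "no-record"
    elif active in records:
        status = "ok"
    else:
        status = "stale"  # DNS points at another address, e.g. the WiFi lease
    return {"host": hostname, "active_ip": active,
            "dns": sorted(records), "status": status}


def audit(workstations, resolver=resolve_a_records):
    """Return only the workstations whose DNS record misses the active IP."""
    results = (check_workstation(h, ip, resolver) for h, ip in workstations)
    return [r for r in results if r["status"] != "ok"]


# Constructed sample data: LAPTOP-01 is docked on 10.10.1.1, but its single
# A record still holds the WiFi lease 10.20.1.1 (the case described above).
SAMPLE_DNS = {"LAPTOP-01": {"10.20.1.1"}, "LAPTOP-02": {"10.10.1.2"}}
SAMPLE_ACTIVE = [("LAPTOP-01", "10.10.1.1"),
                 ("LAPTOP-02", "10.10.1.2"),
                 ("LAPTOP-03", "10.10.1.3")]


def sample_resolver(hostname):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return SAMPLE_DNS.get(hostname, set())


if __name__ == "__main__":
    for row in audit(SAMPLE_ACTIVE, sample_resolver):
        print(row)
```

Run against real DNS by omitting the `resolver` argument, on the server that hosts the Collector Agent so the answers match what that server resolves.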