FSSO and wifi/wired connections

Question by Kevin (New Member), October 20, 2014
6 replies, 19849 views
I have 3 domain controllers that I have installed the FSSO agent on. I have configured the Fortinet 300D to query the three domain controllers. For desktop users I am pretty happy with the authentication. For laptop users that bounce between wifi and wired, they are getting quite frustrated with the web filtering. When they unplug from the network and switch on their wifi, the Fortinet gives them the guest-access web filter, which is pretty limited. In order to update their authentication on the firewall they are having to log out / log on. Is there some better way I am missing to resolve this? K

    6 replies

    TuncayBAS (Explorer), October 20, 2014

    the relevant firewall rules, please try the following command: set ntlm enable
    Kevin (author, New Member), October 22, 2014

    yaba wrote:
    the relevant firewall rules, please try the following command: set ntlm enable

    Can you expand on why NTLM enable would affect my wireless clients?

    Alivo__FTNT (Staff), October 21, 2014

    Hi,

    In your case it might be possible that the clients do not update their DNS record after moving from the wired to the wireless network. If the collector agent receives the workstation name in the logon event, then it needs to translate it to an IP using DNS. Is dynamic update configured in the customer environment?

    http://technet.microsoft.com/en-us/library/cc784052%28v=ws.10%29.aspx

    Best Regards,

    Pavel

    Kevin (author, New Member), October 22, 2014

    Pavel_Livonec_FTNT wrote:

    Hi,

    In your case it might be possible that the clients do not update their DNS record after moving from the wired to the wireless network. If the collector agent receives the workstation name in the logon event, then it needs to translate it to an IP using DNS. Is dynamic update configured in the customer environment?

    http://technet.microsoft.com/en-us/library/cc784052%28v=ws.10%29.aspx

    Best Regards,

    Pavel

    Dynamic DNS is not really configurable. It's either on or off. In my environment, which is AD/DNS based, dynamic updates are enabled on the clients and the DNS server. Beyond that, other than some registry tweaks I am unaware of... it is enabled in its default setting.

    K

    Kevin (author, New Member), October 28, 2014

    Here is the fix.

    Had to tie DHCP to DNS for dynamic updates.

    http://technet.microsoft.com/en-us/library/ee941150(v=ws.10).aspx

    K

    Jasonhilt (New Member), October 29, 2014

    We have sort of the same problem. FSSO is seeing the people logged in on wireless, but all internet traffic goes across the wired connection. DNS sees the computer on the wireless connection only. We are set to "Always dynamically update DNS records". The only fix we have found is to have them turn off wireless when docked and then turn it on when wireless, then back off before they dock again. We also tell them to make sure they log off the computer when switching between wired/wireless.

    Is there any way to get FSSO to use both connections?

    We were set up to have the clients update DNS records, which would allow wired and wireless FSSO records, but the problem we had was duplicate DNS entries with other computer names, which just messed up FSSO as well.

    Kevin (author, New Member), October 29, 2014

    Have a look at this post as well. It is more detailed than the TechNet one. This is what I used to fine-tune it.

    Basically, when a client polls DHCP for an address, the DHCP server will handle the dynamic updates to DNS. Somehow this will register a logon event on the AD, which is where the FSSO is polling for accounts.

    So far this has drastically lessened the number of calls our support line handles for content filtering profile problems.

    http://blogs.msmvps.com/a...-dnsproxyupdate-group/
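As an added illustration (not code from the thread or from Fortinet), the PowerShell below applies and then verifies the DHCP-to-DNS dynamic update setup that Kevin's fix describes, run from a Windows Server with the DhcpServer and DnsServer RSAT modules. The server name DHCP01, zone corp.example.com and client LAPTOP01 are constructed placeholders, and the dedicated update account in step 3 is a standard companion setting rather than something the thread spells out.

```powershell
# Added example, not part of the original thread.
# Assumed/constructed names: DHCP server DHCP01, zone corp.example.com, client LAPTOP01.
Import-Module DhcpServer
Import-Module DnsServer

$DhcpServer = 'DHCP01'
$Zone       = 'corp.example.com'
$Client     = 'LAPTOP01'

# 1. Show the current server-wide DNS registration behaviour.
$before = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
"Before: DynamicUpdates={0} DeleteOnExpiry={1} OlderClients={2}" -f `
    $before.DynamicUpdates, $before.DeleteDnsRRonLeaseExpiry, $before.UpdateDnsRRForOlderClients

# 2. Let DHCP own the A/PTR records: always update, and remove them when a lease expires,
#    so the old wired address does not linger next to the new wireless one.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -DeleteDnsRRonLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true

# 3. Assumption: a dedicated low-privilege account for the updates (prompted here), so the
#    records DHCP creates are owned by that account and can be overwritten when a client roams.
Set-DhcpServerDnsCredential -ComputerName $DhcpServer `
    -Credential (Get-Credential -Message 'DNS update account for DHCP')

# 4. Check: every A record for the client versus every active lease it currently holds.
$records = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Client -RRType A `
    -ErrorAction SilentlyContinue
$leases  = Get-DhcpServerv4Scope -ComputerName $DhcpServer |
    ForEach-Object { Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $_.ScopeId } |
    Where-Object { $_.HostName -like "$Client*" -and $_.AddressState -like 'Active*' }

$recordIps = @($records | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
$leaseIps  = @($leases  | ForEach-Object { $_.IPAddress.IPAddressToString })

"A records : $($recordIps -join ', ')"
"Leases    : $($leaseIps -join ', ')"

# The collector agent resolves the workstation name from the logon event to an address; an
# A record that still points at an address the client no longer holds means the client's
# real traffic is unmatched and falls through to the guest (unauthenticated) policy.
$stale = $recordIps | Where-Object { $leaseIps -notcontains $_ }
if ($stale) { "Stale A record(s) for ${Client}: $($stale -join ', ')" }
else        { "All A records for $Client match an active lease." }
```

Run step 4 on its own after a laptop has moved from wired to wifi; a stale address listed there is the symptom both Kevin and Jasonhilt describe.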

    Matthew_Mollenhauer (New Member), October 30, 2014

    If you're using WPA/WPA2 Enterprise with a wireless controller, you can try sending the RADIUS accounting messages to the FortiGate to do RSSO for the wireless. If you're just using WPA/WPA2 with a static passphrase, then I'd set the NTLM option on the policies to prompt for a username/password.

    We don't use the DC polling, but then we're going a little more heavy duty for authentication than most. We use dot1x for wired & wireless; every user device (laptops, workstations, phones, tablets, etc.) that is on the network is authenticated with a valid Domain account. We then send the RADIUS accounting messages to our FortiAuthenticators, which forward all user information to our FortiGates; usually within 2 seconds of a device getting an IP address the FortiGates have the user, IP & groups, and access is allowed.

    Regards,

    Matthew