Description
This article explains why DNS traffic from a user machine is seen passing through the FortiGate even though the user behind a captive portal (user-based firewall policy) has not been successfully authenticated.
Scope
FortiOS.
Solution
A captive portal has been created using a user-based firewall policy. Internet traffic works as expected after authentication, but DNS traffic from the client is still forwarded even when the user has logged out or has never authenticated.
In the example below there is a single user-based policy, so internet access is only expected to work after a successful authentication.
Firewall policy:
- port2 is the LAN interface and port1 is the WAN interface.
- There is only a single policy, and it has a user specified.
- To access the internet the user therefore has to authenticate.
- The username is Monday.
No user is authenticated yet:
mercury-kvm34 # diagnose firewall auth list
----- 0 listed, 0 filtered ------
The user is not authenticated, yet an nslookup from the client machine still returns an answer:
> fortinet.com
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: fortinet.com
Addresses: 54.177.212.176
54.151.118.105
Tracing the DNS flow shows the query being received on port2 (LAN) and forwarded out of port1 (WAN).
The forward traffic logs likewise show the DNS traffic being accepted while the user has still not authenticated.
Once the user authenticates, the other services start working as well; only DNS was already working before authentication:
mercury-kvm34 # diagnose firewall auth list
10.5.61.105, monday
src_mac: 00:6d:65:72:23:01
type: fw, id: 0, duration: 12, idled: 0
expire: 288
flag(804): hard no_idle
packets: in 236 out 144, bytes: in 205590 out 19336
user_id: 16777225
group_id:
group_name:
----- 1 listed, 0 filtered ------
DNS is allowed before authentication by design. Name resolution is a base protocol that is almost always needed before the authentication traffic itself can appear: the client has to resolve the name of the site it is trying to reach before it sends the HTTP request that triggers the captive portal redirect. Hostname resolution is therefore treated as a prerequisite for practically any other protocol.
This only applies when the DNS service is actually permitted by the policy (for example, service set to ALL or to DNS). If DNS is not among the allowed services it is not passed either before or after authentication.
In short: on a user-based policy that allows DNS, DNS traffic is passed even while the user is not authenticated. Keep in mind that an unauthenticated host can therefore still reach any DNS server the policy's destination permits; if that is not desirable, limit which resolvers are reachable from the LAN through the policy's destination address or a more specific policy placed above it.
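As an added example (not part of the original article), the Python script below parses FortiGate forward-traffic log lines in their key=value form and separates the accepted flows that carry no user= field (passed before authentication, as the forward logs in this article show for DNS) from those that do. The log lines are constructed for the example; the field names follow the FortiOS traffic log format, and the function names are the example's own. It also flags any pre-authentication accept that is not DNS, since on a user-based policy that is not the expected behaviour and is worth investigating.

```python
import re
from collections import defaultdict

# Constructed sample FortiGate forward-traffic log lines (not taken from the
# article). The first two are DNS before "monday" authenticated, so they have
# no user= field; the last two were logged after authentication.
SAMPLE_LOGS = """\
date=2024-01-15 time=10:00:01 type="traffic" subtype="forward" srcip=10.5.61.105 srcport=53412 srcintf="port2" dstip=8.8.8.8 dstport=53 dstintf="port1" proto=17 action="accept" policyid=1 service="DNS"
date=2024-01-15 time=10:00:02 type="traffic" subtype="forward" srcip=10.5.61.105 srcport=53413 srcintf="port2" dstip=8.8.8.8 dstport=53 dstintf="port1" proto=17 action="accept" policyid=1 service="DNS"
date=2024-01-15 time=10:00:30 type="traffic" subtype="forward" srcip=10.5.61.105 srcport=53420 srcintf="port2" dstip=54.177.212.176 dstport=443 dstintf="port1" proto=6 action="accept" policyid=1 service="HTTPS" user="monday"
date=2024-01-15 time=10:00:31 type="traffic" subtype="forward" srcip=10.5.61.105 srcport=53421 srcintf="port2" dstip=8.8.8.8 dstport=53 dstintf="port1" proto=17 action="accept" policyid=1 service="DNS" user="monday"
"""

# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one FortiGate key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def accepted_forward_flows(log_text):
    """Yield parsed records for accepted forward-traffic entries only."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("subtype") == "forward" and rec.get("action") == "accept":
            yield rec


def unauthenticated_accepts(log_text):
    """Accepted flows with no user= attribution, i.e. flows the firewall let
    through while no user was authenticated on the policy."""
    return [rec for rec in accepted_forward_flows(log_text) if "user" not in rec]


def services_by_auth_state(log_text):
    """Map srcip -> {"pre_auth": {services}, "post_auth": {services}}."""
    out = defaultdict(lambda: {"pre_auth": set(), "post_auth": set()})
    for rec in accepted_forward_flows(log_text):
        state = "post_auth" if "user" in rec else "pre_auth"
        service = rec.get("service", rec.get("dstport", "?"))
        out[rec["srcip"]][state].add(service)
    return dict(out)


def non_dns_pre_auth(log_text):
    """Pre-authentication accepts that are not DNS (by service name or port 53).
    On a user-based policy only DNS is expected here; anything else deserves a
    look at the policy order and services."""
    return [
        rec for rec in unauthenticated_accepts(log_text)
        if rec.get("service") != "DNS" and rec.get("dstport") != "53"
    ]


if __name__ == "__main__":
    for ip, state in services_by_auth_state(SAMPLE_LOGS).items():
        print(ip, "pre-auth:", sorted(state["pre_auth"]),
              "post-auth:", sorted(state["post_auth"]))
    print("unexpected pre-auth flows:", non_dns_pre_auth(SAMPLE_LOGS))
```

Run against real exported traffic logs, the pre-auth set for each source should contain nothing but DNS; any other service listed there means traffic is matching a policy without user attribution, which is exactly what the auth list and forward logs in this article are used to verify.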