Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGuest
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiTester
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiVoice
- FortiWAN
- FortiToken
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: FSSO and multiple network connections
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO and multiple network connections
I' m curious if anyone has run into this problem and if so, what have they done to fix it? (v4 MR3 P8)
I have FSSO configured and it has been working properly now for several years. However, in the last few years more and more wireless connections are being made available to our users. We have implemented group policy to configure our wireless adapters to authenticate users using 802.1x and PEAP to allow authenticated users access directly onto our corporate wireless network and keeping guest users separate. The problem we have is that with this setup, users frequently use both wireless and wired connections simultaneously as they generally forget to disable their wireless connections.
This seems to present a problem with FSSO. It seems (this is a bit of an educated guess) that when a user authenticates they may source from either the wireless or the wired connection resulting in a event log entry that is monitored by the collector agent. However, sometimes when a user later goes to the internet, the traffic sources from the other adapter' s IP address. This seems to confuse the FSSO system and the user ends up with Guest access even though they are authenticated.
I know this is a lot of info...but has anyone run into this? Thoughts/Suggestions?
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does anyone have any thoughts on this?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure if anyone is interested...but I have isolated this problem to a DNS issue. The problem is caused by dynamically update settings in the DNS settings for the DHCP scope. While FSSO can handle duplicate logins from multiple IPs, it still utilizes DNS when logging entries in its table. FSSO seems to log the IP, hostname, and username for each user it " authenticates" .
The problem:
Sometimes a wired connection' s DNS entry is dynamically removed and the wireless IP is registered with DNS as an A record. This is not normally a problem. However, if the binding order is set properly and the PC utilizes the wired connection as it' s outbound connection, this presents a problem for FSSO. The firewall sees the user connection coming from the wired segment but the entries in the FSSO table on the collector sees the user associated with the A record which is now pointing to the wireless address. The fortigate then determines that the user should get " guest" access as it cannot match the user to the appropriate IP.
The solution:
Not sure yet. There are multiple ways to attack this but I am still trying to figure this out. Suggestions welcome.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This may be a problem with network adapter binding order. The FSSO collector will only see the IP address of the network connection which was used for initial authentication to the server. If the wired and wireless adapters are both active then it depends on a few factors.
If the wired network adapter is highest in the binding order, then domain authentication and internet traffic should traverse it as long as it was present at startup and remains active.
If the wireless network adapter is highest in the binding order, then it depends on whether the wireless network is available when the user logs in and how the wireless connection is authenticated. The wired network may be used for authentication if they log in quickly after startup before the wireless network is available, then switch to the wireless network when available because it' s higher in the binding order. This may cause the computer to use the wireless network and FSSO will have no authentication record for that IP.
If the user always connects the network cable before startup, then ensuring the wired network adapter is top of the binding order should help. If they tend to plug in cables after startup, then it' s difficult to control.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wasn' t the " FSSO IP address change verify interval" option suppose to overcome this?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you both for the replies.
@Dave - Not sure if that feature will specific resolve this issue. It seems to me that Fortinet is using DNS as a part of this process to authenticate users. So if the DNS entry is pointing to a wireless IP and the PC is configured to use the wired interface then the issue persists.
@jmac - Yes you are on to something there. We investigated this as well. The problem is that we always set the binding order for the wired interface to be ahead of the wireless interface. This allows for a better connection if both interfaces are enabled at the same time. So we have the binding order set the way we want it. However, we also have group policy configured which sets up a wireless configuration using PEAP. This is to allow our mobile users to move from wired to wireless and AP to AP seamlessly on the network while maintaining security. When you set this in group policy the wireless connection will always attempt to connect to this immediately if the network is in range and the adapter is enabled. So in our experience setting the binding order also doesn' t seem to resolve this issue.
A simple solution would be to " just switch the dang wireless off" . Apparently this is not something people can easily get used to as they use wireless at home and forget to disable it when returning to the office. So at this point I think I am down to either adjusting some setting in FSSO that I am unaware of (open ticket with Fortinet) or modifying the way we handle DNS either on the server or client to prevent this from occurring.
In most situations multiple connections hasn' t even been an issue but for FSSO it creates a problem sporadically. Thanks again for the responses. Any other thoughts?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mike,
I see this exact problem, though not widely because we have pretty strict controls on who can use the Corporate wireless. Funny enough, it is my boss (the IT Director) that I have the most frequent problems with. I came to the same conclusions that you have, largely, and have tried the same fixes to no avail. So, right now we' re just living with it. I did find some third-party utilities that will monitor both the wireless and wired interfaces and automatically disable the wireless if the wired is hooked up. This seems like a viable solution, but none of the utilities I found were free and I have not yet convinced my boss that the expense is worth it.
As an aside, we migrated from Websense to the webfilter in the Fortigate mostly because of cost (we didn' t even start using the firewall portion until recently). Websense did not have this problem, but it also seemed to have a different method for identifying users. Hopefully someone up at Fortinet keeps an eye on these forums and can suggest to engineering to take a look at the way Websense does user identification.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah I have looked at those too. There are even some solutions that suggest using a script that runs via scheduled tasks to monitor the network connections and shut off wireless when wired is in use. However, this seems like it might have it' s own set of issues.
I do have a ticket in with Fortinet to see what they suggest and will post back if they provide a solution. Thanks for the reply it' s good to hear I' m not alone in this.
If you are interested in the scripted option check this article out...
http://community.spiceworks.com/how_to/show/14437-how-to-bring-harmony-to-your-mixed-wired-and-wireless-networks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The corporate standard we have deployed is to simply create two wireless network: one internal corporate wireless network and one public (for guests only).
The corporate wireless network is merged into a soft-switch with the internal subnet -- authentication is done thorough a RADIUS server. Guest wireless is strictly firewalled off from any contact at all to the internal network.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Dave - this is very similar to what we have for corporate and public. We use group policy to configure windows to handle the corporate settings since we use PEAP. This results in the network automatically connecting if it is enabled (the system will follow the order in group policy). Do you have this same issue if both interfaces are enabled and connected at the same time? Do you use DHCP? If so, do you use dynamically controlled DNS settings in the DHCP scope?
Labels
-
FortiGate
9,195 -
FortiClient
1,871 -
5.2
801 -
FortiManager
788 -
5.4
639 -
FortiAnalyzer
593 -
FortiSwitch
504 -
FortiAP
491 -
FortiClient EMS
462 -
6.0
416 -
5.6
362 -
FortiMail
335 -
SSL-VPN
281 -
IPsec
258 -
6.2
251 -
FortiAuthenticator v5.5
234 -
FortiWeb
219 -
FortiNAC
215 -
5.0
196 -
FortiGuard
146 -
SD-WAN
133 -
6.4
128 -
FortiAuthenticator
125 -
FortiGateCloud
103 -
FortiCloud Products
102 -
FortiSIEM
100 -
Firewall policy
97 -
FortiToken
96 -
Wireless Controller
83 -
Customer Service
81 -
FortiProxy
71 -
High Availability
67 -
4.0MR3
64 -
Fortivoice
60 -
FortiEDR
60 -
FortiADC
56 -
vlan
54 -
ZTNA
54 -
Routing
53 -
DNS
51 -
LDAP
47 -
FortiSandbox
46 -
FortiExtender
46 -
BGP
46 -
RADIUS
45 -
SAML
45 -
Authentication
44 -
NAT
43 -
FortiDNS
42 -
SSO
42 -
Certificate
42 -
FortiGate-VM
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
VDOM
34 -
fortilink
33 -
FortiConnect
32 -
Interface
32 -
Application control
32 -
Virtual IP
28 -
FortiWAN
27 -
Logging
27 -
Web profile
27 -
FortiConverter
26 -
FortiGate v5.2
24 -
FortiPAM
24 -
SSL SSH inspection
23 -
FortiPortal
22 -
Fortigate Cloud
21 -
Traffic shaping
20 -
FortiSwitch v6.2
19 -
Automation
19 -
Static route
19 -
FortiMonitor
18 -
SSID
18 -
snmp
17 -
OSPF
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
Admin
14 -
Security profile
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiManager v5.0
12 -
Proxy policy
12 -
FortiRecorder
11 -
IPS signature
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
Explicit proxy
10 -
Traffic shaping policy
10 -
FortiAP profile
10 -
Intrusion prevention
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Port policy
9 -
FortiDeceptor
8 -
FortiCache
8 -
RMA Information and Announcements
8 -
DNS filter
8 -
Antivirus profile
8 -
Traffic shaping profile
8 -
Web rating
8 -
Fortinet Engage Partner Program
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
API
7 -
trunk
7 -
Users
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Packet capture
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
Application signature
5 -
Authentication rule and scheme
5 -
Email filter profile
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
NAC policy
4 -
DLP sensor
4 -
Netflow
4 -
Protocol option
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Multicast routing
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Zone
2 -
Vulnerability Management
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
File filter
1 -
ICAP profile
1 -
Virtual wire pair
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1921 | |
| 1144 | |
| 769 | |
| 447 | |
| 277 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.