yaba wrote:
the relevant firewall rules, please try the following command? set ntlm enable
Can you expand on why NTLM enable would affect my wireless clients?
Hi,
In your case it might be possible that the clients do not update their DNS record after moving from wired to wireless network. If collector agent receives the workstation name in logon event, then it needs to translate it to IP using DNS. Is the dynamic update configured in customer environment ?
http://technet.microsoft.com/en-us/library/cc784052%28v=ws.10%29.aspx
Best Regards,
Pavel
livo
Pavel_Livonec_FTNT wrote:Hi,
In your case it might be possible that the clients do not update their DNS record after moving from wired to wireless network. If collector agent receives the workstation name in logon event, then it needs to translate it to IP using DNS. Is the dynamic update configured in customer environment ?
http://technet.microsoft.com/en-us/library/cc784052%28v=ws.10%29.aspx
Best Regards,
Pavel
Dynamic DNS is not really configurable. It's either on or off. In my environment, which is AD/DNS based, dynamic updates are enabled on the clients and the DNS server. Beyond that, other than some registry tweaks I am unaware of... it is enabled in it's default setting.
K
Here is the fix.
Had to tie DHCP to DNS for dynamic updates.
http://technet.microsoft.com/en-us/library/ee941150(v=ws.10).aspx
K
We have sort of the same problem. FSSO is seeing the people logged in on wireless, but all internet traffic goes across the wired connection. DNS sees the computer on wireless connection only. We are set to "Always dynamically update DNS records". Only fix we have found is to have them turn off wireless when docked and then to turn it on when wireless, then back off before they dock again. We also tell them to make sure they log off the computer when switching between wired/wireless.
Is there any way to get FSSO to use both connections?
We were setup to have the clients update DNS records which would allow wired and wireless FSSO records but the problem we had were duplicate DNS entries with other computer names which just messed up FSSO also.
Have a look at this post as well. More detailed than the technet one. This is what I used to fine tune it.
Basically when a client polls DHCP for an address, the DHCP server will handle the dynamic updates to DNS. Somehow this will register a Logon event on the AD, which is where the FSSO is polling for accounts.
So far this has drastically lessened the number of calls our support line handles for content filtering profile problems.
If you're using WPA/WPA2 Enterprise with a wireless controller you can try sending the Radius accounting messages to the Fortigate to do RSSO for the wireless. If you're just using WPA/WPA2 with a static passphrase then I'd set the NTLM option on the policies to prompt for a username/password.
We don't use the DC polling , but then we're going a little more heavy duty for authentication than most. We use dot1x for wired & wireless; every user device (laptops, workstations, phones, tables, etc..) that is on the network is authenticated with a valid Domain account. We then send the radius accounting messages to our FortiAuthenticators which forward all user information to our Fortigates, usually within 2 seconds of a device getting an IP address the Fortigates have the User, IP & Groups and access is allowed.
Regards,
Matthew
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.