Hello everyone,
I don't remember since when but already for several releases I have an anomaly in the list of users authenticated in wifi through WAP2 Enterprise protocol. User authentication is provided by a Radius server that authenticates users in an AD Domain ( NPS ) .
After their authentication I also see in the user list a set of IPV6 addresses linked to the authenticated usernames . Where do these addresses come from ? from the fact that their laptops and smartphones also have ipv6 link enabled ? because the DHCP configured on the Fortigate does not have a lease enabled in IPV6..
Has this happened to anyone?
I attach a few screens to better understand the issue
Regards
Fabio
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
the list of users with ipv6 only happens with WPA2 Enterprise wifi and not for example with others that I manage in WPA2/3 or Captive Portal. There must be something with the Windows AD and his NPS ( Radius module ) . I'll also put you the screenshot with the Collector Agent users installed on the Domain Controller but here you don't see users connected in IPV6.
I'm going to see if any configuration of the NPS that runs the RADIUS module has qualvhe problem with hosts that have IPV6 interface enabled.
Then as you see with the user in a few seconds it takes several IP addresses in IPV6.. and this user has an iPhone not a Windows laptop.
Dear Fabio,
I'm not sure if this has been suggested before, but based on the screenshot snippets, the IPv6 information does NOT come from FSSO - the login source shows as 'WiFi Single Sign On', not 'FSSO'.
Can you run this command in CLI?
'dia firewall auth list'
That should give you a better idea of the authentication source; I'm guessing FortiGate is passively picking up on WPA2 enterprise auth in some way, and generates logins from that.
Cheers,
Debbie
Created on 09-11-2024 12:22 AM Edited on 09-11-2024 12:25 AM
Hi Debbie,
i just run the command, but list only user with IPV4 and not IPV6..
I attached the screens of my FortiAnalyzer and Fortigate when the IPV6 has detects.
When the client is authenticated, the FGT detects, in addition to the IPV4 address which is filtered here, the IPV6 address, with this reason by NONE packet and as you can see this process is repeated numerous times, it does not stop, showing different IPV6 addresses, each time different.
What I would like is for the FGT not to count these entries as Firewall Users and for them not to appear in that list which causes me confusion in the total user count.
Hey Fabio,
I'm wondering a bit how FortiGate is picking up on the users and IPs then - do you have device detection enabled on the WiFi interface perhaps?
Do you find those IPv6 entries when running the command 'dia user device list'?
Cheers,
Debbie
Hello,
in the command 'dia user device list' there aren't the ipv6 address:
vd root/0 be:d5:55:02:d6:0f gen 238495 req 0
created 603163s gen 238333 seen 603162s WIFI_PUB_2 gen 1206
ip 10.3.6.50 src arp
vd root/0 42:6b:06:2b:8e:49 gen 244237 req 0
created 517588s gen 243741 seen 312868s WIFI_PUB gen 1294
ip 10.3.4.110 src arp
hardware vendor 'Apple' src http id 1716 weight 220
type 'Phone' src http id 1716 weight 220
family 'iPhone' src http id 1716 weight 220
os 'iOS' src http id 1716 weight 220
hardware version '11' src dns id 4598 weight 200
software version '16.3.1' src http id 1716 weight 220
host 'iPhone-XXXXXXX' src dns
vd root/0 48:9e:bd:5e:4f:a6 gen 222817 req 0
created 1025744s gen 222039 seen 15s VLAN_19 gen 1099
ip 10.12.7.93 src arp
hardware vendor 'HP' src dns id 3521 weight 150
type 'Printer' src dns id 3521 weight 150
family 'OfficeJet' src dns id 3521 weight 150
os 'Linux' src mwbs id 3340 weight 50
host 'EXXXXXXXX' src mwbs
But even disabling the Device Detection option, the IPV6 addresses still remain.
I noticed one thing that if I see in a Windows Pc the virtual interfaces for example just of the FortiClient you will notice that it has an IPV6 address .
I did a test with my iPhone where I can't disable the IPV6 address on wifi interface and it detect it at the first time you log in.
This evidently means that every interface both physical and virtual if not disabled has an IPV6 address.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.