Hello everyone,
I don't remember since when but already for several releases I have an anomaly in the list of users authenticated in wifi through WAP2 Enterprise protocol. User authentication is provided by a Radius server that authenticates users in an AD Domain ( NPS ) .
After their authentication I also see in the user list a set of IPV6 addresses linked to the authenticated usernames . Where do these addresses come from ? from the fact that their laptops and smartphones also have ipv6 link enabled ? because the DHCP configured on the Fortigate does not have a lease enabled in IPV6..
Has this happened to anyone?
I attach a few screens to better understand the issue
Regards
Fabio
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Do you have any on-premise read only domain controllers? If not, do you have domain services enabled with your AzureAD. If you do, fortiGate can talk via LDAP to either of those services to perform WPA-Enterprise Auth for your wireless clients (using username and password) https://mobdro.bio/ .
"Do you have any on-premise read only domain controllers?" for what ?
" If not, do you have domain services enabled with your AzureAD" no, none of that.
we have everything on-premis. My Fortigate talk via Radius to authenticat.
I have also a FSSO Agent install on AD domain to perform a FSSO via LAN, but the IPV6 address there are only for the Wifi groups
Hi Fabio
The displayed IPv6 addresses seems random, so it is unlikely that they were assigned by any DHCP server.
In case you don't need IPv6 in your firewall then I think if you disable it you should not see such addresses anymore.
Do you think it is better to disable it globally or on the vap interface of the SSID?
If you don't need it you may try both.
I tried this command , but the default value were already disable..
To disable IPv6 in the CLI, run the following commands:
config sys global
set gui-ipv6 disable
end
To disable IPv6 an on interface level using the CLI:
config sys interface
edit <name_of_the_interface>
config ipv6
unset ip6-address <IPv6 prefix>
unset ip6-allowaccess <>
end
Hello Fabio
Please run the sniffer command on Fortigate with ports 67 and 68, and check which DHCP server IP is responding to the packet.
Please click on below link and reference document.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Diagnosing-DHCP-on-a-FortiGate/ta-p/192960
Hi Fabio,
as you stated you have, and as it seems from screenshot, FSSO Collector Agent feeding FortiGate with users. Then I would check a Logged on Users on collector GUI.
Because:
- windows OS is trying to "register" assigned, or set, IP addresses from interfaces into DNS
- and collector agent does DNS query to discover ALL IPs of the host PC where user logged in from
Therefore it seems to me possible that user logged into workstation. Which registered IPv6 into DNS. Then Collector found it and added to a list of all IPs where we can expect a user from. Simply as additional FSSO user list record. And fed those to your FortiGate.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Created on 09-07-2024 01:46 AM Edited on 09-07-2024 01:46 AM
Hi Tomas
You mean to solve this he must disable IPv6 on hosts, right?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.