Fabio
Contributor

FSSO user Wifi Radius WPA2 Enterprise

Hello everyone,
I don't remember since when, but for several releases now I have had an anomaly in the list of users authenticated on WiFi through the WPA2 Enterprise protocol. User authentication is provided by a RADIUS server that authenticates users in an AD domain (NPS).
After their authentication I also see in the user list a set of IPv6 addresses linked to the authenticated usernames. Where do these addresses come from? From the fact that their laptops and smartphones also have IPv6 link enabled? Because the DHCP configured on the FortiGate does not have a lease enabled in IPv6.
Has this happened to anyone?

(image: user ipv6 FFSO .jpg) I attach a few screens to better understand the issue.

Regards

Fabio

comolfa2
New Contributor

Do you have any on-premise read only domain controllers? If not, do you have domain services enabled with your AzureAD? If you do, FortiGate can talk via LDAP to either of those services to perform WPA-Enterprise Auth for your wireless clients (using username and password) https://mobdro.bio/ .

Fabio
Contributor

"Do you have any on-premise read only domain controllers?" For what?

"If not, do you have domain services enabled with your AzureAD": no, none of that.
We have everything on-premises. My FortiGate talks via RADIUS to authenticate.

I also have an FSSO Agent installed on the AD domain to perform FSSO via LAN, but the IPv6 addresses there are only for the WiFi groups.

Fabio
AEK
SuperUser

Hi Fabio

The displayed IPv6 addresses seem random, so it is unlikely that they were assigned by any DHCP server.

If you don't need IPv6 in your firewall, I think that if you disable it you should not see such addresses anymore.

AEK
Fabio
Contributor

Do you think it is better to disable it globally or on the vap interface of the SSID?

Fabio
AEK
SuperUser

If you don't need it you may try both.

AEK
Fabio
Contributor

I tried this command, but the default value was already disabled.

To disable IPv6 in the CLI, run the following commands:

config sys global
    set gui-ipv6 disable
end

To disable IPv6 on an interface level using the CLI:

config sys interface
    edit <name_of_the_interface>
        config ipv6
            unset ip6-address <IPv6 prefix>
            unset ip6-allowaccess <>
        end
    next
end

Fabio
tpatel

Hello Fabio
Please run the sniffer command on the FortiGate with ports 67 and 68, and check which DHCP server IP is responding to the packet.

Please click on the link below and reference the document.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Diagnosing-DHCP-on-a-FortiGate/ta-p/192960

xsilver_FTNT
Staff

Hi Fabio,

As you stated you have, and as it seems from the screenshot, an FSSO Collector Agent feeding the FortiGate with users. Then I would check the Logged On Users on the collector GUI.
Because:
- the Windows OS is trying to "register" assigned, or set, IP addresses from interfaces into DNS

- and the collector agent does a DNS query to discover ALL IPs of the host PC where the user logged in from

Therefore it seems to me possible that a user logged into a workstation, which registered IPv6 into DNS. Then the Collector found it and added it to a list of all IPs where we can expect a user from, simply as an additional FSSO user list record, and fed those to your FortiGate.


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
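An added illustration of the mechanism Tomas describes (my own sketch, not Fortinet's collector code): it resolves a workstation name the way the collector would, one record per returned address, and tags each address so you can see which FSSO entries come from link-local or ULA IPv6 rather than from a DHCP lease. The user, hostname and DNS answers below are constructed; with dns=None it performs a live lookup instead.

```python
"""Model of how an FSSO collector builds its user -> IP list (added sketch)."""
import ipaddress
import socket
from typing import Dict, List, Optional

# Constructed sample: what DNS returns for a workstation that registered its
# IPv4 lease plus every IPv6 address its interfaces hold (assumed values).
SAMPLE_DNS = {
    "LAPTOP-FABIO.corp.example": [
        "10.10.20.55",               # IPv4 lease from the FortiGate DHCP
        "fe80::1c2a:9f3b:7d4e:12ab",  # link-local, always present on IPv6 hosts
        "fd12:3456:789a::1",          # ULA, typically from a router advertisement
        "2001:db8:1::a1b2",           # global (documentation prefix used here)
    ],
}

ULA = ipaddress.ip_network("fc00::/7")


def classify(addr: str) -> str:
    """Tag an address so the origin of each FSSO record is visible."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any scope id
    if ip.version == 4:
        return "ipv4"
    if ip.is_link_local:
        return "ipv6-link-local"
    if ip in ULA:
        return "ipv6-ula"
    return "ipv6-global"


def resolve_all(host: str, dns: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """Every address DNS holds for host (A and AAAA), as the collector queries it."""
    if dns is not None:
        return list(dns.get(host, []))
    infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC)
    return sorted({info[4][0] for info in infos})


def fsso_records(user: str, host: str,
                 dns: Optional[Dict[str, List[str]]] = None) -> List[Dict[str, str]]:
    """One FSSO logon record per discovered address, with its classification."""
    return [{"user": user, "ip": a, "kind": classify(a)}
            for a in resolve_all(host, dns)]


if __name__ == "__main__":
    for rec in fsso_records("fabio", "LAPTOP-FABIO.corp.example", SAMPLE_DNS):
        print(rec)
```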

AEK

Hi Tomas

You mean to solve this he must disable IPv6 on hosts, right?

AEK