Support Forum
ms228
New Contributor II

FortiClient Single Sign On Mobility Agent (SSOMA) Conflicting IPs in FortiAuthenticator

Hi all,

 

We have 2 (non-HA) FortiAuthenticators on prem that were configured to use the DC agent with DNS IP validation, but we were finding that when someone moves from a wired to a wireless connection it takes too long for DNS to replicate and for FortiAuthenticator to update the IP address of the workstation.

 

We have therefore installed the SSOMA on a couple of devices as a PoC, which works great for the above issues, but we are seeing an issue with VPN connected and On-Prem connected clients that are on the same LAN subnets. Example:

User 1 connected to Cisco AnyConnect on 10.0.0.1 with local wireless network: 192.168.0.1

User 2 connected to On-Prem network on 192.168.0.1

 

The FortiAuthenticator sees both connections for User 1 and updates its DB, then when User 2's SSOMA updates FortiAuth, the DB removes User 1 IP: 192.168.0.1 and adds User 2 IP: 192.168.0.1. Then User 1's SSOMA updates FortiAuth, which removes User 1's entry.

 

We have IP Filters created, but as the branch site and home subnets are the same then we cannot use this to filter the non-corporate network.

 

I've created a Domain grouping, but unfortunately both the AnyConnect and local wireless network appear in our corp domain, so I cannot filter these out using that.

 

Has anyone come across this or got any ideas on how to stop the IP on our VPN connection from being seen by FortiAuthenticator?

 

Thank you in advance!

 

MS

1 Solution
Debbie_FTNT
Staff

Hey MS,

wow, that sounds like a tricky situation you're facing.

I'm afraid I have some bad news - there aren't any filtering options for FSSOMA available at the moment. A filter WILL be added to allow excluding virtual interfaces (like HyperV/VirtualBox/etc interfaces), but that filter will not be able to exclude local physical interfaces.

It would require a feature request to expand on the FSSOMA filtering abilities.

 

I can think of one workaround at the moment:

1. Ensure FSSOMA is turned off for anyone connected via Cisco AnyConnect

-> this will prevent FSSOMA from reporting the private IPs, and those users are unlikely to change their IP quickly/often

2. Use for example RADIUS Accounting or syslog from the AnyConnect server to FortiAuthenticator for the AnyConnect users and have FortiAuthenticator add AnyConnect users to FSSO that way

 

There is still the question of FSSO-related DNS lookups; if FortiAuthenticator verifies the workstation name against your internal DNS, what IPs will it get in return, just the AnyConnect IP or also the user's local IP?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

ms228
New Contributor II

Hi Debbie,

 

I really appreciate you coming back to me. It's a shame that there is no filtering possible on the FSSOMA or FortiAuthenticator for this, but we are thinking about blocking the SSOMA comms from our AnyConnects clients to the FortiAuthenticators, which would cover point 1 that you made.

 

We currently use syslog to get the IP of AnyConnect users, so we could continue to use this method alongside the FSSOMA.

 

We do use RADIUS on the AnyConnect ASA, so I was wondering if you have some more details on how we could use RADIUS Accounting with FortiAuth?

 

Thank you,

 

MS

xsilver_FTNT

Blocking SSOMA updates from outside coming via VPN sounds like solution.

Not sure how doable it would be to change the on-prem subnet and addressing and move away from one of the most used and so obvious ranges, 192.168.0.0/24 (something from that range is used as the default IP in almost any networked device).
My itchy scalp tells me that this might not be your last IP address conflict issue.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

ms228
New Contributor II

Thanks for the response - unfortunately, like you say, I know we'll have other conflicts in our branch subnets and it would be something out of our control (I never like to put in a solution that could cause issues down the line!)

 

Luckily it sounds like there may be a solution and I think we'll take this to our SE/Account Manager to see if a feature request can be raised for us. :) 

Debbie_FTNT

Hey MS,

regarding filtering on FortiAuthenticator - that's not granular enough to ignore specific IPs ONLY if they come from a specific SSO source.
You could ignore 192.168.0.0/24 completely, but that would also affect your company environment :/.

As for RADIUS accounting:
https://docs.fortinet.com/document/fortiauthenticator/6.4.1/administration-guide/178615/radius-accou...
Essentially, you need to ensure the AnyConnect server sends accounting messages to FortiAuthenticator; on FortiAuthenticator you define an accounting source, set which attributes provide the username and IP, and select where the group information should come from (also the RADIUS packet, the local DB, or a user lookup against remote LDAP).
-> I don't know how to get AnyConnect to send the accounting messages to FortiAuthenticator, though

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
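The RADIUS accounting workaround suggested in the accepted solution, and the attribute mapping described in the reply above, come down to one message: an Accounting-Request (RFC 2866) whose User-Name and Framed-IP-Address attributes give FortiAuthenticator the user and the VPN pool address, and nothing else. That is why it sidesteps the SSOMA conflict: the packet never carries the client's home-LAN 192.168.0.x address. The following block is an added example, not code from Fortinet, Cisco or anyone in this thread. It builds, signs, validates and parses such a packet in pure Python so the attributes an accounting source would map can be inspected offline; the shared secret, usernames, session ID, NAS address and the "VPN-Users" group string carried in the Class attribute are all constructed for the example, and the choice of Class for group information is an assumption (FortiAuthenticator lets you pick the attribute or use a local/LDAP lookup instead).

```python
"""Build, sign and parse RADIUS Accounting-Request packets (RFC 2866).

Added example modelling the Accounting-Start a VPN concentrator (e.g. the
AnyConnect ASA) would send to a FortiAuthenticator RADIUS accounting source.
Attribute type numbers are the IANA-registered ones; every IP, secret,
username, session ID and group value below is constructed for illustration.
"""
import hashlib
import struct
from ipaddress import IPv4Address

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Standard attribute types (RFC 2865 / RFC 2866).
USER_NAME = 1
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
CLASS = 25
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44

STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3
STATUS_NAMES = {STATUS_START: "Start", STATUS_STOP: "Stop", STATUS_INTERIM: "Interim-Update"}


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type / Length / Value; Length covers the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret: bytes, identifier: int, username: str, framed_ip: str,
                             status: int, session_id: str, nas_ip: str, group: str = "") -> bytes:
    """Return a signed Accounting-Request; only the VPN-assigned (framed) IP is reported."""
    attrs = b"".join([
        _attr(USER_NAME, username.encode()),
        _attr(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed),
        _attr(FRAMED_IP_ADDRESS, IPv4Address(framed_ip).packed),
        _attr(ACCT_STATUS_TYPE, struct.pack("!I", status)),
        _attr(ACCT_SESSION_ID, session_id.encode()),
    ])
    if group:  # assumption: group carried in Class; FortiAuthenticator can map another attribute
        attrs += _attr(CLASS, group.encode())
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 s3: Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_accounting_request(packet: bytes, secret: bytes) -> dict:
    """Check the Request Authenticator, then return the fields an accounting source would map."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    authenticator, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if authenticator != expected:
        raise ValueError("bad Request Authenticator: wrong shared secret or tampered packet")
    fields = {"identifier": identifier}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + alen]
        if atype == USER_NAME:
            fields["username"] = value.decode()
        elif atype == FRAMED_IP_ADDRESS:
            fields["framed_ip"] = str(IPv4Address(value))
        elif atype == NAS_IP_ADDRESS:
            fields["nas_ip"] = str(IPv4Address(value))
        elif atype == ACCT_STATUS_TYPE:
            fields["status"] = STATUS_NAMES.get(struct.unpack("!I", value)[0], "unknown")
        elif atype == ACCT_SESSION_ID:
            fields["session_id"] = value.decode()
        elif atype == CLASS:
            fields["group"] = value.decode(errors="replace")
        pos += alen
    return fields


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Accounting-Response (code 5) with no attributes, per RFC 2866 s3."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuthenticator + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed; use a distinct, long secret per NAS in practice
    pkt = build_accounting_request(SECRET, 7, "user1@corp.example", "10.0.0.1",
                                   STATUS_START, "0x00001234", "192.0.2.10", "VPN-Users")
    print(parse_accounting_request(pkt, SECRET))
    print("response:", build_accounting_response(pkt, SECRET).hex())
```

Two practical notes. The parser rejects a packet signed with the wrong shared secret before mapping any attribute, which is the check FortiAuthenticator performs on each accounting source; a mismatched secret shows up as silently dropped logons, so verify it first when a source never populates the FSSO table. On the Cisco ASA side, accounting is bound per tunnel-group (an `accounting-server-group` under the tunnel-group's `general-attributes`, pointing at an `aaa-server` RADIUS group whose host entry carries the FortiAuthenticator address and secret); that is from the ASA CLI as I know it and should be checked against the release notes for your version, since the thread does not cover the ASA configuration.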
ms228
New Contributor II

Ideal - thanks for the additional information about RADIUS too. I'll have a read and make a decision on how we move this one forwards.

 

Thanks again for the help! :)

MS
