We have 2 (non-HA) FortiAuthenticators on prem that were configured to use DC agent with DNS IP validation, but we were finding that when someone moves from a wired to a wireless connection it would take too long for DNS to replicate and for FortiAuthenticator to update the IP address of the workstation.
We have therefore installed the SSOMA on a couple of devices as a PoC, which works great for the above issues, but we are seeing an issue with VPN connected and On-Prem connected clients that are on the same LAN subnets. Example:
User 1 connected to Cisco AnyConnect on 10.0.0.1 with local wireless network: 192.168.0.1
User 2 connected to On-Prem network on 192.168.0.1
The FortiAuthenticator sees both connections for User 1 and updates its DB. Then, when User 2's SSOMA updates FortiAuthenticator, the DB removes User 1's IP 192.168.0.1 and adds User 2's IP 192.168.0.1. Then User 1's SSOMA updates FortiAuthenticator, which removes User 2's entry.
We have IP filters created, but as the branch site and home subnets are the same, we cannot use these to filter out the non-corporate network.
I've created a Domain grouping, but unfortunately both the AnyConnect and local wireless network appear in our corp domain, so I cannot filter these out using that.
Has anyone come across this or got any ideas on how to stop the IP on our VPN connection from being seen by FortiAuthenticator?
Thank you in advance!