Hello everyone, I have a very annoying problem and I do not know how to solve it. Here in the company, internet access depends on authentication of the users in the domain. I installed FSAE_FSSO on the domain controllers and configured the Fortigate correctly (there are in fact two of them in a cluster). Most of the network users browse normally, the Fortigate recognizes and authenticates them, but other legitimate users always have to enter their login and password on a Captive Portal screen; it is as if the Fortigate does not recognize them automatically. All computers are in the domain, some using a network cable and others using Wi-Fi, all get an IP from DHCP as normal and have their records in the Active Directory-integrated DNS zone. So I ask: what can it be? Does anyone here have any ideas? Thank you!
Ivanildo Galvão, Technology Consultant, MCP, MCT, MCSA, VSP, VTSP, ITIL V3
Is the collector agent using DC Agent mode or Polling mode?
Hi,
DC Agent. I installed it on 3 domain controllers.
Ivanildo Galvão, Technology Consultant, MCP, MCT, MCSA, VSP, VTSP, ITIL V3
1. Be aware that if you run the Collector in DC Agent mode, then those agents have to be installed on all the DCs which are supposed to log in users. The decision of which logon server will be used is up to the workstation and the Windows OS. Therefore, if some user/workstation has issues, also check 'echo %logonserver%' on the workstation, and then whether that DC is properly monitored by a DC Agent and the agent's updates are properly seen in the Collector.
2. DNS records made by the MSFT DHCP server tend to overwrite a single A record, so if a workstation connects via cable and Wi-Fi it will have just the latest assigned IP in DNS, not both. But if its routing causes data (HTTP requests, for example) to pass through the other NIC and be sourced from that IP, then the firewall will not match that traffic with the FSSO user record, as that would have the second IP. The solution is to allow DNS updates from the workstations, as every NIC will try to update its records by default. This will result in all NIC addresses being registered in DNS for a single workstation name: multiple A records. FSSO will then check DNS and create a user record for all the IPs found. That might be part of your issue.
3. Check if users truly hit the Captive Portal or whether it is NTLM fallback. A config check is needed. Use flow debug on the FGT and make sure their traffic flows through the intended interfaces and firewall policies. It might turn out that the interface the users are connecting on has the captive portal turned on.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
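A workstation-side check for points 1 and 2 above, as an added example that is not from the thread or from Fortinet: it prints the logon server (which must be a DC running the DC Agent) and compares the IPv4 addresses bound to the local NICs with the A records DNS holds for the host, so a second NIC whose address never made it into DNS stands out. It assumes a domain-joined host with the built-in DnsClient and NetTCPIP PowerShell modules (Windows 8 / Server 2012 or later) and that the client resolves against the same AD-integrated zone the FortiGate collector queries.

```powershell
# Added diagnostic for the FSSO / DNS mismatch described above (not from the thread).
# Run on the affected workstation; no changes are made, it only reports.

# 1. Which DC authenticated this session? That DC must have a DC Agent installed.
"Logon server : $env:LOGONSERVER"

# 2. Every IPv4 address bound to a local NIC (cable and Wi-Fi), minus loopback and APIPA.
$localIps = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object -ExpandProperty IPAddress

# 3. Every A record DNS currently holds for this host's FQDN.
#    USERDNSDOMAIN is populated only for a domain logon; COMPUTERNAME is always set.
$fqdn   = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"
$dnsIps = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object -ExpandProperty IPAddress

"Host FQDN    : $fqdn"
"Local IPv4   : $($localIps -join ', ')"
"DNS A records: $($dnsIps -join ', ')"

# 4. A local address with no A record is a source IP the collector cannot map to the
#    user, so traffic leaving that NIC is treated as unauthenticated (captive portal).
$missing = $localIps | Where-Object { $dnsIps -notcontains $_ }
if ($missing) {
    "NOT in DNS   : $($missing -join ', ')  <- traffic sourced here will not match FSSO"
    # 5. Show which connected adapters are allowed to register their own address.
    $upAdapters = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
    Get-DnsClient -InterfaceAlias $upAdapters.InterfaceAlias |
        Select-Object InterfaceAlias, RegisterThisConnectionsAddress, ConnectionSpecificSuffix |
        Format-Table -AutoSize
} else {
    "All local addresses are registered in DNS."
}
```

If an adapter shows RegisterThisConnectionsAddress set to False, enabling it (and then running Register-DnsClient, or ipconfig /registerdns) publishes the missing record, which is the client-side registration Tomas describes.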
Okay, I'll check all these points. I already knew about the DNS records issue, but I will review all the points. Thank you!
Ivanildo Galvão, Technology Consultant, MCP, MCT, MCSA, VSP, VTSP, ITIL V3