On-Net / Off-Net
I am running 5.2 on a 60C, with FortiClient 5.2.1 on all clients, all of which are "on-net". However, on the 60C, all of the clients show up as "off-net". Is there something that I need to do in order to make them register properly?
Quick update - After getting the suggestion earlier in this thread I set up Option 224 in my DHCP server (Windows 2012 server) to send a single-valued string attribute with the serial number of the registered FortiGate, and on-net/off-net works as I wanted it to.
In defense of TAC: this is not a published, documented or supported method of making this work so YMMV.
-rd 2x 200D Clusters 1x 100D
1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
There's still a known issue in 5.2.1 (0248014) and we cannot currently convince FortiClient to display on-net status. The (directly) connected (latest) client either does not use an appropriate VCI string or the FGT simply does not provide the required information in DHCP although this functionality was enabled:

    config system dhcp server
        edit <server_index_int>
            set forticlient-on-net-status enable
        next
    end
Do you know the age of the FortiClient license that was applied? The issue may have to do with whether the license is specifically for 5.2, or was for FCT 5.0.
Regards, Chris McMullan Fortinet Ottawa
It is one of the 10 integrated licenses of our 2 fully licensed test FGTs 100D on 5.2.1.
Ah...okay. The 10 built-in licenses are for registration and Endpoint Control profile distribution only. They do not support the on-net/off-net feature.
You would need to purchase full FortiClient licenses for this feature.
This distinction is according to the bug.
Regards, Chris McMullan Fortinet Ottawa
Interesting, from the FCT release notes it doesn't read like default managed client licenses differentiate from additional managed FCT licenses, but I may have missed that. So that means we cannot continue our tests at this time.
I would work through your SE to see if you could be provided with a trial of full licenses for your testing. That would be the easiest route.
Regards, Chris McMullan Fortinet Ottawa
As an update, 5.2.2 will allow the 10 built-in licenses to be used for on-net/off-net support. It's been checked into build 619 (5.2.1 is 618), so 5.2.2 will feature this.
Regards, Chris McMullan Fortinet Ottawa
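The DHCP-side setup Ryan describes (option 224 as a single-valued string carrying the registered FortiGate's serial number), written out as an added example for a Windows Server DHCP scope; this is not code from the thread or from Fortinet. It assumes the DhcpServer PowerShell module (Windows Server 2012 and later), a scope 192.0.2.0 that is constructed for the example, and the serial number of the FortiGate the clients registered against, which you must copy from your own unit; the value below is a placeholder.

```powershell
# Added example (not from the thread): publish DHCP option 224 so FortiClient
# can recognise the LAN as on-net, as described in the accepted answer above.
# Assumptions: DhcpServer module, constructed scope 192.0.2.0, and a placeholder
# serial that must be replaced with the real FortiGate serial number.
Import-Module DhcpServer

$ScopeId   = '192.0.2.0'                  # constructed example scope (the on-net LAN)
$FgtSerial = 'FGT60C-SERIAL-PLACEHOLDER'  # placeholder: use the registered FortiGate's serial
$OptionId  = 224

# 1. Define option 224 once per DHCP server as a single-valued string
#    (the definition is server-wide, so skip it if it already exists).
if (-not (Get-DhcpServerv4OptionDefinition -OptionId $OptionId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -OptionId $OptionId -Name 'FortiGate-Serial' `
        -Type String -Description 'FortiClient on-net detection: serial of the registered FortiGate'
}

# 2. Publish the serial on the scope that corresponds to the on-net network.
#    Only scopes that really are behind this FortiGate should carry it.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId $OptionId -Value $FgtSerial

# 3. Read back what the scope now hands out. The string must match the serial
#    the client registered with, otherwise FortiClient keeps reporting off-net.
$published = (Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId $OptionId).Value |
    Select-Object -First 1
if ($published -ne $FgtSerial) {
    throw "Option $OptionId on scope $ScopeId is '$published', expected '$FgtSerial'"
}
"Scope $ScopeId publishes option $OptionId = $published"
```

After the lease renews (neonbit's test below took about three minutes for the status to change), the client should move from "Registered - Off-Net" to "Registered - On-Net". Keep in mind that a DHCP option is an unauthenticated hint from whatever DHCP server answered the client, so the on-net flag tells FortiClient which network it believes it is on; it is not a proof of location, and policies that grant more access on-net should be set with that in mind.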
Thanks for the info Ryan, that looks like a winner!
I just tested the DHCP 224 option on my FGT running 5.2.1 without the FortiClient license (i.e. just the standard 10 freebie ones) and I can now see the Win8 computer show up as 'Registered - On-Net' when it never used to before.
Unplugged the Win8 machine and it then changed to 'Offline' (took about 3 minutes to update).
Connected via SSLVPN and it says 'Registered - Off-Net'.
Plugged it back into the network and it's showing 'Registered - On-Net' again.
Looks good so far!
Hi neonbit
Could you outline the steps you went through to get this working?
We have a 2008R2 DHCP server and cannot use the FortiGate. We also have 2000 FortiClient licenses and would really like to get this working. I logged a ticket with TAC, but it's gone into the feature request queue.
Any help would be appreciated.
Thanks,
neonbit wrote:
Thanks for the info Ryan, that looks like a winner! I just tested the DHCP 224 option on my FGT running 5.2.1 without the FortiClient license (i.e. just the standard 10 freebie ones) and I can now see the Win8 computer show up as 'Registered - On-Net' when it never used to before. Unplugged the Win8 machine and it then changed to 'Offline' (took about 3 minutes to update). Connected via SSLVPN and it says 'Registered - Off-Net'. Plugged it back into the network and it's showing 'Registered - On-Net' again. Looks good so far!