stlblufan
New Contributor

On-Net / Off-Net

I am running 5.2 on a 60C, with FortiClient 5.2.1 on all clients, all of which are "on-net". However, on the 60C, all of the clients show up as "off-net". Is there something that I need to do in order to make them register properly?
netmin
Contributor II

There's still a known issue in 5.2.1 (0248014) and we cannot currently convince FortiClient to display on-net status. The (directly) connected (latest) client either does not use an appropriate VCI string or the FGT simply does not provide the required information in DHCP although this functionality was enabled.
 config system dhcp server
  edit <server_index_int>
   set forticlient-on-net-status enable
  next
 end
 
Christopher_McMullan

Do you know the age of the FortiClient license that was applied? The issue may have to do with whether the license is specifically for 5.2, or was for FCT 5.0.

Regards, Chris McMullan Fortinet Ottawa

netmin

It is one of the 10 integrated licenses of our 2 fully licensed test FGTs 100D on 5.2.1.
Christopher_McMullan

Ah...okay. The 10 built-in licenses are for registration and Endpoint Control profile distribution only. They do not support the on-net/off-net feature. You would need to purchase full FortiClient licenses for this feature. This distinction is according to the bug.

Regards, Chris McMullan Fortinet Ottawa

netmin

Interesting, from the FCT release notes it doesn't read like default managed client licenses differentiate from additional managed FCT licenses, but I may have missed that. So that means we cannot continue our tests at this time.
Christopher_McMullan

I would work through your SE to see if you could be provided with a trial of full licenses for your testing. That would be the easiest route.

Regards, Chris McMullan Fortinet Ottawa

Christopher_McMullan

As an update, 5.2.2 will allow the 10 built-in licenses to be used for on-net/off-net support. It's been checked into build 619 (5.2.1 is 618), so 5.2.2 will feature this.

Regards, Chris McMullan Fortinet Ottawa

rwdorman
New Contributor III

Quick update - After getting the suggestion earlier in this thread I set up Option 224 in my DHCP server (Windows 2012 server) to send a single-valued string attribute with the serial number of the registered FortiGate and on-net/off-net works as I wanted it to. In defense of TAC: this is not a published, documented or supported method of making this work so YMMV.

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
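
The DHCP change described in the post above, sketched as an added PowerShell example for the DhcpServer module that ships with Windows Server 2012 and later; it is not code from any poster or from Fortinet. The function name, option display name, scope ID and serial number are placeholders or assumptions, and the thread itself notes that the method is undocumented and unsupported.

```powershell
# Added example: publish the FortiGate serial number in DHCP option 224
# on a Windows Server 2012+ DHCP server. Run in an elevated session on the DHCP server.
Import-Module DhcpServer

function Set-FortiGateOnNetOption {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ScopeId,          # IPv4 scope, e.g. 192.168.1.0
        [Parameter(Mandatory)] [string] $FortiGateSerial,  # serial of the registered FortiGate
        [int] $OptionId = 224                              # option number used in the thread
    )

    # Define the option as a single-valued string unless the server already knows it.
    $def = Get-DhcpServerv4OptionDefinition -OptionId $OptionId -ErrorAction SilentlyContinue
    if (-not $def) {
        Add-DhcpServerv4OptionDefinition -Name 'FortiGate serial' -OptionId $OptionId `
            -Type String -Description 'FortiClient on-net detection (unsupported)'
    }
    elseif ($def.Type -ne 'String' -or $def.MultiValued) {
        # Some other product may already own this private-use option number.
        throw "Option $OptionId already exists as '$($def.Name)' ($($def.Type)); not overwriting."
    }

    # Attach the serial number to the scope that the managed clients lease from.
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId $OptionId -Value $FortiGateSerial

    # Read the value back so a typo in the serial is caught here, not on the clients.
    $applied = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId $OptionId
    if ($applied.Value -notcontains $FortiGateSerial) {
        throw "Option $OptionId on scope $ScopeId does not contain the expected serial."
    }
    $applied
}

# Placeholder values: replace both before running.
Set-FortiGateOnNetOption -ScopeId '192.168.1.0' -FortiGateSerial 'FGT-SERIAL-PLACEHOLDER'
```

Clients receive the new option at their next lease renewal (`ipconfig /renew` forces one on Windows).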
neonbit
Valued Contributor

Thanks for the info Ryan, that looks like a winner! I just tested the DHCP 224 option on my FGT running 5.2.1 without the FortiClient license (i.e. just the standard 10 freebie ones) and I can now see the win8 computer show up as 'Registered - On-Net' when it never used to before. Unplugged the win8 machine and it then changed to 'Offline' (took about 3 minutes to update). Connected via SSLVPN and it says 'Registered - Off-Net'. Plugged it back into the network and it's showing 'Registered - On-Net' again. Looks good so far!
terry_jjr

Hi neonbit

Could you outline the steps you went through to get this working?

We have a 2008R2 DHCP server and cannot use the FortiGate. We also have 2000 FortiClient licenses and would really like to get this working. I logged a ticket with TAC, but it's gone into the feature request queue.

Any help would be appreciated.

Thanks,

 
