abmas
New Contributor

Some users randomly de-authenticated

Hi,

We're using a FortiGate 300D (FortiOS 5.4) and have an AD FSSO Collector Agent (with WMI). Authentication is working fine except for a few users. For those users, for a reason I don't know, authentication is lost randomly, and then they lose their internet access. At that time they are not listed in "Show all FSSO Logons". They are not listed in "Show Logon Users" on the FSSO server.

I know that they are authenticated on our Windows domain.

To be authenticated they have to log off and log on on their PC, but after a random amount of time they get de-authenticated.

Can anyone help, please?

Best regards.

Abmas

xsilver_FTNT
Staff

Hello Abmas, basically turn the Collector log to debug level and some 50MB size and check what happened when such a user loses his access and is gone from the FSSO user list on the Collector.

1. It might appear that WMI received a logoff and so the Collector removed the user from the list.

2. It might appear that the user used 'Run as' and logged on somewhere under a different account, or some (possibly background) service started on his workstation under a different account. Such events usually create a logon event on the DC with the workstation's source IP, causing the current user to be overwritten in the FSSO user list, as the workstation is believed to be owned/used by a single user at a time.

Still no clue/resolved? Then open a ticket on the customer support portal (https://support.fortinet.com). Best regards, Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

dudarra

Try this...

The setting "set auth-timeout" controls the authentication timeout for firewall authentication users. By default this value is set to 5 minutes.

# config user setting
# set auth-timeout <timeout_integer>
<timeout_integer>    The auth-timeout range is 1 to 1440 minutes (24 hours).
# end


The "auth-timeout-type" setting controls how the authentication entry is removed.

# config user setting
# set auth-timeout-type ?
idle-timeout    Idle timeout.
hard-timeout    Hard timeout.
new-session     New session timeout.

By default, the authentication timeout type is set to "idle-timeout".

Idle timeout: The user entry is removed if no traffic is received for the configured idle time (5 minutes by default).

Example

* User1 is authenticated by an identity-based policy and granted access to resources.
* The User1 idle timer starts running whenever no traffic is received from the user; this can happen in one of the following scenarios:

- The user locked the computer.
- The user logged out of the computer.
- The user's PC was disconnected from the network.
- The user's PC was shut down or put into standby mode.

* If no traffic is received from the user's IP address for the configured auth-timeout (5 minutes by default), the user authentication entry is removed.

* If the user now tries to access resources, the FortiGate prompts the user to authenticate again.


Hard timeout: The user entry is removed after the configured auth-timeout value.

Example

* User1 is authenticated by an identity-based policy and granted access to resources.
* The FortiGate forcefully removes the user authentication entry after the configured auth-timeout (5 minutes by default), irrespective of whether traffic is received from the user.
* Once the authentication entry is removed, the user is prompted to authenticate for further requests.


New-session timeout: The user is prompted to authenticate for new sessions after the configured auth-timeout timer expires.

Example

* User1 is authenticated by an identity-based policy and generates a request to www.fortinet.com.
* The user starts a download from www.fortinet.com and does not generate further requests.
* After 5 minutes (the default auth-timeout), the user tries to access www.google.com; the FortiGate now asks the user to authenticate again, but the existing download from www.fortinet.com is not terminated.


Configuration CLI

# config user setting
# set auth-timeout-type ?
idle-timeout    Idle timeout.
hard-timeout    Hard timeout.
new-session     New session timeout.
# end

Thanks in advance, Rafael
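Added example (not from Rafael's post or from Fortinet): a small Python model of the three auth-timeout-type modes applied to the download timeline in the reply above, so the difference between idle-timeout, hard-timeout and new-session shows up in one run. The timelines, and the assumption that a session loses its remaining packets once idle or hard timeout has removed the entry, are constructed for the example; a real FortiGate keeps this state per source IP itself.

```python
"""Compare FortiOS auth-timeout-type modes on one traffic timeline.

Added example, not Fortinet code: a model of the idle-timeout, hard-timeout
and new-session behaviour described above. Minutes count from the moment the
user passed the identity-based policy (minute 0). The timelines below are
constructed for the example, not captured traffic.
"""

DEFAULT_AUTH_TIMEOUT = 5  # FortiOS default for 'set auth-timeout', in minutes


def simulate(timeout_type, events, auth_timeout=DEFAULT_AUTH_TIMEOUT):
    """Replay events and return [(minute, kind, dst, outcome)].

    kind is "request" (first packet of a new session) or "data" (a later
    packet on a session that was already accepted). Outcomes:
      allowed - passes under the current auth entry
      reauth  - the entry is gone and the user is prompted; the model assumes
                the user logs in again at once, starting a fresh entry
      dropped - packet on a session the model has already torn down
    """
    auth_at = 0          # minute the current auth entry was created
    last_traffic = 0     # drives the idle timer
    established = set()  # destinations with an accepted session
    log = []
    for minute, kind, dst in sorted(events):
        if timeout_type == "idle-timeout":
            present = minute - last_traffic < auth_timeout
        elif timeout_type in ("hard-timeout", "new-session"):
            present = minute - auth_at < auth_timeout
        else:
            raise ValueError(f"unknown auth-timeout-type: {timeout_type}")

        if kind == "data":
            if dst not in established:
                outcome = "dropped"
            elif timeout_type == "new-session" or present:
                # new-session never re-checks an established session, so the
                # download in the example keeps running; the other two modes
                # pass it only while the entry exists, and it refreshes the
                # idle timer.
                outcome = "allowed"
                last_traffic = minute
            else:
                # Assumption of this model: once idle/hard timeout removed the
                # entry, the session it belonged to is torn down as well.
                outcome = "dropped"
                established.discard(dst)
        elif kind == "request":
            if present:
                outcome = "allowed"
            else:
                outcome = "reauth"
                auth_at = minute
            last_traffic = minute
            established.add(dst)
        else:
            raise ValueError(f"unknown event kind: {kind}")
        log.append((minute, kind, dst, outcome))
    return log


def outcome_of(log, minute, kind, dst):
    """Look up the outcome of one event in a simulate() log."""
    for m, k, d, outcome in log:
        if (m, k, d) == (minute, kind, dst):
            return outcome
    raise KeyError((minute, kind, dst))


# Constructed timeline for the new-session example above: the user opens
# www.fortinet.com at minute 0, a download streams a packet every minute, and
# at minute 6 the user opens www.google.com.
DOWNLOAD_TIMELINE = (
    [(0, "request", "www.fortinet.com")]
    + [(m, "data", "www.fortinet.com") for m in range(1, 9)]
    + [(6, "request", "www.google.com")]
)

# Constructed timeline for the idle case: the user locks the PC after minute 1
# and comes back at minute 7 with no traffic in between.
LOCKED_PC_TIMELINE = [
    (0, "request", "intranet"),
    (1, "data", "intranet"),
    (7, "request", "intranet"),
]


if __name__ == "__main__":
    for mode in ("idle-timeout", "hard-timeout", "new-session"):
        log = simulate(mode, DOWNLOAD_TIMELINE)
        print(f"{mode:13s} google@6={outcome_of(log, 6, 'request', 'www.google.com'):7s} "
              f"download@8={outcome_of(log, 8, 'data', 'www.fortinet.com')}")
```

Run as written it prints one line per mode: with idle-timeout the steady download keeps the entry alive and the google request at minute 6 passes; with hard-timeout and new-session the google request triggers a new prompt, and only new-session leaves the download running. On the locked-PC timeline all three modes prompt again at minute 7.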
xsilver_FTNT

@raffau .. it was said that those are FSSO users, so the auth session might time out and the iprope record might get removed, but if everything is OK in FSSO then the user should persist in 'diag debug auth fsso list' or 'diag firewall auth list | grep -f fsso' until:

- the user logs off the workstation

- the workstation check fails and the dead entry interval times out

- another user logs into the same workstation and so the FSSO record gets overwritten

This might help you a bit:

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=fortigate-trouble...

Page 185 - FSSO issues

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
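Added example (not from Tomas's post or from Fortinet): a Python model of the Collector's one-user-per-workstation-IP list that applies the three removal causes listed above to a constructed event stream, so that for a given user you can see which cause explains the disappearance. The event tuples, the account names and IPs, and the 480-minute dead entry timeout are assumptions made for the example; they are not the Collector's debug-log format or its defaults, and the real answer comes from the Collector log at debug level.

```python
"""Model of how an FSSO Collector Agent's logon list loses a user.

Added example, not Fortinet code. It implements the three removal causes from
the reply above (logoff, workstation check failing past the dead entry
timeout, another account logging on from the same workstation IP) against a
constructed event stream. The event layout is made up for the example and is
not the Collector's log format.
"""
from dataclasses import dataclass, field

DEAD_ENTRY_TIMEOUT = 480  # minutes; assumption for the example, not a Fortinet default


@dataclass
class Entry:
    user: str
    logon_at: int
    last_verified: int  # last minute the workstation check succeeded


@dataclass
class Collector:
    dead_entry_timeout: int = DEAD_ENTRY_TIMEOUT
    by_ip: dict = field(default_factory=dict)  # ip -> Entry: one user per workstation
    audit: list = field(default_factory=list)   # (minute, ip, user, reason) for each removal

    def logon(self, minute, user, ip):
        prev = self.by_ip.get(ip)
        if prev is not None and prev.user != user:
            # Same workstation, different account ('Run as', a scheduled task,
            # a service starting under another account): the interactive user
            # is overwritten because the list assumes one user per IP.
            self.audit.append((minute, ip, prev.user, f"overwritten by logon of {user}"))
        self.by_ip[ip] = Entry(user, minute, minute)

    def logoff(self, minute, user, ip):
        cur = self.by_ip.get(ip)
        if cur is not None and cur.user == user:
            del self.by_ip[ip]
            self.audit.append((minute, ip, user, "logoff event received"))

    def workstation_check(self, minute, ip, reachable):
        cur = self.by_ip.get(ip)
        if cur is None:
            return
        if reachable:
            cur.last_verified = minute
        elif minute - cur.last_verified >= self.dead_entry_timeout:
            del self.by_ip[ip]
            self.audit.append((minute, ip, cur.user,
                               "workstation check failed past dead entry timeout"))

    def logged_on_users(self):
        """Equivalent of 'Show Logon Users': ip -> user."""
        return {ip: e.user for ip, e in self.by_ip.items()}


def replay(events, dead_entry_timeout=DEAD_ENTRY_TIMEOUT):
    """Feed (minute, kind, ...) events to a fresh Collector in time order."""
    c = Collector(dead_entry_timeout)
    for ev in sorted(events, key=lambda e: e[0]):
        minute, kind = ev[0], ev[1]
        if kind == "logon":
            c.logon(minute, ev[2], ev[3])
        elif kind == "logoff":
            c.logoff(minute, ev[2], ev[3])
        elif kind == "check":
            c.workstation_check(minute, ev[2], ev[3])
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return c


def why_removed(collector, user):
    """All removals of this user: [(minute, ip, reason)]."""
    return [(m, ip, reason) for m, ip, u, reason in collector.audit if u == user]


# Constructed events (hypothetical accounts and addresses), in minutes:
EVENTS = [
    (0, "logon", "CORP\\alice", "10.1.2.30"),
    (0, "logon", "CORP\\bob", "10.1.2.31"),
    (0, "logon", "CORP\\carol", "10.1.2.32"),
    (45, "logon", "CORP\\svc-backup", "10.1.2.30"),  # service starts on alice's PC
    (90, "logoff", "CORP\\bob", "10.1.2.31"),         # bob logs off normally
    (100, "check", "10.1.2.32", False),               # carol's laptop left the LAN
    (600, "check", "10.1.2.32", False),               # still unreachable, past timeout
]

if __name__ == "__main__":
    c = replay(EVENTS)
    for user in ("CORP\\alice", "CORP\\bob", "CORP\\carol"):
        print(user, why_removed(c, user))
    print("still listed:", c.logged_on_users())
```

Reading the audit trail for a user who "randomly" vanished is the point: alice is the case Tomas describes in his first reply (a service account logon from her workstation IP replaced her entry), bob is a plain logoff, and carol aged out because the workstation check kept failing. The same three questions are what to look for in the real Collector log around the time the user drops out of 'Show Logon Users'.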

xsilver_FTNT

Or collect data following the troubleshooting plan attached and open a ticket on the Fortinet support site via FortiCare, or push the data through a Fortinet Partner in case you do not have an account on FortiCare.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

dudarra

@thomas, for me this was the solution...

Rafael

Thanks in advance, Rafael