Hi,
We're using Fortigate 300D (FortiOS 5.4) and have a AD FSSO Collector Agent (with WMI). Authentication is working fine except for few users. For those users for a reason I ignore, authentication is lost randomly, and then they lose their internet access. In that time they are not listed in the "Show all FSSO Logons". They are not listed in the "Show Logon Users" on the FSSO Server.
I know that they are autheticated on our Windows Domain.
To be authenticated they have to logoff and logon on their PC but after a random amount of time they get de-authenticaed.
Can anyone help, please ?
Best regards.
Abmas
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Abmas, basically turn Collector log to debug level and some 50MB size and check what happened when such user looses his access and is gone from FSSO user list on Collector. 1. It might appear that WMI received logoff and so Collector removed user from list. 2. It might appear that user used 'Run as' and logged somewhere under different account, or some (possibly background) service has started on his workstation under different account. Such events usually create logon event on DC, with workstation's source IP. Causing the current user being overwritten in FSSO user list as workstation is believed to be owned/used by single user at a time.
Still no clue/resolved ? Then open a ticket on customer support postal (https://support.fortinet.com). Best regards, Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
try this...
The setting "set auth-timeout" controls authentication timeout for Firewall authentication users. By default this value is set to 5 minutes.
# config user setting
# set auth-timeout
<timeout_integer> The auth-timeout range is 1 to 1440 minutes(24 hours).
# end
The "auth-timeout type" setting controls how the authentication entry is removed.
# config user setting
# set auth-timeout-type ?
idle-timeout Idle timeout.
hard-timeout Hard timeout.
new-session New session timeout.
By default, authentication timeout type is set to "idle-timeout".
Idle timeout: User entry will be removed if there is no traffic received for configured idle time (5 minutes by default).
Example
* User1 authenticated by identity based policy and granted to access resources.
* Now the User1 idle timer can be triggered if there is no traffic received from the user, this can happen in one of the following scenarios;
- User locked the computer
- User logged out of the computer.
- User PC disconnected from network.
- User PC shutdown or put to standby mode.
* If there is no traffic received from the user IP address for the configured auth-timeout (5 minutes by default), user authentication entry will be removed.
* If the user tries to access resources now, FortiGate will prompt the user to authenticate again.
Hard timeout: User entry will be removed after the configured auth- timeout value
Example
* User1 authenticated by identity based policy and granted to access resources.
* FortiGate will forcefully remove the user authentication entry after configured auth-timeout setting (5 minutes by default). This is done irrespective of traffic received or not from the user.
* Once the authentication entry is removed, user will be prompted to authenticate for further requests.
New-session timeout: User will be prompted to authenticate for new sessions after the configured auth-timeout timer.
Example
* User1 authenticated by identity based policy and generate a request to www.fortinet.com.
* User will start a download from www.fortinet.com and does not generate further requests.
* After 5 minutes (default auth-timeout), user tries to access www.google.com, now FortiGate will ask the user to authenticate again but the existing download to www.fortinet.com will not be terminated.
Configuration CLI
config user setting
set auth-timeout-type
idle-timeout Idle timeout.
hard-timeout Hard timeout.
new-session New session timeout.
thanks in advanced Rafael
@raffau .. it was said that those are FSSO users, so auth session might timeout and iprope record might get removed but if everything is OK in FSSO then user should persist in 'diag debug auth fsso list' -or- 'diag firewall auth list | grep -f fsso' till the user:
- log off the workstation
- fail in workstation check and timeout on dead entry interval
- another user log into the same workstation and so fsso record get overwritten
This might help you a bit ..
Page 185 - FSSO issues
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Or collect data from troubleshooting plan attached and open a ticket on Fortinet support site via FortiCare, or push data through Fortinet Partner in case you do not have an account on FortiCare.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
@thomas, for me this was the solution...
Rafael
thanks in advanced Rafael
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.