- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Strange RSSO issue in FortiOS 5.0.7 onwards.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Strange RSSO issue in FortiOS 5.0.7 onwards.
Freeradius server is configured to send Radius accounting packets to our firewall running 5.0.7. Wireless users get network access thru Radius authentication. We use user email address as the username, and email address contain up to 55 characters. And on Fortigate, RSSO endpoint-attribute is set to user-name, so to display usernames in the logs and reports. This Setup was working fine up until November 2016. Somewhere in November, none of the RSSO users are able to access internet or other networks. Troubleshooting RSSO revealed "Parse error: Carrier Endpoint". When RSSO endpoint-attribute is unset, the users are able to access relevant networks and the Parse error vanished. Setting RSSO endpoint-attribute to User-name would work for few minutes and stop RSSO with the same "Parse error".
To resolve the issue, we have rebooted the firewall and finally upgraded to 5.2, the same problem persist ever after upgrading. Now the firewall logs/reports only show the client mac-address. Fortigate TAC team confirmed this as a bug after one month of followups and they have escalated to the engineering team. Till now no resolution. Have anyone here experienced this problem and know any workarounds for this ?. I need user names in firewall logs and reports. Thanks.
Labels:
- Labels:
-
5.0
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi eby,
that might be relevant to the old (FOS 5.0.0 mid 2012) engineering bug #174693 we have seen a long time ago, which turned to not-a-bug but technological limitation of what RADIUS daemon inside the FortiOS can handle as endpoint attribute.
Limit was claimed as to be 48 bytes. I'm not sure that limit stayed the same but it is highly probable.
Those data are stored in memory, so limiting their volume to necessary minimum is good, as in result it will either use less memory or allow higher amount of the logged on users within same amount of memory consumed.
Therefore as a workaround I'd suggest to shorten User-Name or use another AVP as endpoint attribute.
Something which can still perfectly identify user or his workstation as source of the data, but is also considerably shorter.
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Tomas, Many thanks for the insights, do you work for Fortinet ?.
Shortening User-Name is not possible. If that 48byte user-name limitation is still there, any idea what other AVP supports at least 56byte length to be set as endpoint attribute ?. On Fortigate 5.2, the following can be set for rsso-endpoint-attribute, and for sso-attribute, i'm using "Class" to pass the user_group_name to Fortigate.
User-NameThanks, Eby
User-Password
CHAP-Password
NAS-IP-Address
NAS-Port
Service-Type
Framed-Protocol
Framed-IP-Address
Framed-IP-Netmask
Framed-Routing
Filter-Id
Framed-MTU
Framed-Compression
Login-IP-Host
Login-Service
Login-TCP-Port
Reply-Message
Callback-Number
Callback-Id
Framed-Route
Framed-IPX-Network
State
Class
Session-Timeout
Idle-Timeout
Termination-Action
Called-Station-Id
Calling-Station-Id
NAS-Identifier
Proxy-State
Login-LAT-Service
Login-LAT-Node
Login-LAT-Group
Framed-AppleTalk-Link
Framed-AppleTalk-Network
Framed-AppleTalk-Zone
Acct-Status-Type
Acct-Delay-Time
Acct-Input-Octets
Acct-Output-Octets
Acct-Session-Id
Acct-Authentic
Acct-Session-Time
Acct-Input-Packets
Acct-Output-Packets
Acct-Terminate-Cause
Acct-Multi-Session-Id
Acct-Link-Count
CHAP-Challenge
NAS-Port-Type
Port-Limit
Login-LAT-Port
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi eby,
Q: do you work for Fortinet ?
A: yes, on TAC support center.
Therefore I have no direct access to the code to know the lengths of all possible attributes.
My previous idea was NOT to shorted username, or use another attribute which can hold that loooong username. Idea was to use another of user attributes, like email address or UserPrincipalName (UPN) or just anything which do serve both purposes:
- is short enough to be <48 bit long
- is unique user identifier
Therefore you'll be able to uniquely identify user who committed actions but without the limit hit.
Your other option is to contact our sales team and with their help open NFR (New Feature Request). Which is basically code change request which is not a bug but modification to enhance feature set or particular feature.
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Tomas, I was thinking of passing real names in some RADIUS "reply attribute" that fortigate understand. We can configure RADIUS server to pass real names to fortigate in some reply attribute like email or UserFullName, but the problem is fortigate do not know how to process those attributes other than the list i have mentioned earlier and I don't know of any FortiOS 5.2 attribute that support long STRING in "rsso-endpoint-attribute" section. Can you provide a link/info on STRING "type" attributes that can be set in rsso-endpoint ?. Thanks, Eby
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Eby,
have a look into base RFC: https://tools.ietf.org/html/rfc2865
there are two possible types, text and string, see pg.24
So you can use multitude of default attributes (for example Filter-Id),
or one of few AVP from Fortinet RADIUS Dictionary.
http://kb.fortinet.com/kb/documentLink.do?externalID=FD30830
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Related Posts
- Microsoft Update Secure Server CA 2.1... 915 Views
- VPN Tunnel Aggregate - Custom IPSec... 523 Views
- Forticlient Compatability 3472 Views
- How to save password on IPSEC... 1676 Views
- FortiGate GUI not responding 1162 Views
Labels
-
FortiGate
6,554 -
FortiClient
1,307 -
5.2
801 -
5.4
639 -
FortiManager
565 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiAP
336 -
FortiSwitch
334 -
FortiClient EMS
264 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
FortiConnect
24 -
SD-WAN
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
IP address management - IPAM
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
Traffic shaping policy
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiDB
3 -
Port policy
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
TACACS
1 -
4.0MR1
1 -
Schedule
1 -
Users
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Multicast routing
1 -
Email filter profile
1 -
Zone
1 -
Internet Service Database
1 -
Explicit proxy
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.