nturner
New Contributor

Authentication dropouts and user mis-reporting.

Hi,

We have a recently installed FortiGate 500e box. Firmware version 5.4.8, build 4108.

Collector on single DC, agents on the others, policy in place to pick up logged-in staff via group membership and allow them access to the web.

Seeing a lot of issues with users unable to access the web because they've dropped through the staff policy, and logging shows traffic from multiple users against a single source IP, at pretty much the same time.

Blocked traffic is TCP 443, definitely covered by the policy which is TCP 80/443.

Looks like an authentication issue, and the multiple users against a single machine is pointing the same way.

At a glance all the agents look fine, DCs aren't showing any errors, everything is sync'd fine.

Any ideas what this could be?

Thanks.

 

xsilver_FTNT
Staff

Hi,

If you do see multiple users from a single IP in the FSSO user list, then it might mean that those are connected to some terminal server and originate traffic from there.

If it is MSFT Terminal Server, then set up TS-Agent there to add port granularity to FSSO, which is otherwise just source IP based passive authentication.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

nturner

Thanks Tomas,

We do have the TS-Agent running here, but those servers are in a fixed address range with a policy of their own above the staff policy.

The misreporting and internet drops are unfortunately on DHCP addresses assigned to single user PCs.

nturner

Apologies for the heavily sanitised screenshot.

Wanted to come back with an example of what we're seeing. The screenshot shows two different usernames being reported for a single source here. The IP and policy are the same, and the user being reported hasn't logged in on the machine in question at any point.
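
One way to measure how often the symptom in this thread occurs (different usernames logged against one source IP within seconds), as an added example that is not part of any post above: a Python script that scans exported traffic logs and lists the affected IPs. It assumes a key=value log export with `date`, `time`, `srcip` and `user` fields; the sample lines, addresses, usernames and the 60-second window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in key=value traffic-log style (not from the thread).
SAMPLE_LOG = '''\
date=2018-03-01 time=09:15:02 srcip=10.20.30.41 user="ASMITH" policyid=12 dstport=443 action=accept
date=2018-03-01 time=09:15:04 srcip=10.20.30.41 user="BJONES" policyid=12 dstport=443 action=accept
date=2018-03-01 time=09:15:09 srcip=10.20.30.41 dstport=443 policyid=0 action=deny
date=2018-03-01 time=09:16:00 srcip=10.20.30.77 user="CLEE" policyid=12 dstport=443 action=accept
date=2018-03-01 time=11:40:00 srcip=10.20.30.77 user="DKHAN" policyid=12 dstport=443 action=accept
'''

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return the key=value pairs of one log line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def user_collisions(log_text, window=timedelta(seconds=60)):
    """Map srcip -> sorted users for IPs where two different users appear within `window`."""
    seen = defaultdict(list)  # srcip -> [(timestamp, user)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not {"date", "time", "srcip", "user"} <= rec.keys():
            continue  # entry without an identified user, or malformed
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        seen[rec["srcip"]].append((ts, rec["user"].lower()))
    hits = {}
    for ip, events in seen.items():
        events.sort()
        users = set()
        for i, (t1, u1) in enumerate(events):
            for t2, u2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # later events are even further away
                if u1 != u2:
                    users.update((u1, u2))
        if users:
            hits[ip] = sorted(users)
    return hits

if __name__ == "__main__":
    for ip, users in user_collisions(SAMPLE_LOG).items():
        print(ip, users)
```

The short window keeps a DHCP address that legitimately passes from one user to another hours later (10.20.30.77 in the sample) out of the results.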

 

 

 
