jeroenwichers
New Contributor

FortiGate RADIUS implementation sends client IP as Calling-Station-Id

Hi guys,

I've noticed that my FortiGate with FortiOS v6.4.2 sends the IP address of my client as "Calling-Station-Id". I'd like to see the MAC address of my client here so that I can make use of device authentication. Is it possible to change this behaviour?

 

Many thanks in advance!

xsilver_FTNT
Staff

Not sure about FOS 6.4.2, but I quickly tested on a 6.4.4.

I made a simple SSID with WPA2-Enterprise and pointed it to FAC as the RADIUS server.

And Calling-Station-Id does contain the MAC of the end-point device. So it works.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

jeroenwichers

Hi!

Thanks for your reply! I am using the NPS feature from Windows Server to act as RADIUS server and here, the calling station identifier is thus an IP address.

 

Any thoughts?

xsilver_FTNT

I was testing and thinking about that and ... what feature do you use, and so which one produces those Access-Requests?

Because RADIUS Auth and Accounting messages and Calling-Station-Id on FGT 6.4.x are produced this way:

- if I do auth on a WiFi SSID, then Calling-Station-Id is populated with the MAC address, because FGT is the WLC (WiFi controller) and the client is directly connecting to an AP which is managed by FGT.

And therefore FGT is the one who somehow assigns the IP, as when the user connects it has no IP assigned yet. And so the MAC address is the only identifier.

- if I do auth on SSLVPN, then Calling-Station-Id is populated with the IPv4 address.

Because FGT is the VPN concentrator and clients already do have an IP assigned, and also because in the VPN case the client is not connecting to FGT (SSID on AP and WLC specifically) but from a distance, and so the MAC address is not that relevant a detail, as the final packets received on FGT came from the close peer device's MAC address and not from the client.

It appears in both, Access-Request and, if FGT is set to send ACCT, then in Accounting-Request too.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
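The two cases described above (Calling-Station-Id carrying a MAC address for a WiFi SSID, an IPv4 address for SSL VPN) as an added Python example; this is not code from the thread, from Fortinet or from NPS. It builds a minimal RADIUS Access-Request, parses attribute 31 (Calling-Station-Id, RFC 2865) back out and classifies the value, which is the check a RADIUS server policy needs before relying on the attribute for MAC-based device authentication. The packet contents and identifiers are constructed sample data.

```python
import ipaddress
import os
import re
import struct

USER_NAME = 1            # RADIUS attribute types from RFC 2865
CALLING_STATION_ID = 31
ACCESS_REQUEST = 1       # RADIUS code

def build_access_request(attrs, ident=1):
    """Serialize an Access-Request with the given (type, bytes) attributes.
    No User-Password/Message-Authenticator is included; the example only
    exercises attribute framing. The authenticator is random, as in RFC 2865."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + os.urandom(16) + body

def parse_attributes(packet):
    """Return [(type, value_bytes), ...], rejecting truncated or bogus lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs

# MAC as a NAS commonly formats it: six hex pairs separated by '-' or ':'
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")

def classify_calling_station_id(value):
    """'mac' for a MAC address, 'ip' for an IPv4/IPv6 literal, else 'other'."""
    if MAC_RE.match(value):
        return "mac"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "other"

def calling_station_kind(packet):
    """Classify Calling-Station-Id in a packet; 'absent' if the NAS omitted it."""
    for t, v in parse_attributes(packet):
        if t == CALLING_STATION_ID:
            return classify_calling_station_id(v.decode("ascii", "replace"))
    return "absent"

# Constructed samples mirroring the two FGT cases from the thread.
WIFI_REQUEST = build_access_request(
    [(USER_NAME, b"alice"), (CALLING_STATION_ID, b"00-11-22-33-44-55")])
SSLVPN_REQUEST = build_access_request(
    [(USER_NAME, b"alice"), (CALLING_STATION_ID, b"203.0.113.45")])
```

A policy that only accepts the "mac" outcome for device authentication will correctly refuse to treat the SSL VPN request's IP address as a device identity.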

nocengineer

Hi,

I am using ISE between FortiGate and FortiAuthenticator. On ISE I see the IP address as Calling-Station-Id. Any way I can modify this?

Just for understanding: SSL VPN User -> FortiGate -> ISE (synced with AD) -> FortiAuth (synced with AD, using it for MFA). We ultimately want to do posture of the VPN user through Cisco ISE.

xsilver_FTNT

nocengineer wrote:

On ISE I see the IP address as Calling-Station-Id. Any way I can modify this?

Not sure, this is a Fortinet forum, so I would not expect many experts on ISE here.

Maybe everyone who read your update misunderstood who is sending what to whom, as I did (probably).

Is it based on RADIUS Accounting-Requests ... or maybe on Access-Requests? Not clear ... a bit of clarification would be nice.

Hmm, thought about it a second time ... it is not supposed to matter whether an Access or Accounting request is sent from FGT to whatever. In the SSLVPN case that Calling-Station-Id identifier will be populated with the client's IP address, as it's a remote client and so the MAC is irrelevant here. And no, I'm not aware of any way to change this on FGT. However, for Accounting it is possible to use FAC as an Accounting Proxy and add some data to Accounting requests, even data from AD based on the AD user (AVP User-Name), for example.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
