FortiGate
xsilver_FTNT
Staff
Article Id 190654

Description


This article describes how to run FSSO in a dual- (or multi-) NIC environment.

Quite often FSSO issues are caused by the simultaneous use of wired and Wi-Fi connections, especially with notebooks on docking stations; far less often on standalone workstations with two NICs on two LANs.
The root cause is a single A record (one IP) per workstation in DNS.
 
In short (the behavior below was observed on Windows Server 2012 R2):
A single A record per host in a Microsoft environment is usually a consequence of how the DNS and DHCP servers are set up: DNS is configured to accept updates only from DHCP, which locks the records.

DHCP then updates the workstation's single A record in DNS with the most recently assigned IP. No second A record is created in DNS for the second network interface.
 ** Windows Server 2019 does support the same A record with 2 different IP addresses. **

For example:

  1. The user boots up on the wired NIC (a docked notebook, for example), gets an IP from DHCP, and DHCP updates DNS.
  2. Later the workstation connects to Wi-Fi; DHCP assigns a new IP for the Wi-Fi connection and updates DNS again.
    In this case DHCP does not add a second A record with the Wi-Fi IP alongside the wired IP. It overwrites the A record holding the wired IP with the Wi-Fi IP!
    As a result, DNS still contains only one IP for the workstation: the one assigned to Wi-Fi (the last DHCP offer/assignment).
  3. If the workstation then returns to the wired connection (re-docked, for example) and its first assigned IP, that IP is no longer in the FSSO user list,
    and connection attempts from the wired IP are no longer treated as FSSO-authorized!

 

In a bit more detail:
When the Collector Agent resolves the workstation name in DNS (events from the DC mostly carry a NetBIOS hostname rather than an IP, so DNS resolution is crucial), or runs its periodic IP check, the workstation name resolves to just one IP: the Wi-Fi IP in the case above, or in general the last IP assigned by DHCP.
The FSSO user record is therefore created/updated with that single IP, because the Collector Agent, going by the latest DNS record, believes the workstation has just one NIC and one IP.
 
To check whether this is the root cause, simply run nslookup for the workstation on the machine where the Collector Agent is installed (most probably a DC), once after the workstation connects to the wired network and again after it connects to Wi-Fi.
Only one IP will be visible each time.

Solution

 

  1. Windows workstations by default try to perform a DNS update for every interface.
    The cure is therefore simple: reconfigure DNS to allow both IP addresses to be updated by the workstation, i.e. allow DNS updates from workstations. Related document:
    https://technet.microsoft.com/en-us/library/cc784052%28v=ws.10%29.aspx
  2. The above works for any Collector Agent, regardless of whether polling or DC/TS Agents are used together with the Collector.
    If FortiAuthenticator can be used as the Collector Agent, there is another, better solution:
    SSOMA (Single Sign-On Mobility Agent), which is part of FortiClient but can run as the only FortiClient component (without any additional VPN, AV or WF functions).
    That agent reports all IP addresses actually in use, together with all user logons and workstation locks/unlocks, to the configured FortiAuthenticator, which then creates the respective FSSO records accordingly.
  3. It could also be solved by creating the dual-IP A records manually, but that is far less practical.
    It might still be a solution in a more restrictive environment, especially where IP addresses are predictably assigned, for example via DHCP but semi-statically per client MAC address.
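The docking sequence above and the first solution (one A record per interface) as an added model, not Fortinet code: a constructed DNS zone and a minimal Collector Agent show why the wired IP drops out of the FSSO user list when DHCP overwrites the single A record, and that it stays authorized once the zone keeps both records. The hostname WS01, user alice and the two IPs are constructed sample values.

```python
# Added example (not Fortinet code): constructed model of how DHCP-driven DNS
# updates feed the FSSO Collector Agent's user list in the docking scenario.
# Hostname, user name and IP addresses are constructed sample values.
from dataclasses import dataclass, field

@dataclass
class DnsZone:
    """A-record store. multi_ip=False: only DHCP updates the zone and the last
    lease overwrites the single A record (Windows Server 2012 R2 behaviour).
    multi_ip=True: one A record per interface is kept (workstation updates
    allowed, or Windows Server 2019 behaviour)."""
    multi_ip: bool
    records: dict = field(default_factory=dict)  # hostname -> set of IPs

    def update(self, host: str, ip: str) -> None:
        if self.multi_ip:
            self.records.setdefault(host, set()).add(ip)
        else:
            self.records[host] = {ip}

    def resolve(self, host: str) -> list:
        return sorted(self.records.get(host, set()))

class CollectorAgent:
    """FSSO user list (IP -> user). DC logon events carry a hostname, not an
    IP, so every entry comes from DNS resolution of the workstation name."""

    def __init__(self, zone: DnsZone) -> None:
        self.zone = zone
        self.users: dict = {}

    def refresh(self, user: str, host: str) -> None:
        # Logon event and periodic IP check alike replace the user's IPs
        # with whatever DNS returns for the workstation right now.
        self.users = {ip: u for ip, u in self.users.items() if u != user}
        for ip in self.zone.resolve(host):
            self.users[ip] = user

    def is_authorized(self, ip: str) -> bool:
        return ip in self.users

def docking_scenario(multi_ip: bool) -> dict:
    """Wired logon, then a Wi-Fi lease; which source IPs does FSSO accept?"""
    zone = DnsZone(multi_ip)
    agent = CollectorAgent(zone)
    zone.update("WS01", "10.0.1.50")  # DHCP lease on the wired NIC
    agent.refresh("alice", "WS01")    # logon event from the DC
    zone.update("WS01", "10.0.2.77")  # DHCP lease on Wi-Fi, DNS updated again
    agent.refresh("alice", "WS01")    # periodic IP check re-resolves
    return {ip: agent.is_authorized(ip) for ip in ("10.0.1.50", "10.0.2.77")}
```

With the single-record zone the wired IP 10.0.1.50 is reported as not authorized after re-docking; with per-interface records both IPs remain in the user list.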