Description
This article describes the case where an administrator restricts SSL VPN users by MAC address (mac-addr-check) and the symptom of a login succeeding even from a MAC address that is not in the allowed list.

Scope
FortiGate.

Solution
Example:

Remote access PC, Ethernet adapter Ethernet0, MAC address: 00:0C:29:C2:2D:70

config vpn ssl web portal
    edit "full-access"
        ...
        set mac-addr-check enable
        config mac-addr-check-rule
            edit "maclist"
                set mac-addr-list 11:11:11:11:11:11
            next
        end
    next
end

Because the MAC address of the PC's physical adapter is not in the list, the SSL VPN debug output shows the host check reporting all of the endpoint's adapter MAC addresses, the MAC address check failing, and the web session being removed:
[2612:root:e]deconstruct_session_id:716 decode session id ok, user=[guest], group=[],authserver=[],portal=[full-access],host[10.200.20.10],realm=[],csrf_token=[8F976B2C2583CB2565CACBFA1561945],idx=0,auth=1,sid=e4d190f,login=1686893772,access=1686893772,saml_logout_url=no,pip=no,grp_info=[H01LjG],rmt_grp_info=[]
[2612:root:e]host check result:0 0000,10.0.19045,00:0c:29:c2:2d:70|20:c1:9b:1c:bb:e5|00:09:0f:aa:00:01
[2612:root:e]rmt_hcvalidate_cb_handler:535 MAC address check failed
[2612:root:0]sslvpn_internal_remove_one_web_session:3603 web session (root:guest::10.200.20.10:0 1) removed for Server terminated session normally
However, when the MAC address of the FortiClient SSL VPN virtual adapter is added to mac-addr-list (it is one of several adapter MAC addresses the endpoint reports during the host check), the check is passed intermittently and the connection is sometimes allowed.

Remote access PC, Fortinet SSL VPN Virtual Ethernet Adapter, MAC address: 00:09:0F:AA:00:01

config vpn ssl web portal
    edit "full-access"
        ...
        set mac-addr-check enable
        config mac-addr-check-rule
            edit "maclist"
                set mac-addr-list 00:09:0f:aa:00:01
            next
        end
    next
end

The debug output shows the same host check result, but this time a tunnel IP address is reserved, split tunnel routes are added, and the user logon is registered:
[2612:root:14]host check result:0 0000,10.0.19045,00:0c:29:c2:2d:70|20:c1:9b:1c:bb:e5|00:09:0f:aa:00:01
...
[2612:root:14]sslvpn_reserve_dynip:1540 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[2612:root:14]form_ipv4_pol_split_tunnel_addr:79 Matched policy (id = 9) to add ipv4 split tunnel routing address
[2612:root:14]form_ipv4_pol_split_tunnel_addr:79 Matched policy (id = 7) to add ipv4 split tunnel routing address
...
[2612:root:15]Add auth logon for user guest:, matched group number 1
[2612:root:14]SSL state:fatal decode error (10.200.20.10)
[2612:root:0]ap_read,105, error=1, errno=0 ssl 0x7f3bb1bd1000 Success. error:0A000126:SSL routines::unexpected eof while reading
Solution:
Remove the FortiClient virtual adapter MAC address (00:09:0f:aa:00:01) from mac-addr-list. The Fortinet SSL VPN Virtual Ethernet Adapter has this same MAC address on every endpoint running FortiClient, so it identifies the client software rather than a specific PC and must not be used as an allow-list entry; list only the MAC addresses of the physical adapters that are to be allowed.
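The following is an added example (not from the article or from Fortinet) that parses the "host check result" debug line shown above, models the allow-list comparison in a simplified way, and lints a mac-addr-list for the FortiClient virtual adapter entry that causes the intermittent allow. The sample debug lines are constructed from the article's format; the match rule in mac_check_passes is an assumption, not the FortiOS algorithm.

```python
import re

# Constructed sample of FortiGate SSL VPN debug output in the format shown
# in this article: "host check result:<rc> <flags>,<os version>,<mac>|<mac>|..."
SAMPLE_DEBUG = """\
[2612:root:14]host check result:0 0000,10.0.19045,00:0c:29:c2:2d:70|20:c1:9b:1c:bb:e5|00:09:0f:aa:00:01
[2612:root:e]rmt_hcvalidate_cb_handler:535 MAC address check failed
"""

# MAC address of the Fortinet SSL VPN Virtual Ethernet Adapter (from the article).
# It is identical on every endpoint running FortiClient, so it identifies the
# client software, not a particular PC.
FORTICLIENT_VIRTUAL_MAC = "00:09:0f:aa:00:01"

HOST_CHECK_RE = re.compile(
    r"host check result:\S+ [^,]+,[^,]+,(?P<macs>[0-9A-Fa-f:|]+)"
)


def parse_host_check_macs(debug_output: str) -> list[str]:
    """Return the adapter MAC addresses the endpoint reported, lower-cased."""
    for line in debug_output.splitlines():
        m = HOST_CHECK_RE.search(line)
        if m:
            return [mac.lower() for mac in m.group("macs").split("|")]
    return []


def mac_check_passes(reported: list[str], allowed: list[str]) -> bool:
    """Simplified model (assumption): the check passes if any reported
    adapter MAC address appears in the mac-addr-list."""
    allow = {mac.lower() for mac in allowed}
    return any(mac in allow for mac in reported)


def lint_mac_addr_list(allowed: list[str]) -> list[str]:
    """Report mac-addr-list entries that do not pin a specific endpoint."""
    problems = []
    for mac in allowed:
        if mac.lower() == FORTICLIENT_VIRTUAL_MAC:
            problems.append(
                f"{mac}: FortiClient virtual adapter, present on every FortiClient host"
            )
    return problems


if __name__ == "__main__":
    macs = parse_host_check_macs(SAMPLE_DEBUG)
    print("reported:", macs)
    print("physical-only list passes:", mac_check_passes(macs, ["11:11:11:11:11:11"]))
    print("virtual-adapter list passes:", mac_check_passes(macs, ["00:09:0F:AA:00:01"]))
    print("lint:", lint_mac_addr_list(["00:0C:29:C2:2D:70", "00:09:0F:AA:00:01"]))
```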
Copyright 2024 Fortinet, Inc. All Rights Reserved.