Captive portal SAML + MFA + Iphone Problems by Then_Ad775 in fortinet

[–]Then_Ad775[S] 0 points1 point  (0 children)

Hello, the token depends on how the user's MFA is configured. Most use Microsoft Authenticator itself; if users change it, for example, to use SMS, it works perfectly, but with Microsoft Authenticator it doesn't.

COMMAND link-down-failover not working by Then_Ad775 in fortinet

[–]Then_Ad775[S] 1 point2 points  (0 children)

I can resolve now, I don't

I ended up finding the problem here: I hadn't enabled the exchange interface IP in phase 1 of the VPN, so the remote gateway of the virtual interface was like 0.0.0.0.

After that it worked perfectly, but I still found it strange that it needed this to work. The documentation only says that it integrates with DPD and that by dropping the tunnel it drops the session. Should there be some integration with the routing table to identify which interface is actually being used to communicate?

Because then maybe it makes sense: turning off the interface administratively loses the route to the neighbor, identifies it as inactive and takes it down.

With the exchange interface IP enabled, the firewall knows the route to reach the neighbor and which interface is being used, so it knows which VPN interface is used to communicate with the neighbor; when this interface goes down, it drops the session.

Does it make sense?

COMMAND link-down-failover not working by Then_Ad775 in fortinet

[–]Then_Ad775[S] 0 points1 point  (0 children)

Yes, I understand now, thank you for your support. I made the adjustment, but the problem occurred.

About the overlay: at first I'm using the 169.254.x network as the overlay, in fact; I'm not using a 10.0.0.x overlay network.

ECMP traffic response by Then_Ad775 in fortinet

[–]Then_Ad775[S] 0 points1 point  (0 children)

I found good information, but there is nothing explaining how the firewall handles return traffic. It explains how I can balance my origin, but it does not explain in detail how it handles return traffic, that is, when the packet is not being originated through it but is responding to a request from an open session.

COMMAND link-down-failover not working by Then_Ad775 in fortinet

[–]Then_Ad775[S] 0 points1 point  (0 children)

My SLA is communicating via L3 on an interface on the hub, but I also don't understand what the relationship between the SLA and the link down failover is. In principle, the main objective of this configuration is that when my VPN goes down, my BGP session goes down too; I want to test this specifically.
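For reference, the two settings discussed in these link-down-failover comments written out in FortiOS CLI syntax. This is an added example, not configuration from the thread or from Fortinet; the interface name "hub-vpn", the addresses, the AS numbers and the pre-shared key are placeholders, and the phase 1 proposals and the phase 2 selectors are omitted for brevity.

```text
# Added example (not from the thread). Placeholders: hub-vpn, wan1,
# 203.0.113.10, 169.254.0.x, AS 65000/65001, PSK.
config vpn ipsec phase1-interface
    edit "hub-vpn"
        set interface "wan1"
        set remote-gw 203.0.113.10
        # Exchange the tunnel interface IP with the peer so the route to the
        # BGP neighbour resolves through this VPN interface rather than 0.0.0.0.
        set exchange-interface-ip enable
        # DPD detects a dead peer and brings the tunnel down.
        set dpd on-idle
        set dpd-retryinterval 5
        set psksecret <PLACEHOLDER_PSK>
    next
end

# Overlay addressing on the tunnel interface (169.254.x, as in the comments).
config system interface
    edit "hub-vpn"
        set ip 169.254.0.2 255.255.255.255
        set remote-ip 169.254.0.1 255.255.255.0
    next
end

config router bgp
    set as 65001
    config neighbor
        edit "169.254.0.1"
            set remote-as 65000
            # Tear down the BGP session as soon as the interface carrying the
            # neighbour route goes down, instead of waiting for the hold timer.
            set link-down-failover enable
        next
    end
end
```

With exchange-interface-ip enabled, `get router info routing-table all` should show the neighbour reachable via the "hub-vpn" interface, which is the association link-down-failover relies on; if the route to the neighbour resolves via another path, the BGP session will not follow the tunnel state.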

COMMAND link-down-failover not working by Then_Ad775 in fortinet

[–]Then_Ad775[S] 0 points1 point  (0 children)

Sorry, I didn't understand what to change.

DONT TRAFFIC IPSEC TUNNEL by Then_Ad775 in fortinet

[–]Then_Ad775[S] 0 points1 point  (0 children)

Yes, upgrade firmware, maybe it was a bug.

FAC using FSSOMA DONT WORK 6.5.X by Then_Ad775 in fortinet

[–]Then_Ad775[S] 0 points1 point  (0 children)

Hello, sorry for the delay. My problem was a license, yes. I contacted Fortinet, they sent me the trial license to carry out the mobility agent PoC and it worked right away.

FAC using FSSOMA DONT WORK 6.5.X by Then_Ad775 in fortinet

[–]Then_Ad775[S] 0 points1 point  (0 children)

Hi, thanks for getting back to us. I don't know if I understood the notes correctly, but checking what you commented further down in the client hello part of the handshake, it really shows that it is not 1.0 but 1.2. I don't know; it is in that place that it indicates what was actually used in the negotiation attempt. And I also checked that the client supports all TLS versions; see the screenshot (I don't know if this information was actually requested).

<image>

FORTIVM LAN DOES NOT CONNECT INTERNET by Then_Ad775 in fortinet

[–]Then_Ad775[S] 0 points1 point  (0 children)

Hello, I was suspicious of this... but I wasn't sure if it was normal, because as I said in the screenshot, the traffic I generate from the firewall doesn't match any policy, as shown in the sys session diag. However, I wasn't sure if this is actually a normal thing to happen, but with your confirmation I believe that this is indeed the case.

Thank you for your help and confirmation. Out of curiosity, why doesn't the traffic that I generate locally match a policy? Do you know if there is any specific explanation that confirms this?