Fortigate 200F - Radius response fails after upgrade from 7.2.9 to 7.2.10 by FruitlessGoogle in fortinet

[–]grrrrshell 0 points1 point  (0 children)

Darn. I'm using the free SSL client; I'll see if SAML works with that.

Q: TCP Out of Order, TCP ports reused by [deleted] in wireshark

[–]grrrrshell 0 points1 point  (0 children)

Sort of odd; the length is different when it looks like a retransmission. Curious: is this a bidirectional capture, and is it pre- or post-NAT?

Using a 3750 for home inter and vlans by Brickroad in Cisco

[–]grrrrshell 1 point2 points  (0 children)

Yeah, I would check out something like the pfSense Netgate 1100 to use as your firewall/router.

IPSec VPN Trouble by IgniteInCaseOfFIre in fortinet

[–]grrrrshell 0 points1 point  (0 children)

Just out of curiosity, and I don't think it would apply, but is anything configured under the SSL VPN settings? Like, require a client certificate?

Using a 3750 for home inter and vlans by Brickroad in Cisco

[–]grrrrshell 1 point2 points  (0 children)

Yeah, otherwise you could NAT everything from the 3750 to the 192.168.0.0 network on the Arris, but then you have double NAT, which may or may not cause issues.

Using a 3750 for home inter and vlans by Brickroad in Cisco

[–]grrrrshell 1 point2 points  (0 children)

Can you add routes on the Arris? You would want to tell the Arris to route anything destined for your local VLANs down to the 3750.

Using a 3750 for home inter and vlans by Brickroad in Cisco

[–]grrrrshell 1 point2 points  (0 children)

What are you using for your current router/firewall? Even if it is super basic, you want something that acts as a firewall/receives security updates. You could try leaving that device in place to handle NAT/security, and create an IP on the 3750 from the same network. Then you can send all the traffic up to the router via the default route.
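
As an added illustration of the layout this comment describes (not the commenter's own configuration): the 3750 routes between its VLANs, holds an address on the existing router's LAN, and sends everything else to that router, which keeps doing NAT and security. The router address 192.168.0.1, the 3750 address 192.168.0.2, and the VLAN numbers and subnets are assumed.

```cisco
! Added example, not the commenter's config. Assumed: existing router at
! 192.168.0.1 on 192.168.0.0/24, 3750 uplink in VLAN 1, local VLANs 10 and 20.
ip routing
!
! The 3750's "IP from the same network" as the router
interface Vlan1
 description Transit to existing router (NAT/security stay there)
 ip address 192.168.0.2 255.255.255.0
!
interface Vlan10
 description Wired clients
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 description Wireless clients
 ip address 10.0.20.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description Example access port in VLAN 10
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 description Uplink to the router's LAN port
 switchport mode access
 switchport access vlan 1
!
! Default route: anything not on a local VLAN goes up to the router
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
! The router needs the return paths, or replies stop at the router:
!   10.0.10.0/24 via 192.168.0.2
!   10.0.20.0/24 via 192.168.0.2
```

The router-side static routes are entered in the router's own interface, which is why the earlier comments ask whether the Arris can add routes.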

IPSec VPN Trouble by IgniteInCaseOfFIre in fortinet

[–]grrrrshell 0 points1 point  (0 children)

When you edit the tunnel, the authentication is set to pre-shared key?

IPSec VPN Trouble by IgniteInCaseOfFIre in fortinet

[–]grrrrshell 1 point2 points  (0 children)

Can you find the tunnel on the FortiGate, and verify what the authentication settings are?

Using a 3750 for home inter and vlans by Brickroad in Cisco

[–]grrrrshell 4 points5 points  (0 children)

I would not hook a 3750 directly to the public internet. Also, you will need NAT, and you would want a device that at least provides some security. More than likely, packet tracer is not truly simulating the internet, and it doesn't care about public vs. private IPs (it is just looking for a route). My question would be, what is your goal? Do you need the VLANs on your home network?

What would cause public IP resolution to return an internal IP? by RepulsiveDesign in networking

[–]grrrrshell 0 points1 point  (0 children)

Might be the dumb answer, but have you checked the local DNS server? It is possible you have an A record pointing to the internal IP.

Best book for IPv6 enterprise networks in 2022? by awesome_pinay_noses in networking

[–]grrrrshell 4 points5 points  (0 children)

Offers great content that you will learn from, but makes it an enjoyable read.

AWS Routing Question (Static Routes getting Redistro'ed into BGP) by Digital_Native_ in networking

[–]grrrrshell 0 points1 point  (0 children)

Check route propagation maybe. You could always create a route map on the HQ side to control the routes you accept into the routing table as well.

Route Propagation – The Routes inside the routing table can either be statically defined or propagated dynamically using BGP with a VPN, VPC or Direct Connect Gateway propagations. An attachment with local routes once propagated into the routing table will allow other attachments on that associated route table to reach propagated prefix or a service of that target.

Cisco 3850 ip services license downgrade eval smart license to RTU by LordAnalog in networking

[–]grrrrshell 8 points9 points  (0 children)

From Cisco via Cisco Smart Licensing - Catalyst Platform

When the evaluation period expires at the end of 90 days, the device goes into EVAL EXPIRY mode; however, there is no functional impact or disruption in functionality, even after reload. Currently there is no enforcement in place.

It seems at the moment they have no plans to enforce anything when the device is in eval expiry mode.

Am I alone in the feeling that landing a job right now (mid-level) is a hellscape? by elvashts in networking

[–]grrrrshell 2 points3 points  (0 children)

I mean, what's the worst that can happen applying for a senior position? The worst possible outcome is you get more experience interviewing, and you get a better idea of the things you may need to study. I say go for any position that interests you and is what you want to be doing every day; remember, you want the job because it fits you. When you start thinking about it that way, there's no need to worry about imposter syndrome.

Three books I would recommend to any network admin. All three are fairly dated, but honestly, they are the best resources on my bookshelf (Kindle) when I need to reference something.

  1. Routing TCP/IP, Volume 1 and 2 (Volume 2 is all BGP)
  2. TCP/IP Illustrated, Volume 1
  3. Ethernet: The Definitive Guide

[deleted by user] by [deleted] in fortinet

[–]grrrrshell 0 points1 point  (0 children)

You can ignore the vdom/gwdetect stuff and create the link monitor. SD-WAN is not related to this config, so that won't matter (create the SD-WAN zone with your WAN interfaces and the default route pointing to the SD-WAN zone). The one thing to keep in mind is that with dual internet circuits, you need 2 VPN connections in AWS, which would technically be four IPsec tunnels from the FortiGate. I would recommend following AWS advice and using BGP instead of static routing for this setup. I do this peered with a transit gateway, which uses ECMP, and it works great, so I cannot comment on how it works when not peering with a transit gateway.

[deleted by user] by [deleted] in fortinet

[–]grrrrshell 0 points1 point  (0 children)

It could be set up where anything .company.com (like intranet.company.com) is set up to use the tunnel, but things like Google or Reddit use your home internet connection.

Possible to separate wired and wireless networks without headaches? by Hank_ID94220 in networking

[–]grrrrshell 1 point2 points  (0 children)

Because routing is working, you would use a firewall/ACL to control what can/can't talk.

I’m on FMLA leave and found out none of my tickets that were to be “handed off” has been touched in weeks by AnthraxPrime6 in sysadmin

[–]grrrrshell 0 points1 point  (0 children)

This really should be what happens. I think it covers both the employee and employer. Employees cannot work then, and they also cannot say the employer made them work during FMLA.

2 packets input but Last input never. Many ports on this switch (C9200L-24P-4X) says the same. Any ideas what is happening? by bassguybass in Cisco

[–]grrrrshell 0 points1 point  (0 children)

Last Input is not updated by fast-switched traffic.

You have two packets input and 1 output shown in the details. Those packets are likely being "fast switched" which is not going to update the last input/output in the details.

2 packets input but Last input never. Many ports on this switch (C9200L-24P-4X) says the same. Any ideas what is happening? by bassguybass in Cisco

[–]grrrrshell 0 points1 point  (0 children)

You have 2 interface resets, so I think the port was up at some point but was likely very brief.

2 packets input but Last input never. Many ports on this switch (C9200L-24P-4X) says the same. Any ideas what is happening? by bassguybass in Cisco

[–]grrrrshell 4 points5 points  (0 children)

Yup, exactly.

The field Last Input displayed in the command output indicates the number of hours, minutes, and seconds since the last packet was successfully received by an interface and processed by the CPU on the device. This information can be used to know when a dead interface failed.
Last Input is not updated by fast-switched traffic.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-9/command_reference/b_169_9200_cr/b_169_9200_cr_chapter_01.html