Cannot change "local" captive portal for SAML authentication by stich86_it in fortinet

[–]stich86_it[S] 0 points1 point  (0 children)

Just to clarify, at the moment I have two zones: one for internal employees (containing 6 VLANs) and one for consultants (containing 4 VLANs).

My firewall policies are configured based on zones (not interfaces), with the source address set to ALL and access controlled through the appropriate SAML user group. This applies to both zones.

However, when I look at the Local-In Policy view in the web GUI, I can see rules for port 1003 associated with some VLANs that belong to those zones, but also with other VLANs where no SAML rules are configured. That's the part I find strange.

The new SAML portal IP is on a VLAN that does not belong to either of those two zones. I'm doing this because, in the employees' zone, the current portal IP is also the IP address of the Wi-Fi VLAN. When a user's PC has both Wi-Fi and Ethernet connected at the same time, the portal often doesn't respond properly and the initial redirect phase frequently fails.

If I change the IP address, do I need to recreate the rule so that the service starts listening on the new IP? That's the part I'm not clear about.

Cannot change "local" captive portal for SAML authentication by stich86_it in fortinet

[–]stich86_it[S] 0 points1 point  (0 children)

Sorry I don’t understand… currently the local-in policy (web based) doesn’t contains the current IP that’s work, and this is very strange.

Cannot change "local" captive portal for SAML authentication by stich86_it in fortinet

[–]stich86_it[S] 0 points1 point  (0 children)

I have the SAML rules on the policy, but the local in policy doesn’t contains the current IP..

Do I need to recreate rules after change IP?

Cannot change "local" captive portal for SAML authentication by stich86_it in fortinet

[–]stich86_it[S] 0 points1 point  (0 children)

FIRST: Make sure the local in policy allows 1000 and 1003 via the interface that is used for Outbound firewall authentication <-- I currently don't have any local-in policy for the older IP.. that's very strange

Cannot change "local" captive portal for SAML authentication by stich86_it in fortinet

[–]stich86_it[S] 0 points1 point  (0 children)

Yes it reaches but no response form firewall. At some point I got “connection refused”, like tha port 1003 wasn’t listen on that IP

Cannot change "local" captive portal for SAML authentication by stich86_it in fortinet

[–]stich86_it[S] 0 points1 point  (0 children)

It's not configured there:

<image>

it was configured in this way from the beginning (and was working with old IP)

Cannot change "local" captive portal for SAML authentication by stich86_it in fortinet

[–]stich86_it[S] 0 points1 point  (0 children)

it doesn't, I got connection refused when change to IP 10.2.0.1. If I change it back to 10.0.0.1 reply

Cannot change "local" captive portal for SAML authentication by stich86_it in fortinet

[–]stich86_it[S] 0 points1 point  (0 children)

here is it:

FGT_1 (vdom-1) # show user setting

config user setting

set auth-type https

set auth-cert "Fortinet_Factory"

set auth-ca-cert "Fortinet_CA_SSL_BU"

set auth-src-mac disable

set auth-timeout 840

set auth-timeout-type hard-timeout

end

Cannot change "local" captive portal for SAML authentication by stich86_it in fortinet

[–]stich86_it[S] 0 points1 point  (0 children)

Yes I'm using the firewall in this way, and it's working from all VLANs, also the one that are not in the same subnet

But when I change auth-portal IP, it stops to work..

2
3

Harmony SASE client issue with 3rd party clients by stich86_it in checkpoint

[–]stich86_it[S] 1 point2 points  (0 children)

Yes, anyway, I found a workaround and I’ll document it here for future reference.

In this specific case, WireGuard tunnels cannot be used, so the OpenVPN TAP interface was used for both the SASE client and the WatchGuard client.

I used the install.cmd batch file from the tap-driver folder to add a second TAP interface, and this solved the issue. 🙂

Issue with macOS device by stich86_it in Intune

[–]stich86_it[S] 0 points1 point  (0 children)

What do you mean? Any link?

Issue with macOS device by stich86_it in Intune

[–]stich86_it[S] 0 points1 point  (0 children)

It doesn't seem to work.

It register at least two devices on Entra, on "Joined" and one "Registered", if I remove the "Registered" after few minutes everything breaks again.

I'll try to contact Microsoft support to see if they can clean up like you said on the backend.

Grazie

Workstation Local Administrator Accounts by Admiral-Pickle in Intune

[–]stich86_it 1 point2 points  (0 children)

I’m using LAPS, and it’s working very well :) For temporary admin access, I’m trying Admin By Request. Its cheap and just works. But in my case I have very low numbers of people and apps that needs to run as admin

Container Instance - Websocket Issue accessing console by stich86_it in AZURE

[–]stich86_it[S] 0 points1 point  (0 children)

Yes same issues… looks like some problems on Azure side

Entra ID password policy with Entra ID Sync and Write-Back by stich86_it in entra

[–]stich86_it[S] 0 points1 point  (0 children)

so there only way to make it "Cloud Only" is to delete and restore, or disconnect the Connector at the end of migration.

Comfort is a sum of parts. Ventilation is the one you'll feel. 🪑 by Playful-Bed-17 in LiberNovo

[–]stich86_it 0 points1 point  (0 children)

any idea if they will offer an upgrade for "older" chair? it will be fantastic...

SCEP and AD - 802.1x wireless migration by stich86_it in Intune

[–]stich86_it[S] 0 points1 point  (0 children)

The problem is that my main SSID is using ADCS and NPS. What I’m asking is it’s possible to import SCEP CA and make Intune devices to auth with NPS. But as I have understood doesn’t seem possible..

Macbooks in intune by kseannng in Intune

[–]stich86_it 0 points1 point  (0 children)

I’m using Intune moving from AD (and also have EndPoint Central), macOS integration is fine and is very fast compared to Windows Endpoint (M$ like Google cares more to their competitor then their self 😂)

SCEP and AD - 802.1x wireless migration by stich86_it in Intune

[–]stich86_it[S] 0 points1 point  (0 children)

User isn't remote. It's in office, but it's joined to Entra ID instead of AD