Nivedha
Staff
December 17, 2025

Technical Tip: FSSO is supplying incorrect info to the FortiGate

Description

This article describes an issue where FSSO supplies incorrect information to the FortiGate, so that VPN users do not hit the correct group-based policies, and provides a step-by-step solution.

This document applies to SSL VPN/IPsec VPN users who are authenticated by the RADIUS server on FortiAuthenticator, where the same logon information is also sent to the FortiGate via FSSO because FortiAuthenticator is also configured as the collector agent.

Scope

FortiGate, FortiAuthenticator.
Solution

To resolve the issue where FSSO is supplying incorrect information to the FortiGate, follow these steps:

  1. Go to VPN -> SSL -> Settings and ensure that the user group is configured correctly.
  2. When the user authenticates against the SSL VPN user group, the user is recognised as a firewall user and not as an FSSO user.
  3. Since the user is authenticating against a domain that has a DC Agent configured, the same logon information is also reflected in the FortiGate as an FSSO user.
  4. Run the command diagnose firewall auth list | grep -A7 -B1 x.x.x.x to check the authentication list and verify that the user is being authenticated correctly.
  5. Try including the RADIUS user group instead of the FSSO user group in the FortiGate policy.
  6. FortiAuthenticator's FortiGate filtering can be used to keep SSL VPN IP addresses from reaching the FortiGate as FSSO users.
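
The check in step 4 can be scripted against saved CLI output to find every IP address that is listed both as a firewall (fw) user and as an FSSO (fsso) user. The following Python is an added example, not part of the original article and not Fortinet code; the output layout, the sample entries, and the function names parse_auth_list and overlapping_ips are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, not captured from a device. The layout ("<ip>, <user>"
# header, then indented "key: value" lines) is an assumed output format.
SAMPLE = """\
10.212.134.200, jdoe
    type: fw, id: 0, duration: 125, idled: 3
    flag(80): radius
    group_name: SSLVPN-RADIUS

10.212.134.200, JDOE
    type: fsso, id: 0, duration: 120, idled: 3
    group_name: FSSO-STAFF

10.10.20.15, ASMITH
    type: fsso, id: 0, duration: 900, idled: 10
    group_name: FSSO-STAFF
"""

HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)\s*$")
FIELD = re.compile(r"^\s+(type|group_name):\s*(.*)$")

def parse_auth_list(text):
    """Return one dict per entry: ip, user, type, group_name."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"ip": m.group(1), "user": m.group(2), "type": None, "group_name": None}
            entries.append(cur)
            continue
        f = FIELD.match(line)
        if f and cur is not None:
            key, val = f.group(1), f.group(2).strip()
            # "type" shares its line with other fields; group names may contain commas.
            cur[key] = val.split(",")[0].strip() if key == "type" else val
    return entries

def overlapping_ips(entries):
    """Map each IP that has both an fw and an fsso entry to its entries."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    return {ip: es for ip, es in by_ip.items()
            if {"fw", "fsso"} <= {e["type"] for e in es}}

if __name__ == "__main__":
    for ip, es in overlapping_ips(parse_auth_list(SAMPLE)).items():
        print(ip, [(e["user"], e["type"], e["group_name"]) for e in es])
```

An address reported here is a candidate for the FortiGate filtering in step 6, since its FSSO entry duplicates a firewall logon from the VPN.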

 

Related articles:

Technical Tip: How to check users logged in using FSSO on FortiGate

Troubleshooting Tip: FSSO CA initial troubleshooting