Skip to main content
echo
echo
Explorer II
November 2, 2015
Question

Can't get FSSO working

  • November 2, 2015
  • 1 reply
  • 17419 views

Hello!

I have tried to get FSSO working but I just can't. I've read manuals, watched video, nothing.

I tried to use polling mode, didn't work. Then I installed collector agents in all DC-s and in one of them (local) I see some few "Logon Users", but that's it. My computer is not listed.

 

My initial purpose was to set up 802.1X port authentication for FWF30D models but it looks like these devices don't support it. They are in remote locations so it is actually important for such places. Then I found that using AD-connected security groups (FSSO), it should be possible to create policies so that only domain computers can access internet or resources behind the tunnel with headquarter. Which is also good.

So I made a test environment in my office by creating a policy with FSSO-related user group that only domain computers could access certain public web page which I know but others don't (so they won't be affected by this rule). The next rule prohibits access to that web page. And of course, I can't access that web page, only the second rule gets hits.

 

FGT60D524 # diag debug fsso-polling detail AD Server Status: ID=1, name(192.168.18.5),ip=192.168.18.5,source(security),users(0) port=auto username=administrator read log offset=58549447, latest logon timestamp: Mon Nov  2 15:55:57 2015 polling frequency: every 10 second(s) success(171666), fail(0) LDAP query: success(11299), fail(0) LDAP max group query period(seconds): 4 most recent connection status: connected Group Filter: CN=Domain Computers,CN=Users,DC=ourdomain,DC=ourtld

I actually don't want to keep collector agents running in dc's because that seems too complicated but even when I have those installed, what should I check next?

1 reply

Matthew_Lee
Matthew_Lee
New Member
November 2, 2015

Hi Echo, I'm new to this forum but have worked with Fortigates for years and wanted to give you some feedback and food for thought. You dont need the collector agent on all DC's.  Start off with 1 collector agent on one of your domain controllers and the DC agent on your other domain controllers.  Do not register to the Fortigate yet as the collector might pull a dodgy group filter from the Fortigate that might be contributing to your issue.  When you install the collector to start with dont set any user or group filters. If you're not even seeing your machine on the collector then we need to sort this before we progress any further with linking the Collector to the FGT. Make sure to reboot after installing the DC agent on the other domain controllers.  Then, log into a client and use the set command to check what logon server you authenticated with and make sure that this DC is one with a DC agent on (or is the collector agent).    I have had most success not using polling mode.  Polling mode is not as feature rich as the collector method and generally I have more success with DCagent that event log polling.   Your group filter looks a bit odd - domain computers?  Shouldn't this be domain users? I have in the past seen an issue whereby if you dont select the advanced under AD access mode you can get issues too.  This can be found in the collector setting under "Set directory Access Information". If you get to the stage whereby you can see your logged on users on the collector let me know and we'll take ti from their. Hope this is of some help. Matt

echo
echoAuthor
Explorer II
November 3, 2015

Hello, Matt, thanks a lot for your help! I uninstalled collector agents from other two dc's and installed dc agents there.

 

I haven't yet set any "Group filters" in Collector agent and Directory access information has been chosen as Advanced by default. I unchecked polling mode checkbox in FGT.

 

I still don't see my computer/username in the list of logon users, but of those which are presented, some have status OK, some Not Verified. What's that?

 

Yes, I want domain computers in the policy so not considering user which is logged on to the workstation, especially if there is noone logged in at all, like after power failure or just restart. Just like I've done with wireless "enterprise" authentication -- it should be computer based so that even if there is nobody logged in, there will be connection to internal network and group policies can be applied and machine is "visible" for various management.

 

I will probably make a restart this evening to the dc where collector agent is installed.

I will let you know how is it after that.

e

echo
echoAuthor
Explorer II
February 10, 2016

Hello! After being overwhelmed with other work I finally have some time to deal with this further.

There is one dc in our office, other two are hosted away, connected with a tunnel and having dcagents.

In out office, my colleague dared to install v5.4.0 so I updated the dcagents and collector agent too.

I see my own computer in collector agent list now.

I also added, even if just for testing, the Domain Users group in the FGT config but that didn't help. I try to open a randomly specified-for-testing web page from my computer to which I gave access only from AD-authenticated "users" but only the next denying rule gets hits.

Anybody knows how to figure out the cause why my computer is not authenticated against FGT?

Terms & ConditionsAccessibility statement