Skip to main content
Jevgenij
Jevgenij
New Member
November 9, 2016
Question

FSSO-polling from AD over LDAP and AD groups

  • November 9, 2016
  • 1 reply
  • 8641 views

Hello

We have Fortigate 300D HA cluster 5.2.9

By Fortinet guide configured LDAP server, 2 AD DC (Windows server 2012 R2) in SSO and User group.

When in SSO settings selected only AD group IPv4 policy do not recognize AD users (members of that AD group) and deny all traffic. If users also selected in SSO settings and added to Forti usergroup anything working ok, policy permits traffic.

My config:

 

config user ldap
    edit "in.axis.lt"
        set server "in.axis.lt"
        set cnid "sAMAccountName"
        set dn "DC=in,DC=axis,DC=lt"
        set type regular
        set username "xxx"
        set secure ldaps
        set port 636
    next
end

config user fsso-polling
    edit 1
        set server "una.in.axis.lt"
        set user "xxx"
        set ldap-server "in.axis.lt"
            config adgrp
                edit "CN=Forti_test_gr_1,OU=Security Groups,OU=Special,DC=in,DC=axis,DC=lt"
            end
    next
    edit 2
        set server "sula.in.axis.lt"
        set user "xxx"
        set ldap-server "in.axis.lt"
            config adgrp
                edit "CN=Forti_test_gr_1,OU=Security Groups,OU=Special,DC=in,DC=axis,DC=lt"
                next
            end
    next
end

config user group
    edit "SSO_Guest_Users"
    next
    edit "AD_Forti_test_gr_1"
        set group-type fsso-service
        set member "CN=Forti_test_gr_1,OU=Security Groups,OU=Special,DC=in,DC=axis,DC=lt" 
    next
end

 

Do i need select all AD users in SSO settings and add them to Forti usergroups one by one? 

Another question - do i have to select all groups/users on both AD DC servers in fsso-polling settings?

1 reply

xsilver_FTNT
Staff
xsilver_FTNT
Staff
November 10, 2016

Hi,

 

I would suggest to open ticket on Fortinet support for that and share full config + outputs of FSSO troubleshooting.

LDAP in local polling is used to let you select groups and also for group membership verification. So it has to work flawlessly. Make sure it is.

I do not know your policies but be aware that FortiOS 5.2 and 5.4 prefer non-identity policies over those with identity.

If policy uses "AD_Forti_test_gr_1" and user is already known in the FSSO user list (diag debug auth fsso list), and his "Groups" matches "CN=Forti_test_gr_1,OU=Security Groups,OU=Special,DC=in,DC=axis,DC=lt", then he is considered a "MemberOf" "AD_Forti_test_gr_1" as per your group config. Then if IP headers like SRC/DST/Service do match he should be considered as matching to the policy. Otherwise next policy, with same IP headers, will be checked.

 

Groups in FSSO should point to group objects in AD (in LDAP objectClass = group). There is no need and it does not make any sense to add user objects into group definitions.

 

Second, as fsso-poller does check just users matchin AD group "CN=Forti_test_gr_1,OU=Security Groups,OU=Special,DC=in,DC=axis,DC=lt", then make sure your users, logged on test workstation, do belong to that group. As logon events from users outside of this group will be discarded by FSSO poller and they do not make it to FSSO user list. It's a filter for wanted records, whitelist sort of, non-matching entries are simply not taken into account.

 

Hope it helped a bit. Tomas

 

PS: for initial troubleshooting of FSSO polling directly from FGT I'm using attached template to callect all necessary data. Use that and provide those to ticket if you are going to open one on support site.

Terms & ConditionsAccessibility statement