Skip to main content
boneyard
boneyard
Valued Contributor
January 2, 2016
Question

FSSO with collector agent is directory access set to advanced manditory?

  • January 2, 2016
  • 1 reply
  • 12041 views

have been through a long struggle with FSSO using a collector agent. the active directory part worked from the start, i could see the logon users i expected. the issue was they were not send to the fortigate (5.2.4), nothing in logs / cli: diagnose debug authd fsso list showed zero. after trying all kind of configurations on the fortigate and collector agent i finally changed "Set Directory Access Information" to Advanced on the collector agent and now it works fine. i have read several sections of the manual, cookbooks, ... and nowhere i see mentioned that Advanced is needed for Directory Access Information when doing FSSO with collector agent. Is it needed and did i miss this in the documentation or am i doing something wrong and should Standard be fine also? in principle it seems to make sense to me Advanced is needed. when i look at "Set Group Filters" in the collector agent i see that the fortigate pushes a filter based on the Advanced structure (i.e. CN=Domain Users,CN=Users,DC=DOMAIN,DC=EXT). where if i want to add a filter, something that doesn't seem useful in general as it gets overwritten by the fortigate every time, i use the DOMAIN\name format if im not in Advanced.

 

1 reply

xsilver_FTNT
Staff
xsilver_FTNT
Staff
January 4, 2016

Hello,

 

it is NOT needed to be advanced, but I'd recommend to use it.

 

But! there are differences between Advanced and Standard mode which made your config not working.

Main difference is that Standard mode does use group name as in MS format (DOMAIN/GROUP) while Advanced format does use LDAP format (CN=group,dc=domain).

And therefore, if you set LDAP into FSSO Agent config on FortiGate, it will gives you possibility to choose groups you'd like to use on FortiGate (instead of learning all the groups, so filter is in general very good idea). When you choose the groups this way then FortiGate pushes those groups as Group Filter into Collector Agent .. in LDAP format.

So, IF Collector runs in Standard, but Group Filter is in LDAP format, then users are processed but as they do not match filter they are not published to FortiGate's FSSO user list.

 

In short:

1. pay attention to group name format

2. format and groups has to be aligned on 3 places :

2.1 FSSO Collector mode (Standard/Advanced)

2.2 FSSO Collector Group Filter

2.3 FortiGate AD groups (config user adgrp) + related firewall groups (config user group)

 

Best regards, Tomas

boneyard
boneyardAuthor
Valued Contributor
January 4, 2016

thank you Tomas. i suspected the LDAP server was a mandatory choice for the Single Sign-On configuration so i always selected one, thereby also having to select one or more users or groups. this isn't the case? there is no reason to select an LDAP server expect to do some extra filtering from the Fortigate side?

Ralph1973
Ralph1973
New Member
January 4, 2016

Hello, just for your information, what I recognized lately while configuring FSSO together with ldap and advanced mode is that the manual says to select Userprincipal name in the ldap config. When you have ldap configured for sslvpn acces, it happened that this didn't work anymore. I had to select SamAccountname.

Also, when using ldap, passwords are transfered in plain (not even hashed or whatever). Something to take into account.

 

Kind regards,

Ralph Willemsen

Arnhem, Netherlands

Terms & ConditionsAccessibility statement