Rob_it
New Member
September 20, 2018
Question

Only FSSO Agent Authentication working - Issues with NTLM and LDAP

  • 1 reply
  • 10209 views

I am having a major headache with our 500D (Firmware 5.6.5) and I'm sure it's some fundamental setting I am missing.

FSSO is configured on the FortiGate and the FSSO user group points to an AD user group for internet access. The IPv4 policy is set up as follows: Source: all + the FSSO group above; Dest: all. <-- This is working fine, logging IP and AD users!

I have been trying for some time to get an alternative method of authentication to help non-domain devices and Apple Macs get internet access. We just need a pop-up box, or web authentication, to verify an account against AD.

So far I have tried:

NTLM authentication via an IPv4 policy (NTLM enabled via CLI) - no pop-up box appears; it just fails with a page not found. Without the FSSO or LDAP user group tagged on the rule, the device gets internet.

NTLM, FSSO group and LDAP all tried using both transparent and explicit proxy rules. Again the proxy policies both work fine without user groups, but when they are added I get "Access Denied – The page you requested has been blocked by a firewall policy restriction".

I followed Cookbook recipes such as this one for the above.

I don't mind if the device gets a pop-up login box or a web authentication box, but as soon as I introduce a user group, the policy fails.

Am I missing some global setting to allow these other methods of authentication?

Help would be greatly appreciated.

Thank you for reading.

    1 reply

    AlfonsoGTS
    New Member
    October 4, 2018

    Hi guys,

    I have the same situation with the same firmware.

    Please help.

    - NTLM enabled on the FSSO Collector
    - NTLM enabled on the policy
    - FSSO working appropriately

    Regards.

    Alfonso Pereira.

    Rob_it (Author)
    New Member
    October 4, 2018

    Hi Alfonso,

    Hope this helps. I ended up raising a ticket with their support. This was their reply. It worked for me.

    Really hope it helps

    Rob

    ~~~~~~~~~~~~~~~~~~

    - You will need to change the groups to the FSSO groups you set up in the firewall proxy policy

    - Please add the following authentication schemes:

    config authentication scheme
        edit "NTLM"
            set method ntlm
        next
    end

    config authentication rule
        edit "NTLM-RULE"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "NTLM"
        next
    end

    - Set the active-auth-scheme to "NTLM"

    dieter
    New Member
    June 16, 2021

    Sorry I have to respond on an old topic. What do you mean by "You will need to change the groups to the FSSO groups you set up in the firewall proxy policy"?

    And how do you set the active-auth-scheme to "NTLM"?
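The following is an added example, not part of this thread and not the text of Fortinet support's reply; it puts the scheme and rule from Rob's post into one complete FortiOS 5.6-style CLI sequence and adds the two pieces the later replies ask about: where the active-auth-scheme is set (the `config authentication setting` table) and how an FSSO group is referenced from a proxy policy. The interface names (`lan`, `wan1`), the group name `FSSO-Internet`, the AD group DN, and the policy ID are placeholders chosen for the example and must be replaced with your own values.

```fortios
# Step 1: FSSO user group that the proxy policy will reference.
# The member DN is a placeholder; use the AD group already learned from your collector.
config user group
    edit "FSSO-Internet"
        set group-type fsso-service
        set member "CN=Internet-Users,OU=Groups,DC=example,DC=local"
    next
end

# Step 2: active authentication scheme and rule (as in the support reply).
# ip-based disable makes authentication per session rather than cached per
# source IP, so several users behind one IP are not all logged in as the first.
config authentication scheme
    edit "NTLM"
        set method ntlm
    next
end

config authentication rule
    edit "NTLM-RULE"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "NTLM"
    next
end

# Step 3: "set the active-auth-scheme to NTLM" - this is the global
# authentication setting, not an option on the rule itself.
config authentication setting
    set active-auth-scheme "NTLM"
end

# Step 4: explicit web proxy policy that carries the FSSO group.
# Non-domain devices that FSSO cannot identify fall through to the active
# NTLM prompt; domain devices already seen by the collector are matched by FSSO.
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "FSSO-Internet"
        set logtraffic all
    next
end
```

After applying this, `diagnose firewall auth list` shows which users were matched by FSSO and which were authenticated actively, which is the quickest way to confirm that a Mac or other non-domain client actually went through the NTLM prompt rather than being silently denied by the group check. Note that NTLM challenge/response for these clients is validated through the FSSO Collector Agent, so NTLM must be enabled there as well (the point AlfonsoGTS lists above); without it the FortiGate has nothing to verify the credentials against and the policy denies the session.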