Cybersecurity Forum


IlyaSeme
New Contributor

FSSO doesn't work

Hello, everybody,

I have FSSO configured on an FG-VM. The users from the required AD group (Domain Users) are not allowed to get Internet access. What could most likely be the problem?

 

I've installed the DC agent on my controller. Configured "LDAP Servers" and "Single Sign-On" - there is full connectivity and I can get groups from my AD on the Forti. The testing machine is a domain machine, for sure. The Forti Agent gets all info about logons on the DC.

Then I've created a rule:

 

Name: VSYO 
Incoming Interface: (port1)
Outgoing Interface: (port2)
Source: all 
Destination: all
Schedule: always
Service: ALL

With this rule all users could get Internet access.

 

Then I've added the required AD group:

Name: Full_Access_Users 
Incoming Interface: Internal (port1)
Outgoing Interface: External (port2)
Source: all & Domain Userz (users group)
Destination: all
Schedule: always
Service: ALL

And no one could get the Internet access.

 

What is wrong? My actual config is attached. Please help me.

 

Many thanks in advance,

Ilya

6 REPLIES
S_baKleb
New Contributor

Hello Ilya,

Following your configuration, I would suggest you remove the LDAP setting in the SSO Server "Baileys":
# config user fsso
# edit Baileys
# unset ldap-server
# end

Afterwards, you can edit the "Domain Userz" group by selecting the FSSO group (see attached PNG).

Hope this will help.

Regards,
Sebastien

IlyaSeme

Hi, Sebastien,

 

I am not following you - why should I change the Domain Userz group type? It's FSSO already.

The problem occurred in two different environments (different customers). Both FGs are VMs running 5.6.

 

Thank you. 

S_baKleb

Hi,

Sorry, I mistyped, it wasn't a configuration suggestion, just a check that I proposed to be sure that the AD groups retrieved by the FSSO appear correctly in "Domain Userz".

My idea is just to first remove the LDAP settings you have in "Baileys" (usually this setting in the FSSO configuration is used to avoid reaching the limit of group entries retrieved by the FSSO agent) and give it a test like this.

 

Thank you for the feedback.

Regards,
Sebastien

IlyaSeme

Hi, Sebastien,

I've removed the LDAP settings as you said. No results. I can see User Events and Firewall User Events. Please see the file attached.

S_baKleb

Okay, that's progress :).

Now I see that the user "semonov" has no group in the monitor screenshot. 

Can you issue these two commands after trying to access internet with user SEMONOV?

# diagnose debug auth fsso list | grep -i -A 5 SEMONOV

# diagnose sys session list | grep -i -C 5 SEMONOV

 

The idea is to check whether this user is properly associated with the group Domain Userz and the corresponding policy.

If the output returns nothing, we might have to check the FSSO Collector Agent settings (if I remember correctly, you can export its configuration; if so, can you please post it?).

 

Regards,

Sebastien
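The check Sebastien describes above (does the FSSO logon for a user carry a FortiGate group, so a group-based policy can match it?) can be automated once the `diagnose debug auth fsso list` output has been copied off the box. The script below is an added example, not part of the original thread or any Fortinet tool. It assumes the line layout `IP: ... User: ... Groups: ... Workstation: ... MemberOf: ...` that this command prints on FortiOS 5.x/6.x; the sample output embedded in it is constructed, and the host names, addresses and group DNs in it are invented.

```python
import re

# Constructed sample in the shape of `diagnose debug auth fsso list` output.
# Assumption: field layout as printed by FortiOS 5.x/6.x; the first logon has
# an empty "MemberOf:" field, which is the symptom seen in the thread (the
# collector reports the logon, but FortiGate maps it to no local FSSO group).
SAMPLE_FSSO_LIST = """----FSSO logons----
IP: 10.10.20.15  User: SEMONOV  Groups: CN=DOMAIN USERS,CN=USERS,DC=CORP,DC=LOCAL  Workstation: WS-SEMONOV MemberOf:
IP: 10.10.20.16  User: IVANOVA  Groups: CN=DOMAIN USERS,CN=USERS,DC=CORP,DC=LOCAL  Workstation: WS-IVANOVA MemberOf: Domain Userz
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

# One logon per line; "Groups:" is the AD group list from the collector,
# "MemberOf:" is the FortiGate user group(s) that list was matched against.
LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+Groups:\s*(?P<groups>.*?)\s+"
    r"Workstation:\s*(?P<workstation>\S+)\s+MemberOf:\s*(?P<member_of>.*)$"
)


def parse_fsso_logons(text):
    """Return a list of dicts, one per logon line; header/footer lines are skipped."""
    logons = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LOGON_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["member_of"] = entry["member_of"].strip()
        logons.append(entry)
    return logons


def unmapped_users(logons):
    """Users the collector reported but FortiGate put in no FSSO user group.

    These logons exist, but a policy with a group in its source will never
    match them, which is exactly the 'no one gets out' behaviour in the thread.
    """
    return sorted(l["user"] for l in logons if not l["member_of"])


def users_in_group(logons, group_name):
    """Users whose FortiGate FSSO group list contains group_name (case-insensitive)."""
    wanted = group_name.lower()
    return sorted(
        l["user"] for l in logons
        if wanted in (g.strip().lower() for g in l["member_of"].split(","))
    )


def report(text, group_name):
    """Summarise a captured listing against the group used in the policy."""
    logons = parse_fsso_logons(text)
    return {
        "total_logons": len(logons),
        "in_policy_group": users_in_group(logons, group_name),
        "unmapped": unmapped_users(logons),
    }


if __name__ == "__main__":
    summary = report(SAMPLE_FSSO_LIST, "Domain Userz")
    print("logons seen:      ", summary["total_logons"])
    print("match policy group:", summary["in_policy_group"])
    print("no FSSO group:     ", summary["unmapped"])
```

Run it against a real capture by replacing `SAMPLE_FSSO_LIST` with the pasted output; any user that lands in `unmapped` has a logon the collector delivered but no group the policy can use, so the next place to look is the Collector Agent's group filter and the FortiGate FSSO user group membership, as Sebastien suggests.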

IlyaSeme

Hi, Sebastien,

Your recommendation solved the issue. Many thanks to you!
