jstan
Staff
Description

This article describes how to configure FortiAuthenticator to recognize the RSSO events for AD machine/computer accounts.

Scope

 

Solution

1) With the default AD (LDAP server) configuration, FortiAuthenticator identifies RADIUS accounting events only for user accounts, not for computer/machine accounts.

 


 

2) By default, the following LDAP filter will be used when FortiAuthenticator is querying the LDAP server for the user information:

 

(&(objectCategory=person)(objectclass=user)(sAMAccountName=PC1.ftnt.local))

 

- With the above LDAP filter, the machine/computer account will not be identified, because a computer's sAMAccountName usually ends with a '$' symbol and therefore does not match the username received in the accounting request.

 

3) In order to allow FortiAuthenticator to recognize machine/computer login events, two changes are necessary: one in the LDAP server configuration and one in the RSSO accounting source settings.

 

4) In the LDAP server configuration, change the setting so that the query is based on the group attribute instead of the user attribute.



 

5) In the RSSO accounting source settings, enable the option 'Use a different attribute to search for the user in the remote LDAP server (instead of the username attribute specified in the remote LDAP server settings)' and set the following value.

 

6) Remote LDAP user attribute: sAMAccountName;dNSHostName (note the semicolon separator).

 


 

7) After configuring the above, FortiAuthenticator will use the following LDAP filter as a query and will be able to identify both user and computer accounts:

 

(&(objectclass=*)(|(sAMAccountName=PC1.ftnt.local)(dNSHostName=PC1.ftnt.local)))
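As an added illustration (this is not FortiAuthenticator's code and does not claim to be its implementation), the following Python models how the two filters above select entries from a constructed sample directory: the default user-attribute filter never matches the computer account because its sAMAccountName is PC1$, while the OR filter built from the semicolon-separated 'sAMAccountName;dNSHostName' setting matches it via dNSHostName. The entries, the escaping helper and the small filter evaluator are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample directory (not a real AD export): one user and one
# computer account. Note the computer's sAMAccountName ends with '$'.
DIRECTORY: List[Dict[str, List[str]]] = [
    {"dn": ["CN=alice,CN=Users,DC=ftnt,DC=local"], "objectCategory": ["person"],
     "objectclass": ["user"], "sAMAccountName": ["alice"]},
    {"dn": ["CN=PC1,CN=Computers,DC=ftnt,DC=local"], "objectCategory": ["computer"],
     "objectclass": ["computer"], "sAMAccountName": ["PC1$"],
     "dNSHostName": ["PC1.ftnt.local"]},
]

def escape_value(value: str) -> str:
    """RFC 4515 escaping, so a RADIUS-supplied username cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def default_filter(username: str) -> str:
    """The user-attribute filter from step 2."""
    return "(&(objectCategory=person)(objectclass=user)(sAMAccountName=%s))" % escape_value(username)

def multi_attribute_filter(attr_setting: str, username: str) -> str:
    """The step-7 filter, built from the semicolon-separated attribute list of step 6."""
    attrs = [a.strip() for a in attr_setting.split(";") if a.strip()]
    ors = "".join("(%s=%s)" % (a, escape_value(username)) for a in attrs)
    return "(&(objectclass=*)(|%s))" % ors

def evaluate(flt: str, entry: Dict[str, List[str]]) -> bool:
    """Evaluate the filter subset used here: '&', '|', attr=value and attr=* (presence).
    Exact, case-sensitive matching only; real LDAP matching rules are case-insensitive."""
    def unescape(v: str) -> str:
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)
    def parse(i: int) -> Tuple[bool, int]:
        if flt[i + 1] in "&|":                      # compound filter: (&...) or (|...)
            op, i, parts = flt[i + 1], i + 2, []
            while flt[i] == "(":
                r, i = parse(i)
                parts.append(r)
            return (all(parts) if op == "&" else any(parts)), i + 1
        j = flt.index(")", i)                        # simple item: (attr=value)
        attr, val = flt[i + 1:j].split("=", 1)
        vals = entry.get(attr, [])
        return (bool(vals) if val == "*" else unescape(val) in vals), j + 1
    return parse(0)[0]

def search(flt: str) -> List[str]:
    """Return the DNs of the sample entries matching the filter."""
    return [e["dn"][0] for e in DIRECTORY if evaluate(flt, e)]
```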

 

8) The RADIUS accounting processing can be reviewed by navigating to https://<FAC-IP>/debug/fsso-agent. A sample of a successful machine accounting event is shown below:


09/10/2021 17:14:56 [EC703700] RAD_ACCT<10.47.1.134>: realm: none username: PC1.ftnt.local
09/10/2021 17:14:56 [EC703700] RAD_ACCT<10.47.1.134>: trying to logon user:PC1.ftnt.local domain:ftnt.local sid:testing ip:10.47.1.134
09/10/2021 17:14:56 [EC703700] Domain Manager [WARN]: LDAP search for reverse group membership of CN=PC1,CN=Computers,DC=ftnt,DC=local failed [err: number of entries: 0]
09/10/2021 17:14:56 [EC703700] Group Cache [INFO]: Loaded groups for user[PC1.ftnt.local]:CN=PC1,CN=Computers,DC=ftnt,DC=local
09/10/2021 17:14:56 [EC703700] Group Cache [INFO]: added (replaced existing one): ftnt.local/PC1.ftnt.local
09/10/2021 17:14:56 [EC703700] RAD_ACCT<10.47.1.134>: user group: CN=PC1,CN=Computers,DC=ftnt,DC=local
09/10/2021 17:14:56 [EC703700] Logon Cache [INFO]: Added new logon, src:RAD_ACCT<10.47.1.134> ip:10.47.1.134 user:ftnt.local/PC1.ftnt.local
