Description |
This article describes how the FSSO Collector Agent can monitor logon events for accounts that use multiple UPN (User Principal Name) suffixes and authenticate using RADIUS. Alternative UPN suffix: student.test-domain.com
|
Scope | FortiGate, FSSO. |
Solution | In order for FSSO Collector Agent to monitor logon events from Alternative UPN suffixes, it should be:
Technical Tip: How to switch FSSO operation mode from Standard Mode to Advanced Mode
Note: The 'Default domain name' should be the AD domain for which this CA is configured, such as 'test-domain.com' in this example. If this field is configured, the user name in the RADIUS accounting message does not need to include the domain name: instead of 'test_user@test-domain.com', it can be as simple as 'test_user'.
If this value is empty, then the user name in the RADIUS accounting message must be in one of these formats 'test_user@test-domain.com', 'test-domain.com\test_user' or 'test-domain.com/test_user'.
The CA uses the user name and domain to query the user's group membership. The client IP address (Framed IP) should also be in the RADIUS accounting message so that the CA can forward the user name, IP address, and groups to the FortiGate.
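The user name rules in the note above, written out as an added Python example (not Fortinet code and not a description of how the Collector Agent is implemented): it checks a decoded RADIUS accounting record for a user name that can be paired with a domain and for a Framed-IP-Address. The dictionary layout, function names, sample records, and the domain classification labels are assumptions made for illustration.

```python
import ipaddress

# Domain values taken from the article's example.
AD_DOMAIN = "test-domain.com"
ALT_UPN_SUFFIXES = {"student.test-domain.com"}


def split_user_name(user_name, default_domain=""):
    """Split a RADIUS User-Name into (user, domain) per the formats in the note."""
    if "@" in user_name:                          # user@domain
        user, _, domain = user_name.rpartition("@")
    elif "\\" in user_name or "/" in user_name:   # domain\user or domain/user
        sep = "\\" if "\\" in user_name else "/"
        domain, _, user = user_name.partition(sep)
    else:                                         # bare name needs the default domain
        user, domain = user_name, default_domain
    if not user or not domain:
        raise ValueError(f"no usable user/domain in {user_name!r}")
    return user, domain.lower()


def check_accounting(attrs, default_domain=""):
    """Return (user, domain, framed_ip, domain_kind) or raise ValueError."""
    user, domain = split_user_name(attrs.get("User-Name", ""), default_domain)
    framed = attrs.get("Framed-IP-Address")
    if framed is None:
        raise ValueError("Framed-IP-Address missing: no client IP to forward")
    ip = str(ipaddress.ip_address(framed))        # ValueError if malformed
    if domain == AD_DOMAIN:
        kind = "ad-domain"
    elif domain in ALT_UPN_SUFFIXES:
        kind = "alternative-upn-suffix"
    else:
        kind = "unknown-domain"                   # label is an assumption of this example
    return user, domain, ip, kind


if __name__ == "__main__":
    # Constructed sample records (documentation address range), not captured traffic.
    samples = [
        {"User-Name": "test_user@student.test-domain.com", "Framed-IP-Address": "192.0.2.10"},
        {"User-Name": "test-domain.com\\test_user", "Framed-IP-Address": "192.0.2.11"},
        {"User-Name": "test_user"},
    ]
    for rec in samples:
        try:
            print(check_accounting(rec, default_domain=AD_DOMAIN))
        except ValueError as err:
            print("rejected:", err)
```
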
Additional Steps on FSSO CA:
Highlight the domain and select 'Setting'. The setting is only available and editable in Advanced Mode:
Enter the server address, port, and user credentials, then select 'OK'. The credentials are essential, and the account should have domain permission on the Domain Controller and AD Server. |