akanibek
Staff
Article Id 317969
Description

This article describes the setup for SSL VPN users who also need FSSO logon information. Because FSSO relies on AD logon events, which only occur when the user triggers a logon on the DC, FSSO does not work with SSL VPN out of the box.

The Windows logon screen does cause a logon for the user, but not on the DC: the SSL VPN is not up yet, so the DC is not reachable and FSSO does not pick up the user.

To make this work, either RADIUS Accounting or syslog messages can be configured. In both cases a message is sent to the Collector Agent, which creates an FSSO event right after login.

After configuring an FSSO Collector Agent to process logon events received from a syslog/accounting client for AD user accounts, the FortiGate may fail to list the user's group information. In the screen below, the 'group_name' field is empty for the FSSO logon event of user 'aduser1' after connecting to the SSL VPN in tunnel mode:

[Image: diag_fir_auth_list_blank_gr.png]

Meanwhile, the same user is listed with a different logon type, 'firewall', which no longer reflects FSSO.

[Image: All_DC_Users_Fir_gr.png]

Scope

FortiGate 7.0.X, 7.2.X, 7.4.X.

FSSO CA from fsso_5_0290.

Solution

The most likely cause is that the FSSO CA's 'Set Directory Access Information' setting (AD Access Mode) is still at its default, Standard mode:

[Image: standardMode.png]

 

The user group format shown on the FortiGate for this integration follows the FSSO CA's Standard mode, domain\user, while Advanced mode uses Distinguished Names (DN):

[Image: fsso_Connector_StandardGroup.png]

 

For syslog events, an LDAP server must already be configured in the FSSO CA under Advanced Settings -> Syslog Source List -> Manage LDAP server (refer to Technical Tip: Configure Fortinet Single Sign On (FSSO) for SSL-VPN users via Syslog).

However, the user group information from that LDAP server is received in the Advanced format (for example CN=Group1,DC=forti,DC=lab), which does not match the Standard mode group names. Snippet of the logon event and the user group information retrieved from the LDAP server:

05/28/2024 09:35:35 [ 5684] Try to parse log message:

<190>date=2024-05-28 time=11:35:36 devname="audi-kvm24" devid="FGVM01TM21000583" eventtime=1716932136038824094 tz="+0200" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1158537975 remip=10.191.35.84 tunnelip=10.212.134.200 user="aduser1" group="All_Domain_users" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"

05/28/2024 21:35:35 [ 5412] ad_user_get_groups_str2_s():CN=AD User1,CN=Users,DC=fortinet,DC=lab+CN=Users,DC=fortinet,DC=lab+CN=Domain Users,CN=Users,DC=fortinet,DC=lab+CN=Network administrators,DC=fortinet,DC=lab+CN=Group1,DC=fortinet,DC=lab+CN=Users,CN=Builtin,DC=fortinet,DC=lab
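As an added illustration (not Fortinet's code and not the Collector Agent's real logic), the script below parses the FortiGate syslog event and the '+'-joined DN list from the CA debug output above, then models the format mismatch: the LDAP groups are DNs, so a Standard-mode (domain\group style) lookup sees none of them, while Advanced mode sees all six. The sample strings are trimmed copies of the article's output, and the two regexes and the "drop non-matching groups" behaviour are simplifying assumptions.

```python
import re

# Constructed samples, trimmed from the CA debug output shown in the article.
SYSLOG_EVENT = ('<190>date=2024-05-28 time=11:35:36 devname="audi-kvm24" type="event" '
                'subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" '
                'tunneltype="ssl-tunnel" remip=10.191.35.84 tunnelip=10.212.134.200 '
                'user="aduser1" group="All_Domain_users" msg="SSL tunnel established"')
LDAP_GROUPS = ('CN=AD User1,CN=Users,DC=fortinet,DC=lab+CN=Users,DC=fortinet,DC=lab'
               '+CN=Domain Users,CN=Users,DC=fortinet,DC=lab'
               '+CN=Network administrators,DC=fortinet,DC=lab'
               '+CN=Group1,DC=fortinet,DC=lab+CN=Users,CN=Builtin,DC=fortinet,DC=lab')

# FortiGate logs are key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Assumed shapes: a DN made of CN/OU/DC RDNs, or a domain\group / domain/group name.
DN_RE = re.compile(r'^(?:CN|OU|DC)=[^,]+(?:,(?:CN|OU|DC)=[^,]+)*$', re.IGNORECASE)
STD_RE = re.compile(r'^[^\\/]+[\\/][^\\/]+$')


def parse_fortigate_log(line):
    """Return the key=value fields of one FortiGate syslog line as a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def parse_dn_list(s):
    """Split the '+'-joined DN list that ad_user_get_groups_str2_s() logs.
    Assumes no multi-valued RDN (a '+' inside a DN) in the group names."""
    return [dn.strip() for dn in s.split('+') if dn.strip()]


def classify_group(g):
    """'advanced' for a DN, 'standard' for domain\\group, else 'unknown'."""
    if DN_RE.match(g):
        return 'advanced'
    if STD_RE.match(g):
        return 'standard'
    return 'unknown'


def check_logon(line, ldap_groups, access_mode):
    """Model of the CA: keep only groups whose format matches the AD access mode.
    An empty 'groups' list is the blank group_name seen in 'diag firewall auth list'."""
    ev = parse_fortigate_log(line)
    if ev.get('action') != 'tunnel-up' or 'user' not in ev:
        return None  # not an SSL VPN tunnel-up event, nothing to log on
    groups = [g for g in parse_dn_list(ldap_groups) if classify_group(g) == access_mode]
    return {'user': ev['user'], 'ip': ev.get('tunnelip'), 'groups': groups}
```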

To fix this kind of issue, it is necessary to:

  1. Change the Active Directory group information (AD Access Mode) from Standard to Advanced.

     [Image: AD_Access_mode.png]

  2. On the FortiGate's FSSO Fabric Connector, select the relevant connector and click 'Apply & Refresh'. Important: firewall user group objects that reference FSSO groups must be rebound afterwards, since the group names change format:

     [Image: ApplANDRefr.png]

  3. The FSSO groups are now listed in the Advanced (DN) format:

     [Image: fsso_connector_AdvancedGrp.png]

To verify, connect to the SSL VPN, and execute the command:

diag firewall auth list | grep -i -A7 <username/IP>

The grep filter is optional; without it the command lists all authenticated users.

[Image: firewall_auth_list.png]

Related articles:

Technical Tip: FSSO Windows Directory Access Methods - Standard versus Advanced Mode

Technical Tip: How to switch FSSO operation mode from Standard Mode to Advanced Mode

Technical Tip: Fortinet Single-Sign-On and nested groups