Created on 05-30-2024 02:29 AM Edited on 05-30-2024 02:33 AM By Jean-Philippe_P
Description
This article describes the setup for SSL VPN users who also need FSSO logon information. Because FSSO relies on AD logon events, which are generated when the user logs on against the DC, FSSO does not work with SSL VPN as expected.
The Windows logon screen does cause a logon, but not on the DC: the SSL VPN tunnel is not up yet, so the DC is not reachable and FSSO does not pick up the user.
To make this work, either RADIUS Accounting or syslog messages can be configured. In either case a message is sent to the Collector Agent, which creates an FSSO logon event right after login.
After the FSSO Collector Agent has been configured to process logon events received from a syslog or accounting client for AD user accounts, the user group information may not be listed correctly on the FortiGate. In the screenshot below, the 'group_name' field is empty for the FSSO logon event of user 'aduser1' after connecting in SSL VPN tunnel mode:
At the same time, the same user is listed with a different logon type, 'firewall', which no longer reflects FSSO.
Scope
FortiGate 7.0.X, 7.2.X, 7.4.X. FSSO CA from fsso_5_0290.
Solution
The most likely cause of the issue is that the FSSO CA's 'Set Directory Access Information' setting (AD Access Mode) is left at the default, Standard mode:
The user group format on the FortiGate depends on the FSSO CA mode: in Standard mode groups follow the domain\user form, whereas in Advanced mode they are expressed as Distinguished Names (DN):
For syslog events, an LDAP server must already be configured in the FSSO CA under Advanced Settings -> Syslog Source List -> Manage LDAP server (refer to Technical Tip: Configure Fortinet Single Sign On (FSSO) for SSL-VPN users via Syslog).
05/28/2024 09:35:35 [ 5684] Try to parse log message: <190>date=2024-05-28 time=11:35:36 devname="audi-kvm24" devid="FGVM01TM21000583" eventtime=1716932136038824094 tz="+0200" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1158537975 remip=10.191.35.84 tunnelip=10.212.134.200 user="aduser1" group="All_Domain_users" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"
… …
05/28/2024 21:35:35 [ 5412] ad_user_get_groups_str2_s():CN=AD User1,CN=Users,DC=fortinet,DC=lab+CN=Users,DC=fortinet,DC=lab+CN=Domain Users,CN=Users,DC=fortinet,DC=lab+CN=Network administrators,DC=fortinet,DC=lab+CN=Group1,DC=fortinet,DC=lab+CN=Users,CN=Builtin,DC=fortinet,DC=lab
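As an added illustration (not Fortinet's code and not the Collector Agent's real parser), the following Python parses the FortiGate tunnel-up syslog event and the DN list from the debug excerpt above into the fields an FSSO logon is built from, and shows which events qualify. The sample inputs are constructed from that excerpt, and the assumption that the first DN entry is the user's own object is read from the log.

```python
import re

# Constructed sample input, copied from the Collector Agent debug excerpt above: the FortiGate
# "SSL VPN tunnel up" syslog event (shortened) and the '+'-joined DN list the CA logged after
# its LDAP group lookup for the same user.
TUNNEL_UP_EVENT = (
    '<190>date=2024-05-28 time=11:35:36 devname="audi-kvm24" logid="0101039947" type="event" '
    'subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" '
    'tunneltype="ssl-tunnel" remip=10.191.35.84 tunnelip=10.212.134.200 user="aduser1" '
    'group="All_Domain_users" dst_host="N/A" msg="SSL tunnel established"'
)
GROUP_DN_LIST = (
    'CN=AD User1,CN=Users,DC=fortinet,DC=lab+CN=Users,DC=fortinet,DC=lab'
    '+CN=Domain Users,CN=Users,DC=fortinet,DC=lab+CN=Network administrators,DC=fortinet,DC=lab'
    '+CN=Group1,DC=fortinet,DC=lab+CN=Users,CN=Builtin,DC=fortinet,DC=lab'
)
# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_event(line):
    """Return the key=value fields of one FortiGate syslog line as a dict."""
    line = re.sub(r'^<\d+>', '', line)  # strip the syslog PRI header, e.g. <190>
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def is_sslvpn_logon(fields):
    """Only a VPN 'tunnel-up' event carrying a user and a tunnel IP can become an FSSO logon."""
    return (fields.get('subtype') == 'vpn' and fields.get('action') == 'tunnel-up'
            and bool(fields.get('user')) and bool(fields.get('tunnelip')))

def dn_cn(dn):
    """Leading CN value of a DN (escaped commas are not handled; the sample has none)."""
    return dn.split(',', 1)[0].split('=', 1)[1]

def fsso_logon_record(event_line, dn_list):
    """Combine the syslog event and the CA's DN list into the logon record FortiGate receives.
    Assumption read from the excerpt: the first '+'-separated entry is the user's own DN,
    the remaining entries are the groups resolved in Advanced (DN) mode."""
    fields = parse_fortigate_event(event_line)
    if not is_sslvpn_logon(fields):
        return None  # e.g. a tunnel-down event or one without a user must not create a logon
    entries = dn_list.split('+')
    return {
        'user': fields['user'],
        'ip': fields['tunnelip'],
        'user_dn': entries[0],
        'groups': entries[1:],                           # DN form, as shown in Advanced mode
        'group_names': [dn_cn(g) for g in entries[1:]],  # CN only, for display
    }
```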
To fix this kind of issue, it is necessary to:
To verify, connect to the SSL VPN and execute the following command (the grep filter is optional):
diag firewall auth list | grep -i -A7 <username/IP>
Related articles:
Technical Tip: FSSO Windows Directory Access Methods - Standard versus Advanced Mode
Technical Tip: How to switch FSSO operation mode from Standard Mode to Advanced Mode
Copyright 2024 Fortinet, Inc. All Rights Reserved.