Technical Tip: How to switch FSSO operation mode from Standard Mode to Advanced Mode

FiFa_FTNT · ‎05-28-2015

Description

This article provides an explanation of standard mode and advanced mode of the FSSO collector Agent.

Solution

FSSO has two modes of operation: Standard Mode and Advanced Mode.

- Standard: The FSSO Collector Agent receives group information from the Collector agent in the domain\user format. In this mode the monitored groups are specified on the Collector Agent.

- Advanced: The FSSO Collector Agent obtains user group information using LDAP. The benefit of this method is that it is possible to nest groups within groups. The group information is in standard LDAP format "CN=myGroup,OU=myOrganizationUnit,DC=myDomain". In this mode the monitored groups are specified on the FortiGate.

It is necessary for the Collector Agent and FortiGate to have the same Directory Access mode, or the connection between them might fail.

Even though Standard mode is the default mode of operation, sometimes it is necessary to switch to Advanced mode in order to comply to company polices or authenticate nested groups.

To switch the FSSO Directory Access mode, the following steps are needed (this applies only if an FSSO solution has been deployed and does not address steps required to deploy a fresh FSSO install). Starting from firmware branch 6.0 there were some GUI changes on the FortiGate but the underlying mechanism is the same.

Collector Agent

1) On the Collector Agent (CA) open the Fortinet Single Sign On Agent Configuration console and click Set Directory Access Information button.

2) Select required mode and apply changes by clicking 'ok' button.

3) If any filters have been configured, remove old filters by clicking Set Group Filters and then selecting filters and pressing 'remove' button.
4) After group filter is specified, FSSO service should be restarted automatically.

FORTIGATE 5.0.x

1) On the FortiGate, go to User & Device -> Authentication > Single Sign-On.

2) To use group filter specified on FSSO collector agent, leave LDAP server empty. With such settings the 'Apply & Refresh' button should be seen.

3) After selecting 'Apply & Refresh' button, the groups specified on FSSO CA group filter should be seen.

In CLI this should be done by running commands:

# exe fsso refresh
# diag debug authd fsso refresh-groups
4) Remap local FSSO groups to reflect change in operation mode.

Go User & Device -> User -> User Groups and specify AD groups which should be in FSSO group.

5) Run the CLI command to clear logons:

# diag debug auth fsso refresh-logons
6) Check logged on users, output should look similar to this:

#di de en
#di de authd fsso server-status

2015-02-18 00:15:51
Server Name                Connection Status   Version
-----------                -----------------   -------
2015-02-18 00:15:51 myCA   connected           FSSO 5.0.0230

#di de authd fsso list
----FSSO logons----
IP: 192.168.168.3 User: FIFAUSER Groups: CN=DOMAIN USERS,CN=USERS,DC=FIFA,DC=WM,DC=COM+CN=DOMAIN ADMINS,CN=USERS,DC=FIFA,DC=WM,DC=COM Workstation: WIN-2V9B6LEQ45R.FIFA.WM.COM MemberOf: fifauser FSSO_Domain_Users_proxy
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----

Under User & Device -> Monitor -> Firewall the logged on users should be seen.

FORTIGATE 5.6.x

1) On the FortiGate, go to User & Device -> Single Sign-On and edit the FSSO entry.

2) To use the group filter specified on the FSSO collector agent, change the Collector Agent AD access mode to Standard. Save the setting with 'OK' and if needed afterwards 'Apply & Refresh'.

After selecting 'Apply & Refresh' button, the groups specified on FSSO CA group filter should be seen.

In CLI this should be done by running:

# diag debug authd fsso refresh-groups
3) To specify a group filter on the FortiGate, set the the Collector Agent AD access mode to Advanced.

Select one of the preconfigured LDAP server entries from the FortiGate and select which groups, users or OUs it is required to filter.

Run the CLI command to clear logons:

#diag debug auth fsso refresh-logons
4) Remap local FSSO groups as they will be unset with the Directory Access Change on the FortiGate.

Go to User & Device -> User -> User Groups and specify AD groups which should be in FSSO group.

FORTIGATE 6.0.x and 6.2.x

1) On the FortiGate, go to Security Fabric -> Fabric Connectors and edit the FSSO entry.

2) To use the group filter specified on the FSSO collector agent, change the User Group Source to Collector Agent. Save the setting with 'OK' and if needed afterwards 'Apply & Refresh'.

After selecting 'Apply & Refresh' button, the groups specified on FSSO CA group filter should be seen.

In CLI this should be done by running:

# diag debug authd fsso refresh-groups
3) To specify a group filter on the FortiGate, change the User Group Source to Local.

Select one of the preconfigured LDAP server entries from the FortiGate and select which groups, users or OUs it is required to filter.

Difference between User Group Source: Collector Agent and Local:-
Collector Agent:
- Usually selected when FSSO Collector Agent is configured in Standard mode.
- Means that the Group Filter for users is specified on the Collector Agent

Local:
- Usually selected when FSSO Collector Agent is configured in Advanced mode.
- Means that the Group Filter for users is specified on the Fortigate.
- Fortigate can see the user information tree sent by the Collector Agent but those users will have to be explicitly selected as seen below.

Run the CLI command to clear logons:

# diag debug auth fsso refresh-logons
4) Remap local FSSO groups as they will be unset with the Directory Access Change on the FortiGate.

Go to User & Device -> User -> User Groups and specify AD groups which should be in FSSO group.