FortiGate
FiFa_FTNT
Staff
Article Id 194343

Description

 

This article describes the standard mode and advanced mode of the FSSO collector Agent.
 
Scope
 
FortiGate.


Solution

 

FSSO has two modes of operation: Standard Mode and Advanced Mode.
  • Standard: The FSSO Collector Agent receives group information from the DC Agent in the NetBIOS domain\user format. 
  • Advanced: The FSSO Collector Agent obtains user group information using LDAP. The benefit of this method is that it is possible to nest groups within groups. The group information is in standard LDAP format 'CN=myGroup,OU=myOrganizationUnit,DC=myDomain'. In this mode, the monitored groups are specified on the FortiGate.

It is necessary for the Collector Agent and FortiGate to have the same Directory Access mode, or the connection between them might fail.

Even though Standard mode is the default mode of operation, it is sometimes necessary to switch to Advanced mode to comply with company policies, to authenticate users through nested groups, or when some devices have host (computer) names longer than 15 characters. Host names longer than 15 characters cause Collector Agent DNS resolution to fail. See this article: Technical Note: Workstation hostname character limit with FSSO scenario.
 
Standard mode does not support nested groups, so a user must be a direct member of the group being monitored.
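The following is an added example (not Fortinet code) that models the difference just described: in Standard mode the DC Agent reports only the groups a user is a direct member of, in 'DOMAIN\group' format, while in Advanced mode the Collector Agent resolves membership through LDAP and can follow groups nested inside other groups. The directory below (group DNs and their 'member' values), the NetBIOS domain name 'EXAMPLE', and the user names are constructed for the example; the code does not contact a domain controller.

```python
"""Standard vs Advanced FSSO group matching, modelled on a constructed directory.

Standard mode: direct membership only, groups reported as DOMAIN\\group.
Advanced mode: LDAP-style lookup that walks nested groups (with cycle protection).
"""
from typing import Dict, List, Set

# Constructed sample directory: group DN -> 'member' attribute values.
# Members can be users or other groups (that is what makes a group "nested").
DIRECTORY: Dict[str, List[str]] = {
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": [
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=IT-Staff,OU=Groups,DC=example,DC=com",   # nested group
    ],
    "CN=IT-Staff,OU=Groups,DC=example,DC=com": [
        "CN=bob,OU=Users,DC=example,DC=com",
        "CN=Helpdesk,OU=Groups,DC=example,DC=com",   # second level of nesting
    ],
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": [
        "CN=carol,OU=Users,DC=example,DC=com",
        "CN=VPN-Users,OU=Groups,DC=example,DC=com",  # cycle back to the top group
    ],
}

NETBIOS_DOMAIN = "EXAMPLE"  # assumed NetBIOS name of the example domain


def cn_of(dn: str) -> str:
    """Return the CN value of a DN such as 'CN=alice,OU=Users,DC=example,DC=com'."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1]


def standard_mode_groups(user_dn: str) -> Set[str]:
    """Standard mode: only groups the user is a direct member of,
    reported in NetBIOS 'DOMAIN\\group' format."""
    return {
        f"{NETBIOS_DOMAIN}\\{cn_of(group_dn)}"
        for group_dn, members in DIRECTORY.items()
        if user_dn in members
    }


def advanced_mode_groups(user_dn: str) -> Set[str]:
    """Advanced mode: resolve membership the way an LDAP lookup would,
    following every group that is itself a member of another group.
    Returns group DNs. The 'resolved' set stops the walk when groups
    contain each other, so a cyclic directory cannot hang the resolver."""
    resolved: Set[str] = set()
    pending = [g for g, members in DIRECTORY.items() if user_dn in members]
    while pending:
        group = pending.pop()
        if group in resolved:
            continue  # already expanded (also breaks cycles)
        resolved.add(group)
        # Any group that lists this group as a member is an indirect membership.
        pending.extend(
            parent for parent, members in DIRECTORY.items() if group in members
        )
    return resolved


def matches_filter(user_dn: str, monitored_group: str, advanced: bool) -> bool:
    """Does the user match the monitored group under the given mode?
    In Standard mode the filter is 'DOMAIN\\group'; in Advanced mode it is a DN."""
    groups = advanced_mode_groups(user_dn) if advanced else standard_mode_groups(user_dn)
    return monitored_group in groups


if __name__ == "__main__":
    carol = "CN=carol,OU=Users,DC=example,DC=com"
    print("Standard:", sorted(standard_mode_groups(carol)))
    print("Advanced:", sorted(advanced_mode_groups(carol)))
    print("carol in VPN-Users (Standard):",
          matches_filter(carol, "EXAMPLE\\VPN-Users", advanced=False))
    print("carol in VPN-Users (Advanced):",
          matches_filter(carol, "CN=VPN-Users,OU=Groups,DC=example,DC=com", advanced=True))
```

Running the script shows that carol, who is only a direct member of Helpdesk, does not match a Standard-mode filter on VPN-Users but does match the Advanced-mode filter, because Helpdesk is nested in IT-Staff, which is nested in VPN-Users. The cycle in the constructed directory (VPN-Users is also a member of Helpdesk) is handled by the resolved set; a real directory rarely contains such loops, but a resolver that walks nested groups should not assume it never does.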

To switch the FSSO Directory Access mode, the following steps are needed (this applies only if an FSSO solution has been deployed and does not address steps required to deploy a fresh FSSO install). Starting from firmware branch v6.0, there were some GUI changes on the FortiGate, but the underlying mechanism is the same.
 
Collector Agent:
  1. On the Collector Agent (CA), open the Fortinet Single Sign On Agent Configuration console and select the 'Set Directory Access Information' button.
  2. Select the required mode and apply the change by selecting the 'OK' button.
  3. If any group filters have been configured, remove the old filters by selecting 'Set Group Filters', selecting the filters, and then pressing the 'Remove' button.
  4. After the new group filter is specified, the FSSO service should restart automatically.
Note: Starting with FortiGate version 6.2.x, the User Group Source option that corresponds to Standard mode is labelled 'Collector Agent', and the one that corresponds to Advanced mode is labelled 'Local'.
 
FortiGate v6.0.x and v6.2.x:

  1. On the FortiGate, go to Security Fabric -> Fabric Connectors and edit the FSSO entry.

  2. To use the group filter specified on the FSSO collector agent, change the User Group Source to Collector Agent. Save the setting with 'OK' and, if needed afterwards, select 'Apply & Refresh'.
 
 
After selecting the 'Apply & Refresh' button, the groups specified on the FSSO CA group filter should be seen.
 
CLI configuration:
 
config user fsso
    edit "fsso_mttest"
        set server "10.0.0.10"
        set password ENC LT4RY0HQnKeyqDelRYPLdkqjGDOiHGiSmhq5CIVhrEI76nrspnjSEaBmoeDH/Q6Xp6KnjSA6UWHWpqbwrTMGfhfU7K/Z5wLOK+hSETa3QSxWXhgKVl2LJ2rarIY1OUthg7Jj25wOoOkXFzK3PkYUnkecROl9sf2E3LdzKYGbxqd4FCEgMM3UHfqUQ5ry3ltyRckfdVlmMjY3dkVA
    next
end

In the CLI, the equivalent of 'Apply & Refresh' is the following command:
 
diagnose debug authd fsso refresh-groups
 
  3. To specify the group filter on the FortiGate instead, change the User Group Source to Local.
 
Select one of the pre-configured LDAP server entries on the FortiGate and select the groups, users, or OUs to filter on.
 

Difference between Local and Collector Agent as User Group Source:

 

Collector Agent: Usually selected when the FSSO Collector Agent is configured in Standard mode.

 

Local:

  • Usually selected when the FSSO Collector Agent is configured in Advanced mode. This option supports nested groups.
  • Means that the group filter for users is specified on the FortiGate.
  • The FortiGate can see the user and group tree sent by the Collector Agent, but the users and groups to monitor have to be selected explicitly in the FortiGate group filter.
 

Run the following CLI command to refresh the logon list (the current logons are cleared and re-learned from the Collector Agent):
 
diagnose debug authd fsso refresh-logons
 
  4. Re-map the local FSSO user groups, because they are unset when the Directory Access mode is changed on the FortiGate.
Go to User & Device -> User -> User Groups and specify the AD groups that should be members of each FSSO group.
 
Refer to the article below if the dynamic address type is used:
 
 
Related article: