Description
This article describes the basic troubleshooting steps for FSSO when using an external Collector Agent with polling or DC-Agents, as well as TS-Agents.
The most common issues that can occur:
1) Collector Agent not receiving DC-Agent logon information.
2) FortiGate not connecting to FSSO Collector Agent.
3) User not being authenticated initially.
4) User was authenticated but got sporadically or intermittently deauthenticated at one point in time.
5) User gets de-authenticated when switching from wired to wireless and vice versa.
6) User shown as authenticated on the FortiGate but without group membership.
Solution
1) Collector Agent not receiving DC-Agent logon information.
DC-Agent sends logon information to the Collector Agent by default via port UDP/8002.
Verify the Collector Agent is listening on port UDP/8002 in the Windows Firewall.
Received logon information can be verified in Collector Agent in the Show Monitored DCs window:
2) FortiGate not connecting to FSSO Collector Agent.
FortiGate connects to the Collector Agent by default via port TCP/8000.
Verify the Collector Agent is listening on port TCP/8000 in the Windows Firewall.
Make a telnet connection from the FortiGate to see if the CA is listening and to additionally verify that is connected:
# exec telnet 10.0.0.10 8000
Trying 10.0.0.10...
Connected to 10.0.0.10.
FSSO 5.0.0278 BDWFSAE_SERVER_10001
Connection closed by foreign host.
# diag debug enable
# diag debug auth fsso server-status
Server Name Connection Status Version Address
----------- ----------------- ------- -------
fsso_mttest connected FSSO 5.0.0278 10.0.0.10
Additionally, verify if the passwords match by setting a new password 15 characters or less on both the FortiGate's FSSO connector and the password field on the collector agent. Once passwords match and connectivity is sound, the FortiGate serial will be listed in 'Show Service Status'.
If it is still not listed, try the following to debug the FSSO process. Recommend connecting via SSH and logging output to a file:
# diag deb reset
# diag deb app auth 8256
# diag deb en
Then set an unused IP in the FortiGate's connector. Wait a moment. Then populate the correct server IP for the system running the collector agent. This should generate a connection attempt and output relevant details.
If no output is generated the FSSO process may be in an unusual state. Kindly engage Fortinet support for further assistance.
3) User not being authenticated initially.
Check in Collector Agent if a user is shown in the Show User List and filter by IP address of workstation or username.
Ensure the IP address and username match the workstation IP and the username of the user in question.
If the user is not shown in the Show User List, enable Log level to Debug, try a new logon event and verify if user-related logon information is in the log.
If no information for the user is shown in the log, run the following command in the Windows CMD on the User’s workstation: echo %logonserver%.
The output will provide information on which DC has served the logon event.
Verify on the DC in question if there is a logon event for that user and with which Windows Security Event ID.
4) User was authenticated but got sporadically or intermittently de-authenticated at one point in time
- Note the username, IP address and workstation name of the affected user.
- Check in the Collector Agent if the user is authenticated, and check if the IP address matches.
- Open an SSH session to the FortiGate and run the following commands:
# diag debug authd fsso list | grep X.X.X.X <- while this is the IP of the affected user.
# diag firewall auth list | grep X.X.X.X <- while this is the IP of the affected user.
Verify if the user is shown in both FSSO and firewall auth lists.
The user is completely authenticated on the FortiGate if he is shown in the firewall auth list (the equivalent of GUI Firewall User List).
5) User gets de-authenticated when switching from wired to wireless and vice versa.
This issue is very common and usually can occur when the DNS servers do not accurately or quickly enough reflect IP address changes on the workstation.
As FSSO highly relies on DNS A-records of workstations to verify the IP address, this is necessary for the DNS servers to reflect the correct IP address.
This can be verified with a simple nslookup command for the workstation name on the network.
6) User is shown as authenticated on the FortiGate but without group membership in the Firewall User List.
This can occur if the user is not a member of a monitored FSSO group, or if the group is monitored but not applied to the FortiGate IPv4 policies.
The monitored groups can be verified with the command:
# show user adgrp
# config user adgrp
edit "CN=Domain Users,CN=Users,DC=mt-test,DC=local"
set server-name "fsso_mttest"
next
end