Fortinet Forum
eby

FSSO cannot read Windows NPS user logins

I have FSSO Agent-based authentication for internet access; this works for wired Windows users. I've set up the wireless controller to use RADIUS for AAA. Clients that are authenticated through Windows NPS are unable to browse the internet, as the FSSO Agent is not reading NPS user logins and is thus unable to.

How do I get the FortiGate Agent to read NPS information and pass it to the FortiGate? I don't want to create a new "User Group" for NPS, but must retain whatever group is already assigned in AD. Is this even possible?

Fishbone_FTNT

Hi eby,

I don't know your design in detail, but it doesn't seem to me that NPS will trigger the authentication events you need to have an FSSO logon.

In your case you can however utilize RSSO, an SSO method based on RADIUS Accounting. RADIUS Accounting can be sent to either the FSSO CA (versions >=200) or to any FortiGate running FortiOS 5.0 and later. If you choose to go the RSSO way, please check that the RADIUS Accounting packets contain all the necessary information, which is mainly the username and IP address (usually the User-Name and Framed-IP-Address attributes). Without them RSSO won't work.

Cheers,

 Fishbone )(

smithproxy hacker - www.smithproxy.org
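
The check Fishbone describes above, written out as an added example; this is not code from the thread or from Fortinet. It decodes a RADIUS Accounting-Request (RFC 2866 framing), verifies the Request Authenticator against the shared secret, and reports whether User-Name and Framed-IP-Address are present. The shared secret, the username, the address, and the use of the Class attribute to carry the AD group name are all constructed assumptions for the demo; check your own NPS network policy for which attribute, if any, it actually returns for the group.

```python
"""Check whether RADIUS Accounting-Request packets carry what RSSO needs."""
from __future__ import annotations

import hashlib
import ipaddress
import struct

# RADIUS constants from RFC 2865/2866 (protocol-level, not Fortinet-specific).
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CLASS = 25            # assumed here to carry the group name from the NPS policy
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

# Constructed sample value; a real deployment uses its own secret.
SHARED_SECRET = b"s3cret-demo"


def build_accounting_request(secret: bytes, identifier: int,
                             attrs: list[tuple[int, bytes]]) -> bytes:
    """Encode an Accounting-Request the way a NAS (here: the wireless controller) would."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866 s.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attributes(payload: bytes) -> list[tuple[int, bytes]]:
    """Walk the TLV attribute list, rejecting malformed lengths instead of over-reading."""
    attrs: list[tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[i], payload[i + 1]
        if attr_len < 2 or i + attr_len > len(payload):
            raise ValueError(f"bad length {attr_len} for attribute {attr_type}")
        attrs.append((attr_type, payload[i + 2:i + attr_len]))
        i += attr_len
    return attrs


def check_rsso_accounting(packet: bytes, secret: bytes) -> dict:
    """Validate the datagram and report whether it is usable for RSSO."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"code {code} is not Accounting-Request")
    if length != len(packet):
        raise ValueError("Length field does not match datagram size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if packet[4:20] != expected:
        # Either the shared secret differs or the packet was altered in transit.
        raise ValueError("Request Authenticator mismatch")

    result: dict = {"user": None, "ip": None, "status": None, "groups": []}
    for attr_type, value in parse_attributes(body):
        if attr_type == ATTR_USER_NAME:
            result["user"] = value.decode("utf-8", "replace")
        elif attr_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            result["ip"] = str(ipaddress.IPv4Address(value))
        elif attr_type == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            result["status"] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "other")
        elif attr_type == ATTR_CLASS:
            result["groups"].append(value.decode("utf-8", "replace"))

    # RSSO needs both a username and an endpoint address to map a session to a user.
    result["missing"] = [name for name, key in (("User-Name", "user"),
                                                 ("Framed-IP-Address", "ip"))
                         if result[key] is None]
    result["usable_for_rsso"] = not result["missing"]
    return result


# Constructed packets: a complete Start record, and a Start record sent before the
# client obtained a DHCP lease, which therefore lacks Framed-IP-Address.
SAMPLE_COMPLETE = build_accounting_request(SHARED_SECRET, 1, [
    (ATTR_USER_NAME, b"CORP\\eby"),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (ATTR_CLASS, b"Internet_Users"),
])
SAMPLE_NO_IP = build_accounting_request(SHARED_SECRET, 2, [
    (ATTR_USER_NAME, b"CORP\\eby"),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),
])

if __name__ == "__main__":
    for pkt in (SAMPLE_COMPLETE, SAMPLE_NO_IP):
        print(check_rsso_accounting(pkt, SHARED_SECRET))
```

Run the same check against real accounting datagrams captured on UDP/1813 before blaming RSSO: a common failure is that the wireless controller sends Accounting-Start before the client has an address, so Framed-IP-Address only shows up in a later Interim-Update, and RSSO cannot map the session until that arrives. The authenticator check matters too, because a receiver configured to validate the request secret silently drops packets from a NAS with a mismatched secret.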

eby

Hi Fishbone,

My design is simple. All Windows systems use AD and the FSSO Agent for internet access. Linux systems are joined to AD but have static IP-based firewall rules for internet; I couldn't get FSSO to read the login status for Linux systems. Now that we're enabling an enterprise WLAN, I want all systems to use RADIUS authentication for wireless network access. All mobile device users should use their domain credentials to gain wireless access, and internet access should be based on their existing group mappings (some users can only browse, but are not permitted to ping!!!). My understanding is that if we use RSSO, the FortiGate interface will be overloaded with all that RADIUS accounting traffic even though the user doesn't have internet permission. Is there a better way to achieve the result without overloading the FortiGate?

Thanks,

eby

Bromont_FTNT

You could try machine authentication, which will get every domain member PC connected to the network via wireless when they boot up... then internet access will be granted based on FSSO when each user logs in.

eby

NPS is registered with AD and the relevant policies are applied.

When Windows laptops (domain) are connected to wireless using NPS authentication, FSSO is reading that information and internet access is provided accordingly. However, it is not the same with Linux systems: even though they're AD integrated, FSSO won't show any non-Windows device info.

Other mobile devices (non-domain) are authenticated through NPS but get blocked by the FortiGate. Does FSSO only work with Windows clients that are joined to the domain?

boneyard

I'm not 100% sure how those Linux systems are AD integrated? How do you do that exactly?

I would start by looking at the difference on the AD side between Windows and Linux logon events in your logs. That is the basis for FSSO.

eby

Using likewise-open or realmd on Ubuntu. Once you join the Linux system to AD, users can log in to the domain from Linux as they would on a Windows system.

However, the FSSO agent only reads CentOS/RHEL systems joined to AD using a Samba+winbind configuration.