Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jond
New Contributor III

Intune devices and authentication

We are going to be joining a lot of our devices to InTune.

 

I wonder whether anyone has any hints on getting details of the logged in user from these devices to be used by the Fortigate. 

 

Particularly in a 'shared device scenario' - we have cabinets full of laptops and iPads that are handed out to students.

 

Cheers

Jon

8 REPLIES 8
xsilver_FTNT
Staff
Staff

How about something usually called BYOD .. so allow any device on your nettwork and communication from it to some protected resources ONLY when user on that device can authenticate somehow.

 

So alternatives to investigate are:

- FortiNAC, for complete network access controll

- 802.1X port based authentication everywhere

- RSSO, so users will auth with their AD account when they log to WiFi and the WLC will send RADIUS accounting to either FortiGate, or standalone Collector Agent, or FortiAuthenticator, which can make FSSO like record from RADIUS data and verified AD group membership.

- if all users will authenticate towards some MSFT domain, then even something like FSSO should work

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Jond
New Contributor III

What I'm seeking to do is the same as the seamless nature of a login to a AD joined device that is authenticated to FSSO.  The idea being that the user logs into their AAD account on the intuned device, then FG authenticates them based on that.

 

At present it seems the only option is to web-authenticate the users which is a little pants.  There are some potential solutions but the costs are prohibitive for a large education provider.

xsilver_FTNT

Those more detailed guides might help I think.


I know that FortiAuthenticator might not be in your scenario.

But it can act as SAML SP (Service Provider) and ask AAD (Azure Active Directory) as SAML IdP (Identity Provider) to authenticate users and do SSO.

Direct link to how to guide. But there is more than this one documented.
https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/316341/saml-fsso-with-fortiauth... 


Similar SAML SSO connectivity on FortiGate
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/33053/outbound-firewall-auth... 

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

brown999
New Contributor

Hi Jon,

 

I wanted to ask if you got anywhere with this issue.  I am facing a similar problem, after moving from on prem Windows AD to Azure AD and using Intune we have been left without the ability to properly authenticate users through our FG.

 

Any thoughts or advise from anyone would be much appreciated.

 

Thanks

 

Jond
New Contributor III

Alas no - how about you?

curtisrussell
New Contributor

I also don't have problems with this one, strange. Besides this I as a student use iPad to use this service, writing APA format research paper https://edusson.com/apa-paper-writing-service of my daughter this helps me a lot, because I work and it reduces my time, and this service does everything for me and I manage to come with my homework ready. This is a pretty good lifehack taken from my colleague who already two years doing so, are there more like us?)) because this one is brilliant, I hope teachers don't find out about it soon.

Jond
New Contributor III

If you have an outline of your setup then perhaps that would extend the conversation?

What we're talking about is InTune only setup, no hybrid joins to local AD etc.

Without substantial additional infrastructure it appears that your only option is a web-authentication, nothing similar to the seamless nature of FSSO/FSAE etc.

chng
New Contributor

We have a similar situation, we want to get devices only joined with AAD pure Intune Cloud, no AD. And we don't have EMS license. Did you find a solution? Or do you know other way to sync devices only connected to Intune?

Labels
Top Kudoed Authors