voducduy
New Contributor

how to create Internet Access with AD Account

Hi everybody, 

Right now I need to create an internet access policy based on AD accounts. I already have LDAP configured against the AD server, but when I create the policy, users cannot access the internet.

After that, I read the documentation and created a Windows polling group, added a user group with FSSO and tested, but the user still cannot access the internet.

I think I must install the FSSO Agent. But I have a question:

Must the FSSO Agent be installed on the AD server, or can I install it on another server in collector/polling mode?

Thanks

1 Solution
mturic
Staff

Hi,

if you would like to use FSSO for passive user authentication, you have two options:
- Active Directory Connector: this is for direct FSSO polling from the FortiGate, where the FGT connects directly to your AD server and retrieves the Windows Security logon event IDs

- FSSO Agent on Windows AD: this is used for the connection towards the FSSO Collector Agent

On the FSSO CA you also have the choice between polling mode and DC-Agent mode:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Comparison-between-DC-Agent-mode-...

If the user does not have internet access even though everything is configured correctly, you can try to check the following over the CLI:
- diag firewall auth list | grep -A6 -B1 x.x.x.x -> replace x.x.x.x with the IP address of the workstation used for the test

- if the user is shown as correctly authenticated in the firewall auth list with the correct IP, please verify the groups the user is shown as a member of, and whether they match the FSSO group set in the firewall policy you expect the user to go through

You can also check the following articles for further info:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/615946/agent-based-fsso-for-windows-ad

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FSSO-CA-initial-troubleshooting/ta-p...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-polling-connector-agent-configuration...

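As an added example (not from this thread or from Fortinet), a small parser that applies the two checks from the reply above to captured `diag firewall auth list` output: is the workstation IP present with an FSSO entry, and do its groups include the FSSO group the policy expects. The output layout, the sample entries and the group name `FSSO_Internet` are constructed assumptions, not real output.

```python
import re

# Constructed sample of `diagnose firewall auth list` output. The layout is an
# assumption modelled on typical FortiOS output, not copied from this thread.
SAMPLE_AUTH_LIST = """\
10.10.20.45, jdoe
        type: fsso, id: 0, duration: 1532, idled: 12
        server: Local FSSO Agent
        group_id: 3 33554433
        group_name: CN=Internet-Users,OU=Groups,DC=example,DC=com FSSO_Internet
10.10.20.46, asmith
        type: fsso, id: 0, duration: 44, idled: 3
        server: Local FSSO Agent
        group_id: 33554433
        group_name: FSSO_Guests
----- 2 listed, 0 filtered ------
"""

# "ip, user" header line that starts each authenticated session
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)\s*$")

def parse_auth_list(text):
    """Return {ip: {"user", "type", "groups"}} from the auth list text."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"user": m.group(2), "type": "", "groups": []}
            entries[m.group(1)] = current
        elif current is not None:
            field = line.strip()
            if field.startswith("type:"):
                current["type"] = field.split(",")[0].split(":", 1)[1].strip()
            elif field.startswith("group_name:"):
                # groups are space-separated here (assumes no spaces inside DNs)
                current["groups"] = field.split(":", 1)[1].split()
    return entries

def check_policy_match(text, workstation_ip, policy_fsso_group):
    """Apply the reply's two checks: is the IP authenticated via FSSO, and is
    the user a member of the FSSO group the firewall policy expects?"""
    entry = parse_auth_list(text).get(workstation_ip)
    if entry is None:
        return "not-authenticated"   # FSSO never learned a logon for this IP
    if entry["type"] != "fsso":
        return "wrong-auth-type"
    if policy_fsso_group not in entry["groups"]:
        return "group-mismatch"      # policy's FSSO group not among user's groups
    return "ok"
```

A "not-authenticated" result points at the collector/DC-agent side (no logon event seen for that IP), while "group-mismatch" points at the group-to-policy mapping on the FortiGate.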

2 Replies
voducduy

Thanks for your support. I have already fixed this problem.
