I believe this was an issue with older versions of FortiOS previously. When going to Authentication -> User Management -> User Groups, I hit create and target my remote LDAP (Windows AD), and try to specify the LDAP filter. The filter returns nothing when trying to use the memberOf property to grab members of a specific AD group. When using the information from the Administration Guide to create the filter as per the example, it also fails. I can add the group directly (Windows AD group under User Group), but it won't recognize the users within the group when I try to use FortiToken.
If I go to Authentication -> Remote Auth. Servers -> LDAP -> My Win AD Setup -> Remote LDAP Users -> Import users by group memberships, this will work.
Is there a way around this, or to make it work? The best I've come up with is to import the users by group memberships, and then in User Groups select the "Set a list of imported remote LDAP users". But this is a manual process with two steps, whereas I was hoping to have it just work off a group, so in future if I want to add someone, I just add them to the Windows AD group.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I personally like to use Remote User Sync rules. I create one for each remote<>local group mapping.
Some advantages of doing it that way:
1) Auto assignment of mobile token
2) When you look under your local groups, you can actually see the members. This is helpful for troubleshooting. If instead you define a filter under a group, you can't see who FAC has inside that group.
3) You can also have the FAC delete old user accounts when they are no longer present on the domain.
I personally like to use Remote User Sync rules. I create one for each remote<>local group mapping.
Some advantages of doing it that way:
1) Auto assignment of mobile token
2) When you look under your local groups, you can actually see the members. This is helpful for troubleshooting. If instead you define a filter under a group, you can't see who FAC has inside that group.
3) You can also have the FAC delete old user accounts when they are no longer present on the domain.
Ive got the memberof LDAP filter working in my 5.4.1 FAC for User Groups using the following for example
(memberof=CN=SSL_VPN_Users,CN=Users,DC=mydomain,DC=co,DC=uk)
where SSL_VPN_Users is a Security Group in the Users OU on mydomain.co.uk
I did end up making a Remote User Sync Rule, but it seems to be bugged. It has synced my account to the group I created and I got the auto-provision token, but I get the following message in the logs when I try to login:
Windows AD user authentication(mschap) with FortiToken failed: user not filtered by groups
It thinks my account isn't filtered by a group, but I'm in a User Group that was generated by Remote User Sync Rule. The only difference between when I had it working was that the group was set to LDAP filter and had specifically my account filtered only. The group generated by Remote User Sync Rule is a "Set a list of imported remote LDAP users".
Looks like it stripped my group from the RADIUS connection to the FortiGate when I made the Remote User Sync Rule. I've re-added it, but now having issues with FTM push, so gotta test that.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.