Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mes-Lili2
New Contributor III

AD Integration

I am looking to add AD users and groups to firewall policies.

Do i need to use FSSO collector agent or can i just set a remote group in "user groups" via LDAP.

Many thanks

21 REPLIES 21
gsekar
Staff
Staff

Hi

You can configure remote user group via the LDAP please refer the below document for configuration .

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-FortiGate-to-use-an-LDAP-...

 

 

Mes-Lili2
New Contributor III

Thanks for the reply, this shows me how to add user groups into policies but my firewall is only seeing me as an ip address so i need to enable user identification and this is what i need advice on. thanks again..

Mes-Lili2
New Contributor III

Perhaps i need to enable the "poll active directory server"

mle2802
Staff
Staff

Hi @Mes-Lili2

As said in the document "Users that have been imported from the LDAP server, can be used to enforce user based policies as permission sets and allow VPN connections", this is use case for VPN policy. In order to have policy based on user, you may want to take a look at FSSO or active directory polling. Please refer to this document for more information "https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/888827/poll-active-directory...

Regards,
Minh

ebilcari
Staff
Staff

If you want to do what is called passive authentication, apply policies based on AD user groups without asking the user to authenticate you have to use FSSO. This is explained in the documentation guide. You can configure FGT to poll directly the AD for events or install a collector agent on the AD (better scalability):

polling.PNG

Basically FSSO will tie the user with its IP based on their domain logins events, than the user is tied to a FSSO group that is applied to a policy.

fsso-user.PNGLDAP groups are used for active authentication, users will be prompted to enter their credentials again.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Mes-Lili2
New Contributor III

Yes I am now polling the AD server directly but my authentication seems to be failing. I am using UPN as suggested in documentation and testing directly on an AD sever i can authenticate but via tha active directory connector within external connectors it fails. thanks all for your help here..

ebilcari

Is the LDAP server configured correctly? Can you share the output of this command:

diagnose debug fsso-polling detail 1

The local firewall on the server should allow the connection and the user credentials should have privileges to read the events.

I would still suggest to download and use FSSO collector, is free to use and you can get it from the support page

fsso collector.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
mle2802

Hi @Mes-Lili2
For agentless troubleshooting, please refer to this document for more detail "https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-p...

Regards,
Minh

Mes-Lili2
New Contributor III

Thanks all...  

Thus far...debug.png

The LDAP seems ok as we are using it for admin access..

 

Unfortunately DC management is by a different company so will be asking them to check the given credentials on Monday. This also makes the download FSSO not an easy option.

Many thanks to you all. I will of course update soon.

 
 
 

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors