echo
Contributor II

Can't get FSSO working

Hello!

I have tried to get FSSO working but I just can't. I've read manuals, watched videos, nothing.

I tried to use polling mode, didn't work. Then I installed collector agents on all DCs and in one of them (local) I see a few "Logon Users", but that's it. My computer is not listed.

 

My initial purpose was to set up 802.1X port authentication for FWF30D models but it looks like these devices don't support it. They are in remote locations so it is actually important for such places. Then I found that using AD-connected security groups (FSSO), it should be possible to create policies so that only domain computers can access internet or resources behind the tunnel with headquarter. Which is also good.

So I made a test environment in my office by creating a policy with FSSO-related user group that only domain computers could access certain public web page which I know but others don't (so they won't be affected by this rule). The next rule prohibits access to that web page. And of course, I can't access that web page, only the second rule gets hits.

 

FGT60D524 # diag debug fsso-polling detail
AD Server Status:
ID=1, name(192.168.18.5),ip=192.168.18.5,source(security),users(0)
port=auto username=administrator
read log offset=58549447, latest logon timestamp: Mon Nov  2 15:55:57 2015
polling frequency: every 10 second(s)
success(171666), fail(0)
LDAP query: success(11299), fail(0)
LDAP max group query period(seconds): 4
most recent connection status: connected
Group Filter: CN=Domain Computers,CN=Users,DC=ourdomain,DC=ourtld

I actually don't want to keep collector agents running in dc's because that seems too complicated but even when I have those installed, what should I check next?

Matthew_Lee
New Contributor

Hi Echo,

I'm new to this forum but have worked with Fortigates for years and wanted to give you some feedback and food for thought.

You don't need the collector agent on all DCs. Start off with 1 collector agent on one of your domain controllers and the DC agent on your other domain controllers. Do not register to the Fortigate yet, as the collector might pull a dodgy group filter from the Fortigate that might be contributing to your issue. When you install the collector to start with, don't set any user or group filters.

If you're not even seeing your machine on the collector then we need to sort this before we progress any further with linking the Collector to the FGT. Make sure to reboot after installing the DC agent on the other domain controllers. Then, log into a client and use the set command to check what logon server you authenticated with and make sure that this DC is one with a DC agent on (or is the collector agent).

I have had most success not using polling mode. Polling mode is not as feature rich as the collector method and generally I have more success with DCagent than event log polling.

Your group filter looks a bit odd - domain computers? Shouldn't this be domain users?

I have in the past seen an issue whereby if you don't select the advanced under AD access mode you can get issues too. This can be found in the collector setting under "Set directory Access Information".

If you get to the stage whereby you can see your logged on users on the collector let me know and we'll take it from there.

Hope this is of some help.

Matt

echo

Hello, Matt, thanks a lot for your help! I uninstalled collector agents from other two dc's and installed dc agents there.

 

I haven't yet set any "Group filters" in Collector agent and Directory access information has been chosen as Advanced by default. I unchecked polling mode checkbox in FGT.

 

I still don't see my computer/username in the list of logon users, but of those which are presented, some have status OK, some Not Verified. What's that?

 

Yes, I want domain computers in the policy, so not considering the user who is logged on to the workstation, especially if there is no one logged in at all, like after a power failure or just a restart. Just like I've done with wireless "enterprise" authentication -- it should be computer based so that even if there is nobody logged in, there will be a connection to the internal network and group policies can be applied and the machine is "visible" for various management.

 

I will probably make a restart this evening to the dc where collector agent is installed.

I will let you know how it is after that.

e

echo
Contributor II

Hello! After being overwhelmed with other work I finally have some time to deal with this further.

There is one dc in our office, other two are hosted away, connected with a tunnel and having dcagents.

In our office, my colleague dared to install v5.4.0 so I updated the dcagents and collector agent too.

I see my own computer in collector agent list now.

I also added, even if just for testing, the Domain Users group in the FGT config but that didn't help. I try to open a randomly specified-for-testing web page from my computer to which I gave access only from AD-authenticated "users" but only the next denying rule gets hits.

Does anybody know how to figure out why my computer is not authenticated against the FGT?

echo
Contributor II

Now I finally had some progress. I found that after I went on to Agent mode instead of Polling mode, the fsso user in the fgt was actually polling-mode user but neither gui nor cli revealed that information. Only when I started listing users in cli I found that there are different users, fsso and fsso-polling. So I deleted the polling one, also replaced the Domain Computers with Domain Users, I also set the password in dc and fgt, and source-ip too, then finally that authentication rule in fgt got hit and the web page opened.

 

In the meantime while testing I added domain admin credentials to the collector agent but later removed it and it continued to work as expected.

 

I also logged into another computer with local admin account, the web page didn't open, then switched user, logged in with my domain user account, the web page opened. Logged off, switched back to local admin account -- the web page still opened, even after restart of the browser or using another browser! Restart of computer didn't help either. But I noticed from FGT that my temporary authentication was still valid so after forcing de-authenticate in FGT I couldn't open the web page anymore.

 

At the moment it seems like case closed but now I will configure all this to the environment where this is really needed and see if it works there too.

echo
Contributor II

One more note which took so many hours of debugging from me. After I set this up in client's environment, my test-router as a test branch office didn't authenticate, even though Collector agent showed that domain username in the list coming from the computer behind the test router. But "diag deb authd fsso list" was empty and no group filter appeared in Collector agent.

The helping article was this: http://kb.fortinet.com/kb....do?externalId=FD31819

It turned out that the installer of Collector Agent was not automatically added to the Firewall of the domain controller which I used for authentication. After I added C:\Program Files (x86)\Fortinet\FSAE\collectoragent.exe manually to the list of "Allowed apps and features" in Windows Firewall, the authentication started working.

So far, so good.
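
The firewall check described in the last post, as an added example that is not part of the original thread: it looks for an enabled inbound allow rule covering the Collector Agent binary and lists the sockets the agent is listening on. The rule name and the Domain-only profile are assumptions made for this example; the program path is the one quoted in the post.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on
# the domain controller that hosts the FSSO Collector Agent.
$Program = 'C:\Program Files (x86)\Fortinet\FSAE\collectoragent.exe'  # path quoted in the post

function Get-InboundAllowRule {
    param([Parameter(Mandatory)][string]$Path)
    # Application filters carry the program path; rules may store it with
    # environment variables, so expand before comparing. This reads the local
    # (persistent) store only; rules delivered by Group Policy are not listed.
    Get-NetFirewallApplicationFilter |
        Where-Object { [Environment]::ExpandEnvironmentVariables($_.Program) -ieq $Path } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
}

if (-not (Test-Path -LiteralPath $Program)) {
    Write-Warning "Collector Agent binary not found at $Program"
    return
}

# Show what the agent is actually listening on, so the rule can be reviewed
# against real sockets instead of assumed port numbers.
$agent = Get-Process -Name collectoragent -ErrorAction SilentlyContinue
if ($agent) {
    Get-NetTCPConnection -State Listen -OwningProcess $agent.Id -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort
    Get-NetUDPEndpoint -OwningProcess $agent.Id -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort
} else {
    Write-Warning 'collectoragent process is not running'
}

$rules = Get-InboundAllowRule -Path $Program
if ($rules) {
    $rules | Select-Object DisplayName, Profile, Enabled
} else {
    Write-Warning 'No enabled inbound allow rule for the Collector Agent'
    # Rule name and the Domain-only profile are choices made for this example.
    # -WhatIf previews the change; remove it to create the rule.
    New-NetFirewallRule -DisplayName 'FSSO Collector Agent (inbound)' `
        -Direction Inbound -Program $Program -Action Allow -Profile Domain -WhatIf
}
```

A program-scoped rule limited to the Domain profile is narrower than a blanket port exception, and the listening-socket output gives the data needed to tighten it further.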
