- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiAP
- FortiClient
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiExtender
- FortiEDR
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Can't get FSSO working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can't get FSSO working
Hello!
I have tried to get FSSO working but I just can't. I've read manuals, watched video, nothing.
I tried to use polling mode, didn't work. Then I installed collector agents in all DC-s and in one of them (local) I see some few "Logon Users", but that's it. My computer is not listed.
My initial purpose was to set up 802.1X port authentication for FWF30D models but it looks like these devices don't support it. They are in remote locations so it is actually important for such places. Then I found that using AD-connected security groups (FSSO), it should be possible to create policies so that only domain computers can access internet or resources behind the tunnel with headquarter. Which is also good.
So I made a test environment in my office by creating a policy with FSSO-related user group that only domain computers could access certain public web page which I know but others don't (so they won't be affected by this rule). The next rule prohibits access to that web page. And of course, I can't access that web page, only the second rule gets hits.
FGT60D524 # diag debug fsso-polling detail AD Server Status: ID=1, name(192.168.18.5),ip=192.168.18.5,source(security),users(0) port=auto username=administrator read log offset=58549447, latest logon timestamp: Mon Nov 2 15:55:57 2015 polling frequency: every 10 second(s) success(171666), fail(0) LDAP query: success(11299), fail(0) LDAP max group query period(seconds): 4 most recent connection status: connected Group Filter: CN=Domain Computers,CN=Users,DC=ourdomain,DC=ourtld
I actually don't want to keep collector agents running in dc's because that seems too complicated but even when I have those installed, what should I check next?
Labels:
- Labels:
-
5.2
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Echo, I'm new to this forum but have worked with Fortigates for years and wanted to give you some feedback and food for thought. You dont need the collector agent on all DC's. Start off with 1 collector agent on one of your domain controllers and the DC agent on your other domain controllers. Do not register to the Fortigate yet as the collector might pull a dodgy group filter from the Fortigate that might be contributing to your issue. When you install the collector to start with dont set any user or group filters. If you're not even seeing your machine on the collector then we need to sort this before we progress any further with linking the Collector to the FGT. Make sure to reboot after installing the DC agent on the other domain controllers. Then, log into a client and use the set command to check what logon server you authenticated with and make sure that this DC is one with a DC agent on (or is the collector agent). I have had most success not using polling mode. Polling mode is not as feature rich as the collector method and generally I have more success with DCagent that event log polling. Your group filter looks a bit odd - domain computers? Shouldn't this be domain users? I have in the past seen an issue whereby if you dont select the advanced under AD access mode you can get issues too. This can be found in the collector setting under "Set directory Access Information". If you get to the stage whereby you can see your logged on users on the collector let me know and we'll take ti from their. Hope this is of some help. Matt
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, Matt, thanks a lot for your help! I uninstalled collector agents from other two dc's and installed dc agents there.
I haven't yet set any "Group filters" in Collector agent and Directory access information has been chosen as Advanced by default. I unchecked polling mode checkbox in FGT.
I still don't see my computer/username in the list of logon users, but of those which are presented, some have status OK, some Not Verified. What's that?
Yes, I want domain computers in the policy so not considering user which is logged on to the workstation, especially if there is noone logged in at all, like after power failure or just restart. Just like I've done with wireless "enterprise" authentication -- it should be computer based so that even if there is nobody logged in, there will be connection to internal network and group policies can be applied and machine is "visible" for various management.
I will probably make a restart this evening to the dc where collector agent is installed.
I will let you know how is it after that.
e
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello! After being overwhelmed with other work I finally have some time to deal with this further.
There is one dc in our office, other two are hosted away, connected with a tunnel and having dcagents.
In out office, my colleague dared to install v5.4.0 so I updated the dcagents and collector agent too.
I see my own computer in collector agent list now.
I also added, even if just for testing, the Domain Users group in the FGT config but that didn't help. I try to open a randomly specified-for-testing web page from my computer to which I gave access only from AD-authenticated "users" but only the next denying rule gets hits.
Anybody knows how to figure out the cause why my computer is not authenticated against FGT?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now I finally had some progress. I found that after I went on to Agent mode instead of Polling mode, the fsso user in the fgt was actually polling-mode user but neither gui nor cli revealed that information. Only when I started listing users in cli I found that there are different users, fsso and fsso-polling. So I deleted the polling one, also replaced the Domain Computers with Domain Users, I also set the password in dc and fgt, and source-ip too, then finally that authentication rule in fgt got hit and the web page opened.
In the meantime while testing I added domain admin credentials to the collector agent but later removed it and it continued to work as expected.
I also logged into another computer with local admin account, the web page didn't open, then switched user, logged in with my domain user account, the web page opened. Logged off, switched back to local admin account -- the web page still opened, even after restart of the browser or using another browser! Restart of computer didn't help either. But I noticed from FGT that my temporary authentication was still valid so after forcing de-authenticate in FGT I couldn't open the web page anymore.
At the moment it seems like case closed but now I will configure all this to the environment where this is really needed and see if it works there too.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One more note which took so many hours of debugging from me. After I set this up in client's environment, my test-router as a test branch office didn't authenticate, even though Collector agent showed that domain username in the list coming from the computer behind the test router. But "diag deb authd fsso list" was empty and no group filter appeared in Collector agent.
The helping article was this: http://kb.fortinet.com/kb....do?externalId=FD31819
It turned out that the installer of Collector Agent was not automatically added to the Firewall of the domain controller which I used for authentication. After I added C:\Program Files (x86)\Fortinet\FSAE\collectoragent.exe manually to the list of "Allowed apps and features" in Windows Firewall, the authentication started working.
So far, so good.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Verified Temu coupon code acs546758 $40... 53 Views
- Temu coupon code acs546758 $100 for... 38 Views
- Mean time between failure rate for... 75 Views
- FortiGate 200A Not booting or Displaying... 141 Views
- Rubrik support Tunnel access not working 133 Views
Labels
-
FortiGate
7,034 -
FortiClient
1,387 -
5.2
801 -
5.4
639 -
FortiManager
610 -
FortiAnalyzer
446 -
6.0
416 -
FortiAP
369 -
FortiSwitch
368 -
5.6
362 -
FortiClient EMS
285 -
FortiMail
272 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
172 -
6.4
128 -
FortiNAC
123 -
FortiGuard
112 -
IPsec
104 -
SSL-VPN
94 -
FortiGateCloud
93 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
48 -
FortiADC
45 -
Fortivoice
44 -
SD-WAN
43 -
FortiEDR
42 -
FortiDNS
37 -
FortiExtender
36 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiAuthenticator
32 -
FortiSwitch v6.4
32 -
Firewall policy
32 -
VLAN
28 -
High Availability
28 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
DNS
21 -
FortiConverter
21 -
BGP
19 -
FortiGate v5.2
19 -
Certificate
19 -
SAML
18 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
VDOM
16 -
FortiMonitor
14 -
Authentication
14 -
FortiLink
14 -
Interface
14 -
FortiDDoS
14 -
Logging
14 -
FortiGate v5.0
13 -
Fortigate Cloud
13 -
Routing
13 -
FortiCASB
12 -
RADIUS
11 -
NAT
11 -
Web profile
11 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
Application control
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
WAN optimization
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
Admin
7 -
4.0
7 -
Proxy policy
6 -
Security profile
6 -
Traffic shaping policy
6 -
Static route
6 -
FortiDirector
5 -
IPS signature
5 -
Packet capture
5 -
FortiAP profile
5 -
Automation
5 -
FortiManager v4.0
5 -
FortiDeceptor
4 -
Antivirus profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
Web rating
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
System settings
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
FortiDB
3 -
Intrusion prevention
3 -
Protocol option
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
FortiAI
2 -
Application signature
2 -
VoIP profile
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
4.0MR1
1 -
TACACS
1 -
Subscription Renewal Policy
1 -
Replacement messages
1 -
FortiCWP
1 -
FortiNDR
1 -
Schedule
1 -
SDN connector
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
DLP sensor
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1041 | |
| 862 | |
| 512 | |
| 441 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.