I am using Radius accounting from our Wifi to a FortiAuthenticator, that log out users into the Fortigate.
The SSO user type on the FAC is a remote user which points towards a cloud based LDAP platform.
User logins are working perfectly fine the only issue I have is that users are not being associated against any groups and I cannot work out why.
If anyone has any ideas I'd love to hear them as currently this is stopping me from making granular rules based on user groups.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
Please check if the SSO User type is configured as Remote Users and an appropriate LDAP server is selected.
https://docs.fortinet.com/document/fortiauthenticator/6.4.1/administration-guide/178615/radius-accou...
You didn't read my OP, I wrote " The SSO user type on the FAC is a remote user which points towards a cloud based LDAP platform."
Hey SMC,
do you see the groups on FortiAuthenticator itself? You should be able to see the logins under Monitor > SSO > SSO sessions.
If the groups are present there, then the issue is with either FAC not sending the group information for whatever reason, or FortiGate not parsing it.
If the group information is NOT present in the FAC SSO session list, then the issue is with FAC/LDAP group lookup somewhere.
If you haven't done already, you could create a FortiGate Filtering rule for that specific FortiGate in FAC and set the according LDAP groups as filter; sometimes FAC and/or FortiGate will only take group information into account if it is actively filtered for.
You might want to edit the FSSO Connector on FortiGate and hit 'apply&refresh' on it to fetch the group filter settings from FortiAuthenticator (set the group filter location to Collector Agent/FAC, and FortiGate will adopt the filters set in the FortiGate filtering rule).
In additon to Tom's suggestion, I did encounter a similar issue recently where FSSO users showed in FortiGate perfectly fine, but with no groups.
In that case the issue was that the FSSO group filters (from the connector) were not mapped to group objects.
Check under User & Authentication > User Group, if you have groups of type FSSO, and if those map to group filter objects.
Hi,
so I guess you have RSSO Source like this on your FAC
Listening to RADIUS Accounting messages for user names and source IP addresses, but "SSO user type" is "Remote users" pointing to some LDAP.
Therefore what's the group attribute in that Authentication > Remote Auth. Servers > LDAP > Group object class , and also in Group membership attribute in Query elements??
Does it fit to your external LDAP schema and what users truly have set up?
Some helpful hints might be gathered from FAC log, but more from https://<your-fac>/debug/ and related Services like LDAP or RADIUS Accounting.
Just to make sure there is an LDAP search for groups and group membership of the user after RADIUS accounting is received.
Last hint, if this group missing trouble is a bit short term or not reflecting group changes, check Fortinet SSO Methods > SSO > General > User Group Membership and group caching options.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.