Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SMC-IT
New Contributor

FSSO Sessions not showing group

I am using Radius accounting from our Wifi to a FortiAuthenticator, that log out users into the Fortigate. 

 

The SSO user type on the FAC is a remote user which points towards a cloud based LDAP platform.

 

User logins are working perfectly fine the only issue I have is that users are not being associated against any groups and I cannot work out why.

 

Screen Shot 2022-03-09 at 2.09.28 PM.png

 

If anyone has any ideas I'd love to hear them as currently this is stopping me from making granular rules based on user groups. 

5 REPLIES 5
aahmadzada
Staff
Staff

Hi,

 

Please check if the SSO User type is configured as Remote Users and an appropriate LDAP server is selected.

https://docs.fortinet.com/document/fortiauthenticator/6.4.1/administration-guide/178615/radius-accou...

Ahmad
SMC-IT
New Contributor

You didn't read my OP, I wrote " The SSO user type on the FAC is a remote user which points towards a cloud based LDAP platform." 

Debbie_FTNT

Hey SMC,

do you see the groups on FortiAuthenticator itself? You should be able to see the logins under Monitor > SSO > SSO sessions.

If the groups are present there, then the issue is with either FAC not sending the group information for whatever reason, or FortiGate not parsing it.

If the group information is NOT present in the FAC SSO session list, then the issue is with FAC/LDAP group lookup somewhere.

If you haven't done already, you could create a FortiGate Filtering rule for that specific FortiGate in FAC and set the according LDAP groups as filter; sometimes FAC and/or FortiGate will only take group information into account if it is actively filtered for.

You might want to edit the FSSO Connector on FortiGate and hit 'apply&refresh' on it to fetch the group filter settings from FortiAuthenticator (set the group filter location to Collector Agent/FAC, and FortiGate will adopt the filters set in the FortiGate filtering rule).

 

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Debbie_FTNT

In additon to Tom's suggestion, I did encounter a similar issue recently where FSSO users showed in FortiGate perfectly fine, but with no groups.

In that case the issue was that the FSSO group filters (from the connector) were not mapped to group objects.
Check under User & Authentication > User Group, if you have groups of type FSSO, and if those map to group filter objects.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
xsilver_FTNT
Staff
Staff

Hi,

so I guess you have RSSO Source like this on your FAC

xsilver_FTNT_0-1652781988674.png

 

Listening to RADIUS Accounting messages for user names and source IP addresses, but "SSO user type" is "Remote users" pointing to some LDAP.

Therefore what's the group attribute in that Authentication > Remote Auth. Servers > LDAP > Group object class , and also in Group membership attribute in Query elements??

Does it fit to your external LDAP schema and what users truly have set up?

 

xsilver_FTNT_2-1652782668187.png

 

 

Some helpful hints might be gathered from FAC log, but more from https://<your-fac>/debug/ and related Services like LDAP or RADIUS Accounting.
Just to make sure there is an LDAP search for groups and group membership of the user after RADIUS accounting is received.

Last hint, if this group missing trouble is a bit short term or not reflecting group changes, check Fortinet SSO Methods > SSO > General > User Group Membership and group caching options.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Labels
Top Kudoed Authors