Support Forum
lohn82
New Contributor

FSSO authentication fallback with flow-based policy

Hello team,

 

We are currently using FSSO with the mobility agent for authentication on some FortiGates (we have firmware version 6.4 but will upgrade to 7.2). We have been asked to implement an authentication fallback in case the source of FSSO events (the FortiAuthenticator cluster) is down, without changing anything at the policy level (specifically, we cannot move from flow-based to proxy-based policy inspection mode). I found NTLM, but it seems to need proxy-based inspection mode.

Another idea would be RSSO with an external RADIUS server, or direct LDAP active authentication, but those solutions would lead to increased complexity and, probably, performance issues due to the number of users.

Is it possible to enable NTLM or other fallback authentication mechanisms while keeping flow-based inspection mode?

 

Thanks

johnathan
Staff

In case FSSO fails to work and you do not match an FSSO policy, you can simply make another policy (or perhaps use the same policy as FSSO?) and assign an LDAP group to it. This will force users to authenticate in their web browser with their LDAP credentials before accessing the internet.

This isn't a great document, but it kind of covers what I am talking about:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-An-explaination-of-mixed-policies-in-Firew...

"Never trust a computer you can't throw out a window."
lohn82

Hello johnathan,

 

Thanks for the answer. I know I can use the LDAP active method, but this requires the user to enter credentials manually, so I'd lose the SSO feature; that's why I'm looking for a fallback like RSSO, which doesn't require such an interaction. Also, I'd need to add authentication to all my policies (otherwise traffic will be matched by unauthenticated ones), and this would lead to a full review of my policy configuration.

ebilcari

If the end hosts are already authenticated through a RADIUS client (NAS), then RSSO is easy to set up. Enabling RADIUS accounting on the NAS and forwarding the accounting messages to FortiAuthenticator should not lead to any performance issue.

- Emirjon
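To make concrete what the RSSO suggestion above relies on, the following is an added example (not code from the thread, FortiGate or FortiAuthenticator) showing both sides of the RADIUS accounting exchange that RSSO consumes: the NAS builds an Accounting-Request (RFC 2866 framing, Request Authenticator = MD5 over the header, sixteen zero bytes, the attributes and the shared secret), the receiver refuses anything not authenticated by that secret and extracts the fields an IP-to-user mapping needs, and a small table applies Start/Stop events so a policy lookup never has to prompt the user. The shared secret, user, IP and group names are constructed; the choice of Framed-IP-Address as the endpoint and Class as the group attribute is an assumption for the example, since on FortiOS the attributes RSSO reads are configurable under `config user radius` and should be matched to what the NAS actually sends.

```python
"""RADIUS accounting as an RSSO event source: build, verify and apply.
Added example; RFC 2866 framing, not vendor code. All inputs are constructed."""
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST = 4                      # RADIUS code for Accounting-Request
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Class": 25,
        "Acct-Status-Type": 40, "Acct-Session-Id": 44}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: type, total length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret: bytes, identifier: int, status: int, user: str,
                             framed_ip: str, groups, session_id: str) -> bytes:
    """NAS side. Request Authenticator = MD5(Code|ID|Length|16 zero bytes|Attrs|Secret)."""
    attrs = _avp(ATTR["Acct-Status-Type"], struct.pack("!I", status))
    attrs += _avp(ATTR["User-Name"], user.encode())
    attrs += _avp(ATTR["Framed-IP-Address"], ipaddress.IPv4Address(framed_ip).packed)
    attrs += _avp(ATTR["Acct-Session-Id"], session_id.encode())
    for group in groups:              # group membership carried in Class (assumed mapping)
        attrs += _avp(ATTR["Class"], group.encode())
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_accounting_request(packet: bytes, secret: bytes) -> dict:
    """Receiver side: drop anything not authenticated by the shared secret,
    then pull out the fields an SSO mapping needs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator: wrong secret or tampered packet")
    event = {"id": identifier, "status": None, "user": None, "ip": None,
             "session": None, "groups": []}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + attr_len]
        if attr_type == ATTR["Acct-Status-Type"] and len(value) == 4:
            event["status"] = STATUS.get(struct.unpack("!I", value)[0], "Other")
        elif attr_type == ATTR["User-Name"]:
            event["user"] = value.decode(errors="replace")
        elif attr_type == ATTR["Framed-IP-Address"] and len(value) == 4:
            event["ip"] = str(ipaddress.IPv4Address(value))
        elif attr_type == ATTR["Acct-Session-Id"]:
            event["session"] = value.decode(errors="replace")
        elif attr_type == ATTR["Class"]:
            event["groups"].append(value.decode(errors="replace"))
        pos += attr_len
    return event


class RssoTable:
    """IP -> (user, groups), driven only by accounting events: no user prompt."""

    def __init__(self):
        self.sessions = {}

    def apply(self, event: dict) -> None:
        if event["ip"] is None or event["user"] is None:
            return                    # cannot map without both an endpoint and a user
        if event["status"] in ("Start", "Interim-Update"):
            self.sessions[event["ip"]] = (event["user"], list(event["groups"]))
        elif event["status"] == "Stop":
            self.sessions.pop(event["ip"], None)

    def lookup(self, ip: str):
        return self.sessions.get(ip)


def demo(secret: bytes = b"constructed-shared-secret") -> list:
    """Start then Stop for one constructed session; returns the lookup after each."""
    table = RssoTable()
    results = []
    for ident, status in ((1, 1), (2, 2)):
        pkt = build_accounting_request(secret, ident, status, "alice", "10.1.2.3",
                                       ["Finance"], "sess-0001")
        table.apply(parse_accounting_request(pkt, secret))
        results.append(table.lookup("10.1.2.3"))
    return results                    # [('alice', ['Finance']), None]


if __name__ == "__main__":
    print(demo())
```

The authenticator check is the part worth keeping in mind when a NAS is pointed at a collector: an accounting packet from a host that does not know the shared secret, or one altered in transit, is rejected before it can create or remove a login mapping, which is exactly the kind of spoofed "Start" that would otherwise grant a policy match to an arbitrary IP.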