Hi,
I have a Fortigate 92D with v5.0,build4648, and I have "tried" to configure agentless FSSO on this equipment.
I have configured the Active Directory server, created the Single Sign-On server based on the Active Directory (Local FSSO Agent), the polling status is OK, and in case I left a user out, I have included all the users and all the groups in this "single sign on" server.
After that I created a user group (FSSO single sign-on type), again with all the users and groups....82 in total, and finally created a user identity based policy with this group..... but no one was able to do anything.
I had to add the FSSO_Guest_Users to the same policy so that the internal network was able to reach the Internet.
Doing some troubleshooting.....
Going to "User and Device" and monitoring the firewall users, all are "guest".....
Doing a "diagnose debug fsso-polling user" I have all the users listed (all the connected users) with the Active Directory information.
Checking the Event Log (User) I am able to see the FSSO-polling-logon, the logoff, etc.
I have done exactly the same configuration on a Fortigate 60D, and everything worked OK.
Any ideas?.... Thanks a lot
One usual caveat... do you have groups learned from AD through FSSO (config user adgrp) really bound to firewall FSSO user groups (config user group / set group-type fsso-service)??
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi,
Yes, I have the AD, the groups, the FSSO groups....all by the book ;)
I went to the support guys, they told me the association with the users has to be through a group (CN), not an OU, and the user itself CN=nameuser..... is not a group.
Thanks
oh, yes.
That's another caveat, as the built-in LDAP browser on FGT can't figure out if the presented CN is a user or a user group. OU is, I think, supported on the Collector Agent / FAC way/setup to FSSO.
But use of a Global security group (MS terminology) is always the better way. Just make sure that the used LDAP object is objectClass=group in your AD and its properties.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
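As an added example (not from this thread or from Fortinet), a small Python check that applies the advice above before an object is put into an fsso-service user group: only entries with objectClass=group are accepted, a global security group (groupType with the security-enabled bit set) is preferred, and OUs or user CNs are flagged with the reason. The LDAP entries below are constructed sample data; in a real check you would pull objectClass and groupType from AD with ldapsearch or ldap3.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# AD groupType bits (Microsoft ADS_GROUP_TYPE_ENUM)
ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000


@dataclass
class LdapEntry:
    dn: str
    object_class: List[str] = field(default_factory=list)
    group_type: Optional[int] = None  # AD returns groupType as a signed 32-bit int


def classify(entry: LdapEntry) -> str:
    """Return 'security-group', 'distribution-group', 'user', 'ou' or 'other'."""
    classes = {c.lower() for c in entry.object_class}
    if "group" in classes:
        gt = (entry.group_type or 0) & 0xFFFFFFFF  # normalise the signed value
        if gt & ADS_GROUP_TYPE_SECURITY_ENABLED:
            return "security-group"
        return "distribution-group"
    if "organizationalunit" in classes:
        return "ou"
    if "user" in classes:
        return "user"
    return "other"


def check_fsso_members(entries: List[LdapEntry]) -> Dict[str, str]:
    """Map each DN to 'ok' or the reason it will not match FSSO logon events."""
    reasons = {
        "ou": "OU, not a group: agentless FSSO needs the CN of a group",
        "user": "user object, not a group: put the user in a group instead",
        "distribution-group": "not security-enabled: use a global security group",
        "other": "unsupported object class for an fsso-service group member",
    }
    return {e.dn: reasons.get(classify(e), "ok") for e in entries}


# Constructed sample entries, shaped like what ldapsearch returns from AD.
SAMPLE_ENTRIES = [
    LdapEntry("CN=Internet Users,OU=Groups,DC=example,DC=com", ["top", "group"], -2147483646),
    LdapEntry("CN=All Staff,OU=Groups,DC=example,DC=com", ["top", "group"], 2),
    LdapEntry("CN=jsmith,OU=Users,DC=example,DC=com", ["top", "person", "organizationalPerson", "user"]),
    LdapEntry("OU=Users,DC=example,DC=com", ["top", "organizationalUnit"]),
]

if __name__ == "__main__":
    for dn, verdict in check_fsso_members(SAMPLE_ENTRIES).items():
        print(f"{dn}: {verdict}")
```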