fjjaime

FSSO not working

Hi,

I have a FortiGate 92D running v5.0, build 4648, and I have "tried" to configure agentless FSSO on this unit.

I have configured the Active Directory server and created the Single Sign-On server based on the Active Directory (Local FSSO Agent). The polling status is OK, and in case I left a user out, I have included all the users and all the groups in this "single sign on" server.

After that I created a user group (FSSO single sign-on type), again with all the users and groups, 82 in total, and finally created a user identity-based policy with this group... but no one was able to do anything.

I had to add FSSO_Guest_Users to the same policy so that the internal network was able to reach the Internet.

Doing some troubleshooting:

Going to "User and Device" and monitoring the firewall users, all of them are "guest".

Running "diagnose debug fsso-polling user", I have all the users listed (all the connected users) with their Active Directory information.

Checking the Event Log (User), I am able to see the FSSO-polling logon, the logoff, etc.

I have done exactly the same configuration on a FortiGate 60D, and everything worked OK.

Any ideas? Thanks a lot.

xsilver_FTNT
Staff

One usual caveat... do you have the groups learned from AD through FSSO (config user adgrp) really bound to firewall FSSO user groups (config user group / set group-type fsso-service)?

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

fjjaime

Hi,

Yes, I have the AD, the groups, the FSSO groups... all by the book ;)

I went to the support guys; they told me the association with the users has to be through a group (CN), not an OU, and the user itself, CN=nameuser..., is not a group.

Thanks

xsilver_FTNT

Oh, yes.

That's another caveat, as the built-in LDAP browser on the FGT can't figure out whether the presented CN is a user or a user group. OU is, I think, supported in the Collector Agent / FAC way of setting up FSSO.

But using a Global security group (MS terminology) is always the better way. Just make sure that the LDAP object used is objectClass=group in your AD and its properties.

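The two caveats raised in the replies (the AD objects behind `config user adgrp` must be real groups, ideally Global security groups rather than OUs or user CNs, and those entries must be bound into a firewall user group of type fsso-service) can be turned into a pre-flight check. The script below is an added example, not Fortinet code and not something posted in the thread. It classifies candidate LDAP objects from their objectClass and groupType, rejects OUs and user CNs, warns on groups that are not Global security groups, and renders the adgrp to fsso-service binding as CLI text. The directory entries are constructed sample data, the DN and group names are invented, and the FortiOS stanza layout is an assumption built from the object names quoted in the replies, to be checked against the CLI reference for your build.

```python
"""Pre-flight check for the FSSO group binding discussed in this thread.

Added example, not Fortinet code and not something posted in the thread.
It encodes the two caveats from the replies: the LDAP objects behind
`config user adgrp` must be real AD groups (objectClass=group, preferably
Global security groups), not OUs or individual user CNs, and those adgrp
entries must then be bound into a firewall user group of type
fsso-service. The AD entries below are constructed sample data, and the
FortiOS CLI rendered at the end is an assumed layout built from the
stanza names quoted in the thread; check the keywords against the CLI
reference for your build before pasting it.
"""

# Bit flags of the AD groupType attribute (stored by AD as a signed 32-bit int)
GT_GLOBAL = 0x00000002
GT_DOMAIN_LOCAL = 0x00000004
GT_UNIVERSAL = 0x00000008
GT_SECURITY = 0x80000000

# Constructed sample directory entries, shaped like LDAP search results:
# (dn, {attribute: [values]}). Names and DNs are invented for illustration.
SAMPLE_ENTRIES = [
    ("CN=Internet-Users,OU=Groups,DC=example,DC=com",
     {"objectClass": ["top", "group"], "groupType": ["-2147483646"]}),  # global security
    ("CN=All-Staff,OU=Groups,DC=example,DC=com",
     {"objectClass": ["top", "group"], "groupType": ["2"]}),  # global distribution
    ("OU=Sales,DC=example,DC=com",
     {"objectClass": ["top", "organizationalUnit"]}),  # a container, not a group
    ("CN=fjjaime,OU=Users,DC=example,DC=com",
     {"objectClass": ["top", "person", "organizationalPerson", "user"]}),  # a user CN
]


def classify_ad_object(attrs):
    """Label an AD object from its objectClass and, for groups, decode groupType."""
    classes = {c.lower() for c in attrs.get("objectClass", [])}
    if "organizationalunit" in classes:
        return "ou"
    if "group" in classes:
        # Mask to 32 bits so the negative value AD returns exposes the 0x80000000 flag.
        raw = int(attrs.get("groupType", ["0"])[0]) & 0xFFFFFFFF
        if raw & GT_GLOBAL:
            scope = "global"
        elif raw & GT_DOMAIN_LOCAL:
            scope = "domain-local"
        elif raw & GT_UNIVERSAL:
            scope = "universal"
        else:
            scope = "unknown-scope"
        kind = "security" if raw & GT_SECURITY else "distribution"
        return f"group:{scope}:{kind}"
    if "user" in classes or "person" in classes:
        return "user"
    return "other"


def usable_fsso_groups(entries):
    """Split candidate DNs into bindable groups, groups with a warning, and rejects."""
    accepted, warnings, rejected = [], {}, {}
    for dn, attrs in entries:
        kind = classify_ad_object(attrs)
        if kind.startswith("group:"):
            accepted.append(dn)
            if kind != "group:global:security":
                warnings[dn] = f"{kind}: objectClass=group, but a Global security group is the recommended binding"
        elif kind == "ou":
            rejected[dn] = "OU is a container, not a group; agentless FSSO matches group membership, not OU placement"
        elif kind == "user":
            rejected[dn] = "a user CN is an account, not a group; bind the group the user belongs to"
        else:
            rejected[dn] = f"unsupported objectClass ({kind})"
    return accepted, warnings, rejected


def render_fortios_binding(group_name, dns, server_name="Local FSSO Agent"):
    """Render the adgrp -> fsso-service user group binding as FortiOS CLI text (assumed layout)."""
    lines = ["config user adgrp"]
    for dn in dns:
        lines += [f'    edit "{dn}"', f'        set server-name "{server_name}"', "    next"]
    members = " ".join(f'"{dn}"' for dn in dns)
    lines += ["end", "config user group", f'    edit "{group_name}"',
              "        set group-type fsso-service", f"        set member {members}",
              "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    ok, warn, bad = usable_fsso_groups(SAMPLE_ENTRIES)
    for dn, why in {**warn, **bad}.items():
        print(f"{'WARN' if dn in warn else 'SKIP'} {dn}: {why}")
    print(render_fortios_binding("FSSO-Internet", ok))
```

On a real deployment the `SAMPLE_ENTRIES` list would be replaced with the output of an LDAP search for the DNs you intend to bind; the classification itself does not depend on the FortiGate, which is the point: it tells you before you touch the firewall whether the object is a group at all, which the FGT's built-in LDAP browser, per the reply above, cannot.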
