FSSO not working
Hi,
I have a Fortigate 92D with v5.0,build4648, and I have "tried" to configure the FSSO agentless in this equipment.
I have configured the Active Directory server, created the Single-Sign-On server based on the Active Directory (Local FSSO Agent), the polling status is OK, and in case I leave a user out, I have included all the users and all the groups in this "single sign on" server.
After that I have created a user group (FSSO single sign on type), again with all the users and groups, 82 in total, and finally created a user identity based policy with this group, but nobody was able to do anything.
I had to add the FSSO_Guest_Users to the same policy so that the internal network was able to reach the Internet.
Doing some troubleshooting.....
Going to "User and Device" and monitoring the firewall users, all are "guest".
Doing a "diagnose debug fsso-polling user" I have all the users listed (all the connected user) with the Active Directory information.
Checking the Event Log (User) I am able to see the FSSO-polling-logon, the logoff....etc
I have done exactly the same configuration in a Fortigate 60D, and everything worked OK.
Any ideas?.... Thanks a lot
One usual caveat: do you have the groups learned from AD through FSSO (config user adgrp) really bound to firewall FSSO user groups (config user group / set group-type fsso-service)?
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi,
Yes, I have the AD, the groups, the FSSO groups, all by the book ;)
I went to the support guys; they told me the association with the users has to be through a group (CN), not an OU, and the user itself (CN=nameuser) is not a group.
Thanks
Oh, yes.
That's another caveat, as the built-in LDAP browser on the FGT can't figure out whether the presented CN is a user or a user group. OU is, I think, supported on the Collector Agent / FAC way of setup for FSSO.
But use of a Global security group (MS terminology) is always the better way. Just make sure that the LDAP object used is objectClass=group in your AD and its properties.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
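To illustrate the point made in this thread (a firewall FSSO group only matches a polled logon through real AD group membership, not through an OU or a user's own CN), here is an added example that is not from the thread or from Fortinet. The directory entries, the logon record and the firewall group bindings are constructed sample data; the DNs and names are assumed.

```python
from typing import Dict, List

# Constructed directory snapshot (assumed sample data): DN -> objectClass values
DIRECTORY: Dict[str, List[str]] = {
    "OU=Sales,DC=example,DC=com": ["top", "organizationalUnit"],
    "CN=jdoe,OU=Sales,DC=example,DC=com": ["top", "person", "organizationalPerson", "user"],
    "CN=Internet-Users,OU=Groups,DC=example,DC=com": ["top", "group"],
}

# Constructed logon record, modelled on what "diagnose debug fsso-polling user" lists:
# the groups FSSO learns for a user are the group DNs the user is memberOf.
LOGON = {
    "user": "jdoe",
    "dn": "CN=jdoe,OU=Sales,DC=example,DC=com",
    "memberOf": ["CN=Internet-Users,OU=Groups,DC=example,DC=com"],
}

# Constructed firewall FSSO groups (config user group / set group-type fsso-service),
# each bound to a different kind of LDAP object
FIREWALL_GROUPS = {
    "FSSO-by-OU": ["OU=Sales,DC=example,DC=com"],
    "FSSO-by-userCN": ["CN=jdoe,OU=Sales,DC=example,DC=com"],
    "FSSO-by-group": ["CN=Internet-Users,OU=Groups,DC=example,DC=com"],
}

def classify_binding(dn: str) -> str:
    """Return 'group', 'user', 'ou' or 'unknown' for a DN bound to a firewall FSSO group."""
    classes = [c.lower() for c in DIRECTORY.get(dn, [])]
    if "group" in classes:
        return "group"
    if "user" in classes:
        return "user"
    if "organizationalunit" in classes:
        return "ou"
    return "unknown"

def user_matches_fsso_group(logon: dict, members: List[str]) -> bool:
    """A polled logon matches a firewall FSSO group only through AD group membership."""
    return any(classify_binding(m) == "group" and m in logon["memberOf"] for m in members)

def audit_fsso_groups(firewall_groups: Dict[str, List[str]], logon: dict) -> Dict[str, dict]:
    """For each firewall group, report what each binding really is and whether the logon matches."""
    return {name: {"bindings": {m: classify_binding(m) for m in members},
                   "matches_logon": user_matches_fsso_group(logon, members)}
            for name, members in firewall_groups.items()}

if __name__ == "__main__":
    for name, result in audit_fsso_groups(FIREWALL_GROUPS, LOGON).items():
        print(name, result)
```

Only the group bound to an objectClass=group entry matches the logon; the OU-bound and user-CN-bound groups never do, which is why such users fall through to FSSO_Guest_Users.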