Hello FAC admins
According to your experience and/or knowledge,
Among the two FSSO methods below, which one is more efficient (and recommended) to configure on FortiAuthenticator?
Is it AD polling mode or DC agent mode?
I'm also asking this because I had not-so-good results with AD polling mode on FortiGate and I'd never use it in prod, so I wonder if it is better on FortiAuthenticator.
Hi @AEK ,
In my past experience, neither of them worked properly.
If you have a chance to use FortiClient as an FSSO agent, this is the method that works best.
I have previously used RADIUS accounting and syslog from Cisco ISE to send session information to FortiAuthenticator. These methods work well.
If your number of users is a little high and the configurations on the AD side are not exactly what FSSO wants, FSSO can drive you crazy. :)
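The RADIUS accounting approach mentioned above comes down to the collector keeping a user-to-IP logon table from Start/Interim-Update/Stop events. The following is an added illustration of that mechanism, not FortiAuthenticator or Cisco ISE code: it assumes events arrive as one line of "key=value" pairs using the standard RFC 2866 attribute names (Acct-Status-Type, User-Name, Framed-IP-Address, Acct-Session-Id) plus an assumed Timestamp field; the sample events are constructed, and real ISE syslog is more verbose, so the parser would need adapting to the actual format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One "key=value" token per attribute; assumption: values contain no spaces.
ATTR_RE = re.compile(r"(\S+?)=(\S+)")


@dataclass
class Session:
    user: str
    ip: str
    session_id: str
    last_seen: int  # epoch seconds, taken from the event's (assumed) Timestamp attribute


class LogonTable:
    """Maps client IP -> authenticated user, driven by accounting events."""

    def __init__(self, idle_timeout: int = 3600) -> None:
        self.idle_timeout = idle_timeout
        self.by_ip: Dict[str, Session] = {}

    def handle(self, line: str) -> str:
        """Apply one accounting event; returns a short description of what was done."""
        a = dict(ATTR_RE.findall(line))
        status = a.get("Acct-Status-Type")
        user = a.get("User-Name")
        ip = a.get("Framed-IP-Address")
        sid = a.get("Acct-Session-Id", "")
        ts = int(a.get("Timestamp", "0"))

        if status in ("Start", "Interim-Update"):
            # Without both a user and an IP there is nothing FSSO can map.
            if not user or not ip:
                return "ignored: no user/ip"
            prev = self.by_ip.get(ip)
            self.by_ip[ip] = Session(user, ip, sid, ts)
            if prev and prev.user != user:
                # Same IP handed to a new user (DHCP reuse): replace the old
                # mapping immediately instead of waiting for its Stop.
                return f"login: {ip} reassigned {prev.user} -> {user}"
            if prev and status == "Interim-Update":
                return f"refresh: {ip} {user}"
            return f"login: {ip} {user}"

        if status == "Stop":
            cur = self.by_ip.get(ip) if ip else None
            if cur is None:
                return "ignored: unknown session"
            # A late Stop for an older session on a reused IP must not evict
            # the user who now owns it, so match on session id when present.
            if sid and cur.session_id and sid != cur.session_id:
                return f"ignored: stale stop for {ip}"
            del self.by_ip[ip]
            return f"logout: {ip} {cur.user}"

        return f"ignored: {status}"

    def expire(self, now: int) -> List[str]:
        """Drop sessions with no accounting traffic for idle_timeout seconds."""
        stale = [ip for ip, s in self.by_ip.items() if now - s.last_seen > self.idle_timeout]
        for ip in stale:
            del self.by_ip[ip]
        return stale

    def lookup(self, ip: str) -> Optional[str]:
        s = self.by_ip.get(ip)
        return s.user if s else None


# Constructed sample events (not captured from a real NAS or ISE).
SAMPLE_EVENTS = [
    "Timestamp=1000 Acct-Status-Type=Start User-Name=alice Framed-IP-Address=10.1.1.20 Acct-Session-Id=A1",
    "Timestamp=1300 Acct-Status-Type=Interim-Update User-Name=alice Framed-IP-Address=10.1.1.20 Acct-Session-Id=A1",
    "Timestamp=1400 Acct-Status-Type=Start User-Name=bob Framed-IP-Address=10.1.1.21 Acct-Session-Id=B1",
    "Timestamp=1500 Acct-Status-Type=Start User-Name=carol Framed-IP-Address=10.1.1.20 Acct-Session-Id=C1",
    "Timestamp=1510 Acct-Status-Type=Stop User-Name=alice Framed-IP-Address=10.1.1.20 Acct-Session-Id=A1",
    "Timestamp=1600 Acct-Status-Type=Start User-Name=dave Acct-Session-Id=D1",
]


def run_sample() -> LogonTable:
    table = LogonTable(idle_timeout=600)
    for ev in SAMPLE_EVENTS:
        print(table.handle(ev))
    return table


if __name__ == "__main__":
    t = run_sample()
    print("expired:", t.expire(now=2050))
    print({ip: s.user for ip, s in t.by_ip.items()})
```

The two cases worth noticing are the IP reuse (carol's Start on 10.1.1.20 replaces alice at once, and alice's late Stop is then ignored because its session id no longer matches) and the idle timeout, which is what keeps a mapping from living forever when a Stop is lost; both are the kind of detail that makes an accounting-fed logon table behave well where a poorly tuned one "drives you crazy".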
Thanks for sharing your experience, Ozkan, especially for RADIUS accounting and syslog.
Agree with you that FortiClient Mobile Agent is the most clean, simple and efficient.
As per my experience, when using FGT without FAC, the FSSO Collector Agent method always worked fine for me when configured properly, even under high load.
Now I see in various documentation that AD polling mode with FAC is presented as much more developed and efficient than AD polling mode with FGT. But I haven't had the chance to test it yet, so anyone sharing their experience is welcome.
Hello @AEK
Please click on the link below and refer to the document on how polling mode and agent mode work.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-choose-between-DC-Agent-mode-or-Polli...
Agent mode will be more scalable than polling mode.
Hello Patel
Thanks for sharing.
If I'm not wrong, this tech tip is about DC agent and collector agent with FortiGate, while I'm looking for information about FortiAuthenticator (agent vs agentless).
The difference is essentially the same as with Collector Agent.
Polling has the FAC/Collector do the talking to the DCs and pull the info; DC Agent is hooked into the system and pushes the logon "events" to the FAC/Collector.
DC Agent should in theory have a higher performance ceiling, but the main limitations are that you need to "install some DLL on a domain controller", and its inability to detect non-Windows machine logons (last I've heard).