Support Forum
terry_miesse
New Contributor

FSSO with transparent VDOM

Good day.  I'm trying to get FSSO working in a transparent VDOM.  Config:

Fortigate: 5.6.5 / 5.6.7.  Transparent (PROD) VDOM with out-of-band mgmt from root VDOM.  Management (root) VDOM is in NAT mode.

Fortiauthenticator: 6.0.2

I'm using FortiManager, but I'm bypassing it while I get this set up.  FortiManager can connect to the FortiAuthenticator server successfully.

When I add the FSSO server in the transparent VDOM, it can't connect to the FortiAuthenticator server.  Nothing in /debug on FortiAuthenticator.  Works fine if I add it in the root VDOM, but then I can't see it in the PROD VDOM.

I've followed the directions I can find, but wondering if something with transparent mode is biting me (again).  Any suggestions?

4 REPLIES
mjcrevier
New Contributor III

Does your transparent VDOM have a management interface assigned to it with IP reachability to FAC?

VDOM-A can't use management interface from VDOM-B. VDOM-A needs its own management.

See the following article:

https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-transparent-52/Remote-Management...

terry_miesse

Thanks - Ours is configured as described on that page, but with "out of band" management.  It has worked in the past for LDAP groups, appears it doesn't work for FSSO.

Out-of-band management details and example

When VDOM is enabled and the VDOMs are operating in Transparent mode, it is recommended, to avoid L2 loops and allow more routing flexibility, to keep one VDOM (generally the root VDOM) in NAT mode, with one or more VLAN or physical interface as out-of-band management.

terry_miesse

Just an update for anybody else who may be experiencing this - looks like a double-whammy for me.  I am using virtual wire pair in this VDOM - it was an existing design to be in transparent mode, then added virtual wire pair so I didn't have to deal with VLAN tags.  You can't use an interface that participates in a virtual wire pair as management, so I'm moving toward having a dedicated management port in this VDOM.
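
To illustrate what the two replies above converge on (the transparent VDOM needs its own routable management address and a management interface that is not a member of the virtual wire pair, and the FSSO server is then defined inside that VDOM), here is an added CLI sketch; it is not configuration from this thread, and the VDOM name, port numbers, addresses and server name are assumed placeholders:

```fortios
# Assumed values (not from the thread): VDOM "PROD", virtual wire pair on
# port3/port4, dedicated management port5, management subnet 192.0.2.0/24,
# FortiAuthenticator collector at 192.0.2.20.
config global
    config system interface
        # Dedicated management interface, assigned to the transparent VDOM
        # and deliberately kept out of the virtual wire pair.
        edit "port5"
            set vdom "PROD"
            set allowaccess ping https ssh
        next
    end
end
config vdom
    edit PROD
        config system settings
            set opmode transparent
            # A real, reachable address rather than a dummy such as 1.2.3.4:
            # the VDOM sources its FSSO/LDAP connections from this address.
            set manageip 192.0.2.5/255.255.255.0
            set gateway 192.0.2.1
        end
        config system virtual-wire-pair
            # Traffic path only; vwire members cannot carry management.
            edit "prod-vwp"
                set member "port3" "port4"
            next
        end
        config user fsso
            # Defined in this VDOM so its groups are visible to this VDOM's policies.
            edit "FAC-FSSO"
                set server "192.0.2.20"
                set port 8000
                set password <collector-password>
            next
        end
    next
end
```

After applying it, a connection attempt from PROD should show up in the FortiAuthenticator debug logs, which the original post noted stayed empty while the VDOM had no usable management path.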

Sergg
New Contributor

Hello Forum Experts, I have a very similar issue. I'm using two VDOMs:

1. NAT mode VDOM for office LAN and management of the firewall.
2. Transparent VDOM for untrusted Wi-Fi.

Agent-based FSSO seems to be working fine and reporting users from AD on my LAN VDOM. I need to enable user tracking (for reporting rather than enforcement) on the transparent untrusted VDOM. I'm not sure what is better:

a) Enable the same agent-based FSSO with RADIUS accounting
b) Enable RSSO straight on the firewalls

Perhaps the biggest question is whether it is possible to pass SSO details from one L3 VDOM to an L2 VDOM. I was not planning to allow any IP access to the L2 VDOM and used a made-up IP of 1.2.3.4 under the mandatory "set manageip". But it seems like it is required if I want to feed this VDOM with some FSSO or RSSO details.

Regards, Serg
