Good day. I'm trying to get FSSO working in a transparent VDOM. Config:
Fortigate: 5.6.5 / 5.6.7. Transparent (PROD) VDOM with out-of-band mgmt from root VDOM. Management (root) VDOM is in NAT mode.
I'm using FortiManager, but I'm bypassing it while I get this set up. FortiManager can connect to the FortiAuthenticator server successfully.
When I add the FSSO server in the transparent VDOM, it can't connect to the FortiAuthenticator server. Nothing in /debug on FortiAuthenticator. Works fine if I add it in the root VDOM, but then I can't see it in the PROD VDOM.
I've followed the directions I can find, but wondering if something with transparent mode is biting me (again). Any suggestions?
Thanks - Ours is configured as described on that page, but with "out of band" management. It has worked in the past for LDAP groups, appears it doesn't work for FSSO.
Out-of-band management details and example
When VDOM is enabled and the VDOMs are operating in Transparent mode, it is recommended, to avoid L2 loops and allow more routing flexibility, to keep one VDOM (generally the root VDOM) in NAT mode, with one or more VLAN or physical interface as out-of-band management.
Just an update for anybody else who may be experiencing this - looks like a double-whammy for me. I am using virtual wire pair in this VDOM - it was an existing design to be in transparent mode, then added virtual wire pair so I didn't have to deal with VLAN tags. You can't use an interface that participates in a virtual wire pair as management, so I'm moving toward having a dedicated management port in this VDOM.
Hello Forum Experts,
I have very similar issue. I'm using two VDOMs:
1. NAT mode VDOM for office LAN and management of the firewall.
2. Transparent VDOM for untrusted Wi-Fi
Agent-based FSSO seems to be working fine and reporting users from AD on my LAN VDOM.
I need to enable user tracking (for reporting rather than enforcement) on Transparent untrusted VDOM.
I'm not sure what is better - a) Enable same Agent-based FSSO with Radius Accounting b) Enable RSSO straight on the firewalls.
Perhaps the biggest question is - if it is possible to pass SSO details from one L3 VDOM to L2 VDOM. I was not planning to allow any IP access to L2 VDOM and used made up IP of 18.104.22.168 under mandatory "set mangeip". But it is seems like it is required if I want to feed this VDOM with some FSSO or RSSO details.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.