helenio_sartori

FW policy based on AD Group

I'd like to configure a FW policy that is based on users who belong to a particular AD group.


I installed the FSSO Agent to poll our domain DC, and on the FortiGate FW (ver 6.4.7) I configured Endpoint/Identity to connect to the FSSO Agent.


I also configured an LDAP server to be able to gather the group names from our LDAP server.

In the "User & Authentication" menu I created a group which is based on "Fortinet Single Sign-On (FSSO)" and I selected one of the AD groups fetched from FSSO.


At the end I simply added the group to a rule as the source.

It looks like the policy doesn't recognize my user as part of the selected group.


Is there something else I have to enable to be able to use an AD group in a policy?

Where is the user-to-group membership resolved at the FW level (is there a table somewhere)?


How can I debug why the user is not part of the group defined in the FW?

supportombm

I don't understand what the problem is.

Is this policy ignored or not working?


BTW you can troubleshoot with this CLI command:

"diagnose test authserver ldap <LDAP_server_name> <username> <password>"

With this you can authenticate the user and check what it returns.

You can troubleshoot the results with these commands too:

FGT# diagnose debug enable
FGT# diagnose debug application fnbamd 255
FGT# diag test authserver ldap AD_LDAP user1 password
FGT# diagnose debug application fnbamd 0
FGT# diagnose debug disable

https://kb.fortinet.com/k....do?externalID=FD46419
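Added example, not part of either post in this thread: a FortiOS 6.4 CLI configuration for an FSSO-based user group and a policy that uses it, followed by the diagnose commands that display the logon table the question asks about (the IP-to-user-to-groups mapping the FortiGate receives from the collector agent is kept by the authd daemon, not looked up via the LDAP bind that diagnose test authserver exercises). The collector name DC-Collector and address 10.0.0.10, the LDAP server AD_LDAP, the group DN CN=Sales,OU=Groups,DC=example,DC=com, the interfaces internal and wan1, and the user jsmith are placeholders chosen for this example.

```fortios
# Added example (not from the thread). All names and addresses are placeholders.

# 1. Collector agent the FortiGate polls for logon events. The ldap-server
#    reference lets the FortiGate resolve (nested) group membership via LDAP.
config user fsso
    edit "DC-Collector"
        set server "10.0.0.10"
        set password "collector-secret"
        set ldap-server "AD_LDAP"
    next
end

# 2. FSSO user group. The member must be the group DN exactly as the collector
#    agent reports it, not a short name; select it from the list the GUI
#    fetches rather than typing it by hand.
config user group
    edit "FSSO_Sales"
        set group-type fsso-service
        set member "CN=Sales,OU=Groups,DC=example,DC=com"
    next
end

# 3. Policy that matches only traffic from source IPs the collector has mapped
#    to a member of that group. Traffic from an unmapped IP does not match this
#    policy and falls through to later policies (or the implicit deny).
config firewall policy
    edit 10
        set name "Sales-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO_Sales"
        set nat enable
    next
end

# 4. Verification. Is the collector reachable and in "connected" state?
diagnose debug authd fsso server-status

# The FSSO logon table: one line per logon with IP, user, the group DNs the
# collector reported, and which FortiGate groups (MemberOf) they resolved to.
diagnose debug authd fsso list
diagnose debug authd fsso list | grep -i jsmith

# Users the firewall currently treats as authenticated and their groups.
diagnose firewall auth list

# If the user is absent, force a re-poll; if the user's groups line lacks the
# DN configured as the member of "FSSO_Sales", fix the group, not the policy.
diagnose debug authd fsso refresh-logons
diagnose debug authd fsso refresh-groups
```

A user whose workstation logon the collector never saw (for example one logged on before the agent started, or on a host whose event logs the agent does not read) will not appear in the list even though the LDAP test succeeds, because the policy matches on the source IP's mapping, not on credentials.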
