seadave
Contributor III

FortiClient SSO Mobility Agent

Is anyone using this with FAC?  Reading:

http://docs.fortinet.com/uploaded/files/1937/fortigate-authentication-52.pdf  (specifically page 112)

It sounds like you need to assign a FQDN to the FAC and expose to the net for external users?  Interested in how others are using this.  I feel like there are not too many currently.

 

I'm running FAC 4.0 on a FAC200.

Carl_Windsor_FTNT

**I recommend you register for FUSE going forwards**

 

SSOMA is used in some of our biggest FortiAuthenticator FSSO deployments due to its scalability and its ability to detect log-offs and IP changes when moving from wired to wireless.

 

Did you have a specific question on it?

Dr. Carl Windsor Field Chief Technology Officer Fortinet

seadave

Yes.  So first off, not so happy with Fuse because we aren't able to use Aliases.  Seems like a data mining tool for bad guys when lots of us are describing our infrastructure in detail here.  Are these forums going away?  That would be a shame as lots of good users and content here.  But I digress:

 

I think part of my problem is understanding where SSOMA fits.  We have a FD500D and FAC200D.  I'm making my FAC an Intermediate CA (boy that is a fun process) and will use it to issue certs to users and devices.  I'd like to allow my users with domain joined laptops to be able to launch FortiClient 5.4, have it pass their cached domain creds, and then trigger 2FA via Fortitoken.  I'm licensed for all of that, just had a heck of a time figuring out how to do that.  Another question is regarding FSSO.  Right now we have the domain based FSSO agent installed talking to our FG for assigning users to policies.  Now that we have a FAC, can we remove the FSSO agents on the DC and point the FAC at the DCs and the FG500D at the FAC for FSSO queries?  The cookbooks are great but figuring out how all of this is supposed to work can be a real bear at times.  I'm working with a vendor but even they appear to be stumped when it comes to these setups.

 

Thanks for your time.

Carl_Windsor_FTNT

Regarding the FUSE comments, I have passed them back to the FUSE administrator.

 

dfollis wrote:

I'd like to allow my users with domain joined laptops to be able to launch FortiClient 5.4, have it pass their cached domain creds, and then trigger 2FA via Fortitoken.

 

The first part (FortiClient SSOMA passing domain credentials back to FAC) is OK, but I am unsure what you mean by "....and then trigger 2FA via FortiToken".

 

2FA either takes place before SSOMA at domain login using the Microsoft Windows Agent, or after SSOMA when logging into a FGT VPN, third-party device, etc.

 

dfollis wrote:

Right now we have the domain based FSSO agent installed talking to our FG for assigning users to policies.  Now that we have a FAC, can we remove the FSSO agents on the DC and point the FAC at the DCs and the FG500D at the FAC for FSSO queries.

 

 

Yes, that is exactly how it works.  Test this out before you remove the DC Agents by:

  • Pointing the FortiClient SSOMA at the FAC and ensuring all the users appear in the FSSO Monitor
  • Pointing FGT at the FAC for FSSO instead of the DC Agent

Once tested and working, you can remove the DC Agent.

dfollis wrote:

The cookbooks are great but figuring out how all of this is supposed to work can be a real bear at times.  I'm working with a vendor but even they appear to be stumped when it comes to these setups.

Have you found the FSSO Authentication User Guide yet?  Docs has a large number of guides for configuring various features.  Take a look at previous versions as well, as we are in the process of updating several docs to the new release but the old docs still contain valuable info.

Dr. Carl Windsor Field Chief Technology Officer Fortinet
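The two test steps Carl describes (SSOMA pointed at the FAC, FGT pointed at the FAC instead of the DC Agent), as an added FortiGate CLI example that is not from this thread or from Fortinet's documentation: the FSSO server entry for the FAC, followed by the diagnose commands that confirm the FAC connection and the users learned from SSOMA. The entry name, IP address and secret are placeholders; the FAC-side listeners are assumed to be enabled in the FAC GUI.

```fortios
# Added example, not from the thread. Assumes the FortiAuthenticator has its
# FortiGate FSSO listener (default port 8000) and the FortiClient SSO Mobility
# Agent service (default port 8001) enabled under Fortinet SSO Methods > SSO >
# General, with the same secret entered there. All values are placeholders.

# 1. Add the FAC as an FSSO server next to the existing DC-agent entry, so the
#    cut-over can be tested before anything is removed.
config user fsso
    edit "FAC-FSSO"
        set server 192.0.2.10        # placeholder: FAC interface reachable from the FGT
        set port 8000                # FAC's FortiGate FSSO listening port
        set password <shared-secret> # placeholder: secret configured on the FAC
    next
end

# 2. Confirm the FGT has connected to the FAC (the FAC-FSSO entry should show
#    as connected; a failure here is usually the secret, port or a firewall
#    between FGT and FAC).
diagnose debug authd fsso server-status

# 3. Confirm users reported by FortiClient SSOMA are listed with IP and groups.
#    Log a test laptop off and re-run: the entry should disappear, which is the
#    log-off detection SSOMA provides that the DC-agent polling does not.
diagnose debug authd fsso list

# 4. Only once both checks pass, move the FSSO user groups used in policies to
#    the "FAC-FSSO" source and then remove the DC-agent entry.
```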
