I'll try adding the flow of FSSO from FortiGate backwards.
1) FortiGate gets user+IP (and maybe group info) ahead of the actual traffic and can use these in policies. Practical case: FortiGate receives a packet for policy evaluation and sees on the policy there is a group it has to match additionally. "Do I have a group that matches the srcip of that packet in my user list?" - the user list is easy in CLI with:
diag firewall auth list
Filter the list with "grep":
diag firewall auth list | grep -A7 -i <user or IP>
2) To get this you either need an RSSO (radius accounting) or FSSO connector.
3) The FSSO connector is ideally pointing towards the Collector Agent or a FortiAuthenticator (working as collector). There is a "local agent" on the FortiGate which I would simply avoid as it is less flexible.
4) The Collector will, hence the name, collect events.
It can collect via:
- RADIUS accounting
- polling of a domain controller (for user logon events)
- DCAgent (pushes user logon events from a DC to the collector)
- Exchange server events
- Terminal server agents (TSAgent)
- in case of FortiAuthenticator, also FortiClients SSO Mobility agent (needs license)
The FortiGate will not care where the events come from; all will be "FSSO".
The FortiGate also has an accounting connector that simply processes RADIUS accounting messages directly, instead of a collector. It works the same, but this should be clear when troubleshooting. If the FortiGate processes RADIUS Accounting directly, FortiGate knows this as "RSSO".
In order for your scenario to work you will need info about an event for your machine event with IP+Username and maybe group for scaling (add one group on policy vs 325 machines).
The processed logon events are only for users. Hence, the recommendation is RADIUS accounting or syslog.
RADIUS Accounting and syslog however are flexible and can supply that information. It depends on your respective server to serve that info.
On FortiGate, Collector Agent and FortiAuthenticator you can map for RADIUS Accounting which Accounting attribute contains the username value, which the IP and which the group.
With Collector Agent and FortiAuthenticator you can do the same with syslog.
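As an added example (not code from the original post or from Fortinet), here is a small parser over a constructed sample of that "diag firewall auth list" output, answering the policy-evaluation question from point 1: is there a listed user for the srcip whose groups intersect the policy's groups? The output layout, the sample IPs, users and group DNs, and the space-separated group format are all assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample shaped like "diag firewall auth list" output; the exact
# layout and every value here are assumptions, not a capture from a real unit.
SAMPLE_AUTH_LIST = """\
10.0.1.25, alice
        type: fsso, id: 0, duration: 1342, idled: 12
        group_name: CN=GRP-IT,OU=Groups,DC=example,DC=local
10.0.1.40, bob
        type: rsso, id: 1, duration: 90, idled: 90
        group_name: CN=GRP-Finance,OU=Groups,DC=example,DC=local
----- 2 listed, 0 filtered ------
"""

ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}), (\S+)\s*$")  # "<ip>, <user>"
FIELD_RE = re.compile(r"^\s+(\w+): (.*?)\s*$")                   # indented "key: value"


def parse_auth_list(text: str) -> Dict[str, dict]:
    """Map each source IP to its user, SSO type (fsso/rsso) and group names."""
    entries: Dict[str, dict] = {}
    current: Optional[dict] = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"user": m.group(2), "type": "", "groups": []}
            entries[m.group(1)] = current
            continue
        f = FIELD_RE.match(line)
        if current is None or not f:
            continue  # summary/separator lines carry no entry data
        key, value = f.groups()
        if key == "type":
            current["type"] = value.split(",")[0].strip()
        elif key == "group_name":
            current["groups"] = value.split()  # assumption: groups are space-separated
    return entries


def policy_match(entries: Dict[str, dict], srcip: str, policy_groups: List[str]) -> Optional[str]:
    """The policy-evaluation question from point 1: is there a listed user for
    srcip whose groups intersect the policy's groups? Returns the user or None."""
    ipaddress.ip_address(srcip)  # reject malformed input before the lookup
    entry = entries.get(srcip)
    if entry is None or not set(entry["groups"]) & set(policy_groups):
        return None
    return entry["user"]
```

Feeding it the real command output (saved via the CLI) instead of the sample gives the same srcip-to-user-to-group view the "grep -A7" filter shows, but as data you can check against a policy's group list.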