Hi,
I want to implement Internet Access Authentication with FSSO polling mode. I have followed the cookbook
http://cookbook.fortinet.com/fsso-polling-mode/
but still no success. Even though my PC is joined to the domain, it still prompts for username/password.
Could anyone suggest what I can check as a next step?
Thank you
Mhee
Hi Mhee,
for the sake of your own sanity, please don't use Fortigate's polling mode unless it's really necessary. There are numerous limitations compared to the standalone FSSO CA design. Just off the top of my head:
- NTLM is not supported
- only few events are monitored
- workstation check is not implemented
- has performance limitations
There are many success stories with standalone FSSO CA, while so few with Fortigate FSSO polling, if you know what I mean. If I had to position Fortigate's polling mode, I would mention extra-small designs and demonstration purposes.
If you still need to troubleshoot fsso polling mode (or you are just brave and adventurous), please be sure that you have security event auditing enabled on all DC servers, and that the configured LDAP server is really reachable.
If there is still no success, you can also get an idea of what's wrong from your own troubleshooting, for example with debug commands:
# various debug outputs related to fssod daemon
diagnose debug fsso-polling ?
# enable continuous debug
diagnose debug console timestamp enable
diagnose debug application fssod -1
diagnose debug enable
# disable continuous debug
diagnose debug reset
diagnose debug disable
Cheers,
Fishbone )(
smithproxy hacker - www.smithproxy.org
Hi Fishbone,
Thank you for your information. I am implementing this in a test environment. This solution will be deployed for a small-size office, so I started with polling mode.
I tried the debug with your command, with the output below:
-------------------------------------------------------------
Fortigate-100D # diagnose debug fsso-polling detail
AD Server Status:
ID=1, name(x.x.x.x),ip=x.x.x.x,source(security),users(0)
port=auto username=Admin
read log offset=764539828, latest logon timestamp: Mon May 2 13:27:14 2016
polling frequency: every 10 second(s)
success(50432), fail(0)
LDAP query: success(2), fail(0)
LDAP max group query period(seconds): 1
most recent connection status: connected
Group Filter:
The LDAP connection to the server seems to be normal. Could you please suggest the next step to analyze this?
Thanks
Millibhu
Make sure you have Audit account logon events turned on for your domain controllers.
I've been told that this kind of polling is only good for less than 20 users and only one or two domain controllers. More than that and the system will miss events or struggle with performance.
Hope this helps,
J
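Added example, written for this thread and not code from any poster or from Fortinet: a small Python helper that parses the diagnose debug fsso-polling detail output Millibhu pasted into counters and turns them into troubleshooting findings. The sample text is that output laid out one field per line (constructed), and the interpretation rules (connected, polls succeeding, yet users(0) points at the DC audit policy Fishbone and J mention) are my assumptions, not a Fortinet-documented algorithm.

```python
import re

# Constructed sample: the output Millibhu pasted, laid out one field per line.
# IPs were already masked as x.x.x.x in the original post.
SAMPLE_OUTPUT = """\
AD Server Status:
ID=1, name(x.x.x.x),ip=x.x.x.x,source(security),users(0)
    port=auto  username=Admin
    read log offset=764539828, latest logon timestamp: Mon May  2 13:27:14 2016
    polling frequency: every 10 second(s)
    success(50432), fail(0)
    LDAP query: success(2), fail(0)
    LDAP max group query period(seconds): 1
    most recent connection status:   connected
Group Filter:
"""

# One (regex, keys) rule per line of interest; re.match anchors at line start,
# so the plain "success(...)" poll line cannot be confused with the LDAP line.
RULES = [
    (r".*users\((\d+)\)", ("users",)),
    (r"success\((\d+)\), fail\((\d+)\)", ("poll_ok", "poll_fail")),
    (r"LDAP query: success\((\d+)\), fail\((\d+)\)", ("ldap_ok", "ldap_fail")),
    (r"most recent connection status:\s*(\S+)", ("status",)),
]

def parse_fsso_polling(text):
    """Return the counters of one 'AD Server Status' block as a dict."""
    info = {}
    for line in (raw.strip() for raw in text.splitlines()):
        for pattern, keys in RULES:
            m = re.match(pattern, line)
            if m:
                for key, val in zip(keys, m.groups()):
                    info[key] = int(val) if val.isdigit() else val
    return info

def assess(info):
    """Map counters to plain-language findings; an empty list means it looks healthy.
    The interpretation follows the advice in this thread (my assumption)."""
    findings = []
    if info.get("status") != "connected":
        findings.append("DC not connected: check LDAP reachability and credentials")
    if info.get("poll_fail", 0):
        findings.append("event-log polls are failing: check the polling account's rights")
    if info.get("ldap_fail", 0):
        findings.append("LDAP group queries are failing: check the LDAP server object")
    if info.get("poll_ok", 0) and not info.get("poll_fail", 0) and info.get("users") == 0:
        findings.append("polls succeed but users(0): no logon events are being read; "
                        "enable 'Audit account logon events' on every DC and log on again")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_fsso_polling(SAMPLE_OUTPUT)):
        print("-", finding)
```

Paste your own diagnose debug fsso-polling detail output into SAMPLE_OUTPUT; a DC that never moves past users(0) despite a growing success counter is the signature of the audit-policy problem discussed above.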
Hello,
Which version of Windows domain controller are you using?
Regards,
Louis
Hello.
I have this issue after installing antivirus on the DCs.
Hi, can someone tell me what diagnose debug fsso-polling refresh-user actually does?
Does it only display some status information and statistics about polls, or
does it refresh user group information from any server that is connected to the firewall with some collector agent?
Does everyone still agree (here in late 2018 and on 6.0.2) that fsso-polling is not the way to go in a larger environment? I have about 750 users across four domain controllers. Everything seems to be working "fair" but seems like it's not showing all of the users yet. I've only had it working for about 6 hours and only around half of the users are showing in a "diag debug fsso-polling" query.
If I go back to the collector agent, will the groups that I already have populated and pointing to the FSSO still work without modification? Lastly, how does the unit handle both FSSO with CA and FSSO with polling? Does it just use both? Seems like both would be hard to troubleshoot.
Thanks!
dt
Copyright 2024 Fortinet, Inc. All Rights Reserved.