akala

Fortigate Combining RSSO and FSSO

Hi All,

 

Is it possible to combine RSSO and FSSO at the same time?

 

I want to configure the policy using the FSSO group because the FSSO group is more granular for the grouping, as we can choose or retrieve the SG / OU on the AD which we want to add. And at the same time I want the FortiGate to look up the RSSO authentication table list for the IP-to-user mapping, because RSSO is more reliable for IP-to-user mapping. However, I don't want to add the attribute class on the RADIUS server. So basically I just want to use RSSO to get the IP-to-user mapping information, and use the FSSO group in the policy.

 

Is it possible? Any advice?

 

Thanks

akala

2 Solutions
akala

Hi Debbie,

 

Thank you for the replies. That's great! That's the information I was looking for these last couple of days!

So instead of using RSSO, I can use the Collector Agent, and send the RADIUS accounting to the Collector Agent.

Regarding the Collector Agent:

1. Do I need to install the Collector Agent on the LDAP server, or can I install the Collector Agent on any computer? I read that installing the Collector Agent requires restarting the host; is that correct?

2. Is there any configuration that needs to be done on the Collector Agent so it can parse the RADIUS accounting messages and add the users to the FSSO user list? Any reference for the integration between RADIUS and the Collector Agent?

 

Again, thank you for your advice.


Debbie_FTNT

Hey akala,

 

Apologies, I was under the impression you're already using Collector Agent for FSSO, and the integration would have been fairly easy then.

If you are not using Collector Agent, can you let me know if you're polling from FortiGate directly, or using FortiAuthenticator to collect and provide FSSO information?

If you use FortiAuthenticator, you can do essentially the same (send RADIUS accounting to FortiAuthenticator, turn that into FSSO and share with FortiGate), but if you're polling AD directly from FortiGate, this would in fact require setting up a Collector Agent (and you could consider shifting your polling from FortiGate to Collector Agent, as Collector Agent offers more configuration options for that, and load on FortiGate itself would be reduced).

In either case, for Collector Agent setup:
- it needs to run on a server in your AD environment (that server can't also host a FortiClient EMS application), but it doesn't have to be a domain controller

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/573568/installing-the-fsso-agent
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/615946/agent-based-fsso-for-windows-ad

-> there could be conflict if you have an NPS role on the same server as the default port of 1813 might overlap
- you need to enable RADIUS accounting in the advanced settings on Collector Agent:

[screenshot: Collector Agent advanced settings dialog with RADIUS accounting enabled]

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++


Freak-On-Silicon

I have the same problem. I don't know what I have to do on the NPS.
