Hello
Has anyone tried integrate FreeIPA with FSSO, like by sending syslog from the LDAP to FSSO agent or FortiAuthenticator, or any other method?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Syslog can potentially work fully indepedently (taking both username and group from the message), or do membership lookup via relatively configurable LDAP lookups (collector Agent has separate LDAP config for Syslog), so I would expect both to work with Syslog.
Just keep in mind that there will be no dynamic IP change detection or logout detection. This will fully rely on the Syslog source sending these updates too.
Another possibility could be translating RADIUS accounting messages into FSSO. Same workflow as with Syslog: Receive > process (optionally LDAP group lookup) > generate FSSO session.
Other MS AD-integrated methods are not expected to work at all. (event log scraping, DC Agents, FSSOMA).
Thanks Minarik
Any document describing the procedure?
You could try this doc to get an idea of how to configure it: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-Fortinet-Single-Sign-On-FSSO-for...
The core is getting a sample of the Syslog messages and setting up the parsing rules for them. Then you need to decide if you can use the message itself for learning user groups, or whether to use LDAP for group lookups (in which case you will need to configure the LDAP portion, which is done similarly as with FortiGate/FAC being configured as LDAP clients - need to know how your LDAP tracks group membership, and then set the filters/objectClasses for it in the config).
There is a test-field in Collector/FAC so you can paste in the Syslog message and directly test if the filters match and extract the values correctly.
Thanks again Minarik, I appreciate your help.
There is also this: https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/492458/fsso-using-syslog-as-...
While it is located in FGT 7.6.0 documentation, it does apply to any FSSO Collector Agent newer than version 5.0.0291.
Thanks Debbie. I'll try do the same for my FreeIPA.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1640 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.