Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
NothingKai
New Contributor

[Help] FSSO Authenticated with User Domain

Hi guys,

 

Sorry if you cannot understand, because my english very bad.

 

I have a issue.

 

I setup FSSO on fortigate 100D with my AD. But when user belong AD login on 1 PC has join domain, fortigate request Authenticated Requies on browser.

 

I need:

 

- Authenticated Requies on browser only show if the device or the user does not belong AD.

- If user belong AD and login on device has join domain, not show Authenticated Requies on browser. That user will access internet with Policy on firewall.

 

Thanks for support. Please help me :(

3 REPLIES 3
heskez
New Contributor III

Hi NothingKai, 

 

Have you tried to follow the steps in the FSSO Cookbook? 

http://cookbook.fortinet.com/tag/fsso/

 

 

NothingKai

heskez wrote:

Hi NothingKai, 

 

Have you tried to follow the steps in the FSSO Cookbook? 

http://cookbook.fortinet.com/tag/fsso/

 

 

Yes, I tried it, but cannot :(

xsilver_FTNT

Hi NothingKai,

if I got your situation correctly then .. - you have working FSSO, user's logon to workstation is spotted and propagated to FortiGate, and when user browse the protected resources (Internet access probably), then is seen by FSSO user group in policy, policy applied and passive authentication is done and traffic allowed without any active auth request (pop-up for auth on user's browser).

- then you have non-domain users which you'd like to authenticate. But for this I do not have any idea where you can authenticate those. For simplicity you can use local FortiGate users or Guest Management on FortiGate for visitors. For those make a firewall group similar to step 4. in following guide. Then make firewall policy for this group as in step 5. but make sure it's placed bellow your FSSO policy. FortiOS 5.2 and 5.4 has implicit fall through for unauthenticated users, so next user identity policy will be tried. Pay attention to fact that if there is any non-identity (pure IP based) policy handling the same traffic pattern (src/dst/ports) then it will be tried and used first. So if it blocks/allow traffic then there will be no identity check at all.

 

Guide I was referring to is here : http://cookbook.fortinet.com/providing-single-sign-using-ldap-fsso-agent-advanced-mode-expert/

 

Best regards, Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors