Hi guys,
Sorry if you cannot understand, because my english very bad.
I have a issue.
I setup FSSO on fortigate 100D with my AD. But when user belong AD login on 1 PC has join domain, fortigate request Authenticated Requies on browser.
I need:
- Authenticated Requies on browser only show if the device or the user does not belong AD.
- If user belong AD and login on device has join domain, not show Authenticated Requies on browser. That user will access internet with Policy on firewall.
Thanks for support. Please help me :(
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi NothingKai,
Have you tried to follow the steps in the FSSO Cookbook?
http://cookbook.fortinet.com/tag/fsso/
heskez wrote:Yes, I tried it, but cannot :(Hi NothingKai,
Have you tried to follow the steps in the FSSO Cookbook?
http://cookbook.fortinet.com/tag/fsso/
Hi NothingKai,
if I got your situation correctly then .. - you have working FSSO, user's logon to workstation is spotted and propagated to FortiGate, and when user browse the protected resources (Internet access probably), then is seen by FSSO user group in policy, policy applied and passive authentication is done and traffic allowed without any active auth request (pop-up for auth on user's browser).
- then you have non-domain users which you'd like to authenticate. But for this I do not have any idea where you can authenticate those. For simplicity you can use local FortiGate users or Guest Management on FortiGate for visitors. For those make a firewall group similar to step 4. in following guide. Then make firewall policy for this group as in step 5. but make sure it's placed bellow your FSSO policy. FortiOS 5.2 and 5.4 has implicit fall through for unauthenticated users, so next user identity policy will be tried. Pay attention to fact that if there is any non-identity (pure IP based) policy handling the same traffic pattern (src/dst/ports) then it will be tried and used first. So if it blocks/allow traffic then there will be no identity check at all.
Guide I was referring to is here : http://cookbook.fortinet.com/providing-single-sign-using-ldap-fsso-agent-advanced-mode-expert/
Best regards, Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.