Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fred339
Contributor

Populating Fortigate User Groups from Domain User Groups, LDAP and/or FSSO.

Fortigate 80F 6.4.10

I have LDAP working on the domain DCs and, I believe, I have FSSO also working (but now I'm not sure why).

The objective is to set up domain user groups as usual - and use those as user groups in the Fortigate.

Then any changes in users and organization would flow from the domain settings into the Fortigate.

That's the idea.

 

There's been good progress with this and it appears that I've actually been focused on LDAP.

If I look at User Definition, I see Type=LDAP, Status=Enabled and Groups is empty!

In User Groups, I have a Group Name list that consists of both "Firewall" and "Fortinet FSSO" entries.

The Firewall entries show Members as the DC names.

The FSSO entries show Members as CN=[domain user group name],OU=xxx,OU=yyy, DC=localname,DC=domain,DC=com.

I don't know why I should care which format is used as long as we can meet our objective.

I only mention this because it may affect which of these group types might be selected or used getting to Users on the Fortigate.

 

So now, I would think that the User definition would include all the Group memberships under "Groups" .. but it doesn't.  
I believe that, at one point, I added a Domain User Group of All Users and the Fortigate User Definition table showed this for each user under Groups.  That seemed right.  

 

I can see that one can manually add a User to a Group on the Fortigate.  But that defeats the purpose of using domain user groups.

What am I missing?  

 

 

 

Fred Marshall
Fred Marshall
6 REPLIES 6
kiri
Staff
Staff

Hi Fred,

It's a bit unclear to me what are you after.
Can you give me some screenshots?

fred339

User w-o User Groups.png

So, here in Edit User, I have selected User Group and clicked on "+".

This causes the Select Entries to appear and it is empty.

As I said:

 I would think that the User definition would include all the Group memberships under "Groups" .. but it doesn't.  

Fred Marshall
Fred Marshall
kiri

Hi Fred,

If I understand correctly, you'd like to see in "Select entries" the LDAP groups the user is a member of.
It is not designed like that.
In "Select entries" you can add the groups defined on the Fortigate, left-hand side of my screenshot.

The actual LDAP groups can be defined/configured separately, right-hand side of my screenshot.
Then you can link them together, as I did.
Let me know if this answers your question.

ldap.jpg

fred339

@kiri Thank you!  
I've made progress on this (I think) but my setup is a bit different.
First, my current User Groups are all FSSO Type - so they have FQDN member entries which point to AD Groups. 

In contrast, using a Firewall type, the Remote Groups each points to a single DC which then points to an FQDN Group Name.  In my case here, there are 3 DCs - so I can make 3 entries:

one entry for each DC and each of those entries pointing to the same FQDN Groupname.

The first on (FSSO Type) looks like this:

fred339_1-1666028839383.png

And the second one (Firewall Type) looks like this:

 

fred339_0-1666028735755.png

Other than the precise differences as shown, I don't understand the important functional differences between these yet.  What are they?  Is one better than the other?  

 

Fred Marshall
Fred Marshall
Markus_M

Hi Fred,

 

FSSO and LDAP groups are different from each other. FSSO groups are gathered via polling the domain controllers for logon events, either directly, or I recommend using a Collector Agent. You collect the users on the FGT and have them passively available in case a user IP comes through, known as that user.

 

LDAP groups are matching groups on a policy that a user is unknown to be matching, hence must be actively asked to authenticate with a captive portal.

 

Typically, FSSO is favored as it has no user interaction, but the collection of the users is required and muss be correct prior a user even creating traffic.

If the Firewall user list (in the dashboard, or in 6.2 and older in the Monitor section) is not having the IP of the user - it won't work. Your FSSO is then to be fixed first. If you are for using FSSO, you will not require to setup the LDAP groups.

Active LDAP groups for authentication are a good setting on SSLVPN users, unrelated and incompatible with FSSO.

FSSO has a very good read here:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso

In short:

- user logs on to domain machine

- creates a logon event on DC (which DC, see echo %logonserver%)

- FSSO Collector reads the security event logs for log on like username+workstation (and looks up group and IP)

- Collector filters against your selected FSSO groups (groups selected there, users collected must be member of these groups)

- FGT receives the users with IP and groups. These can be used in firewall policies.

 

The FGT, Collector and FortiAuthenticator understand these Event IDs from the security event log:

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Windows-event-IDs-used-by-FSSO-in...

 

Best regards,

 

Markus

fred339

@Markus_M 

I see that earlier you were trying to figure out what I was after.

In the broadest sense,

- I want to be able to make best and most efficient use of AD User Groups in setting up Firewall Policies and associated web filters, etc.  

- I want to be able to change membership in the AD User Groups without touching the Fortigate.

- I want to be able to add AD User Groups without touching the Fortigate (although I can see how this might not be possible).

- I don't care much HOW this is done but it has to work.  

I hope this helps.

 

Thanks

Fred Marshall
Fred Marshall
Labels
Top Kudoed Authors