The network we manage currently only has users connecting remotely via SSL VPN with authentication via LDAP back to Active Directory. This allows all group memberships to be fetched and used in firewall rules.
Each user might be a member of several groups depending on what projects they work on. Firewall policies each have a group on them to allow access only if the user is in the correct group.
We now have a requirement to integrate WiFi into the system for users. We have an existing UniFi system which uses WPA-802.1X Radius/NPS to authenticate to Active Directory but this does not fetch all the users groups. Is there a way to use RSSO or FSSO to make this behave similar to in the VPN case, so when a user connects via WiFi they get access to the correct servers based on all their groups?
Ideally I would like to create a zone with wifi interface and VPN interface and apply a single firewall policy to both but I don't know if this is possible either.
User1 is in groups A,B,C,D
User2 is in groups B,C,F
Firewall policy if user in group B they can access serverB.
Firewall policy if user in group F they can access serverF.
If these machines are domain joined, and you've setup FSSO properly based off the guide below, then all of the corresponding AD groups would be available within the FortiGate to use for policy creation.
Fortinet Single Sign-On (FSSO), through agents installed on the network, monitors user logons and passes that information to the FortiGate unit. When a user logs on at a workstation in a monitored domain, FSSO:
Detects the logon event and records the workstation name, domain, and user,
Resolves the workstation name to an IP address,
Determines which user groups the user belongs to,
Sends the user logon information, including IP address and groups list, to the FortiGate unit, and
Creates one or more log entries on the FortiGate unit for this logon event as appropriate.
When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. If the user belongs to one of the permitted user groups associated with that policy then the connection is allowed, otherwise the connection is denied.
If the authentication against NPS triggers a Windows Event Log, then there is a good chance that FSSO can catch the login.
However, with RADIUS authentication you have another option, in particular RADIUS accounting. If your WiFi solution sends RADIUS accounting messages to FortiGate, then FortiGate can add the users to its logged-on user list.
If you do have an FSSO setup already, you could also have the wireless controller send accounting messages to the Collector Agent. The Collector Agent does perform a lookup against the domain to get group information, and forwards the user and group information to FortiGate as an FSSO login.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.