New to Fortigate devices, so I'm hoping I can find some help here. I did search through the forum first, and found similar issues, but nothing that could help me.
Using a Fortigate 60E running 5.4.1 and using the GUI to set this up. These are the steps I took:
1. Configured LDAP server (it is connecting to Windows 2008 R2).
2. Configured single sign on
3. Created FSSO group pointing to a Distribution Group on the Windows box.
The Fortigate device does connect correctly to LDAP as I am able to read AD with no problems. I then used the VPN wizard to set up a remote access VPN using the FortiClient. When I get to the point where I select users, I can only select local Fortigate user groups; the FSSO group I made was not an option.
4. I then made a local group where the member is the FSSO group.
5. When creating the VPN, I chose the local group (which contains the FSSO group).
Even though the Fortigate sees the AD stuff and I was able to choose a Dist Group within it, I still get a wrong credentials error when I try to connect. I tried other settings within the FortiClient as well, but to no avail.
What am I missing?
Shouldn't it be a security group instead of a distro group?
Mike Pruett
@MikePruett - I was wrong, it is a security group. Sorry about the bad info.
@silver - "As you have DC/AD acting as an LDAP server, then I would suggest to use LDAP based user group to authenticate VPN users." - I was hoping to set this up so that when a remote user attempted to connect with the FortiClient, that it could look at a group on the AD server and use those credentials (if the user is a member) to authenticate them to the VPN. I tried the following with no success...
1. Make firewall user group that points to a remote LDAP server.
2. Select correct Security Group from LDAP selection.
From everything I have read in the manual and online, the above should work, but I still receive the wrong credentials error.
Hi jbickel,
I think you are probably missing the tech background on FSSO. The users appear in FSSO user list (diag debug authd fsso list) AFTER they authenticate to MSFT Domain.
As the user authenticate against the DC, that logon is spotted by FSSO environment (either via agent or polling), processed and shortly AFTER the FortiGate is notified that such user and his SOURCE IP is authenticated. As FSSO is basically source-ip pre-authentication. Therefore any traffic from that source is then considered as authenticated by that user.
If the user is trying to connect to LAN via VPN, and therefore haven't been authenticated against DC as he has no chance to reach DC, yet, then he cannot be on FSSO user list, yet.
Hope it's clear at least a tiny bit more, now.
As you have DC/AD acting as an LDAP server, then I would suggest to use LDAP based user group to authenticate VPN users.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
User | Count |
---|---|
2675 | |
1410 | |
810 | |
702 | |
455 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.