User detection on private devices

Hello, I would like to ask you one thing.
I have web filtering policies ready and focused on AD groups and I use only FortiGate.
I would like to apply these policies to the personal devices of users who authenticate via NPS on Windows Server.
Is there any way for FortiGate to know that a Wi-Fi user on mobile has logged in, where the user in question is a member of the appropriate AD group for which there are certain restrictions within the policy?

I hope I have explained the problem clearly.
Thank you in advance.


Hi @Kubajs,

I believe you need FSSO agent. FSSO agent gets user group/IP information from DC and forwards it to FortiGate so that FortiGate can allow/block traffic based on AD group. Please refer to
Hey Kubajs,

I'm not sure if NPS login activity on a Windows Server can be picked up with FSSO; FSSO uses either lsass.exe (domain PCs use this to authenticate their users, essentially) or polls event logs on Domain Controllers (usually events generated by Kerberos or NTLM login activity, not NPS/RADIUS).

I'm not too familiar with what logs/activity are generated by NPS in either event logs or lsass.exe; if some activity does show up, FSSO should be able to pick up on it and users (and IPs) would be authenticated.

If this is NOT the case, you could instead use RSSO; the NPS server (or its RADIUS client) would have to send RADIUS Accounting messages to FortiGate, which can then parse the attributes for username and group information and consider users authenticated that way.

For example:


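An added example (not part of the reply above, and not FortiGate's own code) of what the RSSO path described there amounts to on the wire: a RADIUS Accounting-Request (RFC 2866) is built, then User-Name, Framed-IP-Address, Acct-Status-Type and Class (the attribute FortiGate RSSO reads group information from by default) are extracted, but only after the Request Authenticator has been checked against the shared secret, so a spoofed accounting message is never turned into a logon. The secret, username, IP address and Class value are constructed placeholders.

```python
import hashlib
import struct

ACCT_REQUEST = 4  # RADIUS code for Accounting-Request (RFC 2866)
ATTR = {1: "User-Name", 8: "Framed-IP-Address", 25: "Class", 40: "Acct-Status-Type"}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_acct_request(ident, secret, attrs):
    """Build an Accounting-Request with a valid Request Authenticator.
    attrs is a list of (attribute type, value bytes) pairs."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # RFC 2866: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_acct_request(packet, secret):
    """Return the SSO-relevant attributes of an Accounting-Request.
    Raises ValueError when the Request Authenticator does not match the
    shared secret, so a spoofed message never becomes a logon event."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    auth, body = packet[4:20], packet[20:]
    if auth != hashlib.md5(packet[:4] + bytes(16) + body + secret).digest():
        raise ValueError("Request Authenticator mismatch: wrong or spoofed secret")
    result, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        t, l = body[pos], body[pos + 1]
        v = body[pos + 2:pos + l]
        pos += l
        if t == 8:  # Framed-IP-Address: four raw octets
            result[ATTR[t]] = ".".join(str(b) for b in v)
        elif t == 40 and len(v) == 4:  # Acct-Status-Type: 32-bit integer
            result[ATTR[t]] = STATUS.get(struct.unpack("!I", v)[0], "Unknown")
        elif t in ATTR:  # User-Name / Class: text
            result[ATTR[t]] = v.decode("utf-8", "replace")
    return result


# Constructed sample: NPS reports a Wi-Fi logon for CORP\jdoe (placeholder values).
SECRET = b"constructed-shared-secret"  # placeholder, not a real secret
SAMPLE = build_acct_request(7, SECRET, [
    (1, b"CORP\\jdoe"), (8, bytes([10, 20, 30, 40])),
    (25, b"Wifi-Restricted"), (40, struct.pack("!I", 1))])
```

Calling `parse_acct_request(SAMPLE, SECRET)` yields the username, IP and Class a FortiGate would map to an RSSO user group; calling it with any other secret raises, which is the behaviour you want from the firewall-side secret validation as well.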