#Fortigate 80_F 6.4.
In Users and Devices, an entire subnet of users is missing.
There are 3 subnets: 1,2 and 3.
There is a DC on each of them.
The Fortinet is on subnet 1. I'm using FSSO Method.
I don't see any User Names from subnet 1 where I'd expect quite a few!
Any notion why subnet 1 users aren't on the list? I've checked settings, etc. and see no differences in the Fortigate settings. These subnets and their devices intercommunicate nicely.
PS:
The routing table in the Fortigate looks just as it should. I did see one device from subnet 1 which is the Domain Controller and one of the FG FSSO Agents. I conclude this isn't a routing problem.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Fred,
Is the CA installed on the DC? Does the agent shows the users from subnet1 in its show logon users list?
Best regards,
Jin
Created on 10-19-2022 01:28 AM Edited on 10-19-2022 01:33 AM
@jintrah_FTNT : Thank you!
Yes the Fortinet Single Sign On Agent is installed on the DC in question; on all the DCs.
This is DC1 on subnet 1:
Show logon users shows the same kind of thing with other subnet users and the local DC user and no other local subnet computers/users - even though I'm currently logged on to one of them and another is logged on with another user.
DC2 on subnet 2 is showing no logon users even though DC1 is showing 3 subnet 2 computers/users.
DC3 on subnet 3 is showing one computer/ user on subnet 3, the local DC3, DC1 but not DC2.
So, it appears that you're onto something here but I don't know what action to take quite yet!
I also notice that there are no entries in Show Service Status nor in Set Group Filters on any of the agent configurations. But this doesn't seem to have affected users being listed on subnet 2 and 3.
Hi Fred,
This means, we should check on the FSSO settings and configurations/implementation corrected first, and get the details of users in this list which would then subsequently get forwarded to FortiGate.
If user is not shown in the Show User List, enable Log level to Debug, try a new logon event and verify if user related logon information is in the log.
If no information for user is shown in the log, run the following command in the Windows CMD on the User’s workstation: echo %logonserver%.
The output will provide information which DC has served the logon event.
Verify on the DC in question if there is a logon event for that user and with which Windows Security Event ID. Please see FSSO CA initial troubleshooting (fortinet.com)
best regards,
Jin
@jintrah_FTNT : Thank you! I've done everything and don't see much, if any, improvement at the Fortigate.
I followed all the instructions I believe - including assuring that all the passwords are the same.
I don't know how to do this part:
"enable Log level to Debug, try a new logon event and verify if user related logon information is in the log."
I don't know where to look. Nothing comes up on the CLI console.
#diag debug auth fsso server-status ..... puts nothing on the CLI console.
I'm still seeing NO users from subnet 1 on the Fortigate dashboard / Users.
I'm still seeing NO users on DC2 / Logon users list in FSSO Agent Configuration.
I believe perhaps ALL users are showing up on DC3 / Logon user list in FSSO Agent Configuration. At least this is encouraging.
I changed the LDAP server for each User in Fortigate User Definition to be the local DC IP address. Many of them NOT LOCAL to DC3 were listing DC3. Is perhaps DC3 in a special role? Otherwise, I'm not sure this matters.
Hi Fred,
If you do not see any users in one of the the FSSO Collector Agents under "Show Logon Users", but see them on the other DC on the other FSSO CA, then probably there is an issue with reading/receiving logon events.
For FSSO to work as expected, ALL DCs in the network would need to be monitored for logon events. There maybe lays one part of the issue.
Regarding the debug previously mentioned, in the FSSO Collector Agent GUI you would have a log level that can be changed from the default Information to Debug level, which should then log much more useful info for this case.
As for the FGT debug commands, there is a slight catch:
diag debug reset
diag debug enable
diag debug auth fsso server-status
should show you the info to which FSSO CA is your FGT currently connected. Reset is for removing any other previously active debugs that might spam your CLI output, and for the server status to be seen, debug needs to be enabled first.
You can check the following articles also for some FSSO troubleshooting steps:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FSSO-CA-initial-troubleshooting/ta-p...
https://community.fortinet.com/t5/FortiGate/TroubleshootingTip-General-troubleshooting-for-FSSO/ta-p...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Useful-FSSO-Commands/ta-p/195830
Alternatively, if nothing else works, you can feel free to submit a TAC ticket and we can take a look at the setup over a remote session.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.