Hi everybody,
Right now I need to create an internet access policy based on AD accounts. I have already configured LDAP with the AD server, but when I create the policy, the users cannot access the internet.
After that, I read the documentation, created a Windows polling group, added the user group with FSSO and tested, but the user still cannot access the internet.
I think I must install the FSSO Agent, but I have the following question:
Must the FSSO Agent be installed on the AD server, or can I install it on another server in collector/polling mode?
Thanks
Hi,
if you would like to use FSSO for passive user authentication, you have two options:
- Active Directory Connector would be for direct FSSO polling from the FortiGate, where the FGT connects directly to your AD server and retrieves Windows Security Logon Event IDs
- FSSO Agent on Windows AD: this is used for the connection towards the FSSO Collector Agent
On the FSSO CA you have the choice also between polling mode or DC-Agent mode:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Comparison-between-DC-Agent-mode-...
If the user does not have internet access even though everything is configured correctly, you can try to check the following over the CLI:
- diag firewall auth list | grep -A6 -B1 x.x.x.x -> replace x.x.x.x with the IP address of the workstation used for the test
- if the user is shown as correctly authenticated in the firewall auth list with the correct IP, verify the groups the user is shown as a member of, and whether they match the FSSO group set in the firewall policy you expect the user to go through
You can also check the following articles for further info:
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/615946/agent-based-fsso-for-windows-ad
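As an added example (not code from the thread or from Fortinet), here is a small Python script that applies the two checks above to pasted output of `diag firewall auth list`: it parses the per-IP blocks and reports whether the test workstation was learned via FSSO and carries the group DN the firewall policy expects. The output layout and the sample entries are constructed assumptions, not a capture from a real FortiGate.

```python
import re

# Constructed sample output of "diag firewall auth list" (assumption: a
# "ip, user" header line followed by indented "key: value" lines per entry).
SAMPLE_AUTH_LIST = """\
10.10.20.15, jdoe
        type: fsso, id: 0, duration: 3412, idled: 120
        server: fsso-collector
        group_id: 33554433 33554434
        group_name: CN=Domain Users,CN=Users,DC=corp,DC=example CN=Internet-Access,OU=Groups,DC=corp,DC=example
10.10.20.16, asmith
        type: fsso, id: 0, duration: 88, idled: 10
        server: fsso-collector
        group_id: 33554433
        group_name: CN=Domain Users,CN=Users,DC=corp,DC=example
----- 2 listed, 0 filtered ------
"""

ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)\s*$")

def parse_auth_list(text):
    """Map each authenticated IP to its user, auth type and FSSO group DNs."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"user": m.group(2), "type": None, "groups": []}
            entries[m.group(1)] = current
            continue
        if current is None or not line.startswith(" "):
            continue  # footer such as "----- 2 listed, 0 filtered ------"
        key, _, value = line.strip().partition(":")
        if key == "type":
            current["type"] = value.strip().split(",")[0]
        elif key == "group_name":
            # several DNs are space separated; split only before the next "CN="
            current["groups"] = re.split(r"\s+(?=CN=)", value.strip())
    return entries

def check_access(entries, ip, policy_group):
    """Same reasoning as the manual check: learned via FSSO, and in the policy's group?"""
    entry = entries.get(ip)
    if entry is None:
        return False, "no auth entry for %s: the logon was never learned via FSSO" % ip
    if entry["type"] != "fsso":
        return False, "%s authenticated, but not via FSSO (type=%s)" % (ip, entry["type"])
    if policy_group.lower() not in (g.lower() for g in entry["groups"]):
        return False, "%s (%s) lacks policy group %s: %s" % (ip, entry["user"], policy_group, entry["groups"])
    return True, "%s (%s) should match the FSSO policy" % (ip, entry["user"])
```

A missing entry points at the collector/agent side (the logon event was never picked up), while a present entry with the wrong groups points at group membership or the FSSO group object referenced by the policy.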
Thanks for your support. I have already fixed this problem