Good morning, everyone! I have a FortiGate model 100F, version 7.4.7. I configured an IPsec VPN on it for employees to connect via FortiClient. I created the FSSO connector, which brought the groups, and I created the LDAP connection (tested and validated). What happens is: in the VPN policy I created, when I add the group from AD, when I try to connect, it displays an error and won't connect. Looking at the logs, I saw an error called FNBAM_ERROR. What could this error be? Thank you.
Hey viisanches7,
I think there is some confusion as to how FSSO and VPN authentication work.
In particular:
-> FSSO is primarily a solution that collects login information from AD and shares that with FortiGate
-> there is a specific group type associated with FSSO
-> this may look like LDAP syntax, but is NOT a group that references the LDAP server as member!
LDAP group:
FSSO group:
In addition:
-> Depending on how you configured IPsec VPN (set the related user group in tunnel, or in policy), FortiGate may not be caching the user login from VPN.
-> IPSec VPN only works if you set a user group in EITHER the policy or the tunnel, but not both!
-> if you set the user group in tunnel, FortiGate will verify the credentials during tunnel setup, but not store the login details, and groups cannot be used in policies to enforce which user is allowed access to what resource.
You can find more details here: Technical Tip: A guide to Dial-Up IPSec VPN Authentication and Policy Matching
Also, relating to FSSO:
- as mentioned above, FSSO relies primarily on domain logins
-> FortiGate verifying user credentials for a VPN connection is NOT a domain login, even if it uses domain credentials!
- users connecting to VPN will not, by default, immediately appear in FSSO!
- there are ways around this (FortiGate can share the VPN logins to the Collector Agent via syslog, for example, and the Collector Agent can turn them into FSSO sessions and share back to the FortiGate), but these are finicky to configure
-> VPN users will at some point perform some activity that counts as a domain login, and FSSO will pick up on them from that point onward, but not before
- depending on your VPN and policy configuration, your VPN users might not be able to reach domain controllers to actually perform domain logins, meaning FSSO would never pick up on those users
Essentially, there are two main potential issues:
1. Is your VPN authentication configured properly?
2. VPN logins do not immediately turn into FSSO sessions
Usually, VPN and FSSO are kept separate; FSSO for on-net users, and VPN-related rules and authentication for remote users, exactly because FSSO does not handle VPN logins particularly well due to its nature. There IS a FortiClient feature set (FSSO mobility agent) that lets FortiClient report user login and be turned into an FSSO login, but this requires a FortiAuthenticator with a specific additional license.
Cheers,
Deborah
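To make the two group types and the "tunnel OR policy" rule concrete, here is a constructed FortiOS CLI fragment (an added example, not from the post or from Fortinet documentation). It assumes an already-tested LDAP server object named "AD-LDAP"; the group DN, interface names and address objects are placeholders.

```fortios
# Added example, not from the post. Placeholder names: "AD-LDAP" (existing,
# tested LDAP server), "VPN-Dialup", "internal", address objects and the DN.

# Firewall-type group backed by the LDAP server: this is what VPN auth needs.
config user group
    edit "VPN-Users-LDAP"
        set group-type firewall
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=VPN-Users,OU=Groups,DC=example,DC=local"
            next
        end
    next
end

# FSSO-type group: the DN is a name learned from the Collector Agent, not a live LDAP lookup.
config user group
    edit "VPN-Users-FSSO"
        set group-type fsso-service
        set member "CN=VPN-Users,OU=Groups,DC=example,DC=local"
    next
end

# Tunnel: XAuth on, but NO authusrgrp here, so the policy performs the group check.
config vpn ipsec phase1-interface
    edit "VPN-Dialup"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set xauthtype auto
        unset authusrgrp
    next
end

# Policy: the LDAP group goes here (and only here), so the login is cached per user.
config firewall policy
    edit 10
        set srcintf "VPN-Dialup"
        set dstintf "internal"
        set srcaddr "VPN-Client-Range"
        set dstaddr "LAN-Subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN-Users-LDAP"
    next
end
```

Putting "VPN-Users-FSSO" into the policy instead would require an FSSO session that a dial-up login never creates, which matches the failure the answer describes.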