Fortinet Cookbook

Single Sign-On using LDAP and FSSO agent in advanced mode (Expert)

Doc ID 598118ae-ea1f-11e9-8977-00505692583a:366887
This recipe illustrates FortiGate user authentication with Fortinet Single Sign-On (FSSO) and a Windows domain controller (DC) acting as the LDAP server. The FortiGate learns which user is logged on at which IP address from the FSSO collector agent and resolves that user's group membership through LDAP; in this example, group membership controls Internet access.

1. Integrating the FortiGate with the Windows DC LDAP server

Go to User & Device > LDAP Servers and configure the LDAP server. Point it at the domain controller, set the Distinguished Name to the domain's base DN (dc=techdoc,dc=local in this example), use sAMAccountName as the Common Name Identifier (the usual choice for Active Directory) and bind with an account that can read user and group objects. This server is what lets the FortiGate resolve FSSO group names in advanced (DN) format, so test the connection here before continuing. Enable Secure Connection (LDAPS) where the DC has a certificate for it, so the bind credentials do not cross the network in cleartext.

2. Installing FSSO agent on the Windows DC server

Accept the license and follow the Wizard.

Enter the password of the Windows AD administrator account; the installer registers the collector agent as a Windows service running under this account, so protect these credentials as you would any service account with domain-wide rights.

Select the Advanced access method. In advanced mode, group names are handled in LDAP distinguished name format (for example CN=FortiOS Writers,CN=Users,DC=techdoc,DC=local) rather than the domain\group format of Standard mode, and the FortiGate looks groups up on the LDAP server configured in step 1. This is what allows nested groups and groups inside organizational units to be matched.

In the Collector Agent IP address field, enter the IP address of the Windows AD server on which you are installing the agent. This is the address the FortiGate connects to in step 3.

Select the domain you wish to monitor.

Next, select any users you do not wish to monitor (service accounts, for example). Logons by these accounts are ignored by the agent and never reach the FortiGate.

Under Working Mode, select DC Agent Mode. In this mode a DC agent (a DLL) is installed on the domain controller; it intercepts logon events as they happen and forwards them to the collector agent. Loading that DLL is why the controller must be rebooted afterwards.

Reboot the Domain Controller.

Upon reboot, the collector agent service starts automatically and you can open its console to finish the configuration.

Select Require authenticated connection from FortiGate and set a Password. Without it, any host that can reach the collector agent's listening port can request the logon list; the same password is entered on the FortiGate in step 3.

3. Configuring Single Sign-On on the FortiGate

Go to User & Device > Single Sign-On and create a new SSO server of type Fortinet Single-Sign-On Agent. Enter the collector agent's IP address (the DC from step 2) and the password set in step 2, and select the LDAP server from step 1 so that the FortiGate can retrieve the group tree. The collector agent listens on TCP port 8000 by default.

Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS Writers” group is used.

4. Adding a user group to the FortiGate

Go to User & Device > User Groups and create a new user group with Type set to Fortinet Single Sign-On (FSSO). Name it FortiOS_Writers; this is the name the firewall policy references.

Under Members, select the “FortiOS Writers” group.

5. Adding a policy to the FortiGate

Go to Policy & Objects > IPv4 Policy and create a policy that allows the FortiOS_Writers group to access the Internet, with the appropriate security profiles enabled. Add the FSSO group under Source alongside the LAN address, so that only traffic from identified members of the group matches; traffic from hosts with no FSSO logon does not match this policy and falls through to any later policy or the implicit deny.

The default Web Filter security profile is used in this example.
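The same configuration expressed in the FortiOS CLI, as an added example that is not part of the original recipe. It covers steps 1, 3, 4 and 5 (the agent installation in step 2 happens on the DC, not on the FortiGate). The object names, the interface names internal and wan1, the bind account fsso-bind, the placeholder passwords and the assumption that the DC is at 10.10.20.3 (the address of the WIN2K8R2 host in the diagnostic output below) are all assumptions for illustration; the domain techdoc.local and the group FortiOS Writers come from the recipe.

```text
# Step 1: LDAP server used to resolve FSSO group membership (advanced mode).
# "ldaps" on port 636 assumes the DC has a server certificate; drop the two
# secure/port lines to fall back to plaintext LDAP on 389 if it does not.
config user ldap
    edit "techdoc-ldap"
        set server "10.10.20.3"                      # assumption: DC address
        set cnid "sAMAccountName"
        set dn "dc=techdoc,dc=local"
        set type regular
        set username "cn=fsso-bind,cn=users,dc=techdoc,dc=local"   # assumption
        set password "<bind-password>"               # placeholder
        set secure ldaps
        set port 636
    next
end

# Step 3: the collector agent installed on the DC, with the password set under
# "Require authenticated connection from FortiGate". Port 8000 is the default.
config user fsso
    edit "techdoc-fsso"
        set server "10.10.20.3"                      # assumption: collector on the DC
        set port 8000
        set password "<collector-password>"          # placeholder
        set ldap-server "techdoc-ldap"
    next
end

# Step 4: FSSO user group whose member is the AD group in DN format.
config user group
    edit "FortiOS_Writers"
        set group-type fsso-service
        set member "CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL"
    next
end

# Step 5: Internet policy restricted to the FSSO group. "edit 0" allocates the
# next free policy ID. logtraffic all makes every session show up under
# Log & Report > Forward Traffic for the verification step.
config firewall policy
    edit 0
        set name "FSSO-Writers-Internet"
        set srcintf "internal"                       # assumption
        set dstintf "wan1"                           # assumption
        set srcaddr "all"
        set dstaddr "all"
        set groups "FortiOS_Writers"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end
```

Because the policy carries the FSSO group, a session from a host with no entry in the FSSO logon list does not match it, so keep this policy above any broader allow rule for the same interfaces.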

Results

Have users log on to the domain. On the DC, open the FSSO collector agent console and select Show Logon Users to confirm that their logons were captured.

From the FortiGate, go to Dashboard, locate the CLI Console widget and run the following command for details about the current FSSO logons. If the list is empty, run diagnose debug authd fsso server-status first to confirm that the FortiGate is actually connected to the collector agent:

# diagnose debug authd fsso list
----FSSO logons----
IP: 10.10.20.3 User: ADMINISTRATOR Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7 User: TELBAR Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----

From the FortiGate, go to Monitor > Firewall User Monitor and verify FSSO Logons.

Have users browse the Internet; their traffic matches the FSSO policy and the security profiles on it are applied.

Go to Log & Report > Forward Traffic to verify the log; entries matched by the policy show the user and group resolved via FSSO.

Select an entry for details.
