This recipe illustrates FortiGate user authentication with FSSO and a Windows DC LDAP server. In this example, user authentication controls Internet access.
Go to User & Device > LDAP Servers to configure the LDAP server.
Accept the license and follow the Wizard.
Enter the Windows AD administrator password.
Select the Advanced Access method.
In the Collector Agent IP address field, enter the IP address of the Windows AD server.
Select the domain you wish to monitor.
Next, select the users you do not wish to monitor.
Under Working Mode, select DC AgentMode.
Reboot the Domain Controller.
Upon reboot, the collector agent will start up.
You can choose to Require authenticated connection from FortiGate and set a Password.
Go to User & Device > Single Sign-On and create a new SSO server.
Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS Writers” group is used.
Go to User & Device > User Groups to create a new FSSO user group.
Under Members, select the “FortiOS Writers” group.
Go to Policy & Objects > IPv4 Policy and create a policy allowing “FortiOS_Writers” to navigate the Internet with appropriate security profiles.
The default Web Filter security profile is used in this example.
Have users log on to the domain, go to the FSSO agent, and select Show Logon Users.
From the FortiGate, go to Dashboard to look for the CLI Console widget and type this command for more detail about current FSSO logons:
# diagnose debug authd fsso list ----FSSO logons---- IP: 10.10.20.3 User: ADMINISTRATOR Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers IP: 10.10.20.7 User: TELBAR Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers Total number of logons listed: 2, filtered: 0 ----end of FSSO logons----
From the FortiGate, go to Monitor > Firewall User Monitor and verify FSSO Logons.
Have users go to the Internet and the security profiles will be applied accordingly.
Go to Log & Report > Forward Traffic to verify the log.
Select an entry for details.