Administration Guide

Example: Configuring a custom endpoint profile applied to an AD group

This example demonstrates how to configure a custom endpoint profile that is applied to an Active Directory (AD) group. It shows how to configure an LDAP server that allows group matching, configure a custom endpoint profile that uses this LDAP server to select the specific AD group to which the profile is applied, and test that the correct profile is applied to an AD user who is a member of the selected AD group.

This example makes the following assumptions:

  • The LDAP server has already been configured with AD services, AD users, and AD groups. The AD user johnlocus is a member of the Finance-Employees AD group.
  • You have already configured SSO authentication on the SSO provider side and in FortiSASE.
  • The endpoint used for testing the AD group matching is on-net, that is, locally on the same network as the LDAP server and joined to the LDAP domain.
  • The Default endpoint profile has been configured with Authenticate with SSO disabled, so that endpoints on the Default profile use LDAP for VPN user authentication.
Note

When using custom endpoint profiles with FortiSASE Endpoint Management Service, LDAP servers must use public IP addresses or publicly accessible FQDNs and may require some configuration or topology changes.

To configure an LDAP server:
  1. Go to Configuration > LDAP and click Create.
  2. Configure the LDAP server settings to match those on your LDAP server. Modify these to match your setup:

    Field                      Value
    Server IP/Name             <LDAP server IP address or name>
    Server Port                389
    Common Name Identifier     sAMAccountName
    Distinguished Name         dc=financial, dc=local
    Secure Connection          Disabled
    Advanced Group Matching    Disabled

    Note

    If desired, you can enable Advanced Group Matching, which lets you further configure Group Member Check, Group Filter/Group Object Filter, Group Search Base, and Member Attribute. The configuration in this example does not require Advanced Group Matching.

  3. Configure the bind type and administrator credentials:
    1. Bind Type: Regular
    2. Username: administrator@financial.local
    3. Password: <Password>
  4. Review the settings. Observe a notification that the LDAP server is successfully configured.
  5. Click Submit.
  6. Observe that a new LDAP server entry has been added to the table, noting that Custom Endpoint Profiles shows Successful.
To configure a custom endpoint profile applied to an AD group:
  1. Go to Configuration > Profiles and click Create.
  2. Add a name to the profile. For this example, use FinanceEmployees.
  3. Go to the Settings tab and configure these settings:
    1. Enable Show tags on FortiClient.
    2. Enable Notify endpoint of VPN connectivity issues.
    3. Enable Authenticate with SSO.
  4. Go to the Connection tab and configure these settings:
    1. Enable Connect to FortiSASE.
    2. Disable the Disable disconnect from VPN option.
  5. Go to the Groups & AD Users tab to configure the AD group that the custom endpoint profile will apply to:
    1. Select Non-AD Groups and click Delete. Click OK to confirm the deletion.
    2. Click Add > AD Groups. The LDAP domain and non-AD groups are visible in the slide-in window.
    3. To select the AD group, collapse the LDAP domain and select the desired AD group.
    4. Click OK.
    5. Review the selected AD group.
    6. Click OK.
    7. Observe that the newly created endpoint profile has an associated AD group and is enabled.
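The group match that the FinanceEmployees profile depends on, modelled offline as an added example (this is not Fortinet's code or the FortiSASE implementation): it builds the user-lookup filter from the LDAP settings above, canonicalises DNs so that "dc=financial, dc=local" and "DC=financial,DC=local" compare equal, and decides which profile a user entry would receive. The group's OU, the memberOf attribute and the sample entries are assumptions.

```python
"""Offline model of AD group matching for the FinanceEmployees profile (added example)."""

BASE_DN = "dc=financial, dc=local"    # Distinguished Name from the LDAP server table above
CN_ID = "sAMAccountName"              # Common Name Identifier from the table above
# Assumed location of the group: the page names the group but not its OU.
GROUP_DN = "cn=Finance-Employees,ou=Groups," + BASE_DN
MEMBER_ATTR = "memberOf"              # assumed Member Attribute (AD's usual membership attribute)


def normalize_dn(dn: str) -> str:
    """Strip whitespace around RDN separators and lower-case; AD DN comparison is case-insensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user name cannot change the structure of the search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_filter(username: str) -> str:
    """Search filter that locates the user by the configured Common Name Identifier, rooted at BASE_DN."""
    return f"(&(objectClass=user)({CN_ID}={escape_filter_value(username)}))"


def in_group(entry: dict, group_dn: str) -> bool:
    """Group Member Check: direct membership only, which is what memberOf reports."""
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(g) == wanted for g in entry.get(MEMBER_ATTR, []))


def select_profile(entry: dict) -> str:
    """Profile an endpoint logged in as this user would receive: the custom one on a match, else Default."""
    return "FinanceEmployees" if in_group(entry, GROUP_DN) else "Default"


# Constructed sample entries, not real directory data.
JOHN = {
    CN_ID: "johnlocus",
    MEMBER_ATTR: ["CN=Finance-Employees,OU=Groups,DC=financial,DC=local",
                  "CN=Domain Users,CN=Users,DC=financial,DC=local"],
}
SAM = {CN_ID: "samreed", MEMBER_ATTR: ["CN=Domain Users,CN=Users,DC=financial,DC=local"]}

if __name__ == "__main__":
    for user in (JOHN, SAM):
        print(user[CN_ID], user_filter(user[CN_ID]), "->", select_profile(user))
```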
To test that the custom endpoint profile is correctly assigned:
  1. Log into the domain-joined endpoint using an AD user.
  2. Go to Configuration > Profiles, select the custom endpoint profile you just created, and click View Endpoints. The Managed Endpoints view displays, filtered to the endpoints using the selected profile.
  3. Alternatively, you can view all endpoints and their profiles under Network > Managed Endpoints on the Endpoints tab.
  4. Establish a VPN connection on the test endpoint using SSO authentication.
  5. Go to Network > Managed Endpoints on the Endpoints tab and observe that the test endpoint's VPN username indicates SSO authentication, while another endpoint's VPN username indicates LDAP authentication. This demonstrates that SSO authentication and LDAP authentication can both be used for VPN authentication of endpoints with different profiles.
