Administration Guide

Groups & AD Users

To configure the Groups & AD Users tab:
  1. Create a new profile or edit an existing one:
    1. Go to Configuration > Profiles.
    2. Click Create or edit an existing profile.
    3. In the Name field, enter the desired name of the endpoint profile.
  2. On the Groups & AD Users tab, you can select Active Directory (AD) users, non-AD groups, or AD groups to assign the endpoint profile to. By default, FortiSASE adds Non-AD Groups to the table. You may want to keep this group or select it and delete it accordingly.
    Note

    Viewing users and groups from an AD server requires an LDAP server configuration. See Configuring FortiSASE with an LDAP server for remote user authentication in endpoint mode.

    Note

    If you have an existing LDAP server configured prior to FortiSASE 23.4, the custom endpoint profile cannot use it immediately. First, you must synchronize the LDAP server settings with the FortiSASE Endpoint Management Service using these steps:

    1. From Configuration > LDAP, Edit the existing LDAP server.
    2. Click Back twice to get back to the first page, Set up server.
    3. On the Set up server page, click Next.
    4. On the Authenticate page, select the Bind type, reenter the LDAP administrator credentials, and click Next.
    5. On the Review page, click Submit.
    Note

    The FortiSASE Endpoint Management Service does not support importing LDAP subdomains if you have already imported the LDAP parent domain previously into it.

    Note

    FortiSASE can connect to DNS, RADIUS, or LDAP servers with internal IP addresses or FQDNs if you set Access Type to Private in the RADIUS or LDAP server settings, internal servers are located behind a secure private access (SPA) hub, and the SPA hub in FortiSASE has been configured with BGP per overlay.

    When the FortiSASE Endpoint Management Service uses LDAP servers with Groups & AD Users for endpoint profile assignments, these servers must use public IP addresses or publicly accessible FQDNs with Access Type set to Public in the LDAP server settings and may require some configuration or topology changes.

    See Network restrictions removed.

  3. Click Add and select AD Users or Groups as per your requirements:
    • When selecting AD Users, a slide-in appears, which allows you to view the domains corresponding to configured LDAP servers. You can collapse the LDAP domain and select AD users from the list of AD users.
    • When selecting Groups, do one of the following:

      Group type: AD groups
      Description: A slide-in appears that allows you to view the domains corresponding to configured LDAP servers and select AD groups. To select AD user groups, you can collapse the LDAP domain using the + button and select the required AD groups from a tree view of groups using the toggle.

      Group type: Non-AD groups
      Description: A slide-in appears that allows you to create nested non-AD user groups under Non-AD Groups and assign endpoints to the group. To configure a non-AD user group and add endpoints to the newly created non-AD group, do the following:

      1. Collapse Non-AD Groups using the + button.
      2. Select the group under which you want to create the new group and click Create sub-group.
      3. Enter the Name of the group as desired.
      4. Select the available non-AD endpoints to add to the group. Click Add selected.
      5. Click OK.
      6. Enable the toggle only for the specific group to which you want to assign the profile.
      7. Click OK.
  4. Click OK.
  5. Repeat step 3 to add more groups and AD users. If you add more groups to the list, the endpoint user must be a part of at least one group for FortiSASE to assign the profile to the endpoint.
  6. Click OK to save the endpoint profile.
  7. To view the endpoints that are assigned to a profile, click the profile and select View Endpoints from the tool bar.