Single Sign-On using FSSO agent in advanced mode and FortiAuthenticator (Expert)
This recipe demonstrates FortiGate user authentication with the FSSO agent installed on a Windows Domain Controller, and the use of a FortiAuthenticator as an LDAP server. In this example, user authentication controls Internet access.
1. Configuring an LDAP directory on the FortiAuthenticator
Go to Authentication > User Management > Local Users to create a user list. Make sure to enable Allow LDAP browsing.
Go to Authentication > User Management > User Groups to create a user group and add users to it. The “FortiOS_Writers” user group is used in this example.
Go to Authentication > LDAP Service > Directory tree and configure the LDAP directory tree.
2. Integrating the FortiGate with the FortiAuthenticator
On the FortiGate, go to User & Device > LDAP Servers to configure the LDAP server.
3. Installing FSSO agent on the Windows DC
Accept the license and follow the Wizard.
Enter the Windows AD administrator password.
Select the Advanced access method for Windows Directory.
In the Collector Agent IP address field, enter the IP address of the Windows AD server.
Select the domain you wish to monitor.
Next, select the users you do not wish to monitor.
Under Working Mode, select DC Agent Mode.
When prompted, select Yes to reboot the Domain Controller.
Upon reboot, the collector agent will start up.
You can choose to Require authenticated connection from FortiGate and set a Password which will be used in step 4.
4. Configuring Single Sign-On on the FortiGate
Go to User & Device > Single Sign-On and create a new SSO server. In the Primary Agent IP/Name field, enter the Collector Agent IP Address used in step 3. Likewise, enter the Password required for authentication.
Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS_Writers” group is used.
5. Adding a user group to the FortiGate
Go to User & Device > User Groups to create a new user group. Under Remote groups, add the remote LDAP server created earlier for the FortiAuthenticator (in this example it is called “FAC_LDAP”).
6. Adding a policy to the FortiGate
Go to Policy & Objects > IPv4 Policy and create a policy allowing “FortiOS_Writers” to navigate the Internet with appropriate security profiles.
The default Web Filter security profile is used in this example.
7. Results
Have users log on to the domain, then open the FSSO collector agent on the Windows DC and select Show Logon Users.
From the FortiGate, go to Dashboard, open the CLI Console widget, and enter this command for more detail about current FSSO logons:
# diagnose debug authd fsso list
----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL  MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL  MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
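As an added check that is not part of the original recipe, the following Python script parses the output of diagnose debug authd fsso list and reports logons whose AD groups were not mapped to the FSSO group on the FortiGate (a MemberOf value is missing or does not name the group). Such a user is logged on to the domain but will never match the FSSO policy. It assumes the field layout shown above and, for users in several FSSO groups, a comma-separated MemberOf list; the sample text is constructed from the two logons in this recipe.

```python
import re

# Constructed sample input: the two logons from the recipe's diagnose output.
SAMPLE_OUTPUT = """\
# diagnose debug authd fsso list
----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL  MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL  MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

LABELS = "IP|User|Groups|Workstation|MemberOf"
# A value runs until the next "  Label:" token or the end of the line, so DNs
# containing commas and spaces (CN=FORTIOS WRITERS,...) are kept intact.
FIELD_RE = re.compile(rf"({LABELS}):\s*(.*?)(?=\s+(?:{LABELS}):|$)")
TOTAL_RE = re.compile(r"Total number of logons listed:\s*(\d+)")


def parse_fsso_logons(text):
    """Return (logons, total) from 'diagnose debug authd fsso list' output.

    logons is one dict per 'IP:' line between the FSSO logons markers; total
    is the count the FortiGate itself reports (None if that line is missing).
    """
    logons, total, inside = [], None, False
    for line in text.splitlines():
        if line.startswith("----FSSO logons----"):
            inside = True
        elif line.startswith("----end of FSSO logons----"):
            break
        elif inside and line.startswith("IP:"):
            logons.append({k: v.strip() for k, v in FIELD_RE.findall(line)})
        elif inside and (m := TOTAL_RE.search(line)):
            total = int(m.group(1))
    return logons, total


def unmapped_logons(logons, fsso_group):
    """Logons whose AD groups were not mapped to fsso_group on the FortiGate.

    MemberOf is absent for an unmapped user; when several FSSO groups are
    listed they are assumed (not verified here) to be comma separated.
    """
    result = []
    for entry in logons:
        members = [g.strip() for g in entry.get("MemberOf", "").split(",")]
        if fsso_group not in members:
            result.append(entry)
    return result
```

Paste real console output into SAMPLE_OUTPUT (or read it from a file) and compare the parsed count with the total the FortiGate reports to catch truncated output.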
Have users belonging to the “FortiOS_Writers” user group navigate the Internet. An authentication portal is presented to allow only authorized users. Security profiles will be applied accordingly.
Upon successful authentication, from the FortiGate, go to Monitor > Firewall User Monitor and verify FSSO Logons.
Go to Log & Report > Forward Traffic to verify the log.
Select an entry for details.