Single Sign-On using LDAP and FSSO agent in advanced mode (Expert)

This recipe illustrates FortiGate user authentication with FSSO (Fortinet Single Sign-On), using the collector agent in DC Agent mode with the Advanced access method and an LDAP server defined on the FortiGate. In this example, FSSO logons control Internet access and different security profiles are applied to different users.

1. Integrating the FortiGate with the LDAP server

Go to User & Device > Authentication > LDAP Servers and add the Windows AD server: its address, the distinguished name (DN) of the domain, and Regular bind credentials for an account that can read the directory (an anonymous bind cannot read group membership on a default AD installation).

This LDAP connection is not what delivers logon events; the collector agent does that. It is what lets the FortiGate resolve group membership when the agent runs in Advanced access mode, which is how nested groups are supported (see the discussion in the comments below).

2. Installing the FSSO agent on the Windows AD server

Run the FSSO agent installer on the domain controller. Accept the license and follow the wizard.

Enter the Windows AD administrator password.


Select the Advanced access method. Advanced mode identifies groups by LDAP distinguished name (for example CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL) rather than the flat Windows Domain\Name convention, and is required for nested group support.


In the Collector Agent IP address field, enter the IP address of the Windows AD server on which the collector agent is being installed.

Select the domain you wish to monitor.

Next, select the users you do not wish to monitor (typically service and administrative accounts whose logons should not create FSSO sessions).

Under Working Mode, select DC Agent mode. In this mode a DC agent on the domain controller captures logon events; every domain controller that authenticates users needs the DC agent, otherwise logons handled by the other domain controllers are missed.

Reboot the domain controller.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password. Enable this: without it, any host that can reach the collector agent's listening port (TCP 8000 by default) can register as a FortiGate and receive logon data. The same password must be entered on the FortiGate SSO server in step 3.

3. Configuring Single Sign-On on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server of type Fortinet Single-Sign-On Agent. Enter the IP address of the collector agent (the AD server from step 2) and, if you required an authenticated connection in step 2, the same password. Select the LDAP server created in step 1 so that the FortiGate can read the domain's groups.

Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS Writers” group is used.

4. Creating a user group on the FortiGate

Go to User & Device > User > User Groups and create a new user group of type Fortinet Single Sign-On (FSSO). In this example it is named FortiOS_Writers.

Under Members, select the “FortiOS Writers” group that the SSO server from step 3 is monitoring. Policies can only reference this FortiGate group, not the AD group directly; the FSSO logon list in the Results section shows the mapping (Groups is the AD distinguished name, MemberOf is this FortiGate group).

5. Adding a policy on the FortiGate

Go to Policy & Objects > Policy > IPv4 and create a policy allowing the FortiOS_Writers group to reach the Internet, with the appropriate security profiles. The default Web Filter security profile is used in this example.

Traffic from an IP address that has no matching FSSO logon does not match this policy and falls through to the next policy in the list, so decide explicitly what follows it (a policy for SSO_Guest_Users, or nothing, so that the implicit deny applies).

6. Results

Have users log on to the domain, then open the FSSO collector agent on the AD server and select Show Logon Users.

From the FortiGate, go to System > Status, open the CLI Console widget, and enter the following command for details about current FSSO logons:

diagnose debug authd fsso list

----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
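
To check the logon list systematically rather than by eye, the following Python script is an added example (not part of the original recipe and not a Fortinet tool). It parses the output above, embedded as a constructed sample, and cross-checks each entry against the step 4 mapping: an entry whose Groups contain a monitored AD DN must show the FortiGate group under MemberOf, and an entry with an empty MemberOf will not match the step 5 policy. The field layout is assumed from the output shown here: one line per logon, multiple AD groups joined with '+', multiple FortiGate groups separated by commas.

```python
"""Parse `diagnose debug authd fsso list` output and cross-check the
group mapping.  Added example, not part of the original recipe or any
Fortinet tool.  Assumed layout (from the output shown in the recipe): one
'IP: ... User: ... Groups: ... Workstation: ... MemberOf: ...' line per
logon, AD groups joined with '+', FortiGate groups separated by ','."""
import re
from dataclasses import dataclass

# Constructed sample: the two logons shown in the Results section.
SAMPLE_OUTPUT = """\
----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+Groups:\s*(?P<groups>.*?)"
    r"\s+Workstation:\s*(?P<ws>\S+)(?:\s+MemberOf:\s*(?P<memberof>.*))?$"
)
TOTAL_RE = re.compile(r"^Total number of logons listed:\s*(\d+)")


@dataclass
class Logon:
    ip: str
    user: str
    groups: list        # AD group DNs reported by the collector (upper-cased)
    workstation: str
    member_of: list     # FortiGate FSSO user groups the logon was matched to


def parse_fsso_list(text):
    """Return the Logon entries; raise if the FortiGate's count line disagrees."""
    logons, total = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOGON_RE.match(line)
        if m:
            groups = [g.strip().upper() for g in m["groups"].split("+") if g.strip()]
            member_of = [g.strip() for g in (m["memberof"] or "").split(",") if g.strip()]
            logons.append(Logon(m["ip"], m["user"], groups, m["ws"], member_of))
            continue
        t = TOTAL_RE.match(line)
        if t:
            total = int(t.group(1))
    if total is not None and total != len(logons):
        raise ValueError(f"parsed {len(logons)} logons, FortiGate reported {total}")
    return logons


def check_mapping(logons, expected):
    """expected maps FortiGate group name -> set of AD group DNs it monitors
    (the members chosen in step 4).  Returns a list of problem strings."""
    problems = []
    wanted = {fg: {dn.upper() for dn in dns} for fg, dns in expected.items()}
    for lg in logons:
        held = set(lg.groups)
        for fg, dns in wanted.items():
            holds, mapped = bool(held & dns), fg in lg.member_of
            if holds and not mapped:
                problems.append(f"{lg.user}@{lg.ip}: holds a group monitored by {fg} but is not mapped to it")
            if mapped and not holds:
                problems.append(f"{lg.user}@{lg.ip}: mapped to {fg} without holding any of its AD groups")
        if not lg.member_of:
            problems.append(f"{lg.user}@{lg.ip}: matches no FortiGate group, so it will not hit the group policy")
    return problems


def ips_for_group(logons, fortigate_group):
    """Source IPs that the policy for fortigate_group currently matches."""
    return sorted(lg.ip for lg in logons if fortigate_group in lg.member_of)


if __name__ == "__main__":
    entries = parse_fsso_list(SAMPLE_OUTPUT)
    expected = {"FortiOS_Writers": {"CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL"}}
    for p in check_mapping(entries, expected) or ["mapping OK"]:
        print(p)
    print("FortiOS_Writers IPs:", ips_for_group(entries, "FortiOS_Writers"))
```

Paste the real console output into SAMPLE_OUTPUT (or read it from a file) and put the step 4 group-to-DN mapping in expected. If the list is empty although users are logged on, the FortiGate is usually not connected to the collector; diagnose debug authd fsso server-status shows that connection, and a password mismatch with step 2 is the common cause.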

From the FortiGate, go to User & Device > Monitor > Firewall and verify the FSSO logons.

Have users browse the Internet; the security profiles will be applied according to the policy matched.

Go to Log & Report > Traffic Log > Forward Traffic to verify the log; each entry shows the user and group the session was attributed to.

Select an entry for details.
Taher Elbar
Technical Product Specialist at Fortinet

After a Bachelor's degree in Telecommunications from the University of Geneva, Taher began his career in software development, then moved to system/network administration, followed by security support engineering. With over 10 years of experience, Taher now writes technical documentation for Fortinet.
  • محمد حسن

    Hello ,

    I am using DC Agent; I have installed FSSO on all AD servers (2 DCs).
    It is working fine, but if the main DC (domain controller) has been restarted or goes down, no one is able to use the Internet.

    Note that I can see all users under the logon users list on the other server, status OK and verified, but no one can access the Internet until the main DC starts again.

    Any advice for my case?

  • HBG

    Hello,
    Is this manual also valid for 5.4.4 and 5.6?

  • Belal Adel

    Hi, I have a problem when using FSSO: old users' authentication fails, but when I create a new user in Active Directory this user works fine.

  • sub7even

    Hi Gurus,

    Does it work as follows:

    1. End users authenticate via captive portal links with their AD server based on group?
    2. I can't add users to the group inside the interface / VLAN with captive portal; it only shows local firewall users.

    Please advise, thank you

    Regards,
    Steve

  • Naveed Usman

    I have 25 VLANs in my network. I want to use FortiGate port 1 for VLANs 1-5 traffic to the Internet, and the others the same on port 2, port 3 and so on. Is it possible? Please help; I have a FortiGate 500D.

  • Rohit Sharma

    Hi,

    I have a FortiGate 200D, and I want to do web content filtering by AD users and groups, as DHCP is enabled in my office. Can anyone help me with how it can be done?

  • John

    Hi Taher

    I hope you can help with a few questions I have, as you seem to be the only person that understands this.

    I am currently trialling a FortiGate and would like to test FSSO; we have 3 Domain Controllers, 3000 Windows endpoints and 500 OS X endpoints which we need to authenticate.

    We have been advised to install the Windows DC agent and collector on a DC, but after reading the very limited documentation it states we need to use polling mode when using OS X and not the agent. Is this correct?

    There also seems to be 2 different ways to setup polling,

    1) create a new sso server in Poll Active Directory Server mode on the Fortigate for each DC.

    2) install the collector on a server to collect logs from the DC’s and then point the Fortigate at the collector.

    Could you please tell me what the difference is with each polling method and which would be best for our environment?

    With any method or polling or FSSO how do we provide redundancy for the ldap server?

    Are there any differences when using FSSO in an IPv4 policy or in the explicit web proxy?

    Thanks

    John

    • Adam Bristow

      Hello John,

      – With a network the size of yours (3,500), Polling mode would not be a viable option; it serves well for SOHO environments of approximately 100 users. Having said this, much of that number depends on the number and frequency of logon events that you are anticipating.

      – Because of your high-user count, and especially if they’re a spread-out network (i.e. across the globe), then we’d suggest you use Collector Agent on DC – even for non native clients like MacOS.

      – In regards to your last query about the difference between using FSSO in a policy vs. explicit web proxy, two-factor authentication is not possible in an explicit web proxy configuration.

      – As for creating redundancy for the LDAP server, I recommend you contact support at support.fortinet.com

      In case you haven’t seen our other documentation that discuss FSSO and more on this subject, I would recommend checking out both the FortiAuthenticator Admin Guide and the Authentication chapter (see links below):
      http://docs.fortinet.com/d/fortiauthenticator-4.2.1-administration-guide
      http://docs.fortinet.com/d/fortigate-authentication-2

      Thank you very much for your questions and I hope I was of assistance.

      Regards,

      Adam

      • John

        Hi Adam

        Thanks for your reply

        I would say we would have at least 500 to 1000 unique user logons to computers an hour when lessons change. I don’t know how this would relate to the event logs for polling.

        The reason we went with the polling method is because, in the authentication document you referenced, it clearly states to use this method if you have OS X clients.

        So this is not the case??

        How do the OSX clients authenticate??

        Can I ask why I would need to open a support ticket for LDAP redundancy? Surely this is a common request, and I would have expected this to be documented/supported? As I said, we are currently trialling the product, so this doesn’t look good.

        We have looked at a number of the documents and I must say the documentation is very poor compared with other vendors, lacking key technical information and in some cases just wrong with CLI syntax etc. This does not look very good to potential customers such as ourselves.

        I have not looked into or been told about the FortiAuthenticator, what is this product and what is it used for?

        I do appreciate you taking the time to respond and answer my questions. I hope this will help others who also have similar questions.

        Thanks

        John

        • Adam Bristow

          Hello John,

          If you raise the issue with support, our network engineers can help you much more effectively than we can. They can also escalate the issue so as to have the appropriate documentation updated accordingly. This helps us technical writers deliver a much more complete product and service.

          Would you kindly point out to us what documentation you are looking at? I would be happy to review the content that refers to Polling for OS X clients, but I’m unable to find that information (pertaining to it being a necessity) in our Authentication handbook.

          The FortiAuthenticator Admin Guide does make reference to it (see page 117), however I believe this is meant to be conveyed as a suggestion; it’s not imperative to use for Mac OS X systems.

          Incidentally, FortiAuthenticator is our user identity management platform that handles user authentication via FSSO, LDAP, RADIUS, Captive Portal, incorporating two-factor authentication and more:

          https://www.fortinet.com/products/identify-and-access-management/network-authentication/fortiauthenticator.html

          Again, I strongly recommend contacting our support team also, as their efforts directly contribute to the accuracy of our work.

          Best regards,

          Adam

          • John

            Hi Adam

            Thanks for the response again.

            The extract below is straight out of the latest Fortigate Authentication Document

            “Event log polling may run a bit slower, but will not miss events, even when the installation site has many users that require authentication. It does not have the 10 second limit on NetAPI polling. Event log polling requires fast network links. Event log polling is required if there are Mac OS users logging into Windows AD.”

            Thanks

            John

  • nicolas zafiriou

    i have a question for Taher.
    I have 3 domain controllers in my network and have installed the DC agents on all 3. However, on the firewall SSO pane only 1 agent is in bold, which also reflects on “Show service status” of the agent. Only the 1 agent has connected with the firewall.

  • Den Arrow

    Hi, I am currently using NetAPI polling in polling mode and it is working fine. However, some new iMac users requested to use FSSO but it failed. I know it is required to change from NetAPI to Event log polling, but I am concerned whether there is any impact for current users. What is the impact after the change? Should users need to reboot the PC/iMac to apply the new authentication session?

    • Taher Elbar

      Hi Den,
      Technically, users need to re-authenticate; no reboot is required.
      Regards,
      Taher.

  • Darrel Towndrow

    Hi. I know from experience setting up FSSO in polling mode that I have to poll all domain controllers. Does this apply to the FSSO Agent, or does one agent on one domain controller catch all logins regardless of which DC authenticates the user?

    • Taher Elbar

      Hi Darrel,
      Introduced in FortiOS 5.0, Single Sign-On (SSO) support provided by FortiGate polling of domain controllers is simpler than the earlier method that relies on agent software installed on Windows AD network servers. No Fortinet software needs to be installed on the Windows network. The FortiGate unit needs access only to the Windows AD global catalog and event log.
      Regards,
      Taher.

  • Eddie

    It may be helpful for those trying to wrap their heads around this type of setup to know that the Fortigate never uses an LDAP user nor a group directly in its policy. Instead, it only uses users and groups that are local to the Fortigate. The process for FSSO allows the collector to collect logons which are sent to the Fortigate and added to a LOCAL group. You can see this happening in step 4. Step 4 takes the FSSO information you’ve set up and you create a new local group on the Fortigate and add the FSSO information into it. Therefore you are using a local group (local to the Fortigate that is) which contains the FSSO setup and potentially Radius or local users as well. The point being: Don’t expect your AD groups to show up as an available policy option, you will first need to put those AD groups into a local Fortigate group, then add the Fortigate group to your policy.

    Hope that helps someone.

    • Taher Elbar

      See answer in previous comments.
      Regards,
      Taher.

  • Eddie

    Great recipe, but if that’s an “Expert” setup, perhaps I should write a recipe on fault tolerant collectors, including how to handle multiple sites in AD and filter groups and make it “super expert”. In this recipe, I’m struggling to find out what the step 1 LDAP connection does. FSSO doesn’t rely on this so it seems rather insignificant and unused.

    • Taher Elbar

      Hello Eddie,
      – Step 1 is where you configure the FortiGate to fetch groups and users from your external LDAP server.
      – When you set up SSO in step 3, you call this LDAP server, as you see in the screenshot of step 3; all LDAP groups/users show up in the FortiGate, and there you can select which groups to monitor if you need to.
      – Now the user group set in step 4 contains the selected groups/users from step 3. It’s not local to the FortiGate; it’s still fetching the groups/users from your external LDAP server.
      Please feel free to ask if you still do not understand some thing in this recipe.
      Regards,
      Taher.

      • Eddie

        I understand what you’re saying, but it doesn’t work the way this article suggests. You setup an LDAP server in step 1 that isn’t actually used. And I know it isn’t used because my FSSO setup works flawlessly without it. I actually have an LDAP server added for the VPN tunnel connections, but my Single Sign-On setup has “Click to set” listed under LDAP Server. My LDAP Server setup is independent from my Single Sign-On. …and of course it would work without this because all the negotiations for LDAP happen on the collector which polls AD and sends the information back to the Fortigate. All users and groups populate without the LDAP Server settings set because the collector does it. You stated that “Step1 is where to configure the FortiGate to fetch groups and users from you external LDAP server” But it’s the FSSO agent/collector that does that, not the LDAP setup. So again, what does this do? Nothing from what I can tell.

  • Sulaiman Al Darmaki

    Hi,
    I’m trying to set up FortiGate with FSSO. When I log in on another machine, the logon is not showing using the command

    dia de authd fsso list

    When I run

    dia de fsso-polling detail

    I get this output:
    fsso daemon is not running.
    And on my web UI on the Single Sign On tab I get an (X) mark and it says disconnected.
    I followed the same steps as in this article, and I didn’t get any errors.
    Any idea what’s wrong?
    Sulaiman

    • Franciele Ongaratto

      Hi Sulaiman,

      Any news about this problem?
      I am also seeing the same status, disconnected.
      Appreciate your help.

      Regards,

      Franciele

  • Farhan Ashraf

    Dear Sir,
    I am having an issue with my FortiGate 100D.
    I have configured the 100D and also integrated it with Windows AD. All the AD groups present are fetched into my FortiGate 100D, but I want to apply a policy to individual users of an individual AD group.
    For example: suppose there is a Maintenance department and 10 users are present in the Maintenance AD group; 6 are managers and 4 are workers, and I want to give full access to only the managers of that department and limit Internet access for the other 4 workers.
    We have more than 1000 users and I can’t create individual policies for each user.
    Is there any way I can apply a policy to individual users of any Active Directory group?

    • Kerrie Newton

      Hello Farhan,

      In order to apply filtering to individual users you would need to have the users defined as Remote LDAP Users.
      Then create a User Identity policy and select the desired users as Source Users, along with the required Security Profiles.
      NOTE: this policy must be above any other User Identity Policies using groups of which the desired users are also members.

      Regards,
      Kerrie

  • Ali Jassim

    Dear Sir, I have one question: what about users not on the domain, like an iPhone or a laptop not in the domain? How can they access the Internet? As I know, from v5.0 we can use the FSSO_Guest_users group and then they can access? What about this version? Is it the same or different?

    • Kerrie Newton

      Hello Ali,

      For users who are not members of a domain, the FortiGate will authenticate them as Guests. FSSO_Guest_Users still exists in v5.2, now called SSO_Guest_Users.
      You would create a User Identity Policy with Source Users set to SSO_Guest_Users and apply the required Security Profiles.

      Regards,
      Kerrie

  • Mohammed Khan

    Hi Taher,

    What about wireless phones and tablets, as they are not joined to the domain for SSO? How can we give them Internet?

    Regards,
    Mohammed Shahnawaz Khan

    • Adam Bristow

      Hello Mohammed, I’ll hopefully answer your question on Taher’s behalf.

      When installing the FSSO agent on Windows AD server in step 2, the Advanced access method is chosen, which allows LDAP access to Windows AD to retrieve user/group information from the FortiGate.
      Wireless users who wish to authenticate themselves can be joined to the domain for SSO by being added as a Remote LDAP User on the FortiGate, as the LDAP server is configured to the SSO server.

      For more information on how to do this, see http://docs.fortinet.com/uploaded/files/1937/fortigate-authentication-52.pdf (on page 47).
      I hope this answers your question.

      Regards,
      Adam

      • Eddie

        Adam. I love your answer, however, you’ll notice in your setup that FSSO doesn’t function of course because a wireless phone or tablet user can’t SSO. So this configuration would require a user to have to manually authenticate. Which at that point, wouldn’t it be easier to just create a device based policy for these users? I create a device policy and put all my iPhones and Androids in it. I then apply the same security policies as my SSO. Keep the device policy above the user policy and voila!

  • Nishit Patel

    Hi Taher,
    If a user connects his personal device say an iPhone to the network via wifi, what webfilter policy it applies to? Here there is no user logon/logoff events because user is not authenticated using ldap.

    • Adam Bristow

      Hello Nishit, I’ll hopefully answer your question on Taher’s behalf.

      Wireless users who wish to authenticate themselves can authenticate using LDAP, but they must first be added to the FortiGate as a Remote LDAP User on the FortiGate.
      To see how to do this, see http://docs.fortinet.com/uploaded/files/1937/fortigate-authentication-52.pdf (on page 47).

      As a result, the default Web Filter profile will still be applied to this user, once added and authenticated.
      I hope this answers your question.

      Regards,
      Adam

    • Adam Bristow

      Wireless users who wish to authenticate themselves can do so using LDAP, but they must first be added as Remote LDAP Users in the FortiGate.
      To see how to do this, see http://docs.fortinet.com/uploa… (on page 47).

      Since the user will be added and authenticate, the Web Filter policy will apply to these users in the same way.
      I hope this answers your question.

      Regards,
      Adam

  • Haytham Gaber

    Hello Taher, I want to know the difference between Fortinet single-sign on server and Poll active directory server.

    • Taher Elbar

      Hi Haytham,

      FSSO can be deployed in DC agent mode or polling mode.

      In Polling mode there are three options—NetAPI polling, Event log polling, and Event log using WMI. All share the advantages of being transparent and agentless. NetAPI polling is used to retrieve server logon sessions. This includes the logon event information for the Collector agent. NetAPI runs faster than Event log polling but it may miss some user logon events under heavy system load. It requires a query round trip time of less than 10 seconds.

      Event log polling may run a bit slower, but will not miss events, even when the installation site has many users that require authentication. It does not have the 10 second limit on NetAPI polling. Event log polling requires fast network links. Event log polling is required if there are Mac OS users logging in to Windows AD.

      Event log using WMI polling: WMI is a Windows API to get system information from a Windows server, CA is a WMI client and sends WMI queries for user logon events to DC, which in this case is a WMI server. Main advantage in this mode is that CA does not need to search security event logs on DC for user logon events, instead, DC returns all requested logon events via WMI. This also reduces network load between CA and DC.

      In Polling mode, the Collector agent polls port 445 of each domain controller for user logon information every few seconds and forwards it to the FortiGate unit. There are no DC Agents installed, so the Collector agent polls the domain controllers directly.

      Regards,
      Taher.

      • Haytham Gaber

        Dear Taher;
        Thanks for your valued support.
        when we use FSSO in Poll Active Directory server mode , we don’t have to install FSSO agent on AD. Is that right?

        BR

        • Taher Elbar

          Correct.
          Regards,
          Taher.

          • Haytham Gaber

            Dear Taher;
            Another question please.

            When we use FSSO agent in advanced mode can we refer to OUs instead of referring to user by user.

            BR

  • John Stoker

    Does FSSO also support machine/device auth based off OU groups or just user auth? I don’t see any documentation of workstation auth support, however, it’s captured in the same windows logon/logoff events and should be easy to enable I would think.

    • Taher Elbar

      Hi John,

      FortiGate supports device authentication, useful information following this link :
      http://docs.fortinet.com/d/fortigate-managing-devices-for-fortios-5.2

      FSSO supports only user authentication, since it is the user who is supposed to authenticate to multiple resources using just one set of credentials (Single Sign-On), not the machine. Also, FSSO gathers logon/logoff information from the Windows security event logs, which have no event log entry for device logon/logoff. It depends on the OS version, but here is an example of security event log entries:
      https://support.microsoft.com/en-us/kb/977519
      Regards,
      Taher.

      • John Stoker

        Thank you for the reply and great clarification Taher!

  • flavien

    Hello Taher. I don’t understand the difference when selecting or not selecting an LDAP server in the FSSO server. Which new feature becomes available when it’s done?
    It seems I can achieve the same result with FSSO authentication without selecting an LDAP server.

    • Taher Elbar

      Hi Flavien,

      Correct, you can achieve the same results without an LDAP server; that’s the standard mode.
      The main difference between Standard and Advanced mode is the naming convention for identifying groups:
      Standard mode uses the regular Windows convention: Domain\Username
      Advanced mode uses LDAP: CN=User, OU=Name, DC=Domain

      Standard mode provides the same level of functionality as Advanced mode, except that Advanced mode supports nested groups. This means that users may be members of multiple monitored groups. Standard mode does not support nested groups, so a user must be a direct member of the group being monitored.
      Regards,
      Taher.

      • flavien

        Helo Taher,

        I was not talking about changing AD access mode in the collector agent from standard to advanced.
        I was talking about selecting a previously created LDAP server when you configure the FSSO server on the FortiGate config.
        I do not see any difference or new feature when you select a LDAP server.
        Best regards.

        • Taher Elbar

          Hi Flavien,
          Adding the LDAP server when you configure the FSSO server on the FortiGate allows you to manage nested users as explained in previous comments.
          To do this, Collector Agent has to be set to Advanced mode.
          Regards,
          Taher.

          • flavien

            Taher,
            Should I understand that selecting a LDAP server in the FSSO config in the FortiGate is mandatory when you set AD access mode to Advanced in the collector agent ?

          • Taher Elbar

            Hi Flavien,
            It’s not mandatory; you can set the Collector Agent to Advanced mode and not choose an LDAP server in the FSSO settings, but this has no benefit.
            To take advantage of nested user support, you need to set the Collector Agent to Advanced mode and choose the LDAP server in the FSSO config on the FortiGate.
            Regards,
            Taher.

          • flavien

            Taher,
            Thank you for your answer, it starts to be clear now !
            So you confirm that those 2 settings do not provide any advantage when they are not used concurrently?
            Best regards.

          • Taher Elbar

            Correct.
            Taher.
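
The following Python model, added here and not Fortinet code, illustrates the Standard/Advanced distinction discussed in the thread above: with direct membership only (Standard mode), a user whose group is nested inside the monitored group does not match; with the transitive walk (Advanced mode with the LDAP server selected on the FortiGate SSO server), the user does. The directory is a constructed map of DN to direct memberOf entries, including a deliberate cycle so the walk's termination check is exercised, and DN comparison normalizes case and whitespace the way LDAP matching does. It is a model of the behaviour described, not the collector agent's implementation.

```python
"""Direct vs nested group matching: a model of the Standard/Advanced mode
difference described in the comments.  Added example, not Fortinet code.
The directory below is constructed; DNs follow the recipe's domain."""
import re

# Constructed directory: object DN -> DNs of the groups it is a *direct*
# member of (what AD's memberOf attribute would hold).  TELBAR is only a
# direct member of TECH WRITERS, which is itself nested in FORTIOS WRITERS.
# LOOP A / LOOP B contain each other so the walk's cycle guard is exercised.
BASE = "CN=USERS,DC=TECHDOC,DC=LOCAL"
DIRECTORY = {
    f"CN=ADMINISTRATOR,{BASE}": [f"CN=FORTIOS WRITERS,{BASE}"],
    f"CN=TELBAR,{BASE}": [f"CN=TECH WRITERS,{BASE}"],
    f"CN=TECH WRITERS,{BASE}": [f"CN=FORTIOS WRITERS,{BASE}", f"CN=LOOP A,{BASE}"],
    f"CN=LOOP A,{BASE}": [f"CN=LOOP B,{BASE}"],
    f"CN=LOOP B,{BASE}": [f"CN=LOOP A,{BASE}"],
    f"CN=FORTIOS WRITERS,{BASE}": [],
}


def normalize_dn(dn):
    """Canonical form for comparison: split on unescaped commas, strip the
    whitespace around each RDN and upper-case (LDAP DNs match
    case-insensitively; the FortiGate prints them upper-cased)."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(r.strip().upper() for r in rdns)


def direct_groups(directory, dn):
    """Groups the object is listed in directly (Standard mode's view)."""
    return {normalize_dn(g) for g in directory.get(normalize_dn(dn), [])}


def nested_groups(directory, dn):
    """Transitive closure of membership with a visited set, so circular
    nesting terminates (Advanced mode's view with the LDAP server set)."""
    seen, todo = set(), list(direct_groups(directory, dn))
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        todo.extend(direct_groups(directory, g))
    return seen


def monitored_match(directory, user_dn, monitored, nested):
    """Monitored groups the user counts as a member of.  nested=False models
    Standard mode (direct membership only); nested=True models Advanced mode
    with the LDAP server selected on the FortiGate SSO server."""
    groups = nested_groups(directory, user_dn) if nested else direct_groups(directory, user_dn)
    return {normalize_dn(m) for m in monitored} & groups


if __name__ == "__main__":
    monitored = {f"CN=FortiOS Writers,{BASE}"}
    for user in (f"CN=ADMINISTRATOR,{BASE}", f"CN=TELBAR,{BASE}"):
        for nested in (False, True):
            mode = "advanced+LDAP" if nested else "standard"
            print(user, mode, sorted(monitored_match(DIRECTORY, user, monitored, nested)))
```

Running it shows ADMINISTRATOR matching in both modes and TELBAR matching only in the nested (Advanced mode with LDAP) walk, which is the case flavien was asking about: selecting the LDAP server on the FortiGate changes nothing for directly-listed users and only becomes visible for users reached through a nested group.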