Single Sign-On using FSSO agent in advanced mode and FortiAuthenticator (Expert)

This recipe demonstrates FortiGate user authentication with FSSO and the use of FortiAuthenticator as an LDAP server. In this example, user authentication controls Internet access and applies different security profiles for different users.
 

1. Configuring an LDAP directory on the FortiAuthenticator

Go to Authentication > User Management > Local Users to create a users list. Make sure to enable Allow LDAP browsing.

Go to Authentication > User Management > User Groups to create a user group and add users to it. The “FortiOS_Writers” user group is used in this example.

Go to Authentication > LDAP Service > Directory tree and configure the LDAP directory tree.


2. Integrating the FortiGate with the FortiAuthenticator

Go to User & Device > Authentication > LDAP Servers and configure the LDAP server.


3. Installing the FSSO agent on the Windows AD server

Accept the license and follow the Wizard.

Enter the Windows AD administrator password.


Select the Advanced Access method.


In the Collector Agent IP address field, enter the IP address of the Windows AD server.

Select the domain you wish to monitor.

Next, select the users you do not wish to monitor.

Under Working Mode, select DC Agent mode.

Reboot the Domain Controller.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password.


4. Configuring Single Sign-On on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server.

Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS_Writers” group is used.

5. Creating a user group in the FortiGate

Go to User & Device > User > User Groups to create a new user group. Under Remote groups, add the remote LDAP server created earlier for the FortiAuthenticator (in this example it is called “FAC_LDAP”).

6. Adding a policy in the FortiGate

Go to Policy & Objects > Policy > IPv4 and create a policy allowing “FortiOS_Writers” to browse the Internet with the appropriate security profiles.

The default Web Filter security profile is used in this example.

7. Results

Have users log on to the domain, go to the FSSO agent, and select Show Logon Users.

From the FortiGate, go to System > Status to look for the CLI Console widget and type this command for more detail about current FSSO logons:

diagnose debug authd fsso list

----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
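The logon list above is the quickest place to confirm that the collector agent is reporting logons and that each logon resolved to a FortiGate FSSO group (the MemberOf field). The following Python script is an added example, not part of the original recipe or of any Fortinet tool: it parses text in the same shape as the output shown above into records, reports which users resolved to a given group, and flags logons whose MemberOf is empty (an AD group that was not selected under the SSO server's Groups tab, so that user will not match a group-based policy). The sample output is constructed; the third entry (GUEST01) is invented to show an unmapped logon, and the assumption that multiple FortiGate groups would be separated by whitespace or commas is noted in the code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the "diagnose debug authd fsso list" output quoted above;
# the third logon is an invented entry whose AD group is not mapped to any FortiGate FSSO group.
SAMPLE_OUTPUT = """\
----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.9  User: GUEST01  Groups: CN=DOMAIN GUESTS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: KIOSK1.TECHDOC.LOCAL MemberOf:
Total number of logons listed: 3, filtered: 0
----end of FSSO logons----
"""

# One logon line: "IP: ... User: ... Groups: <DN> Workstation: ... MemberOf: <FortiGate groups>".
# The Groups value may contain spaces ("FORTIOS WRITERS"), so it is matched lazily up to "Workstation:".
LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+Groups:\s*(?P<groups>.*?)\s+"
    r"Workstation:\s*(?P<workstation>\S+)\s+MemberOf:\s*(?P<memberof>.*)$"
)
TOTAL_RE = re.compile(r"^Total number of logons listed:\s*(\d+),\s*filtered:\s*(\d+)")


@dataclass
class FssoLogon:
    ip: str
    user: str
    groups: str            # AD group DN(s) reported by the collector agent, kept verbatim
    workstation: str
    member_of: List[str]   # FortiGate FSSO user groups this logon resolved to


@dataclass
class FssoListing:
    logons: List[FssoLogon]
    listed: Optional[int]    # value from the "Total number of logons listed" line, if present
    filtered: Optional[int]


def parse_fsso_list(text: str) -> FssoListing:
    """Parse the text of 'diagnose debug authd fsso list' into structured records."""
    logons: List[FssoLogon] = []
    listed = filtered = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOGON_RE.match(line)
        if m:
            # Assumption: several FortiGate groups would be separated by whitespace or commas;
            # the recipe only shows single-group entries.
            member_of = [g for g in re.split(r"[\s,]+", m.group("memberof")) if g]
            logons.append(FssoLogon(m.group("ip"), m.group("user"), m.group("groups"),
                                    m.group("workstation"), member_of))
            continue
        t = TOTAL_RE.match(line)
        if t:
            listed, filtered = int(t.group(1)), int(t.group(2))
    return FssoListing(logons, listed, filtered)


def users_in_group(listing: FssoListing, group: str) -> List[str]:
    """Users whose logon resolved to the given FortiGate FSSO group (case-insensitive)."""
    return [lg.user for lg in listing.logons
            if group.lower() in (g.lower() for g in lg.member_of)]


def audit_listing(listing: FssoListing) -> List[str]:
    """Return findings a firewall administrator would want to act on."""
    findings = []
    if listing.listed is not None and listing.listed != len(listing.logons):
        findings.append(f"parsed {len(listing.logons)} logons but FortiGate reports {listing.listed}")
    for lg in listing.logons:
        if not lg.member_of:
            # No MemberOf value: the AD group is not selected under the SSO server's Groups tab,
            # so this logon will not match any group-based firewall policy.
            findings.append(f"{lg.user}@{lg.ip} has no FortiGate group mapping (AD groups: {lg.groups})")
    seen = {}
    for lg in listing.logons:
        if lg.ip in seen and seen[lg.ip] != lg.user:
            findings.append(f"IP {lg.ip} is listed for both {seen[lg.ip]} and {lg.user}")
        seen.setdefault(lg.ip, lg.user)
    return findings


if __name__ == "__main__":
    listing = parse_fsso_list(SAMPLE_OUTPUT)
    print("FortiOS_Writers:", users_in_group(listing, "FortiOS_Writers"))
    for finding in audit_listing(listing):
        print("FINDING:", finding)
```

Paste the real CLI output into SAMPLE_OUTPUT (or read it from a file) to check a live FortiGate; an empty MemberOf for a user who should be allowed out is the usual reason a policy such as the one in step 6 silently does not match.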

Have users belonging to the “FortiOS_Writers” user group browse the Internet. An authentication portal is presented to allow only authorized users. Security profiles will be applied accordingly.

Upon successful authentication, from the FortiGate, go to User & Device > Monitor > Firewall and verify FSSO Logons.


Go to Log & Report > Traffic Log > Forward Traffic to verify the log.

Select an entry for details.

Taher Elbar

Technical Product Specialist at Fortinet
After a Bachelor's degree in Telecommunications from the University of Geneva, Taher began his career in software development, then moved to system/network administration, followed by a role as Security Support Engineer. With over 10 years of experience, Taher writes technical documentation for Fortinet.
