Single Sign-On using FSSO agent in advanced mode and FortiAuthenticator (Expert)

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

This recipe demonstrates FortiGate user authentication with FSSO agent installed on a Windows Domain Controller, and the use of a FortiAuthenticator as an LDAP server. In this example, user authentication controls Internet access.

 1. Configuring an LDAP directory on the FortiAuthenticator

Go to Authentication > User Management > Local Users to create a user list. Make sure to enable Allow LDAP browsing.

Go to Authentication > User Management  > User Groups to create a user group and add users to it. “FortiOS_Writers”  user group is used in this example.

Go to Authentication > LDAP Service > Directory tree and configure the LDAP directory tree.

2. Integrating the FortiGate with the FortiAuthenticator

On the FortiGate, go to User & Device > LDAP Servers to configure the LDAP server.

3. Installing FSSO agent on the Windows DC

Accept the license and follow the Wizard.

Enter the Windows AD administrator password.

CA step1

Select the Advanced access method for Windows Directory.

CA step2

In the Collector Agent IP address field, enter the IP address of the Windows AD server.

CA step3
Select the domain you wish to monitor. CA step4
Next, select the users you do not wish to monitor. CA step5
Under Working Mode, select DC Agent Mode. CA step6
When prompted, select Yes to reboot the Domain Controller. CA step7

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password which will be used in step 4.

CA step8

 4. Configuring Single Sign-On on the FortiGate

Go to User & Device > Single Sign-On and create a new SSO server. In the Primary Agent IP/Name field, enter the Collector Agent IP Address used in step 3. Likewise, enter the Password required for authentication.

Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS_Writers” group is used.

5. Adding a user group to the FortiGate

Go to User & Device > User Groups to create new user group. Under Remote groups, add the remote LDAP server created earlier in the FortiAuthenticator (in this example it’s called “FAC_LDAP”).

6. Adding a policy to the FortiGate

Go to Policy & Objects > IPv4 Policy and create a policy allowing  “FortiOS_Writers” to navigate the Internet with appropriate security profiles.

The default Web Filter security profile is used in this example.

 7. Results

Have users log on to the domain, go to the FSSO agent, and select Show Logon Users.
From the FortiGate, go to Dashboard to look for the CLI Console widget and type this command for more detail about current FSSO logons:

diagnose debug authd fsso list

----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----

Have users belonging to the “FortiOS_Writers” user group navigate the Internet. An authentication portal is presented to allow only authorized users. Security profiles will be applied accordingly.

 FAC-authentication

Upon successful authentication, from the FortiGate, go to Monitor > Firewall User Monitor and verify FSSO Logons.

Go to Log & Report > Forward Traffic to verify the log. 

Select an entry for details.

 

Taher Elbar

Taher Elbar

Technical Product Specialist at Fortinet
After a Bachelor degree in Telecommunications from university of Geneva, Taher began his career in software development, then moved to System/Network administration followed by Security Support Engineer. With over 10 years of experience, Taher is writing various Technical documentation for Fortinet.
Taher Elbar
  • Was this helpful?
  • Yes   No