FortiOS 5.2 Expert Recipe: Single Sign-On using FSSO agent in advanced mode and FortiAuthenticator

This recipe demonstrates FortiGate user authentication with FSSO and the use of FortiAuthenticator as an LDAP server. In this example, user authentication controls Internet access and applies different security profiles for different users. 

1. Configuring an LDAP directory on the FortiAuthenticator

Go to Authentication > User Management > Local Users to create a users list. Make sure to enable Allow LDAP browsing.

Go to Authentication > User Management  > User Groups to create a user group and add users to it. “FortiOS_Writers”  user group is used in this example.

Go to Authentication > LDAP Service > Directory tree and configure the LDAP directory tree.

2. Integrating the FortiGate with the FortiAuthenticator

Go to User & Device > Authentication > LDAP Servers and configure the LDAP server.

3. Installing the FSSO agent on the Windows AD server

Accept the license and follow the Wizard.

Enter the Windows AD administrator password.

Select the Advanced Access method.

In the Collector Agent IP address field, enter the IP address of the Windows AD server.

Select the domain you wish to monitor.

Next, select the users you do not wish to monitor.

Under Working Mode, select DC Agent mode.

Reboot the Domain Controller.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password.

4. Configuring Single Sign-On on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server.

Under Groups tab, select the user groups to be monitored. In this example, “FortiOS_Writers” group is used.

5. Creating a user group in the FortiGate

Go to User & Device > User > User Groups to create new user group. Under Remote groups, add the remote LDAP server created earlier in the FortiAuthenticator (in this example it’s called “FAC_LDAP”).

6. Adding a policy in the FortiGate

Go to Policy & Objects > Policy > IPv4 and create a policy allowing  “FortiOS_writers” to navigate the Internet with appropriate security profiles.

default Web Filter security profile is used in this example.

7. Results

Have users log on to the domain, go to the FSSO  agent, and select Show Logon Users.

From the FortiGate, go to System > Status to look for the CLI Console widget and type this command for more detail about current FSSO logons:

diagnose debug authd fsso list
----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----

Have users belonging to the “FortiOS_Writes” user group navigate the Internet. An authentication portal is  presented to allow only authorized users. Security profiles will be applied accordingly.

Upon successful authentication, from the FortiGate, go to User & Device > Monitor > Firewall and verify FSSO Logons.

Go to Log & Report > Traffic Log > Forward Traffic to verify the log. 

Select an entry for details.