FortiOS 5.2 Expert Recipe: Single Sign-On using LDAP and FSSO agent in advanced mode


This recipe illustrates FortiGate user authentication with FSSO. In this example, user authentication controls Internet access and applies different security profiles for different users.

1. Integrating the FortiGate with the LDAP server

Go to User & Device > Authentication > LDAP Servers to configure the LDAP server.

2. Installing FSSO agent on Windows AD server

Accept the license and follow the wizard.

Enter the Windows AD administrator password.

Select the Advanced Access method.

In the Collector Agent IP address field, enter the IP address of the Windows AD server.

Select the domain you wish to monitor.

Next, select the users you do not wish to monitor.

Under Working Mode, select DC Agent mode.

Reboot the Domain Controller.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password.

3. Configuring Single Sign-On on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server.

Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS Writers” group is used.

4. Creating a user group in the FortiGate

Go to User & Device > User > User Groups to create a new FSSO user group.

Under Members, select the “FortiOS_Writers” group created earlier.

5. Adding a policy in the FortiGate

Go to Policy & Objects > Policy > IPv4 and create a policy allowing “FortiOS_Writers” to access the Internet with the appropriate security profiles.

The default Web Filter security profile is used in this example.

6. Results

Have users log on to the domain, then open the FSSO agent and select Show Logon Users.

From the FortiGate, go to System > Status, find the CLI Console widget, and run this command to see details of the current FSSO logons:

diagnose debug authd fsso list
----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
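To turn that CLI output into a repeatable check, the following added script (not part of the original recipe) parses the `diagnose debug authd fsso list` format shown above, reports which logons map to the FortiGate group a policy uses, flags logons with no FortiGate group mapping (these will not match the policy), and cross-checks the parsed count against the collector's own total. The sample output and the third JDOE logon are constructed; the `+` separator for multiple AD groups is an assumption.

```python
import re

# Constructed sample in the format of "diagnose debug authd fsso list":
# the recipe's two logons plus a constructed third logon whose AD group is not
# mapped to any FortiGate FSSO group (no "MemberOf:"), so the policy will not match it.
SAMPLE_OUTPUT = """\
----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.9  User: JDOE  Groups: CN=DOMAIN USERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: JDOE-PC.TECHDOC.LOCAL
Total number of logons listed: 3, filtered: 0
----end of FSSO logons----
"""

LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+Groups:\s*(?P<groups>.*?)"
    r"\s+Workstation:\s*(?P<workstation>\S+)(?:\s+MemberOf:\s*(?P<memberof>.*))?$"
)
TOTAL_RE = re.compile(r"^Total number of logons listed:\s*(\d+),\s*filtered:\s*(\d+)")


def parse_fsso_list(text):
    """Return one dict per logon line; AD groups and FortiGate groups become lists."""
    logons = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if not m:
            continue  # banner, total and blank lines are skipped
        logons.append({
            "ip": m["ip"],
            "user": m["user"],
            # assumption: multiple AD group DNs are joined with '+' in this output
            "ad_groups": [g.strip().upper() for g in m["groups"].split("+") if g.strip()],
            "workstation": m["workstation"],
            "fgt_groups": [g.strip() for g in (m["memberof"] or "").split(",") if g.strip()],
        })
    return logons


def audit_logons(text, expected_fgt_group):
    """Which logons match a policy using expected_fgt_group, which have no
    FortiGate group mapping at all, and does the parsed count agree with the
    total the FortiGate itself reports."""
    logons = parse_fsso_list(text)
    totals = [TOTAL_RE.match(ln.strip()) for ln in text.splitlines()]
    listed = next((int(t.group(1)) for t in totals if t), None)
    return {
        "matched": [lg["user"] for lg in logons if expected_fgt_group in lg["fgt_groups"]],
        "unmapped": [lg["user"] for lg in logons if not lg["fgt_groups"]],
        "count_ok": listed == len(logons),
    }
```

Paste the real CLI output in place of `SAMPLE_OUTPUT` and a non-empty `unmapped` list points at AD groups that were not selected under the SSO server's Groups tab in step 3.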

From the FortiGate, go to User & Device > Monitor > Firewall and verify FSSO Logons.

Have users go to the Internet and the security profiles will be applied accordingly.

Go to Log & Report > Traffic Log > Forward Traffic to verify the log.

Select an entry for details.
