This recipe illustrates FortiGate user authentication with FSSO. In this example, user authentication controls Internet access and applies different security profiles for different users.
1. Integrating the FortiGate with the LDAP server
Go to User & Device > Authentication > LDAP Servers to configure the LDAP server.
2. Installing FSSO agent on Windows AD server
Accept the license and follow the Wizard.
Enter the Windows AD administrator password.
Select the Advanced Access method.
In the Collector Agent IP address field, enter the IP address of the Windows AD server.
Select the domain you wish to monitor.
Next, select the users you do not wish to monitor.
Under Working Mode, select DC Agent mode.
Reboot the Domain Controller.
Upon reboot, the collector agent will start up.
You can choose to Require authenticated connection from FortiGate and set a Password.
3. Configuring Single Sign-On on the FortiGate
Go to User & Device > Authentication > Single Sign-On and create a new SSO server.
Under Groups tab, select the user groups to be monitored. In this example, “FortiOS Writers” group is used.
4. Creating a user group in the FortiGate
Go to User & Device > User > User Groups to create a new FSSO user group.
Under Members, select the “FortiOS_Writers” group created earlier.
5. Adding a policy in the FortiGate
Go to Policy & Objects > Policy > IPv4 and create a policy allowing “FortiOS_writers” to navigate the Internet with appropriate security profiles.
default Web Filter security profile is used in this example.
9. Results
Have users log on to the domain, go to the FSSO agent, and select Show Logon Users.
From the FortiGate, go to System > Status to look for the CLI Console widget and type this command for more detail about current FSSO logons:
diagnose debug authd fsso list
----FSSO logons----
IP: 10.10.20.3 User: ADMINISTRATOR Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7 User: TELBAR Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
From the FortiGate, go to User & Device > Monitor > Firewall and verify FSSO Logons.
Have users go to the Internet and the security profiles will be applied accordingly.
Go to Log & Report > Traffic Log > Forward Traffic to verify the log.
Select an entry for details