FortiOS 5.2 Authentication: FSSO in Polling mode


This example uses Active Directory polling to establish FSSO for a Windows AD Domain Controller, without requiring a FortiAuthenticator or a collector agent to act as an intermediary between the FortiGate and the domain. In polling mode the FortiGate itself reads logon events from the domain controller's security event log at short intervals and maps each user name to the client IP address that logged on. The account it polls with therefore needs read access to that log, and because every FortiGate polls every domain controller directly, the method suits a small number of domain controllers; larger domains are better served by the collector agent.

1. Adding LDAP authentication to the FortiGate

In the FortiGate web interface, go to User & Device > Authentication > LDAP Servers. Create a new LDAP object that points to the Windows AD server.

For the Server IP/Name enter the server’s fully qualified domain name or the IP address.

Set the Bind Type to Regular and enter a User DN and Password. Use a dedicated service account with only the rights it needs (LDAP read, plus read access to the domain controller's security event log for the polling step below) rather than a domain administrator account: the credentials are stored on the FortiGate and sent with every bind. If the domain controller offers LDAPS, enable Secure Connection so the bind credentials do not cross the network in the clear.

Click Fetch DN to have the FortiGate query the server and fill in the domain's base Distinguished Name.

Click Test and verify that your connection is successful.

2. Configuring the FortiGate unit to poll the Active Directory

Next, go to User & Device > Authentication > Single Sign-On and add a new Single Sign-On Server.

For the Type, select Poll Active Directory Server. Enter the Server IP/Name of the domain controller and the User and Password of the account that will read its logon events, then select the LDAP Server you added previously. Make sure Enable Polling is checked. Add a test user group of your choice.

3. Adding a firewall address for the Internal network

Go to Policy & Objects > Objects > Addresses and create an address for the internal network (named Local_LAN in this example) to be used by your security policy.

4. One-step FSSO configuration in the security policy

Go to Policy & Objects > Policy > IPv4 and edit a security policy with access to the Internet. Set the Source Address to the Local_LAN address created in Step 3.

Under Source User(s) scroll down past the dropdown menu, and select Create Users/Groups wizard.  

For the User/Group Type, select FSSO and then click Next.  

For the Remote Group, select the appropriate FSSO Agent from the dropdown menu.

Select the Groups tab and right-click on the user groups you would like to add.

Go to the Selected tab. In this example, Standard_User_Group and Admin_User_Group are shown.

Click Next.

Select Create New and name your new FSSO user group. 

Click Create.

The groups selected have been added to the new FSSO group, My_Windows_AD_Group.

Ensure you enable logging and select All Sessions.

In the Global View your completed policy should resemble the screenshot in the original article: source address Local_LAN, source user group My_Windows_AD_Group, action ACCEPT, and logging of all sessions.

If necessary, select the policy by clicking in the far-left column and move it as close as possible to the top of the list. Policies are evaluated top down, so this policy must sit above any broader policy (for example a catch-all Internet policy) that would otherwise match the same traffic first and let users through without being identified.

5. Results

Go to Log & Report > Traffic Log > Forward Traffic.

When users log into the Windows AD network, the FortiGate polls the domain controller for their logon events, maps each logon's user name and source IP address to the FSSO groups configured above, and records that user's traffic. Entries matched by the policy show the user name and FSSO group alongside the usual source, destination and service fields.

Select an entry for more information. 
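The same configuration entered from the FortiGate CLI, as an added example that is not part of the original article. Object names (AD-LDAP, fsso-svc, Local_LAN, My_Windows_AD_Group), the addresses 10.0.1.5 and 192.168.1.0/24, the domain example.com, the group DNs, the interface names and the policy IDs are all assumptions chosen for illustration; substitute your own. Lines beginning with # are explanatory comments and should be dropped if you paste the block into an interactive CLI session.

```fortios
# Step 1: LDAP server object pointing at the domain controller.
# fsso-svc is an assumed dedicated service account, not a domain administrator.
config user ldap
    edit "AD-LDAP"
        set server "10.0.1.5"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fsso-svc,cn=Users,dc=example,dc=com"
        set password "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
        # After importing the domain CA certificate, protect the bind credentials in transit:
        # set secure ldaps
        # set port 636
    next
end

# Step 2: agentless polling of the domain controller's security event log for logon events.
config user fsso-polling
    edit 1
        set status enable
        set server "10.0.1.5"
        set user "fsso-svc"
        set password "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
        set ldap-server "AD-LDAP"
    next
end

# Step 3: the internal network address used as the policy source.
config firewall address
    edit "Local_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Step 4 (wizard equivalent): an FSSO group whose members are the AD groups by DN.
config user group
    edit "My_Windows_AD_Group"
        set group-type fsso-service
        set member "CN=Standard_User_Group,CN=Users,DC=example,DC=com" "CN=Admin_User_Group,CN=Users,DC=example,DC=com"
    next
end

# Step 4: Internet access policy restricted to FSSO-identified users, logging all sessions.
# Interface names and policy ID 10 are assumptions.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Local_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "My_Windows_AD_Group"
        set nat enable
        set logtraffic all
    next
    # Place it above the broader policy (assumed to be ID 1) so identified users match here first.
    move 10 before 1
end

# Step 5: verification from the CLI.
diagnose debug fsso-polling detail
diagnose debug authd fsso list
```

The last two commands show, respectively, whether the FortiGate is successfully polling the domain controller and the user-to-IP-to-group mappings it has currently learned; a user who appears in the second listing but is not matched by policy 10 usually indicates a group DN typo in the FSSO group or an earlier policy matching the traffic first.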
