This example uses Active Directory polling to establish FSSO for a Windows AD Domain Controller, without requiring a FortiAuthenticator or a collector agent to act as an intermediary between the FortiGate and the domain. In polling mode the FortiGate itself connects to the domain controller and reads logon events from its security event log.
1. Adding LDAP authentication to the FortiGate
In the FortiGate web interface, go to User & Device > Authentication > LDAP Servers. Create a new LDAP object that points to the Windows AD server.
For the Server IP/Name enter the server’s fully qualified domain name or the IP address.
Set the Bind Type to Regular and enter the User DN and Password of a dedicated service account. Use a least-privilege account created for this purpose rather than a domain administrator; the same account is used for polling in Step 2.
Click Fetch DN to retrieve your Distinguished Name.
Click Test and verify that your connection is successful.
2. Configuring the FortiGate unit to poll the Active Directory
Next, go to User & Device > Authentication > Single Sign-On and add a new Single Sign-On Server.
For the Type, select Poll Active Directory Server. Enter the Server IP/Name, User, and Password, then select the LDAP Server you added in Step 1. Make sure Enable Polling is checked. Add a test user group of your choice. The account entered here must be able to read the domain controller's security event log, since that is where the FortiGate gets its logon events; grant it only that right (for example, membership in the built-in Event Log Readers group) rather than domain-wide administrative rights.
3. Adding a firewall address for the Internal network
Go to Policy & Objects > Objects > Addresses and create an address for the internal network to be used by your security policy. In this example the address is named Local_LAN.
4. One-step FSSO configuration in the security policy
Go to Policy & Objects > Policy > IPv4 and edit the security policy that allows the internal network out to the Internet. Set the Source Address to the Local_LAN address created in Step 3.
Under Source User(s), scroll down past the dropdown menu and select Create Users/Groups wizard.
For the User/Group Type, select FSSO and then click Next.
For the Remote Group, select the appropriate FSSO Agent from the dropdown menu.
Select the Groups tab and right-click each user group you want to add.
Go to the Selected tab. In this example, Standard_User_Group and Admin_User_Group are shown.
Click Next.
Select Create New and name your new FSSO user group.
Click Create.
The groups selected have been added to the new FSSO group, My_Windows_AD_Group.
Ensure you enable logging for the policy and select All Sessions, so that allowed as well as blocked traffic is logged and the user column in the traffic log is populated.
In the Global View your completed policy should look similar to the screenshot shown on the right.
If necessary, select the policy by clicking on the far left column and move it as close as possible to the top of the list. Policies are matched top-down, so a broader policy above this one would match the traffic first and the FSSO group would never be evaluated.
5. Results
Go to Log & Report > Traffic Log > Forward Traffic.
When users log into the Windows AD network, the FortiGate polls the domain controller's security event log, learns which user logged on from which IP address, matches that user against the FSSO group in the policy, and records their traffic with the user name attached.
Select an entry for more information.
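The same configuration entered from the FortiGate CLI, as an added example that is not part of the original page. It covers Steps 1 through 4 and ends with the CLI checks for Step 5. The object names, the domain controller address, the DN and the service-account name are placeholders chosen for this example; the LDAPS setting assumes the domain controller presents a certificate the FortiGate can reach.

```fortios
# Added example: CLI equivalent of Steps 1-5. All addresses, DNs, names and
# the password are placeholders, not values from the original page.

# Step 1 - LDAP server object, Regular bind with a dedicated service account
config user ldap
    edit "AD_LDAP"
        set server "10.0.1.10"                                 # domain controller (placeholder)
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"                              # the DN that Fetch DN returns
        set type regular
        set username "cn=fsso-poll,cn=Users,dc=example,dc=com"  # least-privilege service account
        set password "ReplaceMe"
        set secure ldaps                                        # assumption: LDAPS is enabled on the DC
        set port 636
    next
end

# Step 2 - poll the domain controller's security event log with the same account
config user fsso-polling
    edit 1
        set status enable
        set server "10.0.1.10"
        set user "fsso-poll"
        set password "ReplaceMe"
        set ldap-server "AD_LDAP"
        config adgrp
            edit "CN=Standard_User_Group,CN=Users,DC=example,DC=com"
            next
            edit "CN=Admin_User_Group,CN=Users,DC=example,DC=com"
            next
        end
    next
end

# Step 3 - address object for the internal network
config firewall address
    edit "Local_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Step 4 - FSSO user group wrapping the AD groups, then the policy that uses it
config user group
    edit "My_Windows_AD_Group"
        set group-type fsso-service
        set member "CN=Standard_User_Group,CN=Users,DC=example,DC=com" "CN=Admin_User_Group,CN=Users,DC=example,DC=com"
    next
end

config firewall policy
    edit 0                                  # 0 allocates the next free policy ID
        set name "LAN-to-Internet-FSSO"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Local_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "My_Windows_AD_Group"    # only users seen by the poller match this policy
        set logtraffic all                  # "All Sessions" in the GUI
        set nat enable
    next
end
# Order matters: move the new policy above any broader LAN-to-Internet policy, e.g.
#   config firewall policy
#       move <new-id> before <existing-id>
#   end

# Step 5 - checks to run from the CLI (not part of the saved configuration)
#   diagnose debug fsso-polling detail     # poller status and last event read per DC
#   diagnose debug authd fsso list         # user -> IP -> group mappings the FortiGate currently holds
```

If `diagnose debug authd fsso list` shows no entries after a user logs on, the poller is not reading the security log: check that the account can bind (Step 1's Test) and has read access to the Security event log on the domain controller before looking at the policy.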