This example uses the FSSO agent in advanced mode. The main difference between advanced and standard mode is the naming convention used when referring to username information. Standard mode uses Windows convention: Domain\Username. Advanced mode uses LDAP convention: CN=User, OU=Name, DC=Domain.
Advanced mode is required for multi-domain environments.
1. Installing the FSSO agent on the Windows AD server
Connect to the Windows AD server and download the FSSO agent from Fortinet Support.
To install the agent, open the installer file and use the installation wizard.
Set a User Name and Password for the FSSO domain administrator.
For the Install Options, select Advanced to use advanced mode instead of standard.
After installing the FSSO agent, run Install DC Agent.
Set the Collector Agent IP address and the Collector Agent listening port.
Select the domain you wish to monitor.
Exclude any users that you don’t want to monitor, including the administrator.
Set Working Mode to DC Agent Mode.
Restart your server to apply all changes.
2. Configuring the FSSO agent
To configure the settings for your network, open the FSSO agent. You can use the default for most settings.
Select Set Directory Access Information. Set AD access mode to Advanced.
3. Setting up your FortiGate for FSSO
Because you have installed FSSO in advanced mode, you need to configure an LDAP server for FSSO to use.
To configure the LDAP service, go to User & Device > LDAP Servers and select Create New.
Enter all information about your LDAP server. Select Test Connectivity. If your information is correct, Connection status is Successful.
Create a Fabric Connector to the FSSO agent by going to Security Fabric > Fabric Connectors and selecting + Create New.
Under SSO/Identity, select Fortinet Single Sign-On Agent.
Set the Name and enter the IP address and password for the Primary FSSO Agent.
Set Collector Agent AD access mode to Advanced and set LDAP Server to the new LDAP service.
Your FortiGate displays information retrieved from the AD server. Select Groups, then right-click the FSSO group and select + Add Selected.
Select Selected to confirm that the FSSO group is listed.
To create a user group for FSSO users, go to User & Device > User Groups and select Create New.
Enter a group Name and set Type to Fortinet Single Sign-On (FSSO). Add the FSSO users to Members.
To create a policy for FSSO users, go to Policy & Objects > IPv4 Policy and select Create New.
For Source, set User to the FSSO user group.
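The same FortiGate configuration from step 3 can be entered in the CLI. This is an added example, not part of the original recipe: the IP addresses, DNs, object names and passwords are placeholders, and the CLI keywords are taken from the FortiOS `config user ldap`, `config user fsso`, `config user group` and `config firewall policy` tables as the editor knows them, so check them against the CLI reference for your firmware version.

```fortios
# LDAP server used by the FSSO agent in advanced mode.
# Bind with a read-only service account, not a domain administrator,
# and prefer LDAPS so the bind password is not sent in cleartext.
config user ldap
    edit "AD_LDAP"
        set server "192.0.2.10"                                  # placeholder AD server IP
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"                               # placeholder base DN
        set type regular
        set username "CN=ldap-reader,CN=Users,DC=example,DC=com" # placeholder read-only bind account
        set password "<ldap-bind-password>"
        set secure ldaps
        set port 636
    next
end

# Fabric connector to the Collector Agent. ldap-server is what ties
# advanced mode (LDAP-style group names) to the LDAP object above.
config user fsso
    edit "FSSO_agent"
        set server "192.0.2.10"                                  # placeholder Collector Agent IP
        set password "<fsso-agent-password>"                     # same password set in the agent installer
        set ldap-server "AD_LDAP"
    next
end

# FSSO user group. In advanced mode the member is the group's full DN,
# not the Domain\Group form that standard mode would use.
config user group
    edit "FSSO_users"
        set group-type fsso-service
        set member "CN=Internet Users,OU=Groups,DC=example,DC=com" # placeholder AD group DN
    next
end

# Firewall policy that only matches traffic from logged-on FSSO users.
config firewall policy
    edit 0
        set name "FSSO_Internet"
        set srcintf "internal"                                   # placeholder LAN interface
        set dstintf "wan1"                                       # placeholder WAN interface
        set srcaddr "all"
        set dstaddr "all"
        set groups "FSSO_users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To check the result from the CLI instead of the Firewall User Monitor, `diagnose debug authd fsso list` prints the logons the FortiGate has learned from the Collector Agent.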
4. Results
Log into a computer on the domain and access the Internet. The FortiGate uses FSSO for authentication and doesn’t require your credentials to be entered again.
On the FortiGate, go to Monitor > Firewall User Monitor and select Show all FSSO Logons.