To specify the FSSO Collector agent – CLI:
In this example, the SSO server name is techdoc and the LDAP server is LDAP.
config user fsso edit techdoc
set ldap-server LDAP
set password <your_password>
set server 10.10.20.3 set port 8000
end
Creating Fortinet Single Sign-On (FSSO) user groups
You cannot use Windows or Novell groups directly in FortiGate security policies. You must create FortiGate user groups of the FSSO type and add Windows or Novell groups to them.
To create a user group for FSSO authentication – web-based manager:
1. Go to User & Device > User > User Groups.
2. Select Create New.
The New User Group dialog box opens.
3. In the Name box, enter a name for the group, FSSO_Internet_users for example.
4. In Type, select Fortinet Single Sign-On (FSSO).
5. In Members, select the required FSSO groups.
6. Select OK.
To create the FSSO_Internet-users user group – CLI :
config user group
edit FSSO_Internet_users
set group-type fsso-service
set member CN=Engineering,cn=users,dc=office,dc=example,dc=com
CN=Sales,cn=users,dc=office,dc=example,dc=com
end
Creating security policies
Policies that require FSSO authentication are very similar to other security policies. Using identity-based policies, you can configure access that depends on the FSSO user group. This allows each FSSO user group to have its own level of access to its own group of services
In this situation, Example.com is a company that has its employees and authentication servers on an internal network. The FortiGate unit intercepts all traffic leaving the internal network and requires FSSO authentication to access network resources on the Internet. The following procedure configures the security policy for FSSO authentication. FSSO is installed and configured including the RADIUS server, FSSO Collector agent, and user groups on the FortiGate
For the following procedure, the internal interface is port1 and the external interface connected to the Internet is port2. There is an address group for the internal network called company_network. The FSSO user group is called fsso_group, and the FSSO RADIUS server is fsso_rad_server.
To configure an FSSO authentication security policy – web-based manager:
1. Go to Policy & Objects > Policy > IP4 and select Create New.
2. Enter the following information.
Incoming Interface port1
Source Address company_network
Source User(s) fsso_group
Outgoing Interface port2
Destination Address all
Schedule always
Service HTTP, HTTPS, FTP, and Telnet
Action ACCEPT
NAT ON
UTM Security Profiles ON for AntiVirus, IPS, Web Filter, and Email Filter, all using default pro- files.
Log Allowed Traffic ON. Select Security Events.
3. Select OK.
4. Ensure the FSSO authentication policy is higher in the policy list than more general policies for the same interfaces.
To create a security policy for FSSO authentication – CLI:
config firewall policy edit 0
set srcintf port1
set dstintf port2
set srcaddr company_network set dstaddr all
set action accept
set groups fsso_group set schedule always
set service HTTP HTTPS FTP TELNET
set nat enable end
Here is an example of how this FSSO authentication policy is used. Example.com employee on the internal company network logs on to the internal network using their RADIUS username and password. When that user attempts to access the Internet, which requires FSSO authentication, the FortiGate authentication security policy intercepts the session, checks with the FSSO Collector agent to verify the user’s identity and credentials, and then if everything is verified the user is allowed access to the Internet.
Users belonging to multiple groups
Before FSSO 4.0 MR3, if a user belonged to multiple user groups, the first security policy to match any group that user belonged too was the only security policy applied. If that specific group did not have access to this protocol or resource where another group did, the user was still denied access. For example, test_user belongs to group1 and group2. There are two FSSO authentication policies — one matches group1 to authenticate FTP traffic and one matches group2 to authenticate email traffic. The group1 policy is at the top of the list of policies. If test_user wants to access an email server, the first policy encountered for a group test_user belongs to is the group1 policy which does not allow email access and test_user is denied access. This is despite the next policy allowing access to email. If the order was reversed in this case, the traffic would be matched and the user’s traffic would be allowed through the firewall. However if the policy order was reversed, FTP traffic would not be matched.
As of FSSO 4.0 MR3, if a user belongs to multiple groups multiple then attempts to match the group are attempted if applicable. Using the above example, when the attempt to match the group1 policy is made and fails, the next policy with a group that test_user is a member of is attempted. In this case, the next policy is matched and access is granted to the email server.
When configuring this example the only difference between the policies is the services that are listed and the FSSO user group name.
Authenticating through multiple groups allows administrators to assign groups for specific services, and users who are members of each group have access to those services. For example there could be an FTP group, an email group, and a Telnet group.