Agent-based FSSO

Configuring FSSO on FortiGate units

To configure your FortiGate unit to operate with agent-based FSSO, you l Configure any access to LDAP servers that might be necessary. Skip this step if you are using FSSO Standard mode. See Configuring LDAP server access on page 175.

  • Specify the Collector agent or Novell eDirectory agent that will provide user logon information. See Specifying your Collector agents or Novell eDirectory agents on page 177.
  • Add Active Directory user groups to FortiGate user groups. See Creating Fortinet Single Sign-On (FSSO) user groups on page 178.
  • Create security policies for FSSO-authenticated groups. See Creating security policies on page 179.
  • Optionally, specify a guest security policy to allow guest access. See Enabling guest access through FSSO security policies on page 180.

Configuring LDAP server access

LDAP access is required if your network has a Novell eDirectory agent or a Collector agent using Windows Advanced AD access mode. If you are using FSSO Standard mode, go to Specifying your Collector agents or Novell eDirectory agents on page 177.

  1. Go to User & Device > LDAP Servers and select Create New.
  2. Enter the Server IP/Name and Server Port (default 389).

175

  1. In the Common Name Identifier field, enter sAMAccountName.The default common name identifier is cn. This is correct for most LDAP servers. However some servers use other identifiers such as uid.
  2. In the Distinguished Name field, enter your organization distinguished name. In this example, Distinguished Name is dc=techdoc,dc=local
  3. Select Fetch DN, this will fetch the Windows AD directory.
  4. Set Bind Type to
  5. In the User DN field, enter the administrative account name that you created for FSSO. For example, if the account is administrator, enter “administrator@techdoc.local”.
  6. Enter the administrative account password in the Password
  7. Optionally select Secure Connection.

l In the Protocol field, select LDAPS or STARTTLS. l In the Certificate field, select the appropriate certificate for authentication.

Note that you need to configure the Windows AD for secure connection accordingly.

  1. Select OK.
  2. Test your configuration by selecting the Test A successful message confirming the right settings appears.

To configure LDAP for FSSO – CLI example:

config user ldap edit LDAP set server 10.10.20.3 set cnid sAMAccountName set dn dc=techdoc,dc=local set type regular

set username administrator@techdoc.local set password <your_password>

next

end

Specifying your Collector agents or Novell eDirectory agents

You need to configure the FortiGate unit to access at least one Collector agent or Novell eDirectory agent. You can specify up to five servers on which you have installed a Collector or eDirectory agent. The FortiGate unit accesses these servers in the order that they appear in the list. If a server becomes unavailable, the next one in the list is tried.

To specify Collector agents – web-based manager:

  1. Go to User & Device > Single Sign-On and select Create New.
  2. In Type, select Fortinet Single-Sign-On Agent.
  3. Enter a Name for the Windows AD server. This name appears in the list of Windows AD servers when you create user groups.
  4. Enter the following information for each of up to five collector agents and select OK:
Agent IP/Name Enter the IP address or the name of the server where this agent is installed. Maximum name length is 63 characters.

If the TCP port used for FSSO is not the default, 8000, you can change the setting in the CLI using the config user fsso command.

See Configuring Collector agent settings on page 157.

Password Enter the password for the Collector agent or eDirectory agent. For the Collector agent, this is required only if you configured the agent to require authenticated access.
  1. For Novell eDirectory or Windows AD with Collector agent in Advanced AD access mode select the LDAP Server you configured previously. See Configuring LDAP server access on page 175.
  2. In Users/Groups, select the Users or Groups or Organizational Units tab and then select the users or groups or OU that you want to monitor.
  3. Select OK.

To specify the FSSO Collector agent – CLI:

In this example, the SSO server name is techdoc and the LDAP server is LDAP.

config user fsso edit techdoc set ldap-server LDAP set password <your_password> set server 10.10.20.3 set port 8000

end

Creating Fortinet Single Sign-On (FSSO) user groups

You cannot use Windows or Novell groups directly in FortiGate security policies. You must create FortiGate user groups of the FSSO type and add Windows or Novell groups to them.

To create a user group for FSSO authentication – web-based manager:

  1. Go to User & Device > User Groups.
  2. Select Create New.

The New User Group dialog box opens.

  1. In the Name box, enter a name for the group, FSSO_Internet_users for example.
  2. In Type, select Fortinet Single Sign-On (FSSO).
  3. In Members, select the required FSSO
  4. Select OK.

To create the FSSO_Internet-users user group – CLI :

config user group edit FSSO_Internet_users set group-type fsso-service

set member CN=Engineering,cn=users,dc=office,dc=example,dc=com

CN=Sales,cn=users,dc=office,dc=example,dc=com end

Creating security policies

Policies that require FSSO authentication are very similar to other security policies. Using identity-based policies, you can configure access that depends on the FSSO user group. This allows each FSSO user group to have its own level of access to its own group of services

In this situation, Example.com is a company that has its employees and authentication servers on an internal network. The FortiGate unit intercepts all traffic leaving the internal network and requires FSSO authentication to access network resources on the Internet. The following procedure configures the security policy for FSSO authentication. FSSO is installed and configured including the RADIUS server, FSSO Collector agent, and user groups on the FortiGate

For the following procedure, the internal interface is port1 and the external interface connected to the Internet is port2. There is an address group for the internal network called company_network. The FSSO user group is called fsso_group, and the FSSO RADIUS server is fsso_rad_server.

To configure an FSSO authentication security policy – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information.
Incoming Interface port1
Source Address company_network
Source User(s) fsso_group
Outgoing Interface port2
Destination Address all
Schedule always
Service HTTP, HTTPS, FTP, and Telnet
Action ACCEPT
NAT ON
UTM Security Profiles ON for AntiVirus, IPS, Web Filter, and Email Filter, all using default profiles.
Log Allowed Traffic ON. Select Security Events.
  1. Select OK.
  2. Ensure the FSSO authentication policy is higher in the policy list than more general policies for the same interfaces.

To create a security policy for FSSO authentication – CLI:

config firewall policy edit 0 set srcintf port1 set dstintf port2

set srcaddr company_network

set dstaddr all set action accept set groups fsso_group set schedule always set service HTTP HTTPS FTP TELNET set nat enable

end

Here is an example of how this FSSO authentication policy is used. Example.com employee on the internal company network logs on to the internal network using their RADIUS username and password. When that user attempts to access the Internet, which requires FSSO authentication, the FortiGate authentication security policy intercepts the session, checks with the FSSO Collector agent to verify the user’s identity and credentials, and then if everything is verified the user is allowed access to the Internet.

Users belonging to multiple groups

Before FSSO 4.0 MR3, if a user belonged to multiple user groups, the first security policy to match any group that user belonged too was the only security policy applied. If that specific group did not have access to this protocol or resource where another group did, the user was still denied access. For example, test_user belongs to group1 and group2. There are two FSSO authentication policies — one matches group1 to authenticate FTP traffic and one matches group2 to authenticate email traffic. The group1 policy is at the top of the list of policies. If test_user wants to access an email server, the first policy encountered for a group test_user belongs to is the group1 policy which does not allow email access and test_user is denied access. This is despite the next policy allowing access to email. If the order was reversed in this case, the traffic would be matched and the user’s traffic would be allowed through the firewall. However if the policy order was reversed, FTP traffic would not be matched.

As of FSSO 4.0 MR3, if a user belongs to multiple groups multiple then attempts to match the group are attempted if applicable. Using the above example, when the attempt to match the group1 policy is made and fails, the next policy with a group that test_user is a member of is attempted. In this case, the next policy is matched and access is granted to the email server.

When configuring this example the only difference between the policies is the services that are listed and the FSSO user group name.

Authenticating through multiple groups allows administrators to assign groups for specific services, and users who are members of each group have access to those services. For example there could be an FTP group, an email group, and a Telnet group.

Enabling guest access through FSSO security policies

You can enable guest users to access FSSO security policies. Guests are users who are unknown to the Windows AD or Novell network and servers that do not logon to a Windows AD domain.

To enable guest access in your FSSO security policy, add an identity-based policy assigned to the built-in user group SSO_Guest_Users. Specify the services, schedule and protection profile that apply to guest users — typically guests receive reduced access to a reduced set of services. Creating security policies on page 179

This entry was posted in FortiGate, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Agent-based FSSO

  1. Stewart Myles

    Thanks I find your site useful, I have followed these instructions and we have a issue where users are not detected by the Fortinet agent if they move from wireless to LAN and vice versa, also if user come out of sleep mode they won’t have any internet, any ideas were to look?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.