Configuring Single Sign On to Windows AD
On the FortiGate unit, security policies control access to network resources based on user groups. With Fortinet Single Sign On, this is also true but each FortiGate user group is associated with one or more Windows AD user groups. This is how Windows AD user groups get authenticated in the FortiGate security policy.
Fortinet Single Sign On sends information about Windows user logons to FortiGate units. If there are many users on your Windows AD domains, the large amount of information might affect the performance of the FortiGate unit.
To configure your FortiGate unit to operate with either a Windows AD or a Novell eDirectory FSSO install, you
- Configure LDAP access to the Windows AD global catalog. See Configuring LDAP server access on page 134.
- Configure the LDAP Server as a Single Sign-On server. See Configuring the LDAP Server as a Single Sign-On server on page 135.
- Add Active Directory user groups to FortiGate FSSO user groups. See Creating Fortinet Single Sign-On (FSSO) user groups on page 136.
- Create security policies for FSSO-authenticated groups. See Creating security policies on page 136.
- Optionally, specify a guest protection profile to allow guest access. See Enabling guest access through FSSO security policies on page 138
Configuring LDAP server access
The FortiGate unit needs access to the domain controller’s LDAP server to retrieve user group information.
The LDAP configuration on the FortiGate unit not only provides access to the LDAP server, it sets up the retrieval of Windows AD user groups for you to select in FSSO. The LDAP Server configuration, found under User & Device > LDAP Servers, includes a function to preview the LDAP server’s response to your distinguished name query. If you already know the appropriate Distinguished Name (DN) and User DN settings, you may be able to skip some of the following steps.
To add an LDAP server – web-based manager:
- Go to User & Device > LDAP Servers and select Create New.
- Enter the Server IP/Name and Server Port (default 389).
- In the Common Name Identifier field, enter sAMAccountName.The default common name identifier is cn. This is correct for most LDAP servers. However some servers use other identifiers such as uid.
- In the Distinguished Name field, enter your organization distinguished name. In this example, Distinguished Name is dc=techdoc,dc=local
- Select Fetch DN, this will fetch the Windows AD directory.
Configuring Single Sign On to Windows AD
- Set Bind Type to
- In the User DN field, enter the administrative account name that you created for FSSO. For example, if the account is administrator, enter “administrator@techdoc.local”.
- Enter the administrative account password in the Password
- Optionally select Secure Connection.
l In the Protocol field, select LDAPS or STARTTLS. l In the Certificate field, select the appropriate certificate for authentication.
Note that you need to configure the Windows AD for secure connection accordingly.
- Select OK.
- Test your configuration by selecting the Test A successful message confirming the right settings appears.
To configure LDAP for FSSO – CLI example:
config user ldap edit LDAP set server 10.10.20.3 set cnid sAMAccountName set dn dc=techdoc,dc=local set type regular
set username administrator@techdoc.local set password <your_password>
next
end
Configuring the LDAP Server as a Single Sign-On server
The LDAP server must be added to the FortiGate Single Sign-On configuration.
To add the LDAP server as a Single Sign-On server:
- Go to User & Device > Single Sign-On and select Create New.
- Enter
Type | Poll Active Directory Server | |
Server IP/Name | Server Name or IP address of the Domain Controller |
User | A Domain user name |
Password | The user’s password |
LDAP Server | Select the LDAP server you added earlier. |
Enable Polling | Select |
- Select OK.
Creating Fortinet Single Sign-On (FSSO) user groups
You cannot use Windows or Novell groups directly in FortiGate security policies. You must create FortiGate user groups of the FSSO type and add Windows or Novell groups to them.
To create a user group for FSSO authentication – web-based manager:
- Go to User & Device > User Groups and select Create New. The New User Group dialog box opens.
- In the Name box, enter a name for the group, FSSO_Internet_users for example.
- In Type, select Fortinet Single Sign-On (FSSO).
- In Members, select the required FSSO
- Select OK.
To create the FSSO_Internet-users user group – CLI
config user group edit FSSO_Internet_users set group-type fsso-service
set member CN=Engineering,cn=users,dc=office,dc=example,dc=com
CN=Sales,cn=users,dc=office,dc=example,dc=com end
Default FSSO group
SSO_Guest_users is a default user group enabled when FSSO is configured. It allows guest users on the network who do not have an FSSO account to authenticate and have access to network resources. See Enabling guest access through FSSO security policies on page 138.
Creating security policies
Policies that require FSSO authentication are very similar to other security policies. Using identity-based policies, you can configure access that depends on the FSSO user group. This allows each FSSO user group to have its own level of access to its own group of services
In this situation, Example.com is a company that has its employees and authentication servers on an internal network. The FortiGate unit intercepts all traffic leaving the internal network and requires FSSO authentication to access network resources on the Internet. The following procedure configures the security policy for FSSO authentication. FSSO is installed and configured including the RADIUS server, FSSO Collector agent, and user groups on the FortiGate
Configuring Single Sign On to Windows AD
For the following procedure, the internal interface is port1 and the external interface connected to the Internet is port2. There is an address group for the internal network called company_network. The FSSO user group is called fsso_group, and the FSSO RADIUS server is fsso_rad_server.
To configure an FSSO authentication security policy – web-based manager:
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter the following information.
Incoming Interface | port1 |
Source Address | company_network |
Source User(s) | fsso_group |
Outgoing Interface | port2 |
Destination Address | all |
Schedule | always |
Service | HTTP, HTTPS, FTP, and Telnet |
Action | ACCEPT |
NAT | ON |
UTM Security Profiles | ON for AntiVirus, IPS, Web Filter, and Email Filter, all using default profiles. |
Log Allowed Traffic | ON. Select Security Events. |
- Select OK.
- Ensure the FSSO authentication policy is higher in the policy list than more general policies for the same interfaces.
To create a security policy for FSSO authentication – CLI:
config firewall policy edit 0 set srcintf port1 set dstintf port2 set srcaddr company_network
set dstaddr all set action accept set groups fsso_group set schedule always set service HTTP HTTPS FTP TELNET set nat enable
end
Here is an example of how this FSSO authentication policy is used. Example.com employee on the internal company network logs on to the internal network using their RADIUS username and password. When that user attempts to access the Internet, which requires FSSO authentication, the FortiGate authentication security policy
FortiOS FSSO log messages
intercepts the session, checks with the FSSO Collector agent to verify the user’s identity and credentials, and then if everything is verified the user is allowed access to the Internet.
Enabling guest access through FSSO security policies
You can enable guest users to access FSSO security policies. Guests are users who are unknown to Windows AD and servers that do not logon to a Windows AD domain.
To enable guest access in your FSSO security policy, add an identity-based policy assigned to the built-in user group SSO_Guest_Users. Specify the services, schedule and UTM profiles that apply to guest users — typically guests have access to a reduced set of services. See Creating security policies on page 136.