1. Configuring an LDAP directory on the FortiAuthenticator |
|
|
Go to Authentication > User Management > Local Users to create a user list. Make sure to enable Allow LDAP browsing. |
 |
|
Go to Authentication > User Management > User Groups to create a user group and add users to it. “FortiOS_Writers” user group is used in this example. |
 |
|
Go to Authentication > LDAP Service > Directory tree and configure the LDAP directory tree. |
 |
2. Integrating the FortiGate with the FortiAuthenticator |
|
| On the FortiGate, go to User & Device > LDAP Servers to configure the LDAP server. |  |
3. Installing FSSO agent on the Windows DC |
|
|
Accept the license and follow the Wizard. Enter the Windows AD administrator password. |
|
|
Select the Advanced access method for Windows Directory. |
 |
|
In the Collector Agent IP address field, enter the IP address of the Windows AD server. |
 |
| Select the domain you wish to monitor. |  |
| Next, select the users you do not wish to monitor. |  |
| Under Working Mode, select DC Agent Mode. |  |
| When prompted, select Yes to reboot the Domain Controller. |  |
|
Upon reboot, the collector agent will start up. You can choose to Require authenticated connection from FortiGate and set a Password which will be used in step 4. |
 |
4. Configuring Single Sign-On on the FortiGate |
|
|
Go to User & Device > Single Sign-On and create a new SSO server. In the Primary Agent IP/Name field, enter the Collector Agent IP Address used in step 3. Likewise, enter the Password required for authentication. Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS_Writers” group is used. |
 |
5. Adding a user group to the FortiGate |
|
|
Go to User & Device > User Groups to create new user group. Under Remote groups, add the remote LDAP server created earlier in the FortiAuthenticator (in this example it’s called “FAC_LDAP”). |
 |
6. Adding a policy to the FortiGate |
|
|
Go to Policy & Objects > IPv4 Policy and create a policy allowing “FortiOS_Writers” to navigate the Internet with appropriate security profiles. The default Web Filter security profile is used in this example. |
 |
7. Results |
|
| Have users log on to the domain, go to the FSSO agent, and select Show Logon Users. |  |
| From the FortiGate, go to Dashboard to look for the CLI Console widget and type this command for more detail about current FSSO logons: |
|
| Have users belonging to the “FortiOS_Writers” user group navigate the Internet. An authentication portal is presented to allow only authorized users. Security profiles will be applied accordingly. |
|
|
Upon successful authentication, from the FortiGate, go to Monitor > Firewall User Monitor and verify FSSO Logons. |
 |
|
Go to Log & Report > Forward Traffic to verify the log. |
 |
| Select an entry for details. |  |
The post Single Sign-On using FSSO agent in advanced mode and FortiAuthenticator (Expert) appeared first on Fortinet Cookbook.