Single Sign-On using LDAP and FSSO agent in advanced mode (Expert)

1. Integrating the FortiGate with the Windows DC LDAP server

2. Installing FSSO agent on the Windows DC server

Accept the license and follow the Wizard.

Enter the Windows AD administrator password.

Select the Advanced Access method.

In the Collector Agent IP address field, enter the IP address of the Windows AD server.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password.

3. Configuring Single Sign-On on the FortiGate

Go to User & Device > Single Sign-On and create a new SSO server.

Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS Writers” group is used.

4. Adding a user group to the FortiGate

Go to User & Device > User Groups to create a new FSSO user group.

Under Members, select the “FortiOS Writers” group.

5. Adding a policy to the FortiGate

Go to Policy & Objects > IPv4 Policy and create a policy allowing  “FortiOS_Writers” to navigate the Internet with appropriate security profiles.

The default Web Filter security profile is used in this example.

9. Results

diagnose debug authd fsso list

----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----

From the FortiGate, go to Monitor > Firewall User Monitor and verify FSSO Logons.

Have users go to the Internet and the security profiles will be applied accordingly.

Go to Log & Report > Forward Traffic to verify the log.