Configuring FSSO on FortiGate units
To configure your FortiGate unit to operate with agent-based FSSO, you l Configure any access to LDAP servers that might be necessary. Skip this step if you are using FSSO Standard mode. See Configuring LDAP server access on page 181.
- Specify the Collector agent or Novell eDirectory agent that will provide user logon information. See Specifying your collector agents or Novell eDirectory agents on page 183.
- Add Active Directory user groups to FortiGate user groups. See Creating FSSO user groups on page 184. l Create security policies for FSSO-authenticated groups. See Creating security policies on page 185.
- Optionally, specify a guest security policy to allow guest access. See Enabling guest access through FSSO security policies on page 186.
Configuring LDAP server access
LDAP access is required if your network has a Novell eDirectory agent or a Collector agent using Windows Advanced AD access mode. If you are using FSSO Standard mode, go to Specifying your collector agents or Novell eDirectory agents on page 183.
- Go to User & Device > LDAP Servers and select Create New.
- Enter the Server IP/Name and Server Port (default 389).
- In the Common Name Identifier field, enter sAMAccountName.The default common name identifier is cn.
This is correct for most LDAP servers. However some servers use other identifiers such as uid.
- In the Distinguished Name field, enter your organization distinguished name. In this example, Distinguished Name is dc=techdoc,dc=local
- Select Fetch DN, this will fetch the Windows AD directory.
- Set Bind Type to
- In the User DN field, enter the administrative account name that you created for FSSO. For example, if the account is administrator, enter “administrator@techdoc.local”.
- Enter the administrative account password in the Password
- Optionally select Secure Connection.
l In the Protocol field, select LDAPS or STARTTLS. l In the Certificate field, select the appropriate certificate for authentication.
Note that you need to configure the Windows AD for secure connection accordingly.
- Select OK.
- Test your configuration by selecting the Test A successful message confirming the right settings appears.
To configure LDAP for FSSO – CLI example:
config user ldap edit LDAP set server 10.10.20.3 set cnid sAMAccountName set dn dc=techdoc,dc=local set type regular
set username administrator@techdoc.local set password <your_password>
next
end
Specifying your collector agents or Novell eDirectory agents
You need to configure the FortiGate unit to access at least one Collector agent or Novell eDirectory agent. You can specify up to five servers on which you have installed a Collector or eDirectory agent. The FortiGate unit accesses these servers in the order that they appear in the list. If a server becomes unavailable, the next one in the list is tried.
To specify Collector agents – web-based manager:
- Go to Security Fabric > Fabric Connectors and select Create New.
- Under SSO/Identity, select Fortinet Single Sign-On Agent.
- Enter a Name for the Windows AD server. This name appears in the list of Windows AD servers when you create user groups.
- Enter the Server IP/Name and Password of the server where this agent is installed. Maximum name length is 63 characters. For the collector agent, passwords are only required only if you configured the agent to require authenticated access.
If the TCP port used for FSSO is not the default, 8000, you can change the setting in the CLI using the config user fsso command. See Configuring collector agent settings on page 162.
- Set Collector Agent AD access mode to Advanced, and select the LDAP Server you configured previously. See Configuring LDAP server access on page 181.
- Select the Users or Groups or Organizational Units tab to select the users, groups, OU that you want to monitor.
- Select OK.
To specify the FSSO collector agent – CLI:
In this example, the SSO server name is techdoc and the LDAP server is LDAP.
config user fsso edit techdoc set ldap-server LDAP set password <your_password> set server 10.10.20.3 set port 8000
end
Creating FSSO user groups
You cannot use Windows or Novell groups directly in FortiGate security policies. You must create FortiGate user groups of the FSSO type and add Windows or Novell groups to them.
To create a user group for FSSO authentication – web-based manager:
- Go to User & Device > User Groups.
- Select Create New.
The New User Group dialog box opens.
- In the Name box, enter a name for the group, FSSO_Internet_users for example.
- In Type, select Fortinet Single Sign-On (FSSO).
- In Members, select the required FSSO
- Select OK.
To create the FSSO_Internet-users user group – CLI :
config user group edit FSSO_Internet_users set group-type fsso-service
set member CN=Engineering,cn=users,dc=office,dc=example,dc=com
CN=Sales,cn=users,dc=office,dc=example,dc=com end
Creating security policies
Policies that require FSSO authentication are very similar to other security policies. Using identity-based policies, you can configure access that depends on the FSSO user group. This allows each FSSO user group to have its own level of access to its own group of services
In this situation, Example.com is a company that has its employees and authentication servers on an internal network. The FortiGate unit intercepts all traffic leaving the internal network and requires FSSO authentication to access network resources on the Internet. The following procedure configures the security policy for FSSO authentication. FSSO is installed and configured including the RADIUS server, FSSO Collector agent, and user groups on the FortiGate
For the following procedure, the internal interface is port1 and the external interface connected to the Internet is port2. There is an address group for the internal network called company_network. The FSSO user group is called fsso_group, and the FSSO RADIUS server is fsso_rad_server.
To configure an FSSO authentication security policy – web-based manager:
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter the following information.
Incoming Interface | port1 |
Source Address | company_network |
Source User(s) | fsso_group |
Outgoing Interface | port2 |
Destination Address | all |
Schedule | always |
Service | HTTP, HTTPS, FTP, and Telnet |
Action | ACCEPT |
NAT | ON |
UTM Security Profiles | ON for AntiVirus, IPS, Web Filter, and Email Filter, all using default profiles. |
Log Allowed Traffic | ON. Select Security Events. |
- Select OK.
- Ensure the FSSO authentication policy is higher in the policy list than more general policies for the same interfaces.
To create a security policy for FSSO authentication – CLI:
config firewall policy edit 0 set srcintf port1
set dstintf port2 set srcaddr company_network
set dstaddr all set action accept set groups fsso_group set schedule always set service HTTP HTTPS FTP TELNET set nat enable
end
Here is an example of how this FSSO authentication policy is used. Example.com employee on the internal company network logs on to the internal network using their RADIUS username and password. When that user attempts to access the Internet, which requires FSSO authentication, the FortiGate authentication security policy intercepts the session, checks with the FSSO Collector agent to verify the user’s identity and credentials, and then if everything is verified the user is allowed access to the Internet.
Users belonging to multiple groups
Before FSSO 4.0 MR3, if a user belonged to multiple user groups, the first security policy to match any group that user belonged too was the only security policy applied. If that specific group did not have access to this protocol or resource where another group did, the user was still denied access. For example, test_user belongs to group1 and group2. There are two FSSO authentication policies — one matches group1 to authenticate FTP traffic and one matches group2 to authenticate email traffic. The group1 policy is at the top of the list of policies. If test_user wants to access an email server, the first policy encountered for a group test_user belongs to is the group1 policy which does not allow email access and test_user is denied access. This is despite the next policy allowing access to email. If the order was reversed in this case, the traffic would be matched and the user’s traffic would be allowed through the firewall. However if the policy order was reversed, FTP traffic would not be matched.
As of FSSO 4.0 MR3, if a user belongs to multiple groups multiple then attempts to match the group are attempted if applicable. Using the above example, when the attempt to match the group1 policy is made and fails, the next policy with a group that test_user is a member of is attempted. In this case, the next policy is matched and access is granted to the email server.
When configuring this example the only difference between the policies is the services that are listed and the FSSO user group name.
Authenticating through multiple groups allows administrators to assign groups for specific services, and users who are members of each group have access to those services. For example there could be an FTP group, an email group, and a Telnet group.
Enabling guest access through FSSO security policies
You can enable guest users to access FSSO security policies. Guests are users who are unknown to the Windows AD or Novell network and servers that do not logon to a Windows AD domain.
To enable guest access in your FSSO security policy, add an identity-based policy assigned to the built-in user group SSO_Guest_Users. Specify the services, schedule and protection profile that apply to guest users — typically guests receive reduced access to a reduced set of services.
IPv6 support for FSSO
FortiGate FSSO supports connecting to an FSSO agent over IPv6 and collecting and sending IPv6 details about endpoints. This is enforced in the same manner as IPv4 FSSO traffic.
Syntax
config user fsso edit <fsso agent name>
set source-ip6 <IPv6 address for source>
end