To specify the FSSO Collector agent – CLI:

In this example, the SSO server name is techdoc and the LDAP server is LDAP.

config user fsso edit techdoc

set ldap-server LDAP

set password <your_password>

set server 10.10.20.3 set port 8000

end

 

Creating Fortinet Single Sign-On (FSSO) user groups

You cannot use Windows or Novell groups directly in FortiGate security policies. You must create FortiGate user groups of the FSSO type and add Windows or Novell groups to them.

 

To create a user group for FSSO authentication – web-based manager:

1. Go to User & Device > User > User Groups.

2. Select Create New.

The New User Group dialog box opens.

3. In the Name box, enter a name for the group, FSSO_Internet_users for example.

4. In Type, select Fortinet Single Sign-On (FSSO).

5. In Members, select the required FSSO groups.

6. Select OK.

 

 

To create the FSSO_Internet-users user group – CLI :

config user group

edit FSSO_Internet_users

set group-type fsso-service

set member CN=Engineering,cn=users,dc=office,dc=example,dc=com

CN=Sales,cn=users,dc=office,dc=example,dc=com

end

 

Creating security policies

Policies that require FSSO authentication are very similar to other security policies. Using identity-based policies, you can configure access that depends on the FSSO user group. This allows each FSSO user group to have its own level of access to its own group of services

In this situation, Example.com is a company that has its employees and authentication servers on an internal network. The FortiGate unit intercepts all traffic leaving the internal network and requires FSSO authentication to access network resources on the Internet. The following procedure configures the security policy for FSSO authentication. FSSO is installed and configured including the RADIUS server, FSSO Collector agent, and user groups on the FortiGate

For the following procedure, the internal interface is port1 and the external interface connected to the Internet is port2. There is an address group for the internal network called company_network. The FSSO user group is called fsso_group, and the FSSO RADIUS server is fsso_rad_server.

 

To configure an FSSO authentication security policy – web-based manager:

1. Go to Policy & Objects > Policy > IP4 and select Create New.

2. Enter the following information.

Incoming Interface                   port1

Source Address                        company_network

Source User(s)                          fsso_group

Outgoing Interface                   port2

Destination Address                 all

Schedule                                    always

Service                                       HTTP, HTTPS, FTP, and Telnet

Action                                         ACCEPT

NAT                                             ON

UTM Security Profiles              ON for AntiVirus, IPS, Web Filter, and Email Filter, all using default pro- files.

Log Allowed Traffic                  ON. Select Security Events.

3. Select OK.

4. Ensure the FSSO authentication policy is higher in the policy list than more general policies for the same interfaces.

 

To create a security policy for FSSO authentication – CLI:

config firewall policy edit 0

set srcintf port1

set dstintf port2

set srcaddr company_network set dstaddr all

set action accept

set groups fsso_group set schedule always

set service HTTP HTTPS FTP TELNET

set nat enable end

Here is an example of how this FSSO authentication policy is used. Example.com employee on the internal company network logs on to the internal network using their RADIUS username and password. When that user attempts to access the Internet, which requires FSSO authentication, the FortiGate authentication security policy intercepts the session, checks with the FSSO Collector agent to verify the user’s identity and credentials, and then if everything is verified the user is allowed access to the Internet.

 

Users belonging to multiple groups

Before FSSO 4.0 MR3, if a user belonged to multiple user groups, the first security policy to match any group that user belonged too was the only security policy applied. If that specific group did not have access to this protocol or resource where another group did, the user was still denied access. For example, test_user belongs to group1 and group2. There are two FSSO authentication policies — one matches group1 to authenticate FTP traffic and one matches group2 to authenticate email traffic. The group1 policy is at the top of the list of policies. If test_user wants to access an email server, the first policy encountered for a group test_user belongs to is the group1 policy which does not allow email access and test_user is denied access. This is despite the next policy allowing access to email. If the order was reversed in this case, the traffic would be matched and the user’s traffic would be allowed through the firewall. However if the policy order was reversed, FTP traffic would not be matched.

As of FSSO 4.0 MR3, if a user belongs to multiple groups multiple then attempts to match the group are attempted if applicable. Using the above example, when the attempt to match the group1 policy is made and fails, the next policy with a group that test_user is a member of is attempted. In this case, the next policy is matched and access is granted to the email server.

When configuring this example the only difference between the policies is the services that are listed and the FSSO user group name.

Authenticating through multiple groups allows administrators to assign groups for specific services, and users who are members of each group have access to those services. For example there could be an FTP group, an email group, and a Telnet group.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!