Wednesday, March 5, 2014

All Fortigate FSSO users are placed in the FSSO_guest_users group

Getting AD authentication going on a Fortigate is a slightly finicky but well-documented process, and once you get it working it works well. If it's something you battle with, leave a comment and I'll do a HowTo.

That said, I recently had an issue with a Fortigate unit that absolutely insisted on putting all FSSO users in the FSSO_guest_users group, which meant none of my policies that used authentication were working. This is what the Fortigate saw my logged-on users as:


The fix in the end was fairly simple: it turned out that on the Fortigate I had the groups configured in Advanced mode, i.e. in LDAP DN format, like so: CN=Internet Access,OU=Security Groups,OU=Head Office,DC=corp,DC=root.

The Collector Agent, however, was configured to use Standard mode, so the group names it reported were in Windows Domain/Group form and never matched the DN-style names on the Fortigate. The fix was to switch the FSSO Collector Agent's Directory Access Mode to Advanced Mode so that both sides use the same format.

Once the change was made I refreshed the FSSO groups on the Fortigate with the "execute fsso refresh" command and all was well again.
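Putting the pieces together as an added example (this is not configuration from the original post): the FortiOS CLI form of the Advanced-mode group definition, the refresh, and the diagnose commands I would use to confirm that users stop landing in FSSO_guest_users. The DN is the one from the post; the group object name FSSO_Internet and the NetBIOS domain name CORP in the commented Standard-mode line are assumptions.

```fortios
# Added example, not from the original post. FortiOS 5.x CLI.
# The FSSO group on the Fortigate is written in Advanced (LDAP DN) form, so the
# Collector Agent's Directory Access Mode must also be Advanced. If the agent is
# left in Standard mode it reports groups as DOMAIN/Group, nothing matches, and
# every logged-on user is placed in FSSO_guest_users.
config user group
    edit "FSSO_Internet"                 # object name is an assumption
        set group-type fsso-service
        # Advanced mode (LDAP DN): matches a Collector Agent in Advanced mode
        set member "CN=Internet Access,OU=Security Groups,OU=Head Office,DC=corp,DC=root"
        # Standard mode would use DOMAIN/Group instead (NetBIOS name CORP assumed):
        # set member "CORP/Internet Access"
        # Using one form on the Fortigate and the other on the agent is the
        # mismatch described above.
    next
end

# After switching the Collector Agent to Advanced mode, pull the group list again
execute fsso refresh

# Checks: the Collector Agent should show as connected, and the logged-on user
# list should now carry the DN-style group rather than only FSSO_guest_users
diagnose debug authd fsso server-status
diagnose debug authd fsso list
```

If the server-status check shows the agent as connected but users still appear only in FSSO_guest_users after the refresh, the group name format is the first thing to compare on both sides before looking anywhere else.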

For those of you keeping notes, the Fortigate was running FortiOS v5 Patch 6 and the FSSO agent was v4.0 MR3 B0151.