Re: LDAP Web Filtering Authentication
The way FSSO works is that there is an agent on a machine that talks to domain controllers on the firewall's behalf. If you have one or two DCs, the firewall itself can do all the heavy lifting without separate agents. The domain controllers log all user login activity and the IP address it came from. The FSSO agent looks for those logs and assigns a user to an IP address dynamically. The firewall connects to the agent and gets this list of IP/user mappings to apply to rules. If a device on a specific IP doesn't log in to anything, then it doesn't get a user assigned to it. There is caching, so when a new user logs in, they might get the policy applied to the previous user for a few minutes. You could set a rule for authenticated users with one policy and then a catch-all rule afterwards with an internet access policy for non-authenticated devices, or force those users to a login portal.
As for the bind for the LDAP users, try posting the output of "show user ldap"; that is more helpful. Feel free to strip out anything private. For example, here's one of mine...
config user ldap
    edit <ldap name>
        set server <server1>
        set secondary-server <server2>
        set tertiary-server <server3>
        set cnid "sAMAccountName"
        set dn "cn=users,dc=<domain>,dc=<local>"
        set type regular
        set username "CN=<user>,OU=<some OU>,DC=<domain>,DC=<local>"
        set password enc <password>
        set secure ldaps
        set port 636
    next
end
Some FGT500Es, 500Ds, 60Ds at work
FWF60E, FWF80CM at home
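The IP-to-user mapping, the firewall's periodic refresh of that mapping, and the two-rule policy (authenticated users first, catch-all second) described in the post above can be modelled in a few lines. This is an added illustration, not Fortinet's code or anything from the poster's setup: the poll interval, idle timeout, event format, usernames and IP addresses are all constructed assumptions chosen to show the stale-cache window and the unauthenticated fallback.

```python
"""Toy model of FSSO-style IP/user mapping and policy selection.

Added example; not FortiOS or FSSO agent code. Poll interval, idle
timeout and the sample logon events are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class LogonEvent:
    """One logon record the agent would derive from a DC security log."""
    ts: int      # seconds on a constructed timeline
    user: str
    ip: str


class AgentTable:
    """The collector agent's live view: IP -> (user, time of last logon)."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[str, int]] = {}

    def ingest(self, ev: LogonEvent) -> None:
        # A new logon from the same IP replaces the previous user.
        self.entries[ev.ip] = (ev.user, ev.ts)


class FirewallCache:
    """The firewall's snapshot of the agent table, refreshed every poll_seconds.

    Between polls the snapshot is stale, which is exactly the window in which
    a new user on a reused IP is still treated as the previous user.
    """

    def __init__(self, agent: AgentTable, poll_seconds: int = 60, idle_timeout: int = 300) -> None:
        self.agent = agent
        self.poll_seconds = poll_seconds      # assumed refresh interval
        self.idle_timeout = idle_timeout      # assumed mapping lifetime
        self.snapshot: Dict[str, Tuple[str, int]] = {}
        self.last_poll: Optional[int] = None

    def _maybe_refresh(self, now: int) -> None:
        if self.last_poll is None or now - self.last_poll >= self.poll_seconds:
            self.snapshot = dict(self.agent.entries)
            self.last_poll = now

    def user_for(self, ip: str, now: int) -> Optional[str]:
        """Return the user bound to ip, or None if unknown or expired."""
        self._maybe_refresh(now)
        entry = self.snapshot.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen > self.idle_timeout:
            return None
        return user


def decide(fw: FirewallCache, ip: str, now: int) -> Tuple[str, Optional[str]]:
    """First-match policy: authenticated rule if a user is mapped, else catch-all."""
    user = fw.user_for(ip, now)
    if user is not None:
        return ("authenticated-users", user)
    return ("catch-all", None)


def demo() -> list:
    """Replay a constructed timeline and return the policy decisions made."""
    agent = AgentTable()
    fw = FirewallCache(agent, poll_seconds=60, idle_timeout=300)

    agent.ingest(LogonEvent(ts=1000, user="alice", ip="10.0.0.5"))
    agent.ingest(LogonEvent(ts=1100, user="bob", ip="10.0.0.6"))

    results = []
    results.append(decide(fw, "10.0.0.5", 1200))  # first poll: alice is mapped
    results.append(decide(fw, "10.0.0.7", 1200))  # never logged on: catch-all

    # carol logs on from the IP alice was using (e.g. DHCP reuse).
    agent.ingest(LogonEvent(ts=1230, user="carol", ip="10.0.0.5"))
    results.append(decide(fw, "10.0.0.5", 1240))  # snapshot not yet refreshed: still alice
    results.append(decide(fw, "10.0.0.5", 1260))  # poll interval elapsed: now carol
    results.append(decide(fw, "10.0.0.6", 1500))  # bob idle past timeout: catch-all
    return results


if __name__ == "__main__":
    for rule, user in demo():
        print(f"{rule:22s} {user}")
```

The third decision is the caveat from the post made concrete: until the firewall refreshes its copy of the mapping, carol's traffic is evaluated under alice's policy. The fifth shows why a catch-all rule (or a login portal) is still needed for devices whose mapping has aged out or that never logged on at all.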