mikaellorenzo12
New Contributor

Policy not working on connected Zentyal LDAP server

We already connected the AD of the Zentyal server using LDAP, but the policy is not working for the users. We use the FSSO client for the connection, but the FSSO client can't see the logged-on users.


Can someone help me? Thanks!

xsilver_FTNT
Staff

Hi,

How about a more complete config overview or some config snippets?

It's completely unclear whether your policy is a normal firewall policy or an explicit proxy policy, whether the group you mentioned is LDAP or FSSO type, and also what is supposed to be authenticated with that group.


If it's FSSO, then you first need a connection to get authenticated somewhere where the SSO Agent or Collector can spot and process the logon, create the respective FSSO user record on the collector and push it to the connected FortiGates.

So if the group is FSSO, then you should have users in 'diag debug auth fsso list' and as fsso type in 'diag fire auth list'. If you do not have FSSO users, then there is a problem in the SSO setup.


If you use those groups in any active auth for VPN or WLC, then those cannot be SSO.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

mikaellorenzo12

I can see my DC, so my FortiGate and AD server are connected, but I can't see who is logged on. All I do in my FortiGate is the LDAP connection, and I followed all the tutorials online; I don't know why I can't see the users who logged in.

xsilver_FTNT

If you have just one DC, 192.168.3.13, then I would guess that you do not audit successful logons on the DC.

If you have more than this one DC 192.168.3.13 handling your domain and you run in DCAgent mode, as the presence of the agent suggests, then you need DCAgents installed on all the DC servers.

If you run ping -4 -n 2 %logonserver:~2% from your workstation, then you should see the IP of the DC used by the workstation for login verification. So if you do see 192.168.3.13, then the logon server was chosen OK and you should also see user logon data in the Windows Security Event log. If you do not see any logon event, then auditing is disabled.


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
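The three checks in the reply above (which DC the workstation logged on through, whether success auditing of logons is enabled, and whether the Security log actually contains logon events), put together as a PowerShell diagnostic. This is an added example, not code from the thread, from Fortinet or from the FSSO agent; it assumes an elevated PowerShell session on the Windows DC (the logon-server check also works from a domain workstation), and the DC address 192.168.3.13 is the one quoted in the thread and should be replaced with your own.

```powershell
# Added diagnostic (not from the thread or Fortinet). Run elevated on the DC
# that FSSO is expected to read logon events from.
$ExpectedDc = '192.168.3.13'   # DC address quoted in the thread; adjust to your own

# 1. Which DC authenticated this session? Same value as %logonserver% in cmd.exe.
$logonServer = $env:LOGONSERVER.TrimStart('\')
$resolved = [System.Net.Dns]::GetHostAddresses($logonServer) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Select-Object -First 1 -ExpandProperty IPAddressToString
Write-Host "Logon server: $logonServer ($resolved)"
if ($resolved -ne $ExpectedDc) {
    Write-Warning "Logon went through a DC other than $ExpectedDc; in DCAgent mode that DC needs an agent too."
}

# 2. Is success auditing enabled for the 'Logon' subcategory on this host?
#    'auditpol /r' emits CSV, so it can be parsed with ConvertFrom-Csv.
$auditRow = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv |
    Where-Object { $_.Subcategory -eq 'Logon' }
$setting = $auditRow.'Inclusion Setting'
Write-Host "Audit setting for 'Logon': $setting"
if ($setting -notmatch 'Success') {
    Write-Warning "Successful logons are not audited; nothing will reach the Security log for FSSO to see."
}

# 3. Are there any successful logon events (ID 4624) in the last hour?
$since = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No 4624 events since $since."
} else {
    # 4624 property indexes: 5 = TargetUserName, 6 = TargetDomainName,
    # 8 = LogonType, 18 = IpAddress (source of the logon)
    $events | ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            LogonType = $_.Properties[8].Value
            SourceIp  = $_.Properties[18].Value
        }
    } | Format-Table -AutoSize
}
```

If step 2 reports a setting without "Success", that is the "audit is disabled" case from the reply; if step 2 is fine but step 3 lists no events for a user you know just logged on, the workstation most likely authenticated against a different DC, which is what step 1 reveals.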

mikaellorenzo12

I have 2 DCs, but I turned off the other DC, so I'm working with 1 DC now, and I can ping my logon server using the command you gave. BTW I'm using Zentyal, a Linux-based server, so I think I can't install DCAgent on my DC.

xsilver_FTNT

Wait a sec, that Zentyal is somehow emulating/doing the DC job?

If that is your domain controller, not a Microsoft Server, then I guess it also does not generate the correct/expected logon events, and so we have nothing to work with in FSSO.

FSSO in polling or DCAgent mode is built to work with Microsoft Servers, and the list of compatible ones is part of the FortiOS Release Notes compatibility/interoperability section. Anything else might work but is not a tested, guaranteed or supported solution.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
