Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
suporte_dohler
New Contributor

Authentication Fortinet Single Sign-On (FSSO) in MACOS HIGH SIERRA

I am with a issue with the authentication with AD, FORTIGATE and MACOS HIGH SIERRA. I can't surf internet. I need help to resolve this problem.

 

6 REPLIES 6
maiconp340
New Contributor

Hello, I think you have a certification inspection issue. try on bypass that URL from SSL Inspection.

check in Monitor > Firewall User Monitor and check whether that user is authenticate, if it is there so your authenticate with AD it is working.

suporte_dohler

the user is not there.

The is happening, is that after login the mac show a windows for me, where it's ordering the user and password my firewall and after fill out show error the connection with the firewall.

 

maiconp340

check whether "Redirect HTTP Port" to HTTPS is Enable in System > Settings, if yes please desable it and try on.

 

suporte_dohler

the user is connect in NTLM, but don´t in FSSO, where i can't surf internet.

suporte_dohler

 

i can't suft in internet, but macos is connected.

xsilver_FTNT

Hi,

 

your initial screenshot points more towards SSL cert issues, probably due to deep inspection.

If you resolved that and your MAC is inside domain, but your AD logon is not seen in FSSO on FGT, like in 'diag debug auth fsso list' , or in firewall (this part is checked in policies) ' diag fire auth list'.

Then it might be caused by FGT not knowing about your user from FSSO.

Check if you do have connected Collector agent via ..

diag debug en diag debug authd fsso server-status

 

Also, standalone collector is able to set which logon events it is processing. As during logon to domain there is whole lot of events, like 15, and for FSSO is useful just one or two of those.

In the past I seen that MacOS computers generated 4624 EventId types during their authentication to domain.

Therefore make sure your standalone collector has Advanced Settings > General > Windows Security Event Logs > Event IDs to poll = "2".

 

If you not have standalone collector, usual and cheapest way, then maybe let us know with more details about your setup.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Labels
Top Kudoed Authors