Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DamianLozano
New Contributor

Sync with AD troubleshooting

Hello people,

 

Happy new year!!

This is a FortiGate 60F with the latest firmware: 6.4.4

I was able to set up the FortiGate to sync with AD without the agent, using the polling method with an external connector, and it is working.

If I go to "Dashboard -> FortiView Sources", I can see whether each PC has an AD user, and I can also check which IPv4 policies a machine is using, so I know which policy it is matching.

But I wonder if there is another method to know whether that synchronization is working fine, or whether a specific user has any kind of problem with it, from the FortiGate (CLI or GUI).

If a user does not match an IPv4 policy that they are supposed to match, how can I check why?

 

Thanks in advance

Regards,

Damián

 

 

6 REPLIES
Alivo__FTNT
Staff

Hello Damián,

 

You can set up a firewall policy without the FSSO user group, with the same src/dst and everything else as configured for the actual FSSO policy, and place it below the FSSO policies. Any IP matching this new policy is one that is not being authenticated. That's an example.

 

Best Regards, Alivo


Yurisk
Valued Contributor

- To see what policy is being matched for a user (after all, FSSO etc. are just means to map an AD username to an IP address; the security policies work with IPs, not usernames), the universal debug for anything policy-related is:

diagnose debug flow filter <filtering param>
diagnose debug flow show function-name enable
diagnose debug flow trace start
diagnose debug enable

 

- With any external server authentication, regardless of what it is:

diagnose debug app fnbamd -1
diagnose deb enable

This will give the details of the "chat" session between the FortiGate and the external server.

 

- For the general health status of the FortiGate connection to the AD DC (look for the local Agent status):

diagnose debug authd fsso server-status

 

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
DamianLozano

Thank you for sharing your knowledge,

 

For the first list of commands, I did know about "diagnose debug flow", but I did not know about this line:

diagnose debug flow show function-name enable

Thanks, I think I will use "FortiView Sources - Policies" from the gui

 

About the second list of commands, I assume that this should show the dialog between the FortiGate unit and the domain controller; in this case, I cannot understand any of the output.

 

"diagnose debug authd fsso server-status" works and shows me this:

Server Name                     Connection Status   Version             Address
-----------                     -----------------   -------             -------
Local FSSO Agent                connected           FSAE server 1.1     127.0.0.1

 

I think this is like the green arrow up or the red arrow down in the GUI, am I right?

 

Regards,

Damián

Yurisk
Valued Contributor

DamianLozano wrote:

"diagnose debug authd fsso server-status" works and shows me this:

Server Name                     Connection Status   Version             Address
-----------                     -----------------   -------             -------
Local FSSO Agent                connected           FSAE server 1.1     127.0.0.1

I think this is like the green arrow up or the red arrow down in the GUI, am I right?

 

Yes, it is

 

Regarding the output of the authentication daemon debug: I don't use AD log polling for FSSO much, so I cannot say what you should see there. But with LDAP/RADIUS authentication, you see there how the FGT binds via LDAP to the AD DC using the configured username/password, then what search query is sent to the DC, then the answer from the DC: authorized or not, and the DC groups returned for the user. At the end of the post I include an example debug session for RADIUS authentication.

 

 

Another command worth mentioning for FSSO is diagnose debug authd fsso list, which shows the mapped users, something like this:

# diagnose debug authd fsso list
----FSSO logons----
IP: 192.168.13.147  User: TARA  Groups: CN=TARA ADDISON,OU=SALES,DC=NSE8,DC=COM+CN=GROUPA,DC=NSE8,DC=COM  Workstation: WIN10AD  MemberOf: FSAE1_Group
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----

And finally, found in my notes for FSSO polling:

diagnose debug fsso-polling detail 1

 

Example debug output for RADIUS authentication against a Windows 2016 NPS:

FG2 # [2254] handle_req-Rcvd auth req 1609450405 for tara in SSL-VPN-RADIUS opt=00100520 prot=10   USER "TARA" is trying to authenticate for VPN SSL
[406] __compose_group_list_from_req-Group 'SSL-VPN-RADIUS' <-- LOCAL AUTHENTICATION GROUP THAT CONTAINS RADIUS SERVER AS ONLY MEMBER
[615] fnbamd_pop3_start-tara
[607] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DC-2016-RADIUS' for usergroup 'SSL-VPN-RADIUS' (8) <- RADIUS SERVER OBJECT REFERENCED IN THE GROUP ABOVE
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1338] fnbamd_radius_auth_send-Compose RADIUS request
[1305] fnbamd_rad_dns_cb-192.168.13.82->192.168.13.82 <- IP OF THE RADIUS SERVER (NPS WINDOWS 2016)
[1280] __fnbamd_rad_send-Sent radius req to server 'DC-2016-RADIUS': fd=15, IP=192.168.13.82(192.168.13.82:1812) code=1 id=24 len=172 user="tara" using MS-CHAPv2
[282] radius_server_auth-Timer of rad 'DC-2016-RADIUS' is added
[718] auth_tac_plus_start-Didn't find tac_plus servers (0) <- FGT CHECKS IF ANY OTHER SERVERS ARE INSIDE THIS GROUP, HERE NONE
[439] ldap_start-Didn't find ldap servers (0)
[565] create_auth_session-Total 1 server(s) to try
[2515] fnbamd_auth_handle_radius_result-Timer of rad 'DC-2016-RADIUS' is deleted
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[305] extract_success_vsas-FORTINET attr, type 1, val VPNSSLgroup <- THIS IS VENDOR RADIUS ATTRIBUTE I SET IN NPS MANUALLY TO SEND TO FGT GROUP NAME THE USER BELONGS TO
[2541] fnbamd_auth_handle_radius_result-->Result for radius svr 'DC-2016-RADIUS' 192.168.13.82(1) is 0
[2471] fnbamd_radius_group_match-Skipping group matching <- IN NORMAL CIRCUMSTANCES I'D SET MATCH GROUP NAME CONDITION ON FGT SIDE, HERE I SKIPPED SUCH CONDITION
[331] fnbamd_framed_ip_add_ip-Added IP 172.19.4.4
[993] find_matched_usr_grps-Skipped group matching
[181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 1609450405
[719] destroy_auth_session-delete session 1609450405
[2717] handle_req-Rcvd 7 req
[300] fnbamd_acct_start_START-Error getting radius server
[1445] create_acct_session-Error start acct type 7
[2731] handle_req-Error creating acct session 7
[84] fnbamd_framed_ip_backup-Backing up vfid 0
[90] fnbamd_framed_ip_backup-Backing up IP 172.19.4.4 for svc 5 <- IP ADDRESS ASSIGNED TO VPN SSL CLIENT FROM RADIUS SERVER FOR THIS (TARA) USER
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
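As an added example that is not part of the thread or of any Fortinet tool, the script below ties together two of the points above: the "catch-all policy below the FSSO policies" trick from Alivo's reply, and the "diagnose debug authd fsso server-status" / "diagnose debug authd fsso list" output from Yuri's. It parses both outputs (the samples are constructed in the multi-line layout the CLI prints; the thread's copies are flattened onto one line, and the second logon entry, the policy names and the addresses are made up) and then walks an ordered policy table considering only the FSSO user-group condition, so that for a given source IP it reports whether the IP hits an FSSO policy, falls through to the catch-all because there is no logon for it, or falls through because the mapped user's MemberOf group is not referenced by any policy above. The assumption that several FortiGate groups in MemberOf would be '+'-separated, like the AD group DNs, is mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of "diagnose debug authd fsso server-status"
# as shown in the thread (columns separated by runs of spaces).
SAMPLE_SERVER_STATUS = """\
Server Name                     Connection Status   Version             Address
-----------                     -----------------   -------             -------
Local FSSO Agent                connected           FSAE server 1.1     127.0.0.1
"""

# Constructed sample in the multi-line layout of "diagnose debug authd fsso list";
# the first entry copies the thread's example, the second is made up.
SAMPLE_FSSO_LIST = """\
----FSSO logons----
IP: 192.168.13.147  User: TARA  Groups: CN=TARA ADDISON,OU=SALES,DC=NSE8,DC=COM+CN=GROUPA,DC=NSE8,DC=COM  Workstation: WIN10AD  MemberOf: FSAE1_Group
IP: 192.168.13.150  User: BOB  Groups: CN=BOB SMITH,OU=IT,DC=NSE8,DC=COM  Workstation: WIN10IT  MemberOf: FSAE2_Group
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

# One logon line; Groups is matched non-greedily because AD DNs contain spaces and commas.
LOGON_RE = re.compile(
    r"IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+Groups:\s*(?P<groups>.*?)\s+"
    r"Workstation:\s*(?P<ws>\S+)\s+MemberOf:\s*(?P<member_of>.*)$"
)


@dataclass(frozen=True)
class Logon:
    ip: str
    user: str
    ad_groups: Tuple[str, ...]   # AD group DNs, '+'-separated in the CLI output
    workstation: str
    member_of: frozenset         # FortiGate FSSO user groups this logon maps to


@dataclass(frozen=True)
class Policy:
    policy_id: int
    name: str
    fsso_groups: frozenset = frozenset()   # empty: no user-group condition


# Constructed policy table: the FSSO policy first, then the catch-all without a
# user group placed below it (same src/dst/service as the FSSO policy assumed).
POLICIES: List[Policy] = [
    Policy(10, "sales-to-internet", frozenset({"FSAE1_Group"})),
    Policy(20, "unauthenticated-catchall"),
]


def parse_server_status(text: str) -> Dict[str, str]:
    """Map each FSSO server name to its 'Connection Status' column."""
    status = {}
    for line in text.splitlines()[2:]:          # skip header row and dashed rule
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) >= 2:
            status[cols[0]] = cols[1]
    return status


def fsso_healthy(status: Dict[str, str]) -> bool:
    """True only when every collector/agent reports 'connected' (the GUI's green arrow)."""
    return bool(status) and all(s == "connected" for s in status.values())


def parse_fsso_list(text: str) -> Dict[str, Logon]:
    """Index active FSSO logons by IP (the CLI lists one logon per IP)."""
    logons = {}
    for line in text.splitlines():
        m = LOGON_RE.search(line)
        if m is None:
            continue
        # Assumption: several FortiGate groups would be '+'-separated like the AD groups.
        member_of = frozenset(g for g in m["member_of"].split("+") if g)
        logons[m["ip"]] = Logon(m["ip"], m["user"], tuple(m["groups"].split("+")),
                                m["ws"], member_of)
    return logons


def explain_policy_match(ip: str, logons: Dict[str, Logon],
                         policies: List[Policy]) -> Tuple[Optional[int], str]:
    """Walk the ordered policy table for traffic from `ip`, evaluating only the
    FSSO user-group condition, and report which policy it hits and why."""
    logon = logons.get(ip)
    for p in policies:
        if not p.fsso_groups:
            if logon is None:
                return p.policy_id, f"no FSSO logon for {ip}: hits '{p.name}' as unauthenticated"
            return p.policy_id, (f"{logon.user} is logged on but MemberOf {sorted(logon.member_of)} "
                                 f"matches no FSSO policy above '{p.name}'")
        if logon is not None and logon.member_of & p.fsso_groups:
            matched = sorted(logon.member_of & p.fsso_groups)
            return p.policy_id, f"{logon.user} matches '{p.name}' via {matched}"
    return None, f"{ip} matches no policy: implicit deny"


if __name__ == "__main__":
    print("FSSO healthy:", fsso_healthy(parse_server_status(SAMPLE_SERVER_STATUS)))
    table = parse_fsso_list(SAMPLE_FSSO_LIST)
    for src in ("192.168.13.147", "192.168.13.150", "192.168.13.200"):
        print(src, "->", explain_policy_match(src, table, POLICIES))
```

To use it against a real unit, paste the two command outputs into the two sample strings (or read them from files) and list the policies in the order they appear in the policy table, giving each FSSO policy the FortiGate group names it references. The reason string distinguishes the two failure modes Damián asked about: an IP the polling never mapped to a user at all, versus a user who is mapped but whose FSSO group is not the one the policy requires.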
DamianLozano

Thank you Yuri!!!

DamianLozano

Just another related question.

Sometimes I have seen that an IP stays stuck with the same user, although that user logged out and another user logged in.

Is there another way to refresh that user than closing all their sessions?

 

Thanks

Regards,

Damián
