LDAP Connected but I cannot assign in Firewall any AD groups

Author: Tutek
2021/03/23 12:43:08

Hi,
I have added my AD LDAP server and it has status connected. Now I would like to create a firewall policy with AD user groups as the source, but I do not have any group from AD listed here. How could I troubleshoot this?
#1


    Alivo_ FTNT (Fortinet TAC Prague)
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/24 03:01:53
    Hello Tutek,
     
    Have you added the AD groups to a user group (or groups)?
    The user groups should then be visible in firewall policies.
    Best Regards,
    Alivo
    #2
    Tutek
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/24 03:34:30
    Hi, I created local groups and assigned this group to the remote NPS server group with the same name.
    #3
    Yurisk (Israel)
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/24 04:55:25
    You can't mix local and LDAP users in the same group. Create a new user group, put the LDAP object you created in it as a member, then use this group as the source in your rules.
     

    Yuri
    https://yurisk.info/ blog: All things Fortinet, no ads.
    #4
    Tutek
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/24 05:01:58
    I did it like that:
    [screenshot]
    because I would like to authenticate SSL VPN users who are in the NPS VPN-Admins group.
    #5
    Tutek
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/24 23:14:29
    As you can see in this KB:
    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/795593/use-active-directory-objects-directly-in-policies
    it is possible to choose AD groups in a firewall policy.
    When I create a firewall policy and, under Users, select Entry --> User, my AD groups are not listed here. Why?
    #6
    Alivo_ FTNT (Fortinet TAC Prague)
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/25 22:54:47
    Hello Tutek,

    The doc is about FSSO, not LDAP. Although you may see them as LDAP groups, which in fact they are,
    they belong to a different table in FortiGate > adgrp. This is used for passive authentication > Fortinet Single Sign On.
    Since you added LDAP groups, as you wrote in your initial post, you have chosen active authentication > meaning users will be prompted for their credentials.
    What is your goal exactly?

    Best Regards,
    Alivo
    #7
    Tutek
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/26 00:03:20
    I would like the ability to choose my polled AD group directly in the firewall policy, as shown here:
    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/795593/use-active-directory-objects-directly-in-policies
    I have configured agentless polling to my domain controller and checked two AD groups to poll, but when I create a firewall policy, click Source and then Select Entry "User", I don't see any of my AD groups here.
    #8
    Alivo_ FTNT (Fortinet TAC Prague)
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/26 01:01:16
    Hello Tutek,
    1. Which firmware are you using?
    2. What is the source interface in the policy?
    3. What is the output of: sh us adgrp
     
    Thank you.
    Best Regards,
    Alivo
     
    #9
    Tutek
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/26 02:14:58
    1. v6.4.5 build5653 (GA)
    2. I want to restrict Internet access only to users polled from the AD group "Domain Users", so the source interface is my LAN.
    3.
    FGT # sh us adgrp
    config user adgrp
    end
    #10
    Alivo_ FTNT (Fortinet TAC Prague)
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/26 03:56:04
    Hello,
    Thank you.
    There is nothing in adgrp > that is the reason you do not see anything in the policy with regard to the AD groups.
    That needs to be fixed.
    I suggest editing the fabric connector you have for polling > select Edit groups > on the panel showing your AD groups, right-click the desired group and select Add. Hit OK.
    Then sh us adgrp should show you the LDAP groups.

    Best Regards,
    Alivo
    #11
    Tutek
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/26 04:14:30
    But I already did this and selected my two groups in the agentless poller configuration:
    [screenshot]
    but after confirming with OK, then OK again, when I enter the configuration again I have Users/Groups = 0.
    #12
    Alivo_ FTNT (Fortinet TAC Prague)
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/26 06:27:55
    Hello Tutek,
    Thank you. It is a bug in FortiOS 6.4.5. I could reproduce it.
    It should show the selected groups after clicking OK, but it does not.
    As soon as you click OK again, for example, the adgrp table is deleted.
    The workaround might be to:

    1. Select the groups again, click OK and don't configure the groups again;
    in sh us adgrp the groups should then be present.
    2. Use the CLI to configure the groups:

    (Example with my AD groups)
     
    config user fsso-polling
        edit 1
            config adgrp
                edit "CN=Administrators,CN=Builtin,DC=alivo,DC=com"
                next
                edit "CN=users,CN=Builtin,DC=alivo,DC=com"
                next
            end
        next
    end
     
    Then check the policy. Any edit of the FSSO polling fabric connector will likely remove these groups again.

    3. Use agent-based FSSO.
     
    Best Regards,
    Alivo
     
    #13
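    A small offline check for the mismatch Alivo describes (groups selected under the poller's adgrp list that never reach the user adgrp table the policy editor reads). This is an added example, not code from the thread or from Fortinet; it parses constructed sample text standing in for the two show outputs and lists the DNs that are missing from the table.

```python
import re

# Constructed sample `show` output, not from the thread: the poller has two
# groups selected, but the global `user adgrp` table is empty (the 6.4.5 symptom).
FSSO_POLLING_SHOW = """\
config user fsso-polling
    edit 1
        set server "10.0.0.10"
        config adgrp
            edit "CN=Domain Users,CN=Users,DC=example,DC=local"
            next
            edit "CN=VPN-Admins,OU=Groups,DC=example,DC=local"
            next
        end
    next
end
"""
USER_ADGRP_SHOW = """\
config user adgrp
end
"""

def parse_adgrp(show_output):
    """Return the DNs listed as `edit "..."` entries inside an adgrp block.
    Handles both the nested `config adgrp` under fsso-polling and the
    top-level `config user adgrp` table; `set` lines are ignored."""
    groups = set()
    depth = 0           # current config/edit nesting depth
    adgrp_depth = None  # depth at which an adgrp block was opened
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line in ("config adgrp", "config user adgrp"):
                adgrp_depth = depth
        elif line.startswith("edit "):
            depth += 1
            match = re.fullmatch(r'edit "(.+)"', line)
            if adgrp_depth is not None and depth == adgrp_depth + 1 and match:
                groups.add(match.group(1))
        elif line in ("next", "end"):
            if depth == adgrp_depth:  # closing the adgrp block itself
                adgrp_depth = None
            depth -= 1
    return groups

def groups_missing_from_table(polling_output, adgrp_output):
    """Groups chosen in the poller that never reached the `user adgrp` table."""
    return sorted(parse_adgrp(polling_output) - parse_adgrp(adgrp_output))
```

    Paste the real output of "show user fsso-polling" and "show user adgrp" in place of the constructed strings; an empty result means the policy editor should be able to offer the groups.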
    Tutek
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/26 07:39:48
    When I try to edit "config user fsso-polling", I see that I have adgrp configured here:
    [screenshot]
    so why can't I see it in my firewall policies?
    #14
    Alivo_ FTNT (Fortinet TAC Prague)
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/29 01:05:02
    Hello Tutek,
     
    What is the source interface in the policy?

    Best Regards,
    Alivo
    #15
    Tutek
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/03/29 02:36:03
    You mean the firewall policy?
    I would like to allow Internet access only to the AD group "Domain Users":
    the source interface is my port17 (LAN);
    the source is (all); then I click + to add my Domain Users group and click "Users" in Select Entry, but I don't have any of my AD groups here.
    #16
    Alivo_ FTNT (Fortinet TAC Prague)
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/04/13 00:25:40
    Hello Tutek,

    I suggest opening a support ticket.

    Best Regards,
    Alivo
    #17
    ATammam
    Re: LDAP Connected but I cannot assign in Firewall any AD groups 2021/08/04 03:39:04
    I have the same problem and I cannot find a solution!
    #18