FW policy based on AD Group

2021/10/12 04:53:39 (permalink)

I'd like to configure a FW policy that is based on users that belong to a particular AD group.
I installed the FSSO Agent to poll our domain DC, and on the FortiGate FW (ver 6.4.7) I configured the Endpoint/Identity to connect to the FSSO Agent.
I also configured an LDAP server to be able to gather the group names from our LDAP server.
In the "User & Authentication" menu I created a group which is based on "Fortinet Single Sign-On (FSSO)" and I selected one of the AD groups fetched from FSSO.
At the end I simply added the group to a rule as the source.

It looks like the policy doesn't recognize my user as being part of the selected group.
Is there something else I have to enable to be able to use an AD group in a policy?
Where is the user-to-group membership held at FW level (is there a table somewhere)?
How can I debug why the user is not part of the group defined in the FW?

    Re: FW policy based on AD Group 2021/10/14 00:00:55 (permalink)
    I don't understand what the problem is.
    Is this policy ignored or not working?
    BTW you can troubleshoot with this CLI command:
    "diagnose test authserver ldap <LDAP server_name> <username> <password>"
    With this you can authenticate the user and check what it returns.
    You can troubleshoot the results with these commands too:
    FGT# diagnose debug enable
    FGT# diagnose debug application fnbamd 255
    FGT# diagnose debug application fnbamd 0
    FGT# diag test authserver ldap AD_LDAP user1 password
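As an added example (not from either post above), this is what the pieces the original poster describes look like in FortiOS CLI, followed by the commands that show what the FortiGate has actually learnt from the collector agent. The collector address, password, group DN and interface names are placeholders; lines starting with # are explanatory and are not part of the configuration.

```text
# Added example; placeholders throughout, not the poster's configuration.

# 1. Collector agent the FortiGate polls for AD logon events
config user fsso
    edit "FSSO_Collector"
        set server "192.0.2.10"
        set password "<collector-agent-password>"
    next
end

# 2. FSSO user group mapped to the AD group learnt from the collector
config user group
    edit "FSSO_VPN_Users"
        set group-type fsso-service
        set member "CN=VPN Users,OU=Groups,DC=example,DC=com"
    next
end

# 3. Policy that matches only traffic from users the FortiGate has
#    placed in that group; traffic from unknown or unmatched users
#    falls through to later policies (or the implicit deny)
config firewall policy
    edit 10
        set name "AD-Group-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO_VPN_Users"
        set nat enable
    next
end

# 4. Checks: is the collector reachable, and which users/groups has the
#    FortiGate learnt from it? This list is the "table" the policy
#    consults; a user missing here cannot match the policy.
diagnose debug authd fsso server-status
diagnose debug authd fsso list
```

If the user is absent from the list, the collector agent never saw a logon event for that workstation or the AD group is not included in the collector's group filter, so the problem is upstream of the policy itself.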