Using the FSSO polling mode (agentless)
You can use Fortinet single sign-on (FSSO) in polling mode to let the FortiGate learn Windows Active Directory (AD) logons directly from the domain controller, without deploying a collector agent, so that users who have already logged in to Windows are identified transparently and receive only the access granted by the firewall policies that reference their FSSO user group. Because the FortiGate attributes traffic to a user by the source IP address associated with the logon it learned, shared workstations, terminal servers, or NAT between the clients and the FortiGate can cause one user's identity to be applied to another user's traffic; confirm that your network provides one user per IP address before relying on this mode for access control.
Step 1: Configure the FSSO active directory server for polling mode
# Step 1: one polling entry per AD domain controller the FortiGate should
# query for logon events. Group membership is resolved through the LDAP
# server object named in ldap-server, so that object must be configured
# (config user ldap) before this step.
config user fsso-polling
edit <id>
# IPv4 address of the domain controller to poll.
set server <LDAP_server_IPv4_address>
# Windows account the FortiGate uses to poll the DC. Use a dedicated
# service account with only the rights needed to read logon events
# (NOTE(review): confirm the exact group membership required by your
# FortiOS release) -- never a personal account or a Domain Admin.
set user <user_name>
# Entered in cleartext here; the running config shows it in ENC form.
set password <password>
# Name of the LDAP server object used for group lookups. Make sure that
# object binds over a secure connection (LDAPS/STARTTLS); otherwise the
# LDAP bind credentials and group data cross the network in cleartext.
set ldap-server <LDAP_server_name>
config adgrp
# Full DN of each AD group whose members should be tracked. Use the
# narrowest group(s) that cover the users who need access; the DN must
# match exactly what is later listed as a member of the FSSO user group.
edit "<LDAP_group_name>"
next
end
next
end
For example:
# Example polling entry for the DC at 10.1.1.204 in the FPXLAB3 domain.
config user fsso-polling
edit 2
set server "10.1.1.204"
# Polling account. In production use a dedicated, least-privilege service
# account rather than a shared or administrative one.
set user "fpxqa"
# The ENC string is the encrypted form the device prints with "show"; you
# type the cleartext password when configuring. Treat this blob as a
# credential when sharing or archiving configurations.
set password ENC UZ51IPmkCavcJ2o3nUiRhcLLMLCYB/pm0tujC8XE+hDpVNyI7jWQqeae55GMzsiPWTwQUMP8AHIXg1BakXXUf0y1UM+YcCRzW7BzAK4xq5B4IWA6L19jxeAWoVSk6L3y+dyF+uHTpNJlPbIR7IKVn18Eq3xySljlE71ySZNQZnxyR+AK4l+LknobHdoT8YoXDWITpA==
# Existing LDAP server object used to resolve group membership.
set ldap-server "fpxlab3"
config adgrp
# "Domain Users" matches every account in the domain. It is fine for a lab
# walkthrough, but for real access control pick the specific group(s)
# that should be allowed through the proxy.
edit "CN=Domain Users,CN=Users,DC=FPXLAB3,DC=local"
next
end
next
end
Step 2: Create the FSSO user group
# Step 2: a user group of type fsso-service. Membership is not a list of
# local users but the AD group DN(s) that the FSSO polling entry tracks;
# the DN given here must match the adgrp entry from Step 1 exactly.
config user group
edit <user_group_name>
set group-type fsso-service
set member "<list_of_user_group_members>"
next
end
For example:
# Example FSSO group referenced later by the firewall policy in Step 5.
config user group
edit "fsso_winsrv3"
set group-type fsso-service
# Same DN as the adgrp entry in Step 1; a mismatch means no user is ever
# placed in this group.
set member "CN=Domain Users,CN=Users,DC=FPXLAB3,DC=local"
next
end
Step 3: Create an authentication scheme
# Step 3: an authentication scheme whose only method is fsso. This is a
# passive method: the proxy identifies the user from FSSO logon data and
# never prompts. Users with no FSSO logon record will not be identified by
# this scheme, and no fallback method is configured here.
config authentication scheme
edit <authentication_scheme_name>
set method fsso
next
end
For example:
# Example scheme named "fsso", referenced by the authentication rule in
# Step 4.
config authentication scheme
edit "fsso"
set method fsso
next
end
Step 4: Create an authentication rule
# Step 4: an authentication rule that tells the proxy which traffic the
# scheme from Step 3 applies to. Scope it (srcintf/srcaddr/dstaddr) as
# tightly as the deployment allows; the rule decides where FSSO
# identification is attempted, while the firewall policy in Step 5 decides
# what identified users may do.
config authentication rule
edit <authentication_rule_name>
set srcintf <list_of_incoming_interfaces>
set srcaddr <IPv4_addresses | all | none>
set dstaddr <IPv4_addresses | all | none>
# sso-auth-method is used for passive (SSO) schemes such as fsso.
set sso-auth-method <authentication_scheme_name>
next
end
For example:
# Example rule that applies the "fsso" scheme to all proxy traffic from any
# interface and any IPv4/IPv6 source. This is deliberately broad for a
# walkthrough; restrict it in production.
config authentication rule
edit "fsso"
set srcintf "any"
set srcaddr "all"
set dstaddr "all"
# IPv6 sources are included here even though the template above only
# lists srcaddr; omit this line if IPv6 clients should not be covered.
set srcaddr6 "all"
set sso-auth-method "fsso"
next
end
Step 5: Create a firewall policy
# Step 5: an explicit web proxy policy that allows traffic only for members
# of the FSSO user group. Traffic from a source that has no FSSO logon
# record does not match this policy, so it is not allowed by it.
config firewall policy
edit <policy_identifier>
set type explicit-web
set explicit-web-proxy "web-proxy"
# NOTE(review): dstintf is the egress (destination) interface, although
# the placeholder name says "incoming".
set dstintf <list_of_incoming_interfaces>
set srcaddr <IPv4_addresses | all | none>
set dstaddr <IPv4_addresses | all | none>
set action accept
set schedule "always"
set service "webproxy"
# The FSSO group from Step 2; this is what ties the policy to identity.
set groups <user_group_name>
# Enables security profiles on this policy, but no profiles are listed
# here; attach the ones you need (for example web filter, antivirus) or
# traffic passes without inspection.
set utm-status enable
next
end
For example:
# Example policy 1: allow explicit proxy traffic from identified members of
# "fsso_winsrv3" to any destination via any interface.
config firewall policy
edit 1
set type explicit-web
set explicit-web-proxy "web-proxy"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "webproxy"
# Web caching is enabled in the example but not in the template above;
# it is optional for FSSO to work.
set webcache enable
set groups "fsso_winsrv3"
# No security profiles are attached in this example; add them for real
# deployments.
set utm-status enable
next
end
Step 6: Verify that the user was authenticated by checking that the user appears in the explicit web proxy's list of authenticated users
# Lists the users the explicit web proxy (WAD) currently has authenticated.
# A user who is logged in to Windows but missing from this list has not
# been learned through FSSO polling and will not match the policy in Step 5.
diagnose wad user list