Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
594 views23 pages

FSSO Based Authentication

This document summarizes Fortinet Single Sign-On (FSSO) authentication. FSSO allows users to automatically log into network resources after initial identification without additional logins. It works by having FSSO agents identify user IP addresses and group memberships during directory service logins, then sending this information to Fortigates. The document describes different directory service and agent modes, including Active Directory domain controller and collector agent configurations, and Novell eDirectory. It also covers NTLM fallback and FSSO timer settings.

Uploaded by

Kalaivanisubramanian
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
594 views23 pages

FSSO Based Authentication

This document summarizes Fortinet Single Sign-On (FSSO) authentication. FSSO allows users to automatically log into network resources after initial identification without additional logins. It works by having FSSO agents identify user IP addresses and group memberships during directory service logins, then sending this information to Fortigates. The document describes different directory service and agent modes, including Active Directory domain controller and collector agent configurations, and Novell eDirectory. It also covers NTLM fallback and FSSO timer settings.

Uploaded by

Kalaivanisubramanian
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 23

FSSO based Authentication

Fortinet Single-Sign On [FSSO]


 It’s a Passive authentication
 Users don’t need to logon each time they
access a different network resource
i.e. it allows users to be automatically logged into every application
afterr being identified, regardless of the platform, technology and
domain
 FSSO software identifies users source IP
address
 When user logs into Directory service the
FSSO agent sends to Fortigate the users IP
address and the name of the user groups to
which the user belongs to
Directory Service Type
 MicroSoft Active Directory
--Domain Controller Agent mode
--Polling mode
--Controller agent based
--agent less
--TS agent mode
--for citrix and Terminal services
--collector agent based
 Novell eDirectory
--eDirectory agent mode
--uses Novell API or LDAP setting
DC Agent Mode
 Standard mode for FSSO
 One DC agent installed on each windows
Domain Controller
 DC agents monitor and forwards user login
events to the collector agent
 Handles DNS lookups
 Collector agent is another component installed
on windows server
 One or more CA are installed in the windows
server

DC---UDP 8002---CA---TCP 8000---FGT


Collector Agent Based Polling Mode
 Only CA installed on the windows server
 No DC agent installed
 Generates unnecessary traffic when there are no
login events
 CA polls the Windows DC for user login events
every few seconds
 Event logging must be enabled on the DC’s
 More CPU and memory is required by the CA
Collector Agent based polling mode
Flow
 User authenticates with DC
 CA fequently polls DC’s to get user logon
events
 CA forwards logons to Fortigate
 Users need not authenticate

DC---TCP 445---CA---TCP 8000---FGT


CA polling mode options

 NetAPI--polls temporary sessions created on


the DC when user logins or logouts every 9sec
or less
 WinSec Log--polls all the security events on
the DC every 10 sec or more
 WMI–a windows API that gets info from a
windows server and the DC returns all the
requested login events every 3 sec
Agent Less polling mode
 Similar to agent based, but Fortigate does
the polling
 Fortigate polls the DC’s directly, instead
of receiving login info indirectly from CA
 Requires more system resources and it
does not scale easily
 Less available features than collector
agent based polling mode
Agent Less polling mode Flow
 Fortigate frequently polls DC to get the
user login events
 User authenticates with the DC
--fortigate will discover the login event in
the next poll
 Users do not need to authenticate as
fortigate knows whose traffic that is
DC---TCP 445---FGT
NT LAN Manager [NTLM]
 FSSO can also work with NTLM
 Which is a suite of Microsoft Security protocols
that provides authentication, integrity and
confidentiality
 Many web browsers support NTLM
 Its useful when
--users logged into DC’s not being monitored by
the collector
--communication blocked or down between the
Collector and DC
 NTLM authentication is best used as a backup
of FSSO
NTLM Flow
 NTLM is triggered when FGT receives traffic
from an unknown IP address
 Users attempt to access internet with the
browser [whose IP is not in the active FSSO
list]
 Fortigate requests the credentials
[domain/username and password]
 Users browser sends the details to fortigate
 Fortigate validates the credentials and group
membership with CA [TCP 8000]
 Access granted based on membership
FSSO timers
 Workstation Verify interval
--it verifies if the user still logged in
--the status of the user changes to “Not Verified” if it cannot
connect to workstation
--default5min

 Dead entry Timeout interval


--setting applies only to entities with an unverified status
--is used to age out the entry
--when timer expires, the entry is removed from the CA
--default480min [8hrs]
FSSO timers
 IP address change interval
--checks the IP address of logged in users and updates the
Fortigate when users IP address change
--prevents users from being locked out if they change IP
address
--default60sec

 Cache users group


--caches the user group membership for a defined period of
time
AD Access Mode Config
 Standard access mode
--Netbios modeUsername\password
--UTM profile applied to only user group
--nested group is not supported

 Advanced mode
--LDAP convention cn=___, ou=___, dc=__
--UTM profiles applied to both users and groups
--supports nested groups
Troubleshooting
 Info that needs to be collected on the PC

ipconfig /all
echo %logonserver%
echo %username%
net use
time /T
date /T
Questions

You might also like