Hi guys, I will do my best to explain to you why this is needed on my end. Sorry for the delay but, you know, holidays off work and all that haha.
Fortigate: We bought this product to leverage its ability to use Active Directory Security Groups to filter firewall policies dynamically based on user memberships instead of devices/IPs (old school firewall).
Having the Fortigate Single Sign-On Agent (FSSO) configured on our network makes the magic happen for all wired devices joined to our AD domain. The Agent scans the Event Logs on Domain Controllers and, in real time, knows who is connected on what device and applies the right FW policies according to AD group membership.
This makes it easy for FW policy management as it is simply "another AD group" to add to the user instead of relying on the network guys to make changes directly in the firewall and maintain device names linked to users, etc.
That part I believe you knew and understood.
Wifi: It was extremely easy to make this work for all (domain joined or not) WiFi clients with ClearPass. Simply forward the RADIUS Accounting to the FSSO Agent and voilà, the Fortigate now knows that Device X belongs to user Y, and all existing policies for the wired devices now also work with the wireless devices for the same users/groups.
Logically, from home with the VPN, it should be the same way, don't you think? Even more so this year since everybody is working from home and the goal is to be as close to the office environment as possible. So there was my goal for fall 2020: make Fortigate's SSL VPN work with AD group membership for FW policies.
All white papers and documents describe how to "send to Fortigate" a group name and use that on the Fortigate side of things to separate users like employees, guests, etc. This is all well and easy to use but this is not the solution I needed. I needed the "big guns" with AD authentication and all group memberships in the same way I use them for wired and wireless.
While Fortigate's VPN requires a different set of Firewall Rules than wired/wireless at least I can reuse the same logic and groups to give access to our remote workers.
Now that this is working it is incredibly smooth to work from home on our own PCs without even being "domain joined". It is a joy to administer and, so far, the tests are conclusive that this is a much better way to "remote work" than the old "remote desktop to your work PC to do your things".
Don't hesitate if you need more info on any part of this.
Happy New Year to all of you!
------------------------------
Alex Beaudet
Network/Sysadmin
Université du Québec à Trois-Rivières
Quebec, Canada
------------------------------
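To illustrate the accounting-forwarding step described above (ClearPass forwards RADIUS Accounting and the collector learns which user owns which IP), here is an added example that is not from this thread nor from any Fortinet or Aruba code: a toy FSSO-style collector in Python that verifies the RFC 2866 Request Authenticator against the shared secret before trusting a User-Name/Framed-IP-Address mapping, and applies Start/Stop semantics. The shared secret, user name and IP address are constructed sample values.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# RADIUS constants from RFC 2865/2866
ACCT_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_ACCT_STATUS = 1, 8, 40
ACCT_START, ACCT_STOP = 1, 2

def build_acct_request(secret: bytes, ident: int, user: str, ip: str, status: int) -> bytes:
    """Build an Accounting-Request as a NAS (or ClearPass forwarding it) would. Constructed sample."""
    attrs = (bytes([ATTR_USER_NAME, 2 + len(user)]) + user.encode()
             + bytes([ATTR_FRAMED_IP, 6]) + IPv4Address(ip).packed
             + bytes([ATTR_ACCT_STATUS, 6]) + struct.pack(">I", status))
    header = struct.pack(">BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # RFC 2866: Request Authenticator = MD5(Code+ID+Length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse_attrs(data: bytes) -> dict:
    """Walk the TLV attribute list; reject truncated or zero-length attributes."""
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[pos + 2:pos + l]
        pos += l
    return attrs

class UserIpTable:
    """Minimal FSSO-style collector: Framed-IP-Address -> User-Name, fed by accounting."""
    def __init__(self, secret: bytes):
        self.secret, self.by_ip = secret, {}

    def ingest(self, packet: bytes) -> dict:
        code, _ident, length = struct.unpack(">BBH", packet[:4])
        if code != ACCT_REQUEST or length != len(packet) or length < 20:
            raise ValueError("not a well-formed Accounting-Request")
        attrs = packet[20:]
        expected = hashlib.md5(packet[:4] + bytes(16) + attrs + self.secret).digest()
        if not hmac.compare_digest(packet[4:20], expected):
            raise ValueError("bad Request Authenticator")  # not signed with our secret: ignore
        a = parse_attrs(attrs)
        user = a[ATTR_USER_NAME].decode()
        ip = str(IPv4Address(a[ATTR_FRAMED_IP]))
        status = struct.unpack(">I", a[ATTR_ACCT_STATUS])[0]
        if status == ACCT_START:
            self.by_ip[ip] = user          # logon: bind the IP to the user
        elif status == ACCT_STOP and self.by_ip.get(ip) == user:
            del self.by_ip[ip]             # logoff: only the owning user can release the IP
        return dict(self.by_ip)
```

A real FSSO collector also ages out entries and resolves the user's AD groups; the point here is that the mapping is only as trustworthy as the accounting source, so the shared secret check must happen before anything is learned from the packet.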
Original Message:
Sent: Dec 21, 2020 06:19 AM
From: Alexis La Goutte
Subject: CPPM + Fortimanager + FSSO
+1 with GoAruba
or maybe it is for auth on another firewall?
------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...
PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)
PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..
ACEP / ACMX #107 / ACDX #1281
Original Message:
Sent: Dec 20, 2020 06:34 AM
From: Alper Kurt
Subject: CPPM + Fortimanager + FSSO
Hi Alex,
I am investigating this topic and scenario.
I did not understand why you need SSO for the SSL VPN users policy.
When somebody connects via FortiClient, the Fortigate itself can detect the user group and we make a policy with this.