Authentication for FortiOS 5.0, Chapter 3 (Examples and Troubleshooting): Firewall authentication example: Creating user groups

Creating the FSSO user group
For this example, assume that FSSO has already been set up on the Windows network and that it uses Advanced mode, meaning that it uses LDAP to access user group information. You need to:
configure LDAP access to the Windows AD global catalog
specify the collector agent that sends user logon information to the FortiGate unit
select the Windows user groups to monitor
select the Engineering and Sales groups and add them to an FSSO user group
To configure LDAP for FSSO - web-based manager
1. Go to User & Device > Authentication > LDAP Servers and select Create New.
2. Enter the following information:
Name: ADserver
Server Name / IP: 10.11.101.160
Distinguished Name: dc=office,dc=example,dc=com
Bind Type: Regular
User DN: cn=FSSO_Admin,cn=users,dc=office,dc=example,dc=com
Password: set_a_secure_password
Leave other fields at their default values.
3. Select OK.
To configure LDAP for FSSO - CLI
config user ldap
    edit "ADserver"
        set server "10.11.101.160"
        set dn "cn=users,dc=office,dc=example,dc=com"
        set type regular
        set username "cn=administrator,cn=users,dc=office,dc=example,dc=com"
        set password set_a_secure_password
    next
end
To specify the collector agent for FSSO - web-based manager
1. Go to User & Device > Authentication > Single Sign-On.
2. Select Fortinet Single Sign-On Agent.
3. Enter the following information:
Name: WinGroups
Primary Agent IP/Name: 10.11.101.160
Password: fortinet_canada
LDAP Server: ADserver
4. Select Apply & Refresh.
In a few minutes, the FortiGate unit downloads the list of user groups from the server.
To specify the collector agent for FSSO - CLI
config user fsso
    edit "WinGroups"
        set ldap-server "ADserver"
        set password ENC G7GQV7NEqilCM9jKmVmJJFVvhQ2+wtNEe9T0iYA5Sa+EqT2J8zhOrbkJFDr0RmY3c4LaoXdsoBczA1dONmcGfthTxxwGsigzGpbJdC71spFlQYtj
        set server "10.11.101.160"
    next
end
To create the FSSO_Internet_users user group - web-based manager
1. Go to User & Device > User > User Groups and select Create New.
2. Enter the group name, FSSO_Internet_users.
3. Select Fortinet Single Sign-On (FSSO).
4. In the Available Members list, select the Engineering and Sales groups and then select the right arrow button to move them to the Members list.
5. Select OK.
To create the FSSO_Internet_users user group - CLI
config user group
    edit "FSSO_Internet_users"
        set group-type fsso-service
        set member "CN=Engineering,cn=users,dc=office,dc=example,dc=com" "CN=Sales,cn=users,dc=office,dc=example,dc=com"
    next
end
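As an added example (not Fortinet's code), the following Python script parses FortiOS CLI blocks like the three on this page and checks that they agree with each other: the FSSO agent's ldap-server must name a defined LDAP server, a regular bind must carry a username and password, and every FSSO group member DN must sit under an LDAP server's base DN. The embedded sample is constructed from the CLI values on this page, with the server IP and the encrypted agent password left out.

```python
# Added example (not Fortinet's code): parse the FortiOS CLI blocks on this page and check they agree.
import re
SAMPLE_CONFIG = """\
config user ldap
    edit "ADserver"
        set dn "cn=users,dc=office,dc=example,dc=com"
        set type regular
        set username "cn=administrator,cn=users,dc=office,dc=example,dc=com"
        set password set_a_secure_password
end
config user fsso
    edit "WinGroups"
        set ldap-server "ADserver"
end
config user group
    edit FSSO_Internet_users
        set group-type fsso-service
        set member "CN=Engineering,cn=users,dc=office,dc=example,dc=com" "CN=Sales,cn=users,dc=office,dc=example,dc=com"
end
"""  # constructed sample mirroring the page's CLI values ('end' also closes the open edit)

def parse_fortios(text):  # returns {table: {entry: {key: [values]}}}; quotes stripped, quoted spaces kept
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok and tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok and tok[0] == "set":
            entry[tok[1]] = tok[2:]
        elif tok and tok[0] == "end":
            table = entry = None
    return tables

def check_fsso(cfg):
    """Return a list of findings; an empty list means the three blocks are consistent."""
    ldap, findings = cfg.get("user ldap", {}), []
    for name, srv in ldap.items():  # Bind Type Regular needs a bind DN and password
        if srv.get("type") == ["regular"] and not (srv.get("username") and srv.get("password")):
            findings.append(f"ldap {name}: regular bind without username/password")
    for name, agent in cfg.get("user fsso", {}).items():  # agent must reference a defined LDAP server
        if agent.get("ldap-server", [None])[0] not in ldap:
            findings.append(f"fsso {name}: ldap-server is not a defined LDAP server")
    for name, grp in cfg.get("user group", {}).items():  # FSSO member DNs must sit under a base DN
        for dn in grp.get("member", []) if grp.get("group-type") == ["fsso-service"] else []:
            if not any(dn.lower().endswith("," + s["dn"][0].lower()) for s in ldap.values() if "dn" in s):
                findings.append(f"group {name}: member {dn} is outside every LDAP base DN")
    return findings
```

Run it against the output of `show user ldap`, `show user fsso` and `show user group` from a real unit; an empty result means the three objects reference each other consistently.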