mturic (Staff)
Article Id 195703
Description
This article describes the necessary procedure to include Mac OS logon events in the FSSO authentication process.
Since FSSO is built around Microsoft Windows and Novell network authentication, Mac OS must be included in one of those authentication processes.

Useful link:
Fortinet Documentation: https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/FSAE.htm

Scope
Fortinet Single Sign-On

Solution
In this scenario, the focus is on a Mac OS user who logs in via Windows Active Directory.

FSSO can be configured in two ways to collect user-workstation logon information from the AD: DC-Agent mode and Polling mode.
DC-Agent mode collects the information directly from LSASS by monitoring for specific logon events, while Polling mode collects it from the Windows Security Event Log.

Since a Mac OS logon generates logon events on the DC, Polling mode must be used for Mac OS FSSO authentication to succeed.
EventID 4624 was added to the default polling event subset in 2018 for better support of MacOS and newer Windows server platforms.
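To confirm that a Mac logon actually produces the 4624 events that Polling mode reads, the following PowerShell query (an added example, not part of the original article or of Fortinet's tooling) lists recent 4624 events from the DC's Security log with the account, workstation name and source IP. The parameter names and the one-hour default window are assumptions.

```powershell
# Added example: list recent 4624 logon events on a DC and show which workstation and
# source IP produced them. Run on the DC, or point -ComputerName at it.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local DC by default
    [int]$Hours = 1                               # assumption: look back one hour
)

# Polling mode reads the Security log; 4624 is the "account was successfully logged on" event
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Pull the named EventData fields from the event XML instead of relying on positions
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Workstation = $data.WorkstationName
            SourceIP    = $data.IpAddress
            LogonType   = $data.LogonType
        }
    } |
    # Drop computer accounts (names ending in $) so only user logons remain; a Mac client
    # appears under its hostname, or with an empty Workstation and only a source IP
    Where-Object { $_.User -notlike '*$' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

If the Mac user's account never appears here after a logon, the collector has nothing to poll and the NTLM fallback described below is the practical workaround.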

When processing logon events from Mac users, note that the workstation check fails: Mac OS workstations have no Windows registry and are not accessible over WMI, so the collector cannot verify whether the user is still logged on.
When the workstation check fails, the user is deauthenticated from FSSO once the dead entry timeout interval expires, regardless of whether the user is still logged on.


NTLM fallback for FSSO:

If the logon events are not seen on the AD domain controller, NTLM fallback can be configured as a workaround.
This is a browser-based authentication method that requires users to log on via the browser.
Non-Windows machines will be prompted to enter their AD user credentials. This is also a good fallback option for FSSO users if FSSO fails at any time, since users are given a simple way to continue their work.


NTLM fallback can be configured as follows (FortiGate CLI):

    config firewall policy
        edit <policy_id>
            set ntlm enable
        end

General Troubleshooting - Mac OS X users can't access external resources after waking from sleep mode

When client computers running Mac OS X (10.6.X and higher) wake up from sleep mode, the user must authenticate again to be able to access external resources.
If the user does not re-authenticate, the user will maintain access to internal web sites, but will be unable to access any external resources.

This issue is caused by Mac OS X not providing sufficient information to FSSO. As a result, the FortiGate blocks the user's access because the user cannot be authenticated.


Solution:

The security settings on the client computer(s) must be configured to require a username and password when exiting sleep mode or the screen saver.
With this setting enabled in Mac OS X, the FortiGate receives the authentication information it requires to authenticate the user and allow access.

Note: If the user reverts the setting and disables the password requirement, the issue will reappear.


Related Articles

Technical Tip: Windows event IDs used by FSSO in WinSec polling mode