- Not all group types are supported. AD supports filtering groups only from:
- Security Groups
- Universal Groups
- Groups inside OUs
- Local or universal groups that contain universal groups from child domains
- All FortiGate configurations include a suer group called SSO_Guest_Users
- When only passive authentication is used, all the users that do not belong to any FSSO group are automatically included in this guest group
- This allows an admin to configure limited network access to guest users that do not belong to the Windows AD domain
- But if both passive and active authentication are enabled for specific traffic you cant use
SSO_Guest_Users
- This is bcs traffic from IP addresses not on the FSSO user list must be prompted to enter their credentials