Examples and Troubleshooting Authentication

To create a security policy for FSSO authentication – CLI:

config firewall policy edit 0

set srcintf port2 set dstintf port1

set srcaddr Windows_net set dstaddr all

set action accept

set groups FSSO_Internet_users set schedule always

set service ANY

set nat enable end

 

To create a security policy for local user authentication – web-based manager

1. Go to Policy & Objects > Policy > IPv4 and select Create New.

2. Enter the following information:

 

  Incoming Interface Port3
Source Address Internal_net
Source User(s) Internet_users
Outgoing Interface Port1
Destination Address all
Schedule always
Service ALL
NAT ON
Security Profiles Optionally, enable security profiles.
 

3.

 

Select OK.

 

 

To create a security policy for local user authentication – CLI

config firewall policy edit 0

set srcintf port3 set dstintf port1

set srcaddr internal_net set dstaddr all

set action accept set schedule always

set groups Internet_users set service ANY

set nat enable end

 

LDAP Dial-in using member-attribute example

In this example, users defined in MicroSoft Windows Active Directory (AD) are allowed to set up a VPN connection simply based on an attribute that is set to TRUE, instead of based on their user group. In AD the “Allow Dialin” property is activated in the user properties, and this sets the msNPAllowDialin attribute to “TRUE”.

This same procedure can be used for other member attributes, as your system requires.

To accomplish this with a FortiGate unit, member-attribute must be set. This can only be accomplished through the CLI – the option is not available through the web-based manager.

Before configuring the FortiGate unit, ensure the AD server has the msNPAllowDialin attribute set to “TRUE” for the users in question. If not, those users will not be able to authenticate.

 

To configure user LDAP member-attribute settings – CLI:

config user ldap

edit “ldap_server”

set server “192.168.201.3” set cnid “sAMAccountName”

set dn “DC=fortilabanz,DC=com,DC=au” set type regular

set username “fortigate@sample.com” set password ******

set member-attr “msNPAllowDialin” next

end

 

To configure LDAP group settings – CLI:

config user group edit “ldap_grp”

set member “ldap” config match

edit 1

set server-name “ldap” set group-name “TRUE”

next end

next end

Once these settings are in place, users that are a member of the ldap user group will be able to authenticate. To ensure your settings are correct, here is the sample output from a diag debug command that shows the authentication process.

When the “Allow Dial-in” attribute is set to “TRUE” the following will likely be in the output:

get_member_of_groups-Get the memberOf groups. get_member_of_groups- attr=’msNPAllowDialin’, found 1 values get_member_of_groups-val[0]=’TRUE’

fnbamd_ldap_get_result-Auth accepted fnbamd_ldap_get_result-Going to DONE state res=0 fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS fnbamd_auth_poll_ldap-Passed group matching If the attribute is not set but it is expected, the following will likely be in the output:

get_member_of_groups-Get the memberOf groups. get_member_of_groups- attr=’msNPAllowDialin’, found 1 values get_member_of_groups-val[0]=’FALSE’

fnbamd_ldap_get_result-Auth accepted fnbamd_ldap_get_result-Going to DONE state res=0 fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS fnbamd_auth_poll_ldap-Failed group matching

The only difference between these two outputs is the last line which is either passed or failed based on if the member-attribute is set to the expected value or not.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.