Troubleshooting LDAP

The examples in this section use the values from the previous example.

LDAP user test

A quick way to see if the LDAP configuration is correct is to run a diagnose CLI command with LDAP user information. The following command tests with a user called netAdmin and a password of fortinet. If the configuration is correct the test will be successful.

FGT# diag test authserver ldap ldap_server netAdmin fortinet

‘ldap_server’ is not a valid ldap server name — an LDAP server by that name has not been configured on the FortiGate unit, check your spelling.

authenticate ‘netAdmin’ against ‘ldap_server’ failed! — the user netAdmin does not

exist on ldap_server, check your spelling of both the user and sever and ensure the user has been configured on the FortiGate unit.

LDAP authentication debugging

For a more in-depth test, you can use a diag debug command. The sample output from a shows more information about the authentication process that may prove useful if there are any problems.

Ensure the “Allow Dial-in” attribute is still set to “TRUE” and run the following CLI command. fnbamd is the Fortinet non-blocking authentication daemon.

FGT# diag debug enable

FGT# diag debug reset

FGT# diag debug application fnbamd –1 FGT# diag debug enable

The output will look similar to:

get_member_of_groups-Get the memberOf groups.

 

TACACS+ servers

get_member_of_groups- attr=’msNPAllowDialin’, found 1 values

get_member_of_groups-val[0]=’TRUE’ fnbamd_ldap_get_result-Auth accepted fnbamd_ldap_get_result-Going to DONE state res=0

fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS fnbamd_auth_poll_ldap-Passed group matching

If the “Allow Dial-in” attribute is not set but it is expected, the last line of the above output will instead be:

fnbamd_auth_poll_ldap-Failed group matching

TACACS+ servers

When users connect to their corporate network remotely, they do so through a remote access server. As remote access technology has evolved, the need for security when accessing networks has become increasingly important. This need can be filled using a Terminal Access Controller Access-Control System (TACACS+) server.

TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a username and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies the user access to the network.

TACACS+ offers fully encrypted packet bodies, and supports both IP and AppleTalk protocols. TACACS+ uses TCP port 49, which is seen as more reliable than RADIUS’s UDP protocol.

There are several different authentication protocols that TACACS+ can use during the authentication process:

Authentication protocols

Protocol	Definition
ASCII	Machine-independent technique that uses representations of English characters. Requires user to type a username and password that are sent in clear text (unencrypted) and matched with an entry in the user database stored in ASCII format.
PAP	Password Authentication Protocol (PAP) Used to authenticate PPP connections. Transmits passwords and other user information in clear text.
CHAP	Challenge-Handshake Authentication Protocol (CHAP) Provides the same functionality as PAP, but is more secure as it does not send the password and other user information over the network to the security server.
MS-CHAP	MicroSoft Challenge-Handshake Authentication Protocol v1 (MSCHAP) Microsoftspecific version of CHAP.
default	The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.

TACACS+

Configuring a TACACS+ server on the FortiGate unit

A maximum of 10 remote TACACS+ servers can be configured for authentication.

One or more servers must be configured on FortiGate before remote users can be configured. To configure remote users, see Local and remote users on page 50.

The TACACS+ page in the web-based manager (User & Device >

TACACS+ Servers) is not available until a TACACS+ server has been configured in the CLI. For more information see the CLI Reference.

To configure the FortiGate unit for TACACS+ authentication – web-based manager:

1. Go to User & Device > TACACS+ Servers and select Create New.
2. Enter the following information, and select OK.

Name	Enter the name of the TACACS+ server.
Server Name/IP	Enter the server domain name or IP address of the TACACS+ server.
Server Key	Enter the key to access the TACACS+ server.
Authentication Type	Select the authentication type to use for the TACACS+ server. Auto tries PAP, MSCHAP, and CHAP (in that order).

To configure the FortiGate unit for TACACS+ authentication – CLI:

config user tacacs+ edit “TACACS-SERVER” set server [IP_ADDRESS] set key [PASSWORD] set authen-type ascii

next

end config user group edit “TACACS-GROUP” set group-type firewall set member “TACACS-SERVER”

next

end

config system admin edit TACACS-USER set remote-auth enable set accprofile “super_admin”

set vdom “root” set wildcard enable set remote-group “TACACS-GROUP”

next

end

IPv6 TACACS+ server IP address

IPv6 address support is available for TACACS+ servers.

POP3 servers

Syntax

config user tacacs+ edit <name> set server <ipv6 address> set source-ipv6 <ipv6 address>

next

end

POP3 servers

FortiOS can authenticate users who have accounts on POP3 or POP3s email servers. POP3 authentication can be configured only in the CLI.

To configure the FortiGate unit for POP3 authentication:

config user pop3 edit pop3_server1 set server pop3.fortinet.com set secure starttls set port 110

end

To configure a POP3 user group:

config user group edit pop3_grp set member pop3_server1

end

A user group can list up to six POP3 servers as members.

SSO servers

Novell and Microsoft Windows networks provide user authentication based on directory services: eDirectory for Novell, Active Directory for Windows. Users can log on at any computer in the domain and have access to resources as defined in their user account. The Fortinet Single Sign On (FSSO) agent enables FortiGate units to authenticate these network users for security policy or VPN access without asking them again for their username and password.

When a user logs in to the Windows or Novell domain, the FSSO agent sends to the FortiGate unit the user’s IP address and the names of the user groups to which the user belongs. The FortiGate unit uses this information to maintain a copy of the domain controller user group database. Because the domain controller authenticates users, the FortiGate unit does not perform authentication. It recognizes group members by their IP address.

In the FortiOS FSSO configuration, you specify the server where the FSSO Collector agent is installed. The Collector agent retrieves the names of the Novell or Active Directory user groups from the domain controllers on the domains, and then the FortiGate unit gets them from the Collector agent. You cannot use these groups directly. You must define FSSO type user groups on your FortiGate unit and then add the Novell or Active

SSO

Directory user groups to them. The FSSO user groups that you created are used in security policies and VPN configurations to provide access to different services and resources.

FortiAuthenticator servers can replace the Collector agent when FSSO is using polling mode. The benefits of this is that FortiAuthenticator is a stand-alone server that has the necessary FSSO software pre-installed. For more information, see the FortiAuthenticator Administration Guide.

SSO agent configuration settings

The following are SSO configuration settings in Security Fabric > Fabric Connectors.

SSO server List

Lists all the collector agents’ lists that you have configured (along with other Security Fabric connectors). On this page, you can create, edit or delete FSSO agents. There are different types of FSSO agents, each with its own settings.

You can create a redundant configuration on your unit if you install a collector agent on two or more domain controllers. If the current (or first) collector agent fails, the Fortinet unit switches to the next one in its list of up to five collector agents.

Create New	Gives you the option to create a new agent. When you select Create New, you are automatically redirected to the New Fabric Connector page. Select an option from under SSO/Identity.
Edit	Modifies the settings for the selected SSO server. To remove multiple entries from the list, for each servers you want removed, select the check box and then select Delete. To remove all agents from the list, on the FSSO Agent page, select the check box at the top of the check box column and then select Delete.
Delete	Removes an agent from the list on the page.
Settings for Poll Active Directory Server
Server IP/Name       The IP address of the domain controller (DC).
User                       The user ID used to access the domain controller.
Password               Enter the password for the account used to access the DC.
LDAP Server          Select the check box and select an LDAP server to access the Directory Service.
Enable Polling         Enable to allow the FortiGate unit to poll this DC.
Users/Groups         A list of user and user group names retrieved from the DC.

 

Settings when Type is RADIUS Single Sign On Agent

Name                      Enter a name for the SSO server.

Use RADIUS Enable and specify the SSO server secret. Shared Secret

Send RADIUS   Enable to send RADIUS responses. Responses

Settings for Fortinet Single Sign On Agent

Name                      Enter a name for the SSO server.

Primary FSSO  Enter the IP address or name of the Directory Service server where this SSO agent is Agent   installed, along with the password. The maximum number of characters is 63.

FSSO Agent Optionally, add and configured up to four additional FSSO agents, up to a maximum of five.

Collector Agent Select one of the following options: AD access mode l Standard: Enable and view A list of user and user group names retrieved from the server. l Advanced: Enable and select an LDAP server to access the Directory Service.

RSA ACE (SecurID) servers

SecurID is a two-factor system that uses one-time password (OTP) authentication. It is produced by the company RSA. This system includes portable tokens carried by users, an RSA ACE/Server, and an Agent Host. In our configuration, the FortiGate unit is the Agent Host.

Components

When using SecurID, users carry a small device or “token” that generates and displays a pseudo-random password. According to RSA, each SecurID authenticator token has a unique 64-bit symmetric key that is combined with a powerful algorithm to generate a new code every 60 seconds. The token is time-synchronized with the SecurID RSA ACE/Server.

The RSA ACE/Server is the management component of the SecurID system. It stores and validates the information about the SecurID tokens allowed on your network. Alternately the server could be an RSA SecurID 130 Appliance.

The Agent Host is the server on your network, in this case it is the FortiGate unit, that intercepts user logon attempts. The Agent Host gathers the user ID and password entered from their SecurID token, and sends that information to the RSA ACE/Server to be validated. If valid, a reply comes back indicating it is a valid logon and the FortiGate unit allows the user access to the network resources specified in the associated security policy.

RSA ACE (SecurID)

Configuring the SecurID system

To use SecurID with a FortiGate unit, you need:

• to configure the RSA server and the RADIUS server to work with each other (see RSA server documentation) l to configure the RSA SecurID 130 Appliance or
• to configure the FortiGate unit as an Agent Host on the RSA ACE/Server l to configure the FortiGate unit to use the RADIUS server l to create a SecurID user group
• to configure a security policy with SecurID authentication

The following instructions are based on RSA ACE/Server version 5.1, or RSA SecurID 130 Appliance, and assume that you have successfully completed all the external RSA and RADIUS server configuration steps listed above.

For this example, the RSA server is on the internal network, with an IP address of 192.128.100.100. The FortiGate unit internal interface address is 192.168.100.3, RADIUS shared secret is fortinet123, RADIUS server is at IP address 192.168.100.102.

To configure the RSA SecurID 130 appliance

1. Go to the IMS Console for SecurID and logon.
2. Go to RADIUS > RADIUS Clients, and select Add New.
3. Enter the following information to configure your FortiGate as a SecurID Client, and select Save.

RADIUS Client Basics
Client Name	FortiGate
Associated RSA Agent	FortiGate
RADIUS Client Settings
IP Address	192.168.100.3 The IP address of the FortiGate unit internal interface.
Make / Model	Select Standard Radius
Shared Secret	fortinet123 The RADIUS shared secret.
Accounting	Leave unselected
Client Status	Leave unselected

To configure the FortiGate unit as an Agent Host on the RSA ACE/Server

1. On the RSA ACE/Server computer, go to Start > Programs > RSA ACE/Server, and then Database Administration – Host Mode.
2. On the Agent Host menu, select Add Agent Host.
3. Enter and save the following information.

Name	FortiGate
Network Address	192.168.100.3 The IP address of the FortiGate unit.
Secondary Nodes	Optionally enter other IP addresses that resolve to the FortiGate unit.

If needed, refer to the RSA ACE/Server documentation for more information.

To configure the FortiGate unit to use the RADIUS server

1. Go to User & Device > RADIUS Servers and select Create New.
2. Enter the following information, and select OK.

Name	RSA
Primary Server IP/Name	192.168.100.102 Optionally select Test to ensure the IP address is correct and the FortiGate can contact the RADIUS server.
Primary Server Secret	fortinet123
Authentication Scheme	Select Use Default Authentication Scheme.

To create a SecurID user group

1. Go to User & Device > User Groups, and select Create New.
2. Enter the following information.

Name	RSA_group
Type	Firewall

3. In Remote Groups, select Add, then select the RSA server.
4. Select OK.

To create a SecurID user:

1. Go to User & Device > User Definition, and select Create New.
2. Use the wizard to enter the following information, and then select Create.

User Type		Remote RADIUS User
User Name		wloman
RADIUS Server		RSA

RSA ACE (SecurID)

Contact Info	(optional) Enter Email or SMS information
User Group	RSA_group

To test this configuration, on your FortiGate unit use the CLI command:

diagnose test authserver radius RSA auto wloman 111111111

The series of 1s is the one time password that your RSA SecurID token generates and you enter.

Using the SecurID user group for authentication

You can use the SecurID user group in several FortiOS features that authenticate by user group including l Security policy l IPsec VPN XAuth l PPTP VPN l SSL VPN

The following sections assume the SecurID user group is called securIDgrp and has already been configured. Unless otherwise states, default values are used.

Security policy

To use SecurID in a security policy, you must include the SecurID user group in a security policy. This procedure will create a security policy that allows HTTP, FTP, and POP3 traffic from the internal interface to wan1. If these interfaces are not available on your FortiGate unit, substitute other similar interfaces.

To configure a security policy with SecurID authentication

1. Go to Policy & Objects > IPv4 Policy.
2. Select Create New.
3. Enter:

Incoming Interface	internal
Source Address	all
Source User(s)	securIDgrp
Outgoing Interface	wan1
Destination Address	all
Schedule	always
Services	HTTP, FTP, POP3
Action	ACCEPT
NAT	On
Shared Shaper		On, if you want to either limit traffic or guarantee minimum bandwidth for traffic that uses the SecurID security policy. Use the default shaper guarantee-100kbps.
Log Allowed Traffic		On, if you want to generate usage reports on traffic authenticated with this policy.

4. Select OK.

The SecurID security policy is configured.

For more detail on configuring security policies, see the FortiOS Handbook FortiGate Fundamentals guide.

IPsec VPN XAuth

Extended Authentication (XAuth) increases security by requiring user authentication in addition to the pre-shared key.

When creating an IPsec VPN using the wizard, under VPN > IPsec Wizard, select the SecurID User Group on the Authentication page. Members of the SecurID group are required to enter their SecureID code to authenticate.

For more on XAuth, see Configuring XAuth authentication on page 98

PPTP VPN

PPTP VPN is configured in the CLI. In the PPTP configuration (config vpn pptp), set usrgrp to the SecurID user group.

SSL VPN

You need to map the SecurID user group to the portal that will serve SecurID users and include the SecurID user group in the Source User(s) field in the security policy.

To map the SecurID group to an SSL VPN portal:

1. Go to VPN > SSL-VPN Settings.
2. In Authentication/Portal Mapping, select Create New.
3. Enter

Users/Groups	securIDgrp
Portal	Choose the portal.

4. Select OK.

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!