Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Creating security policies

Creating security policies

Policies that require FSSO authentication are very similar to other security policies. Using identity-based policies, you can configure access that depends on the FSSO user group. This allows each FSSO user group to have its own level of access to its own group of services

In this situation, Example.com is a company that has its employees and authentication servers on an internal network. The FortiGate unit intercepts all traffic leaving the internal network and requires FSSO authentication to access network resources on the Internet. The following procedure configures the security policy for FSSO authentication. FSSO is installed and configured including the RADIUS server, FSSO Collector agent, and user groups on the FortiGate

For the following procedure, the internal interface is port1 and the external interface connected to the Internet is port2. There is an address group for the internal network called company_network. The FSSO user group is called fsso_group, and the FSSO RADIUS server is fsso_rad_server.

 

To configure an FSSO authentication security policy – web-based manager:

1. Go to Policy & Objects > Policy > IP4 and select Create New.

2. Enter the following information.

Incoming Interface                   port1

Source Address                        company_network

Source User(s)                          fsso_group

Outgoing Interface                   port2

Destination Address                 all

Schedule                                    always

Service                                       HTTP, HTTPS, FTP, and Telnet

Action                                         ACCEPT

NAT                                             ON

UTM Security Profiles              ON for AntiVirus, IPS, Web Filter, and Email Filter, all using default pro- files.

Log Allowed Traffic                  ON. Select Security Events.

3. Select OK.

4. Ensure the FSSO authentication policy is higher in the policy list than more general policies for the same interfaces.

 

To create a security policy for FSSO authentication – CLI:

config firewall policy edit 0

set srcintf port1 set dstintf port2

set srcaddr company_network set dstaddr all

set action accept

set groups fsso_group set schedule always

set service HTTP HTTPS FTP TELNET

set nat enable end

Here is an example of how this FSSO authentication policy is used. Example.com employee on the internal company network logs on to the internal network using their RADIUS username and password. When that user attempts to access the Internet, which requires FSSO authentication, the FortiGate authentication security policy intercepts the session, checks with the FSSO Collector agent to verify the user’s identity and credentials, and then if everything is verified the user is allowed access to the Internet.

 

Enabling guest access through FSSO security policies

You can enable guest users to access FSSO security policies. Guests are users who are unknown to Windows AD and servers that do not logon to a Windows AD domain.

To enable guest access in your FSSO security policy, add an identity-based policy assigned to the built-in user group SSO_Guest_Users. Specify the services, schedule and UTM profiles that apply to guest users — typically guests have access to a reduced set of services. See Creating security policies on page 548.

Creating Fortinet Single Sign-On (FSSO) user groups

Creating Fortinet Single Sign-On (FSSO) user groups

You cannot use Windows or Novell groups directly in FortiGate security policies. You must create FortiGate user groups of the FSSO type and add Windows or Novell groups to them.

 

To create a user group for FSSO authentication – web-based manager:

1. Go to User & Device > User > User Groups and select Create New.

The New User Group dialog box opens.

2. In the Name box, enter a name for the group, FSSO_Internet_users for example.

3. In Type, select Fortinet Single Sign-On (FSSO).

4. In Members, select the required FSSO groups.

5. Select OK.

 

 

To create the FSSO_Internet-users user group – CLI

config user group

edit FSSO_Internet_users

set group-type fsso-service

set member CN=Engineering,cn=users,dc=office,dc=example,dc=com

CN=Sales,cn=users,dc=office,dc=example,dc=com

end

 

Default FSSO group

SSO_Guest_users is a default user group enabled when FSSO is configured. It allows guest users on the network who do not have an FSSO account to authenticate and have access to network resources. See Enabling guest access through FSSO security policies on page 550.

Configuring Single Sign On to Windows AD

Configuring Single Sign On to Windows AD

On the FortiGate unit, security policies control access to network resources based on user groups. With Fortinet Single Sign On, this is also true but each FortiGate user group is associated with one or more Windows AD user groups. This is how Windows AD user groups get authenticated in the FortiGate security policy.

Fortinet Single Sign On sends information about Windows user logons to FortiGate units. If there are many users on your Windows AD domains, the large amount of information might affect the performance of the FortiGate unit.

To configure your FortiGate unit to operate with either a Windows AD or a Novell eDirectory FSSO install, you

  • Configure LDAP access to the Windows AD global catalog. See Configuring LDAP server access on page 546.
  • Configure the LDAP Server as a Single Sign-On server. See Configuring the LDAP Server as a Single Sign-On server on page 547.
  • Add Active Directory user groups to FortiGate FSSO user groups. See Creating Fortinet Single Sign-On (FSSO) user groups on page 548.
  • Create security policies for FSSO-authenticated groups. See Creating security policies on page 548.
  • Optionally, specify a guest protection profile to allow guest access. See Enabling guest access through FSSO security policies on page 550

 

Configuring LDAP server access

The FortiGate unit needs access to the domain controller’s LDAP server to retrieve user group information.

The LDAP configuration on the FortiGate unit not only provides access to the LDAP server, it sets up the retrieval of Windows AD user groups for you to select in FSSO. The LDAP Server configuration (in User & Device > Authentication > LDAP Servers) includes a function to preview the LDAP server’s response to your distinguished name query. If you already know the appropriate Distinguished Name (DN) and User DN settings, you may be able to skip some of the following steps.

 

To add an LDAP server – web-based manager:

1. Go to User & Device > Authentication > LDAP Servers and select Create New.

2. Enter the Server IP/Name and Server Port (default 389).

3. In the Common Name Identifier field, enter sAMAccountName.The default common name identifier is cn.

This is correct for most LDAP servers. However some servers use other identifiers such as uid.

4. In the Distinguished Name field, enter your organization distinguished name. In this example, Distinguished

Name is dc=techdoc,dc=local

5. Select Fetch DN, this will fetch the Windows AD directory.

6. Set Bind Type to Regular.

7. In the User DN field, enter the administrative account name that you created for FSSO.

For example, if the account is administrator, enter “administrator@techdoc.local”.

8. Enter the administrative account password in the Password field.

9. Optionally select Secure Connection.

  • In the Protocol field, select LDAPS or STARTTLS.
  • In the Certificate field, select the appropriate certificate for authentication. Note that you need to configure the Windows AD for secure connection accordingly.

10. Select OK.

11. Test your configuration by selecting the Test button. A successful message confirming the right settings appears.

 

Single Sign-On to Windows AD

Single Sign-On to Windows AD

The FortiGate unit can authenticate users transparently and allow them network access based on their privileges in Windows AD. This means that users who have logged on to the network are not asked again for their credentials to access network resources through the FortiGate unit, hence the term “Single Sign-On”.

The following topics are included:

  • Introduction to Single Sign-On with Windows AD
  • Configuring Single Sign On to Windows AD
  • FortiOS FSSO log messages
  • Testing FSSO
  • Troubleshooting FSSO

 

Introduction to Single Sign-On with Windows AD

Introduced in FortiOS 5.0, Single Sign-On (SSO) support provided by FortiGate polling of domain controllers is simpler than the earlier method that relies on agent software installed on Windows AD network servers. No Fortinet software needs to be installed on the Windows network. The FortiGate unit needs access only to the Windows AD global catalog and event log.

When a Windows AD user logs on at a workstation in a monitored domain, the FortiGate unit

  • detects the logon event in the domain controller’s event log and records the workstation name, domain, and user,
  • resolves the workstation name to an IP address,
  • uses the domain controller’s LDAP server to determine which groups the user belongs to,
  • creates one or more log entries on the FortiGate unit for this logon event as appropriate.

When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. The selection consist of matching the FSSO group or groups the user belongs to with the security policy or policies that match that group. If the user belongs to one of the permitted user groups associated with that policy, the connection is allowed. Otherwise the connection is denied.

Configuring the FortiClient SSO Mobility Agent

Configuring the FortiClient SSO Mobility Agent

The user’s device must have at least FortiClient Endpoint Security v5.0 installed. Only two pieces of information are required to set up the SSO Mobility Agent feature: the FortiAuthenticator unit IP address and the preshared secret.

The user needs to know the FortiAuthenticator IP address and preshared secret to set up the SSO Mobility Agent. Or, you could preconfigure FortiClient.

 

To configure FortiClient SSO Mobility Agent:

1. In FortiClient Endpoint Security, go to File > Settings.

You must run the FortiClient application as an administrator to access these settings.

2. Select Enable single sign-on mobility agent. Enter the FortiAuthenticator unit IP address, including the listening port number specified on the FortiAuthenticator unit.

Example: 192.168.0.99:8001. You can omit the port number if it is 8005.

3. Enter the preshared key.

4. Select OK.

 

Viewing SSO authentication events on the FortiGate unit

User authentication events are logged in the FortiGate event log. Go to Log & Report > Event Log > User.

 

Configuring the FortiGate unit

Configuring the FortiGate unit

Adding a FortiAuthenticator unit as an SSO agent

On the FortiGate unit, you need to add the FortiAuthenticator unit as a Single Sign-On agent that provides user logon information.

Single Sign-On using a FortiAuthenticator unit

 

To add a FortiAuthenticator unit as SSO agent:

1. Go to User & Device > Authentication > Single Sign-On and select Create New.

2. In Type, select Fortinet Single-Sign-On Agent.

3. Enter a Name for the FortiAuthenticator unit.

4. In Primary Agent IP/Name, enter the IP address of the FortiAuthenticator unit.

5. In Password, enter the secret key that you defined for the FortiAuthenticator unit.

On the FortiAuthenticator unit, you go to Fortinet SSO Methods > SSO > General to define the secret key. Select Enable Authentication.

6. Select OK.

In a few minutes, the FortiGate unit receives a list of user groups from the FortiAuthenticator unit. The entry in the Single Sign-On server list shows a blue caret.

When you open the server, you can see the list of groups. You can use the groups in identity-based security policies.

 

Configuring an FSSO user group

You cannot use FortiAuthenticator SSO user groups directly in a security policy. Create an FSSO user group and add FortiAuthenticator SSO user groups to it. FortiGate FSSO user groups are available for selection in identity- based security policies.

To create an FSSO user group:

1. Go to User & Device > User > User Groups and select Create New.

2. Enter a Name for the group.

3. In Type, select Fortinet Single Sign-On (FSSO).

4. Add Members.

The groups available to add as members are SSO groups provided by SSO agents.

5. Select OK.

 

Configuring security policies

You can create identity-based policies based on FSSO groups as you do for local user groups. For more information about security policies see the Firewall chapter.

Configuring the FortiAuthenticator unit

Configuring the FortiAuthenticator unit

The FortiAuthenticator unit can poll FortiGate units, Windows Active Directory, RADIUS servers, LDAP servers, and FortiClients for information about user logon activity.

 

To configure FortiAuthenticator polling:

1. Go to Fortinet SSO Methods > SSO > General.

2. In the FortiGate section, leave the Listening port at 8000, unless your network requires you to change this. The

FortiGate unit must allow traffic on this port to pass through the firewall.

Optionally, you can set the Login Expiry time. This is the length of time users can remain logged in before the system logs them off automatically. The default is 480 minutes (8 hours).

3. Select Enable Authentication and enter the Secret key. Be sure to use the same secret key when configuring the FSSO Agent on FortiGate units.

4. In the Fortinet Single Sign-On (FSSO) section, enter

 

Enable Windows Active Dir- ectory domain controllers

Select for integration with Windows Active Directory.

 

Enable Radius accounting

SSO clients

Select if you want to use a Remote Radius server.

 

Enable Syslog SSO                   Select for integration with Syslog server.

 

Enable FortiClient SSO Mobility Agent service

 

Enable Authentication

Select both options to enable single sign-on by clients running FortiClient Endpoint Security. Enter the Secret key. Be sure to use the same secret key in the FortiClient Single Sign-On Mobility Agent settings.

5. Select OK.

For more information, see the FortiAuthenticator Administration Guide.

Single Sign-On using a FortiAuthenticator unit

Single Sign-On using a FortiAuthenticator unit

If you use a FortiAuthenticator unit in your network as a single sign-on agent,

  • Users can authenticate through a web portal on the FortiAuthenticator unit.
  • Users with FortiClient Endpoint Security installed can be automatically authenticated by the FortiAuthenticator unit through the FortiClient SSO Mobility Agent.

The FortiAuthenticator unit can integrate with external network authentication systems such as RADIUS and LDAP to gather user logon information and send it to the FortiGate unit.

 

Users view of FortiAuthenticator SSO authentication

There are two different ways users can authenticate through a FortiAuthenticator unit.

 

Users without FortiClient Endpoint Security – SSO widget

To log onto the network, the user accesses the organization’s web page with a web browser. Embedded on that page is a simple logon widget, like this:

User not logged in. Click Login to go to the FortiAuthenticator login page.

User logged in. Name displayed. Logout button available.

The SSO widget sets a cookie on the user’s browser. When the user browses to a page containing the login widget, the FortiAuthenticator unit recognizes the user and updates its database if the user’s IP address has changed. The user will not need to re-authenticate until the login timeout expires, which can be up to 30 days.

 

Users with FortiClient Endpoint Security – FortiClient SSO Mobility Agent

The user simply accesses resources and all authentication is performed transparently with no request for credentials. IP address changes, such as those due to WiFi roaming, are automatically sent to the FortiAuthenticator unit. When the user logs off or otherwise disconnects from the network, the FortiAuthenticator unit is aware of this and deauthenticates the user.

The FortiClient SSO Mobility Agent, a feature of FortiClient Endpoint Security v5.0, must be configured to communicate with the appropriate FortiAuthenticator unit. After that, the agent automatically provides user name and IP address information to the FortiAuthenticator unit for transparent authentication.

 

Administrators view of FortiAuthenticator SSO authentication

You can configure either or both of these authentication types on your network.

 

SSO widget

You need to configure the Single Sign-On portal on the FortiAuthenticator unit. Go to Fortinet SSO Methods > SSO > Portal Services to do this. Copy the Embeddable login widget code for use on your organization’s home page. Identity-based security policies on the FortiGate unit determine which users or groups of users can access which network resources.

 

FortiClient SSO Mobility Agent

Your users must be running at least FortiClient Endpoint Security v5.0 to make use of this type of authentication. On the FortiAuthenticator unit, you need to select Enable FortiClient SSO Mobility Agent Service, optionally

select Enable Authentication and choose a Secret key. Go to Fortinet SSO Methods > SSO > General. You need to provide your users the FortiAuthenticator IP address and secret key so that they can configure the FortiClient SSO Mobility Agent on their computers. See Configuring the FortiGate unit on page 542.