AlexandreL
New Member
May 2, 2016
Question

Fortigate v5.4.0 Authentication in Policy

  • May 2, 2016
  • 1 reply
  • 9363 views

Hi folks, I'm trying to use user authentication in policy and it seems it's not working at all. Actually, I'm trying to force authentication to a random website (sfr.fr). I have an FSSO account with a few users and also an LDAP super group with the same users.

    edit 10
        set uuid 010e1876-0d54-51e6-9f1c-33c8dbd09562
        set srcintf "PARROTHQ"
        set dstintf "CERBER"
        set srcaddr "Parrot_DeepInspection"
        set dstaddr "sfr.fr"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set logtraffic all
        set ntlm enable
        set groups "FSSO_Test" "LDAP_Test"
        set comments "sfr.fr"
    next

Actually nothing works: my user authenticated by FSSO (I can see him in the monitor) isn't able to access sfr.fr. The user who is not logged in doesn't receive any popup for authentication.

Any idea?

    Luiz_Alberto_Camilo
    Explorer II
    May 9, 2016

    Hi Alexandre,

    Can you find this session filtering by source and destination, maybe? In the session information you will find the policy ID, which will show you whether your traffic is passing through the right policy.

        diag sys session filter sadd x.x.x.x
        diag sys session filter dadd x.x.x.x
        diag sys session list

    I suspect that in this case your user is matching another policy.

    Also check the order of your policies. The policy that you mentioned above needs to be above any other outgoing internet policy.

    Also check if your FQDN object is resolving its DNS name to an IP.

    Best regards.

    AlexandreL
    New Member
    May 9, 2016

    I can't find any session for HTTP/HTTPS traffic (denied by a subsequent rule).

    Here is a session list:

    FG200D4615805460 # diagnose sys session list
    session info: proto=1 proto_state=00 duration=20 expire=40 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    user=al.lefebvre state=log may_dirty br npu none acct-ext
    statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
    speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=164->165/165->164 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 172.20.70.22:1->80.125.163.172:8(0.0.0.0:0)
    hook=post dir=reply act=noop 80.125.163.172:1->172.20.70.22:0(0.0.0.0:0)
    misc=0 policy_id=11 auth_info=0 chk_client_info=0 vd=0 serial=07faeeb3 tos=ff/ff app_list=0 app=0 url_cat=0
    dd_type=0 dd_mode=0
    npu_state=0x003000
    npu info: flag=0x81/0x81, offload=6/6, ips_offload=0/0, epid=7/6, ipid=6/7, vlan=0x8064/0x8064
    vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
    total session 1

    Here is the sequence of my rules:
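As an added example (not code from any poster in this thread), a small Python script that automates the check Luiz describes: parse `diagnose sys session list` output, keep the sessions toward the sfr.fr address and report which policy ID each one hit and whether an authenticated user is attached. The sample output is an abridged copy of the ICMP session pasted above plus a constructed HTTPS session; policy ID 10 comes from the question and the address 80.125.163.172 from the pasted session, everything else is assumed.

```python
import re

# Constructed sample: an abridged copy of the ICMP session pasted in this
# thread (policy_id=11) plus an invented HTTPS session that did hit policy 10.
SAMPLE_OUTPUT = """\
session info: proto=1 proto_state=00 duration=20 expire=40 timeout=0
user=al.lefebvre state=log may_dirty br npu none acct-ext
hook=pre dir=org act=noop 172.20.70.22:1->80.125.163.172:8(0.0.0.0:0)
hook=post dir=reply act=noop 80.125.163.172:1->172.20.70.22:0(0.0.0.0:0)
misc=0 policy_id=11 auth_info=0 chk_client_info=0 vd=0 serial=07faeeb3
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600
user=al.lefebvre state=log may_dirty npu none
hook=pre dir=org act=noop 172.20.70.22:51522->80.125.163.172:443(0.0.0.0:0)
hook=post dir=reply act=noop 80.125.163.172:443->172.20.70.22:51522(0.0.0.0:0)
misc=0 policy_id=10 auth_info=0 chk_client_info=0 vd=0 serial=07faeeb4
total session 2
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# Original-direction 4-tuple on the 'hook=pre dir=org' line.
FLOW_RE = re.compile(r"hook=pre dir=org act=\w+ (\S+?):(\d+)->(\S+?):(\d+)")

def parse_sessions(text):
    """Split 'diagnose sys session list' output into one dict per session."""
    sessions = []
    for block in text.split("session info:")[1:]:
        fields = dict(KV_RE.findall(block))  # proto=, user=, policy_id=, ...
        flow = FLOW_RE.search(block)
        if flow:
            fields["src"], fields["sport"], fields["dst"], fields["dport"] = flow.groups()
        sessions.append(fields)
    return sessions

def audit_sessions(text, expected_policy, dst_ip):
    """Return (serial, proto, user, policy_id, verdict) for each session toward dst_ip."""
    report = []
    for s in parse_sessions(text):
        if s.get("dst") != dst_ip:
            continue
        policy_id = int(s["policy_id"])
        user = s.get("user", "")
        if policy_id != expected_policy:
            verdict = f"matched policy {policy_id}, not {expected_policy}: check policy order and service"
        elif not user:
            verdict = "hit the expected policy but no user is attached: authentication did not happen"
        else:
            verdict = "ok"
        report.append((s.get("serial"), int(s["proto"]), user, policy_id, verdict))
    return report
```

Running `audit_sessions(SAMPLE_OUTPUT, 10, "80.125.163.172")` flags the pasted ICMP session as having matched policy 11 rather than 10, which is exactly the "another policy" symptom Luiz suspects.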

     

    emnoc
    New Member
    May 9, 2016

    Agreed, and I would use the diag debug flow to validate what the policy is doing.

    (Here's a blog I finally posted a few years back on tips/tricks for id-policy troubleshooting.) Most of this is relevant in FSSO.

     

    http://socpuppet.blogspot...-policies-trouble.html