Millibhu
New Member
September 22, 2015
Question

Internet Access Authentication with LDAP

  • September 22, 2015
  • 2 replies
  • 19149 views

Hi,

I want to control user access to the internet by creating LDAP authentication.

I'm not quite sure where I have to use this LDAP.

Things I've done so far:

1. Create LDAP server (test successful)

2. Create user group (Firewall type, and choose the remote server to be the LDAP server I just created above)

3. In Network > Interfaces > LAN, I chose the security mode to be captive portal with authentication local and chose the user group from the user group I just created

But when I try to access the internet, it doesn't prompt any login portal. Not sure if I'm missing some step.

Please guide.

Thank you

Millibhu


    xsilver_FTNT
    Staff
    September 22, 2015

    Hi,

    you haven't mentioned it, but you need a firewall policy!

    For more details and config examples refer to the Authentication guide on docs.fortinet.com.

    Kind regards, Tomas

    gschmitt
    New Member
    September 22, 2015

    xsilver wrote:

        Hi,

        you haven't mentioned it, but you need a firewall policy!

        For more details and config examples refer to the Authentication guide on docs.fortinet.com.

        Kind regards, Tomas

    To be specific, your internal to wan policy needs to be set to user group: yourUserGroup

    All other policies (going from internal to wan (all)) need to be authentication or deny.

    Millibhu (Author)
    New Member
    September 24, 2015

    Hi,

    I already modified my security policy (internal to WAN): I specified the source users to be the user group (the group I created to authenticate with LDAP) and the source address to be none (previously the source address was set to any), and set the action to be Accept. But still, when I open the browser, it does not prompt any authentication portal.

    I'm not sure whether I have to choose an authentication method. What I found from the cookbook is that they mention that to authenticate with security policies you need to choose whether to use FSSO Agent, NTLM, Certificate or RADIUS SSO. I tried with NTLM (enable NTLM in the security policy) because I don't want to install any agent on my AD server. But still no hope. (Is it related to my explicit proxy? Because in the explicit proxy policy you cannot choose source users, it can only choose source address.)

    Could you please guide me on what to do next?

    Thanks

    Millibhu

    gschmitt
    New Member
    September 24, 2015

    Millibhu wrote:

        I already modified my security policy (internal to WAN): I specified the source users to be the user group (the group I created to authenticate with LDAP) and the source address to be none (previously the source address was set to any), and set the action to be Accept. But still, when I open the browser, it does not prompt any authentication portal.

    Let's ignore the authentication method for now; if you don't get an authentication page, something is wrong with your policies.

    Take another look at your internal > wan policy.

    It should be:

    Source Interface: internal

    Source User: YourUserGroup

    Source Address: yourInternalNetwork

    Destination Interface: wan1 (or 2 depending on your setup)

    Destination Address: any

    Service: all (or at least http/https)

    NAT on (depending on your setup)

    All other internal > wan policies with the same source IPs need to be deny or authenticate! This is important.
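The policy gschmitt lists above, written out as a FortiOS CLI configuration. This is an added example and not part of the thread or Fortinet's documentation; the LDAP server address 192.0.2.10, the bind account, the object names (ldap-server, ldap-users, internal-net) and the interface names (internal, wan1) are assumptions to be replaced with your own values.

```text
# --- LDAP server the firewall binds to (assumed address and bind DN) ---
config user ldap
    edit "ldap-server"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fortigate-bind,cn=Users,dc=example,dc=com"
        set password <bind-password>
    next
end

# --- Firewall-type user group whose members come from that LDAP server ---
config user group
    edit "ldap-users"
        set member "ldap-server"
    next
end

# --- Address object for the internal network (assumed subnet) ---
config firewall address
    edit "internal-net"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# --- internal > wan1 policy; "set groups" is what makes the FortiGate
#     demand authentication before the traffic is allowed through ---
config firewall policy
    edit 1
        set name "internet-ldap-auth"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "ldap-users"
        set nat enable
    next
end
```

Policies are evaluated top to bottom, so this entry has to sit above any other internal > wan policy that matches the same source addresses. A broader accept policy without a user group placed before it would match first and pass the traffic without ever prompting for credentials, which is the symptom described in the question; as gschmitt says, every other policy for those sources must either require authentication as well or deny.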