LDAP Authentication with Explicit proxy
- November 18, 2016
- 1 reply
- 5333 views
I hope someone could share their personal experiences while I wait for a TAC reply.
As you can see in my network diagram, I have 2 VDOMs, root and TP; the explicit proxy is configured in the root VDOM and the LDAP server is defined in the TP VDOM. My TP VDOM is able to query my AD/LDAP structure.
All settings are already in place. One thing I noticed: if user1 browses the internet, the FortiGate displays the authentication page and user1 enters his/her credentials successfully (can surf the net); now user2 automatically browses the internet WITHOUT authentication.
Which section of my FortiGate configuration do I need to review so that each user must authenticate with their AD credentials before browsing the internet?
Additional facts: user1 and user2 browsers have explicit proxy settings (10.10.11.210)
10.10.11.3 is the core switch VLAN interface
10.10.11.210 is the WAN 1/root IP address
Identity-based policies are created inside the TP VDOM
config web-proxy explicit
    set status enable
    set http-incoming-port 3128
end
config user ldap
    edit "LDAP"
        set server "10.10.0.16"
        set cnid "sAMAccountName"
        set dn "dc=xxxx,dc=yyyyy"
        set type regular
        set username "Administrator@xxxx.yyyy"
        set password ENC
    next
end
config user group
    edit "Allowed"
        set member "LDAP"
        config match
            edit 1
                set server-name "LDAP"
                set group-name "CN=MB_Allow,OU=Groups,DC=xxxx,DC=yyyy"
            next
        end
    next
    edit "Limited"
        set member "LDAP"
        config match
            edit 1
                set server-name "LDAP"
                set group-name "CN=MB_Limited,OU=Groups,DC=xxxx,DC=yyyy"
            next
        end
    next
end
config firewall policy
    edit 1
        set name "Port4-Port5"
        set srcintf "lan4"
        set dstintf "lan5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
    next
    edit 4
        set name "DNS"
        set srcintf "lan5"
        set dstintf "lan4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set utm-status enable
    next
    edit 3
        set name "Limited"
        set srcintf "lan5"
        set dstintf "lan4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set groups "Allowed"
        set comments "Clone of Port5-Port4"
        set webfilter-profile "Allowed"
        set profile-protocol-options "default"
    next
    edit 2
        set name "Allowed"
        set srcintf "lan5"
        set dstintf "lan4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set groups "Limited"
        set comments "Clone of Port4-Port5"
        set webfilter-profile "Limited"
        set profile-protocol-options "default"
    next
end
Appreciate your feedback, badly needed ^_^
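As an added example (not part of the post and not a Fortinet tool), a small Python audit that rebuilds the config/edit/set nesting from a flattened FortiOS CLI paste like the one above and then lists, for the policies on the user-facing path, those that accept traffic with no user group and those whose group label differs from the policy name (a common leftover when a policy is cloned and the group is not updated). The lan5/lan4 interface pair and the sample policies are assumptions taken from the post.

```python
import shlex

KEYWORDS = {"config", "edit", "set", "next", "end"}

# Constructed sample: the policies from the post, flattened the way the page shows them.
SAMPLE = """
config firewall policy
  edit 1 set name "Port4-Port5" set srcintf "lan4" set dstintf "lan5" set service "ALL" next
  edit 4 set name "DNS" set srcintf "lan5" set dstintf "lan4" set service "DNS" next
  edit 3 set name "Limited" set srcintf "lan5" set dstintf "lan4" set service "ALL" set groups "Allowed" next
  edit 2 set name "Allowed" set srcintf "lan5" set dstintf "lan4" set service "ALL" set groups "Limited" next
end
"""

def parse_fortios(text):
    """Rebuild FortiOS CLI nesting from a token stream (works for one-line pastes and indented dumps)."""
    tokens, root, frames, i = shlex.split(text), {}, [], 0
    table, entry = root, None
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("config", "set"):
            j = i + (1 if tok == "config" else 2)
            while j < len(tokens) and tokens[j] not in KEYWORDS:
                j += 1                      # table-name / value tokens run until the next keyword
            if tok == "config":
                frames.append((table, entry))
                owner = entry if entry is not None else table
                table, entry = owner.setdefault(" ".join(tokens[i + 1:j]), {}), None
            else:                           # "set" inside an edit, or directly in a table
                (entry if entry is not None else table)[tokens[i + 1]] = tokens[i + 2:j]
            i = j
        elif tok == "edit":
            entry, i = table.setdefault(tokens[i + 1], {}), i + 2
        elif tok == "next":
            entry, i = None, i + 1
        else:                               # "end": return to the enclosing table
            (table, entry), i = frames.pop(), i + 1
    return root

def audit_policies(root, srcintf="lan5", dstintf="lan4"):
    """Return (policies with no user group, [(policy name, group)] where the two differ)
    for policies from srcintf to dstintf; the interface pair is an assumption from the post."""
    no_group, mismatched = [], []
    for pol in root.get("firewall policy", {}).values():
        if pol.get("srcintf") != [srcintf] or pol.get("dstintf") != [dstintf]:
            continue
        name, groups = pol.get("name", ["?"])[0], pol.get("groups", [])
        if not groups:
            no_group.append(name)
        elif name not in groups:
            mismatched.append((name, groups[0]))
    return no_group, mismatched
```

Running `audit_policies(parse_fortios(SAMPLE))` on the sample reports "DNS" as the only user-facing policy without a group and flags the "Limited"/"Allowed" pair as carrying each other's group.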
