Skip to main content
s3Raytheon
s3Raytheon
New Member
February 7, 2022
Question

Single firewall policy for VPN/Wifi

  • February 7, 2022
  • 2 replies
  • 2532 views

The network we manage currently only has users connecting remotely via SSL VPN with authentication via LDAP back to Active Directory. This allows all group memberships to be fetched and used in firewall rules.

Each user might be a member of several groups depending on what projects they work on. Firewall policies each have a group on them to allow access only if the user is in the correct group.

 

We now have a requirement to integrate WiFi into the system for users. We have an existing UniFi system which uses WPA-802.1X Radius/NPS to authenticate to Active Directory but this does not fetch all the users groups. Is there a way to use RSSO or FSSO to make this behave similar to in the VPN case, so when a user connects via WiFi they get access to the correct servers based on all their groups?

 

Ideally I would like to create a zone with wifi interface and VPN interface and apply a single firewall policy to both but I don't know if this is possible either.

 

e.g.

User1 is in groups A,B,C,D

User2 is in groups B,C,F

Firewall policy if user in group B they can access serverB.

Firewall policy if user in group F they can access serverF.

2 replies

alasser
Staff
alasser
Staff
February 8, 2022

If these machines are domain joined, and you've setup FSSO properly based off the guide below, then all of the corresponding AD groups would be available within the FortiGate to use for policy creation.

FortiOS 6.4.8 - FSSO 

 

Fortinet Single Sign-On (FSSO), through agents installed on the network, monitors user logons and passes that information to the FortiGate unit. When a user logs on at a workstation in a monitored domain, FSSO:

  • Detects the logon event and records the workstation name, domain, and user,

  • Resolves the workstation name to an IP address,

  • Determines which user groups the user belongs to,

  • Sends the user logon information, including IP address and groups list, to the FortiGate unit, and

  • Creates one or more log entries on the FortiGate unit for this logon event as appropriate.

When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. If the user belongs to one of the permitted user groups associated with that policy then the connection is allowed, otherwise the connection is denied.

 

s3Raytheon
s3RaytheonAuthor
New Member
February 8, 2022

Unfortunately the machines are not domain joined. Does this rule out FSSO? Or would it detect the user logging in to the wifi via radius?

Debbie_FTNT
Staff & Editor
Debbie_FTNT
Staff & Editor
February 8, 2022

If the authentication against NPS triggers a Windows Event Log, then there is a good chance that FSSO can catch the login.

However, with RADIUS authentication you have another option, in particular RADIUS accounting.
If your WiFi solution sends RADIUS accounting messages to FortiGate, then FortiGate can add the users to its logged-on user list.

It does NOT perform an additional group lookup as it would for your VPN users; it would read the groups from attributes in the RADIUS accounting message (by default from the class attribute).
See here: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/85730/radius-single-sign-on-rsso-agent

If you do have an FSSO setup already, you could also have the wireless controller send accounting messages to the Collector Agent.
The Collector Agent does perform a lookup against the domain to get group information, and forwards the user and group information to FortiGate as an FSSO login.

s3Raytheon
s3RaytheonAuthor
New Member
February 11, 2022

I don't currently use FSSO but I will give it a test to see if it will work.

Thanks for the help.

Terms & ConditionsAccessibility statement