config global
config system global
set auth-policy-exact-match disable
end
end

By default, user authentication only applies to the rule in which the authentication request was made. By setting this value, we can authenticate users using a dummy TELNET policy and then have that validated user session apply to all policies using the same user group.

config vdom
edit Auth
end

Next, create an Inter-VDOM Link between your main VDOM and the new Auth VDOM. In this case we will use the 'root' VDOM.

config global
config system vdom-link
edit "AuthLink"
next
end
config system interface
edit "AuthLink0"
set vdom "root"
set ip 192.168.6.1 255.255.255.0
set type vdom-link
next
edit "AuthLink1"
set vdom "Auth"
set ip 192.168.6.2 255.255.255.0
set type vdom-link
next
end

Be sure the IP addresses you configure on the Inter-VDOM link are not used elsewhere in your configuration. Next, create a Virtual IP to translate the TELNET challenge request over the Inter-VDOM Link.

config vdom
edit root
config firewall vip
edit "AuthNat"
set extip 192.168.10.4
set extintf "port2"
set portforward enable
set mappedip 192.168.6.2
set extport 23
set mappedport 23
next
end

In this case, the test hosts are sitting behind 'port2' and the interface IP address for 'port2' is 192.168.10.4. The IP address for 'AuthLink1' is 192.168.6.2, so we use that as the mapped IP. The NAT is also limited to port 23 for TELNET.

config vdom
edit root
config firewall policy
edit 1
set srcintf "port2"
set dstintf "AuthLink0"
set srcaddr "all"
set dstaddr "AuthNat"
set action accept
set identity-based enable
set nat enable
config identity-based-policy
edit 1
set schedule "always"
set groups "UsrGrp"
set service "TELNET"
next
end
next
end

In the rule above, 'UsrGrp' is the user group used to validate authentication. Now that the dummy TELNET rule is in place, we can add additional rules to enforce access based on user authentication. In the following example, we are only allowing PING requests to hosts on 'port1' if the user is authenticated. To do this:

config vdom
edit root
config firewall policy
edit 2
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set identity-based enable
set nat enable
config identity-based-policy
edit 1
set schedule "always"
set groups "UsrGrp"
set service "PING"
next
end
next
end

At this point, the main configuration is done. You can customize your policy to suit any of your authentication needs. Also, by default, authentication sessions only last 5 minutes. You can tune this time with the following commands:

config vdom
edit root
config user setting
set auth-timeout 480
end

In this example, the timeout has been raised to 8 hours.

Firewall Authentication required before proceeding with service
login: test
password: ******
Welcome to Fortinet Firewall
Authentication is successful, please connect again
Connection to host lost.

Once you've been successfully authenticated, you can check the authenticated sessions on the FortiGate like this:

Fortigate-VM64 (root) # diagnose firewall auth list
policy id: 1, src: 192.168.10.155, action: accept, timeout: 293
user: test, group: UsrGrp
flag (80020): auth timeout_ext, flag2 (0):
group id: 3
----- 1 listed, 0 filtered ------

At this point, any Identity Based Policies that enforce the group 'UsrGrp' will be allowed from the source IP address of the authenticated host (192.168.10.155).
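Because the dummy TELNET rule grants every policy bound to 'UsrGrp' from whichever source address authenticated, it is worth periodically listing which hosts currently hold such a session. The following added example (not part of the Fortinet article) parses the output format of `diagnose firewall auth list` shown above; the sample output is constructed, with a second entry added to exercise the parser, and `authorized_sources` and `parse_auth_list` are hypothetical helper names.

```python
import re

# Constructed sample in the format shown above (the article lists one entry;
# a second entry is added here to exercise the parser).
SAMPLE_AUTH_LIST = """\
policy id: 1, src: 192.168.10.155, action: accept, timeout: 293
user: test, group: UsrGrp
flag (80020): auth timeout_ext, flag2 (0):
group id: 3
policy id: 1, src: 192.168.10.160, action: accept, timeout: 28740
user: alice, group: UsrGrp
flag (80020): auth timeout_ext, flag2 (0):
group id: 3
----- 2 listed, 0 filtered ------
"""

ENTRY_RE = re.compile(r"policy id: (\d+), src: ([\d.]+), action: (\w+), timeout: (\d+)")
USER_RE = re.compile(r"user: (\S+), group: (\S+)")
SUMMARY_RE = re.compile(r"-+ (\d+) listed, (\d+) filtered -+")


def parse_auth_list(text):
    """Turn 'diagnose firewall auth list' output into a list of session dicts.

    Raises ValueError if the trailing summary count disagrees with the number
    of entries parsed (a sign of truncated or unexpected output).
    """
    sessions, listed = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            sessions.append({"policy_id": int(m[1]), "src": m[2],
                             "action": m[3], "timeout": int(m[4])})
        elif (m := USER_RE.match(line)) and sessions:
            sessions[-1]["user"], sessions[-1]["group"] = m[1], m[2]
        elif m := SUMMARY_RE.match(line):
            listed = int(m[1])
    if listed is not None and listed != len(sessions):
        raise ValueError(f"summary lists {listed} entries, parsed {len(sessions)}")
    return sessions


def authorized_sources(sessions, group, auth_timeout_minutes):
    """Return (source IPs holding a session for `group`, sources whose remaining
    timeout exceeds the configured auth-timeout and deserve a closer look)."""
    limit = auth_timeout_minutes * 60
    sources = sorted(s["src"] for s in sessions if s.get("group") == group)
    over_limit = [s["src"] for s in sessions if s["timeout"] > limit]
    return sources, over_limit


if __name__ == "__main__":
    print(authorized_sources(parse_auth_list(SAMPLE_AUTH_LIST), "UsrGrp", 480))
```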
Copyright 2024 Fortinet, Inc. All Rights Reserved.