FortiGate
sjoshi
Staff
Article Id 339382
Description

This article describes how to configure Zero Trust Network Access (ZTNA) for SaaS applications with RADIUS authentication: the authentication scheme, the authentication rule that applies it, and the user group selected on the ZTNA proxy policy.

 

Scope

FortiGate.

 

Solution

Once the ZTNA access proxy configuration for SaaS access is complete, the next step is to configure an authentication scheme (basic authentication checked against the RADIUS server) and an authentication rule that applies it, so that the user is verified before the ZTNA proxy policy is matched.

 

Go to Policy & Objects -> Authentication Rules and select Authentication Schemes. Create a scheme with the method set to Basic and the RADIUS server as its user database.

[Screenshot: Authentication Scheme configuration]

 

 

Go to Policy & Objects -> Authentication Rules and create an authentication rule that uses this scheme as its active authentication method.

[Screenshot: Authentication Rule configuration]

 

 

 

Once the authentication rule is in place, edit the ZTNA proxy policy and select the RADIUS user group as the source user group.

[Screenshot: ZTNA proxy policy with the user group selected]
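The same objects expressed in the FortiOS CLI, as an added example that is not part of the original article. The object names, the RADIUS server address, the shared secret placeholder and the policy ID are assumptions, and the access proxy "ztna-saas-proxy" is assumed to exist already from the earlier SaaS access proxy configuration.

```text
# Added example, not from the original article. Names, addresses and IDs are assumptions.

# RADIUS server and the user group that the ZTNA proxy policy will reference
config user radius
    edit "RADIUS-SERVER"
        set server "10.5.18.10"
        set secret "<shared-secret>"
    next
end
config user group
    edit "RADIUS-USERS"
        set member "RADIUS-SERVER"
    next
end

# Authentication scheme: HTTP basic authentication checked against the RADIUS server
config authentication scheme
    edit "ztna-radius-basic"
        set method basic
        set user-database "RADIUS-SERVER"
    next
end

# Authentication rule: apply the scheme to HTTP traffic handled by the proxy
config authentication rule
    edit "ztna-radius-rule"
        set status enable
        set protocol http
        set srcaddr "all"
        set active-auth-method "ztna-radius-basic"
    next
end

# ZTNA proxy policy for the SaaS access proxy, restricted to the RADIUS user group
config firewall proxy-policy
    edit 1
        set name "ztna-saas-radius"
        set proxy access-proxy
        set access-proxy "ztna-saas-proxy"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set groups "RADIUS-USERS"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

The policy ID chosen here (1) is what later appears as pol_id in the proxy user table, which is a quick way to confirm that the authenticated session matched the intended ZTNA policy rather than a more permissive one.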

 

From the FortiClient endpoint, access any of the ZTNA destination SaaS applications, for example Webex. An authentication popup is triggered; once the correct credentials are entered and accepted by the RADIUS server, the ZTNA proxy policy is matched.

[Screenshot: authentication prompt on the endpoint]

 

User information can also be verified on the FortiGate with the help of the 'diagnose wad user list' command:

 

chameleon-kvm72 # diagnose wad user list

ID: 2, VDOM: root, IPv4: 10.5.18.235
user name : fortinet
worker : 0
duration : 156
auth_type : IP
auth_method : Basic
pol_id : 1
g_id : 2
user_based : 0
expire : no
LAN:
bytes_in=214873 bytes_out=1067135
WAN:
bytes_in=861993 bytes_out=117537
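When several users or policies are involved, reading this table by eye gets error-prone. The following is an added example (not part of the original article) that parses 'diagnose wad user list' output of the shape shown above and flags entries that did not match the expected ZTNA proxy policy or authentication method. The sample text is constructed for the example: the first entry copies the one above, the second entry (user "alice", pol_id 2) is invented so that the check has something to flag.

```python
import re

# Constructed sample modelled on the 'diagnose wad user list' output above.
# The second entry is invented for the example.
SAMPLE = """\
chameleon-kvm72 # diagnose wad user list

ID: 2, VDOM: root, IPv4: 10.5.18.235
user name : fortinet
worker : 0
duration : 156
auth_type : IP
auth_method : Basic
pol_id : 1
g_id : 2
user_based : 0
expire : no
LAN:
bytes_in=214873 bytes_out=1067135
WAN:
bytes_in=861993 bytes_out=117537

ID: 3, VDOM: root, IPv4: 10.5.18.240
user name : alice
worker : 1
duration : 12
auth_type : IP
auth_method : Basic
pol_id : 2
g_id : 2
user_based : 0
expire : no
LAN:
bytes_in=1024 bytes_out=2048
WAN:
bytes_in=4096 bytes_out=512
"""

HEADER = re.compile(r"^ID:\s*(\d+),\s*VDOM:\s*([^,\s]+),\s*IPv4:\s*(\S+)")
KV = re.compile(r"^([A-Za-z_ ]+?)\s*:\s*(.*)$")
COUNTERS = re.compile(r"^bytes_in=(\d+)\s+bytes_out=(\d+)")


def parse_wad_user_list(text):
    """Return one dict per authenticated proxy user found in the output."""
    users = []
    cur = None      # entry currently being filled
    section = None  # 'lan' or 'wan' while reading byte counters
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:  # 'ID: n, VDOM: x, IPv4: a.b.c.d' starts a new entry
            cur = {"id": int(m.group(1)), "vdom": m.group(2), "ip": m.group(3)}
            users.append(cur)
            section = None
            continue
        if cur is None:  # prompt line or anything before the first entry
            continue
        if line in ("LAN:", "WAN:"):
            section = line[:-1].lower()
            continue
        m = COUNTERS.match(line)
        if m and section:
            cur[section] = {"bytes_in": int(m.group(1)), "bytes_out": int(m.group(2))}
            continue
        m = KV.match(line)
        if m:  # 'key : value' fields; numeric values become ints
            key = m.group(1).strip().replace(" ", "_")
            val = m.group(2).strip()
            cur[key] = int(val) if val.isdigit() else val
    return users


def check_ztna_auth(users, expected_pol_id, expected_method="Basic"):
    """Split users into those that matched the expected proxy policy with the
    expected (still valid) authentication, and those that did not."""
    ok, flagged = [], []
    for u in users:
        good = (u.get("pol_id") == expected_pol_id
                and u.get("auth_method") == expected_method
                and u.get("expire") == "no")
        (ok if good else flagged).append(u.get("user_name"))
    return ok, flagged


if __name__ == "__main__":
    users = parse_wad_user_list(SAMPLE)
    print(check_ztna_auth(users, expected_pol_id=1))  # prints (['fortinet'], ['alice'])
```

Run it against real output by piping the command result into parse_wad_user_list; the expected_pol_id is the ID of the ZTNA proxy policy configured for the SaaS access proxy.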

 

In this entry, auth_method Basic confirms that the credentials were collected through the basic-authentication popup, auth_type IP together with user_based 0 shows that the authenticated session is tied to the endpoint's IP address (10.5.18.235), pol_id 1 is the ID of the ZTNA proxy policy that was matched, and expire no means the authentication has not timed out. In the ZTNA traffic logs the source field now carries both the username and the IP address:

[Screenshot: ZTNA traffic log showing the source user and IP address]
