FortiGate
princes, Staff
Article Id 336729
Description

This article describes a solution for environments where LAN systems do not have static IP addresses and the MAC address is to be used as the firewall policy source.

By default, it is not possible to use a source MAC address in a firewall policy that requires LDAP authentication, since the authentication is only triggered when an IP address is the source.

Scope

All FortiGate versions.

Solution

If it is desired to authenticate the user with LDAP and specify the source MAC address in the source field of the FortiGate firewall policy, the authentication will fail by default.

 

Even if testing the user credentials against the LDAP server succeeds, the captive portal authentication page will return an error (authentication failed), whereas it works as expected with the IP address as the source.

 

Now, in some environments, users do not have static IP assignments and it is desired to use a MAC-based policy. For that, it is necessary to enable captive portal authentication on the interface (LAN).

 

It is necessary to reference both the LDAP group and the MAC address object in the firewall policy source (in the example below, the address object "client" holds the MAC addresses).

 


 

config firewall policy
    edit 8
        set uuid 3a1b7386-4f25-51ef-ad8c-d344e5fa4242
        set srcintf "any"
        set dstintf "any"
        set action accept
        set srcaddr "client"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set np-acceleration disable
        set nat enable
        set groups "LDAP_GRP"
    next
end

config user group
    edit "LDAP_GRP"
        set member "LDAP_Test"
        config match
            edit 1
                set server-name "LDAP_Test"
                set group-name "CN=Domain Users,CN=Users,DC=TAMDOMAIN,DC=COM"
            next
        end
    next
end

 

Now, when the user tries to log in, the captive portal authentication is triggered at http://Lan-IP:1000.

If it is desired to change the default port, use the commands below (X and Y are the new HTTP and HTTPS ports):

 

FortiGate# config system global
FortiGate (global)# set auth-http-port X
FortiGate (global)# set auth-https-port Y
FortiGate (global)# end


 

After enabling the authentication at the interface level and making the policy MAC-based, the user is authenticated successfully:

 

FortiGate-81E # diagnose firewall auth list

10.14.10.163, user_0
src_mac: 00:62:61:72:1a:02
type: fw, id: 0, duration: 770, idled: 7
expire: 21593, allow-idle: 21600
server: LDAP_Test
packets: in 1464 out 963, bytes: in 1147675 out 263696
group_id: 4
group_name: LDAP_GRP
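As an added example (not part of the original article), the following Python parser reads the diagnose firewall auth list output shown above and flags sessions authenticated through the LDAP server that carry no src_mac, i.e. sessions that were matched by IP only rather than by the MAC-based policy source. The second entry in the sample is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the 'diagnose firewall auth list' output in
# this article; the second entry is made up and deliberately lacks src_mac.
SAMPLE_OUTPUT = """\
10.14.10.163, user_0
src_mac: 00:62:61:72:1a:02
type: fw, id: 0, duration: 770, idled: 7
expire: 21593, allow-idle: 21600
server: LDAP_Test
packets: in 1464 out 963, bytes: in 1147675 out 263696
group_id: 4
group_name: LDAP_GRP

10.14.10.77, user_1
type: fw, id: 0, duration: 12, idled: 0
expire: 21588, allow-idle: 21600
server: LDAP_Test
packets: in 3 out 2, bytes: in 180 out 120
group_id: 4
group_name: LDAP_GRP
"""

# Entry header is '<ip>, <user>'; body lines hold comma-separated 'key: value'
# pairs whose values may contain spaces or colons (e.g. the MAC address).
HEADER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)$")
KV_RE = re.compile(r"([\w-]+):\s*([^,]+?)(?=,\s*[\w-]+:|$)")


def parse_auth_list(text: str) -> List[Dict[str, str]]:
    """Return one dict per authenticated session (entries are blank-line separated)."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        header = HEADER_RE.match(lines[0]) if lines else None
        if not header:
            continue  # not a session entry (e.g. the CLI prompt line)
        entry = {"ip": header.group(1), "user": header.group(2)}
        for line in lines[1:]:
            for key, value in KV_RE.findall(line):
                entry[key] = value.strip()
        sessions.append(entry)
    return sessions


def sessions_missing_mac_binding(text: str, server: str = "LDAP_Test") -> List[str]:
    """Users authenticated via `server` whose session has no src_mac (matched by IP, not MAC)."""
    return [s["user"] for s in parse_auth_list(text)
            if s.get("server") == server and "src_mac" not in s]
```

Running sessions_missing_mac_binding on a live auth list after the change gives a quick check that every LDAP session is bound to a MAC address.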

 

Note: There are other ways to achieve this if the user does not want to enable the interface captive portal. In most cases, if IP addresses are not static, hosts obtain them via DHCP, so it is possible to reserve an IP address for the MAC in the DHCP server settings and use a normal IP (subnet) based source in the firewall policy.

 

Related article:  

Technical Tip: How to configure FortiGate to use an LDAP server