FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Ade_23
Staff
Article Id 352368
Description: This article describes how to use SAML outbound authentication for a user-based NAC policy to assign client devices to a VLAN on a FortiGate managing FortiSwitches.
Scope: FortiOS 6.4 and above.
Solution

There are existing articles and documents on outbound authentication using SAML. For more information or instructions on this topic, refer to the following resources:


This particular case uses Microsoft Entra ID as the SAML IdP and completes the configuration in the following steps.


  1. Configure the SSO object and idp-cert using details from Entra ID. The SP URLs are built from the interface IP of the nac_segment VLAN and port 1003, the captive portal port. Below is an example, followed by images of the nac_segment VLAN interface:


config user saml
    edit "Test-SAML-NAC"
        set entity-id "http://10.255.13.1:1003/saml/metadata/"
        set single-sign-on-url "https://10.255.13.1:1003/saml/login"
        set single-logout-url "https://10.255.13.1:1003/saml/logout"
        set idp-entity-id "https://sts.windows.net/test-saml-id/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/test-saml-id/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/test-saml-id/saml2"
        set idp-cert "ENTRA_IDP_CERT"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end


[Image: Interface1.PNG - nac_segment VLAN interface settings]

[Image: Interface2.PNG - nac_segment VLAN interface settings, continued]


  2. Create a user group whose member is the SSO object created in step 1. The group can also be matched to a specific Entra ID group by using that group's object ID.

config user group
    edit "NAC_Access_SAML"
        set member "Test-SAML-NAC"
        config match
            edit 1
                set server-name "Entra-ID-SAML-Onbrd-vlan"
                set group-name "test-group-object-id"
            next
        end
    next
end


  3. After creating the group, create the NAC policy. The policy category should be user-based, and the policy should specify which VLAN matching users are assigned to. In this case a 'Test-IT' VLAN is used, which needs no configuration beyond an interface IP and a DHCP server.


[Image: NAC policy.PNG - user-based NAC policy assigning the Test-IT VLAN]


  4. Next, configure firewall policies to enable outbound authentication on the nac_segment VLAN. Three policies are required to complete the solution; this specific use case also has Okta for 2FA, so the second policy in the image below has been added with the Okta internet service.


[Image: Policy.PNG - the three firewall policies for the nac_segment VLAN]

[Image: addresses.PNG - address objects used by the policies]


Note:

The first policy (and, in this case, the second) must be exempted from the captive portal, because it carries the traffic needed to complete the authentication process. The nac_segment VLAN must also be added as a source interface of the third policy so that the user is redirected to the original request once authentication is done. Captive portal exemption can be configured in the CLI with the following commands:


config firewall policy
    edit <policy-id>
        set captive-portal-exempt enable
    next
end


If all of these steps are completed correctly, users who connect to a FortiSwitch port with NAC enabled are prompted to authenticate via SSO when they try to browse. If authentication succeeds, they are reassigned to a VLAN according to the NAC policy.
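The following Python script is an added example and is not part of this article or of FortiOS. It parses a 'config user saml' block like the one in step 1 and checks that the SP URLs are built from the nac_segment interface IP and captive portal port 1003, that the Entra ID IdP URLs all reference the same tenant, and that the group-name attribute needed for step 2 is present. The sample block is the article's own configuration; the function names and the finding messages are assumptions of this example.

```python
import re
from urllib.parse import urlparse
# Constructed sample: the SP/IdP settings of the article's "Test-SAML-NAC" object.
SAMPLE_CONFIG = """\
config user saml
    edit "Test-SAML-NAC"
        set entity-id "http://10.255.13.1:1003/saml/metadata/"
        set single-sign-on-url "https://10.255.13.1:1003/saml/login"
        set single-logout-url "https://10.255.13.1:1003/saml/logout"
        set idp-entity-id "https://sts.windows.net/test-saml-id/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/test-saml-id/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/test-saml-id/saml2"
        set idp-cert "ENTRA_IDP_CERT"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end
"""

def parse_user_saml(text):
    """Parse a 'config user saml' block into {object_name: {setting: value}}."""
    objects, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'^edit "(.+)"$', line):
            current = m.group(1)
            objects[current] = {}
        elif (m := re.match(r'^set (\S+) (.+)$', line)) and current is not None:
            objects[current][m.group(1)] = m.group(2).strip('"')
    return objects

def check_saml_object(settings, interface_ip, port=1003):  # 1003 = captive portal port
    """Return findings for the SP and IdP URLs; an empty list means consistent."""
    findings, expected = [], f"{interface_ip}:{port}"
    for key in ("entity-id", "single-sign-on-url", "single-logout-url"):
        host = urlparse(settings.get(key, "")).netloc
        if host != expected:
            findings.append(f"{key}: host {host!r}, expected {expected!r}")
    # Entra ID: idp-entity-id is https://sts.windows.net/<tenant>/; login URLs use /<tenant>/saml2.
    tenant = urlparse(settings.get("idp-entity-id", "")).path.strip("/")
    for key in ("idp-single-sign-on-url", "idp-single-logout-url"):
        if urlparse(settings.get(key, "")).path != f"/{tenant}/saml2":
            findings.append(f"{key}: does not reference tenant {tenant!r}")
    if "group-name" not in settings:
        findings.append("group-name: missing, so 'config user group' matching cannot work")
    if settings.get("digest-method") == "sha1":
        findings.append("digest-method: sha1, confirm it matches the Entra ID signing option")
    return findings
```

Run check_saml_object(parse_user_saml(SAMPLE_CONFIG)["Test-SAML-NAC"], "10.255.13.1") against the article's block; the only finding is the sha1 digest reminder, while a wrong interface IP or port produces one finding per SP URL.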