Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
akamath
Staff
Staff

Created on ‎09-22-2020 10:51 PM

Article Id 193405

Technical Tip: User information from user login ID by LDAP connectors

Description
This collects additional information about authenticated FSSO users, and display from GUI.

- FortiView -> Sources.
- FortiView -> Policies.
- Log & Report -> Forward Traffic.
- User & Device -> Device Inventory.

Scope
For version 6.2.1.

Solution
This requires that FSSO is configured on the FortiGate.
To view the user information on pages other than Firewall monitor, 'Device Detection' has to be enabled on the interface.
The user-info-server variable in user FSSO configuration is used to select the LDAP server that is used for retrieving user information.
After a valid FSSO user is authenticated, the FortiGate will try to get additional user information from the LDAP server.

To configure the user.

1) Configure the LDAP user.
# config user ldap
    edit "AD-LDAP"
    set server "10.1.100.131"
    set server-identity-check disable
    set cnid "cn"
    set dn "dc=fortinet-fsso,dc=com"
    set type regular
    set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
    set password ENC
    MTAwNIJ4Fk+smJ/CVOuEG2Pjphc5nzumAuRTGjEWiWny1qOB3UYLgYJovcNg1lLkXIFKf9Ov rYNSrt4gfdchKGsLbQbruvHxE1MeEdcw+G7IpNsgUWX1Dlc0uwEKsBuZMGptI5scsEzG1Lqe6H2 J9F9Dok2cqwEX8MCYmStlDc9z11Rl30KkwCdn6wzCS3t+Xq+DPg==
    set secure ldaps
    set ca-cert "CA_Cert_1"
    set port 636
    next
end
2) Configure the FSSO user.
# config user fsso
    edit "ad-214"
        set server "10.1.100.142"
        set password ENC
        JvwNFvjbXd7T0qsYkO18K8k+DZlHFwDvc7CAv6gHD1nvE7nu8tlaQrWf/tK5o0jDChqkUUG7Wm yqeGupJmTFYzDTB4szvVUafR4D0BKVCt8AaULybjoAtJb6NvU2Hu7P0Trnh08p930hleR13r4mB HjLmNEyBZgvB6jz7bOZYtKaQdkCn/9KKrjAteVjWqxcqYCEvw==
        set user-info-server "AD-LDAP"
    next
end
To verify that information is being collected per user.
# diagnose wad user info 20 TEST1
    'username' = 'TEST1'
    'sourceip' = '10.1.100.188'
    'sourceip' = '32.1.0.0'
    'sourceip' = '10.1.100.185'
    'vdom' = 'root'
    'cn' = 'test1'
    'givenName' = 'test1'
    'sn' = 'test101'
    'userPrincipalName' = 'test1@Fortinet-FSSO.COM'
    'telephoneNumber' = '604-123456'
    'mail' = 'test1@fortinet-fsso.com'
    'thumbnailPhoto' = '/tmp/wad/user_info/ff1bffff376dff29ffff24ff65ff42ffff09292d'
    'company' = 'Fortinet'
    'department' = 'Release QA'
    'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'streetAddress' = 'One Backend Street 1901'
    'l' = 'Burnaby'
    'st' = 'BC'
    'postalCode' = '4711'
    'co' = 'Canada'
    'accountExpires' = '9223372036854775807'
total 1, count 1

Labels:
2020
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.