FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
Somashekara_Hanumant
Article Id 193069

Description


This article describes how to configure an LDAP server and an authentication scheme.

LDAP user authentication in explicit-proxy mode:
- Configure the LDAP server.
- Configure the authentication scheme, authentication rule and proxy authentication settings.
- Configure firewall policies with LDAP authentication by selecting the explicit mode.
- Enable the proxy settings on the workstation and test the authentication.

Solution

Configure the LDAP server:

# config user ldap
    edit "Proxy-AD"
        set server "10.40.9.78"
        set cnid "sAMAccountName"
        set dn "dc=dubailab,dc=lab"
        set type regular
        set username "cn=administrator,cn=users,dc=dubailab,dc=lab"
        set password xxxxxx
    next
end

Configure the authentication scheme:

# config authentication scheme
    edit "ldap-scheme"
        set method basic
        set user-database "Proxy-AD"
    next
end

Configure the authentication rule:

For testing purposes, the source address is restricted to 10.40.9.42/32, so the LDAP user can authenticate only from that IP address:

# config firewall address
    edit "9-42"
        set subnet 10.40.9.42 255.255.255.255
    next
end

# config authentication rule
    edit "ldap_rule"
        set srcintf "port2"
        set srcaddr "9-42"
        set dstaddr "all"
        set active-auth-method "ldap-scheme"
    next
end

Configure the proxy authentication settings:

# config authentication setting
    set active-auth-scheme "ldap-scheme"
end

Configure the firewall policy with LDAP authentication by selecting the explicit mode. The policy references the user group "ldap-sslvpn", which is not shown here and must already exist:

# config firewall policy
    edit 1
        set type explicit-web
        set explicit-web-proxy "web-proxy"
        set dstintf "port1"
        set srcaddr "9-42"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set groups "ldap-sslvpn"
        set utm-status enable
    next
end

Configure the user's browser and validate.

Enable the proxy settings on the workstation and test user authentication.

Once the user is authenticated, the user appears under FortiView -> User.
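As an added client-side check that is not part of the original article, the script below reproduces what a browser does against the explicit proxy configured above with `method basic`: a request without credentials should draw a 407 with a `Proxy-Authenticate: Basic` challenge, and the same request with a `Proxy-Authorization` header should be allowed through. The proxy address and port, the target URL and the credentials are assumed values; run it from the permitted client (10.40.9.42 in this setup).

```python
import base64
import socket

PROXY = ("10.40.9.1", 8080)          # assumed FortiProxy explicit-proxy listener (constructed)
TARGET = "http://www.example.com/"   # any plain-HTTP URL the policy allows (assumed)

def proxy_authorization(username, password):
    """Value a browser sends for 'method basic': base64(user:pass), which is encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

def parse_response_head(raw):
    """Split an HTTP response head into (status_code, {lowercase header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def verdict(status, headers):
    """Interpret the proxy's answer: 407 means the active-auth challenge was issued."""
    if status == 407:
        scheme = headers.get("proxy-authenticate", "").split(" ", 1)[0].lower()
        return "challenge:" + (scheme or "none")
    if 200 <= status < 400:
        return "passed"
    return "error:%d" % status

def probe(url, auth=None, proxy=PROXY):
    """Send one absolute-URI GET through the explicit proxy and return the verdict."""
    host = url.split("/")[2]
    req = f"GET {url} HTTP/1.1\r\nHost: {host}\r\nProxy-Connection: close\r\n"
    if auth:
        req += f"Proxy-Authorization: {proxy_authorization(*auth)}\r\n"
    req += "\r\n"
    with socket.create_connection(proxy, timeout=10) as s:
        s.sendall(req.encode("iso-8859-1"))
        raw = b""
        while b"\r\n\r\n" not in raw:          # read until the head is complete
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return verdict(*parse_response_head(raw))

if __name__ == "__main__":
    print("no credentials:  ", probe(TARGET))                        # expect challenge:basic
    print("with credentials:", probe(TARGET, ("jdoe", "secret")))    # expect passed
```

A `challenge:basic` followed by `passed` confirms the authentication rule and scheme are applied to this source; a `passed` on the first call means the source is not matched by the authentication rule.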

Technical tip: Only the HTTP, HTTPS, FTP, and Telnet protocols are supported by LDAP authentication.

Troubleshooting:

Useful debug commands:

# diag wad filter src <source IP>
# diag wad debug enable category auth
# diag wad debug enable category policy
# diag wad debug enable level verbose
# diag debug application fnbamd -1
# diag debug enable


Then run the following command on FortiProxy to verify whether user authentication with the LDAP server is working correctly:

# diagnose test authserver ldap <server_name> <username> <password>


Reference links:

https://docs.fortinet.com/document/fortiproxy/7.4.0/fortiproxy-authentication-guide/413549/configuri...