Support Forum
Deltarr
New Contributor

Guest user is seen as domain user

Hello,

Our web filter is flow-based, and we have several AD groups that each have a specific web filtering profile (from no access to full access). Everything is working fine for all users; the sites that need to be blocked are blocked. My problem is when a guest connects to our Wi-Fi. Sometimes (it's definitely not all the time), the web filter will restrict ALL sites. I created a replacement page to get some information, and I can see that the guest user (not in the domain) is referred to as a generic user that exists in our AD.

Since English is not my main language, here is a short example:

On the domain, user "ABC" is part of the group "No access". This group is linked to a web filter profile on the FortiGate that allows no website access.

If I log in with the user "ABC" and try to connect to any website, I get the FortiGate block page (which is what I want). Now, a guest comes into our office and connects to our Wi-Fi (sadly we don't have separate access) to get internet access. Sometimes, he will be blocked as if he were user ABC (the username on the block page is "ABC"). How can I be sure that users that are not part of the domain, using computers that are not part of the domain, don't get this problem? I hope I'm clear enough... Let me know if you need more information. Thank you for your help.

6 REPLIES
dmcquade
New Contributor III

How do you have AD integrated with the FortiGate? If the group object is an FSSO group, make sure you enable FSSO on the rule in the advanced options.

Deltarr

I have 4 groups created in AD (all my AD users are members of one of these), and each one is a member of an FSSO group on the FortiGate.

Each one has a specific web filter rule (flow-based / SSL inspection) assigned to it.

What options are you speaking of?

What I don't understand is why a non-domain user using a non-domain computer is recognized as a domain user by the web filter... Note that he is never asked to enter any credentials at any time. He is logged in with his local username.

And to be clear, it has happened to other people (no relationship between them) as well.

Thank you!

dmcquade
New Contributor III

This option is available via the CLI or, if you are using a FortiManager, in the advanced options section. From the CLI run:

config firewall policy
    edit <policyId>
        set fsso enable
    next
end


If this option is set to disabled (the default setting), it will ignore FSSO users and groups. Your guests are not authenticated to your AD. They are simply being allowed on the rule because the groups assigned to the rule are being ignored.


Hope that helps.

d

Deltarr

Thanks for your input. I've double-checked my settings and FSSO is ENABLED (check the full config below).


I still don't get why some guests, while browsing, get the block page (as they are not part of any group) and why they are identified on the FG as a specific user (always the same, by the way) that is a member of the "No Access" AD group used in one of the policies...


I used %%USERNAME%% on the block page to check, and it always returns the same user. If I remove this user from the AD group linked to the FG profile, the guest then has full access to all websites.


Again, thanks for your help.

- Fabien

Here is the full config of one of the policies:


policyid : 13
uuid : 794ceca8-5d42-51e5-afda-ef6d1c329723
srcintf:
 == [ internal1 ]
 name: internal1
dstintf:
 == [ wan1 ]
 name: wan1
srcaddr:
 == [ all ]
 name: all
dstaddr:
 == [ all ]
 name: all
rtp-nat : disable 
action : accept 
status : enable 
schedule : always 
schedule-timeout : disable 
service:
 == [ ALL ]
 name: ALL
utm-status : enable 
logtraffic : utm 
logtraffic-start : disable 
capture-packet : disable 
auto-asic-offload : enable 
wanopt : disable 
webcache : disable 
session-ttl : 0
vlan-cos-fwd : 255
vlan-cos-rev : 255
wccp : disable 
ntlm : disable 
ntlm-guest : disable 
ntlm-enabled-browsers:
fsso : enable 
rsso : disable 
fsso-agent-for-ntlm : 
groups:
 == [ BASIC_FILTERING ]
 name: BASIC_FILTERING
users:
devices:
auth-path : disable 
disclaimer : disable 
natip : 0.0.0.0 0.0.0.0
match-vip : disable 
diffserv-forward : disable 
diffserv-reverse : disable 
tcp-mss-sender : 0
tcp-mss-receiver : 0
comments : 
auth-cert : 
auth-redirect-addr : 
identity-based-route: 
block-notification : disable 
custom-log-fields:
tags:
replacemsg-override-group: 
srcaddr-negate : disable 
dstaddr-negate : disable 
service-negate : disable 
timeout-send-rst : disable 
delay-tcp-npu-session: disable 
profile-type : single 
av-profile : 
webfilter-profile : Basic_Filtering 
spamfilter-profile : 
dlp-sensor : 
ips-sensor : 
application-list : 
voip-profile : 
icap-profile : 
profile-protocol-options: default 
ssl-ssh-profile : certificate-inspection 
traffic-shaper : 
traffic-shaper-reverse: 
per-ip-shaper : 
nat : enable 
permit-any-host : disable 
permit-stun-host : disable 
fixedport : disable 
ippool : disable 
central-nat : disable 
redirect-url : 

dmcquade
New Contributor III

Can you check the logs and see what rule is blocking the user? What are you using to get the AD information? Do you have a FortiAuthenticator, or are you just using the software installed on the domain controllers? Either way, the list of users identified should show up in Monitor > Firewall Users. Have a guest connect and search for the IP address to see if they are in this list.

Regards

D

Deltarr
New Contributor

We did the following:

AD:

4 groups populated by user accounts (Full, Basic, Strict and No Access)

FortiGate:

4 user groups (Fortinet Single Sign-On), each one having an AD group as a member

4 policies (using the 4 groups) + one without web filter

Order of policies (LAN - WAN):

No Access

Strict

Basic

Full

All (no web filter)

Detail of BASIC web filter policy:

The guest user gets the block page as if he were connected as one domain user (user account "VideoCad").

This is a generic user logged on to several computers in the company.

If I want to test this account, I open Chrome as this user (the account has a password), and I can check that the web filter is working as intended. I tested by browsing to CNN.com.

date=2018-01-16 time=09:32:06 logid=0316013056 type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" policyid=12 sessionid=61269217 user="VIDEOCAD" srcip=192.168.120.119 srcport=61020 srcintf="internal1" dstip=151.101.1.67 dstport=80 proto=6 service=HTTP hostname="www.cnn.com" profile="NO ACCESS" action=blocked reqtype=direct url="/favicon.ico" sentbyte=366 rcvdbyte=0 direction=N/A msg="URL belongs to a denied category in policy" method=domain cat=36 catdesc="News and Media" crscore=30 crlevel=high

Thanks again for your help :)
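An added example, not code from the thread or from Fortinet, to go with dmcquade's advice to look the guest's IP up in the firewall user list. FSSO attributes traffic to a user by source IP address only, so any device that ends up holding an address for which the FSSO logon list still carries an entry inherits that user's policy without ever authenticating; that is one mechanism that produces exactly the symptom in the posted log line (a guest device at 192.168.120.119 blocked as VIDEOCAD). The script below parses a FortiGate key=value webfilter record, parses an FSSO logon list, and cross-checks each mapped IP against a DHCP lease table so that addresses whose current lease hostname no longer matches the FSSO workstation are flagged as stale. The FSSO list shape is assumed to follow the `IP: ... User: ... Groups: ... Workstation: ... MemberOf: ...` lines of `diagnose debug authd fsso list`, the DHCP lease table is a hypothetical export from whatever DHCP server is in use, and all sample data is constructed for this example.

```python
"""
Added example (not part of the forum thread): find FortiGate FSSO
IP-to-user mappings that no longer match the device holding the address,
and explain a webfilter log record in terms of that check.

Assumptions (hypothetical): FSSO list lines follow the shape of
`diagnose debug authd fsso list` output; the DHCP lease table is an export
of ip -> {mac, hostname} from the site's DHCP server.
"""
import re
from typing import Dict, List

# Constructed FSSO logon list (format assumed, see docstring).
FSSO_LIST = """\
----FSSO logons----
IP: 192.168.120.119  User: VIDEOCAD  Groups: CN=No Access,OU=Web,DC=corp,DC=example  Workstation: VIDEOPC01  MemberOf: NO_ACCESS
IP: 192.168.120.42  User: JDOE  Groups: CN=Basic,OU=Web,DC=corp,DC=example  Workstation: WS-JDOE  MemberOf: BASIC_FILTERING
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

# Constructed DHCP lease table: 192.168.120.119 is now leased to a guest
# device, not to the workstation on which VIDEOCAD logged on.
DHCP_LEASES: Dict[str, Dict[str, str]] = {
    "192.168.120.119": {"mac": "aa:bb:cc:00:00:01", "hostname": "guests-iPhone"},
    "192.168.120.42": {"mac": "aa:bb:cc:00:00:02", "hostname": "WS-JDOE"},
}

# Webfilter record in the same key=value form as the one posted in the thread.
WEBFILTER_LOG = (
    'date=2018-01-16 time=09:32:06 logid=0316013056 type=utm subtype=webfilter '
    'eventtype=ftgd_blk level=warning vd="root" policyid=12 sessionid=61269217 '
    'user="VIDEOCAD" srcip=192.168.120.119 srcport=61020 srcintf="internal1" '
    'dstip=151.101.1.67 dstport=80 proto=6 service=HTTP hostname="www.cnn.com" '
    'profile="NO ACCESS" action=blocked reqtype=direct url="/favicon.ico"'
)

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
_KV_RE = re.compile(r'(\w[\w\-]*)=("([^"]*)"|(\S+))')
_FSSO_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+Groups:\s*(?P<groups>.*?)"
    r"\s+Workstation:\s*(?P<workstation>\S+)\s+MemberOf:\s*(?P<memberof>.*?)\s*$"
)


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value log record into a dict (quotes removed)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV_RE.finditer(line)}


def parse_fsso_list(text: str) -> Dict[str, Dict[str, str]]:
    """Return ip -> {ip, user, groups, workstation, memberof} from an FSSO list."""
    entries: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        m = _FSSO_RE.match(raw.strip())
        if m:
            entries[m.group("ip")] = m.groupdict()
    return entries


def find_stale_mappings(fsso: Dict[str, Dict[str, str]],
                        leases: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag FSSO entries whose IP is currently leased to a different hostname.

    A mismatch means whatever device holds the address inherits the mapped
    user's firewall policy, restrictive or permissive, without authenticating.
    """
    stale = []
    for ip, entry in fsso.items():
        lease = leases.get(ip)
        if lease is None:
            continue  # no lease data for this address; cannot judge it
        if lease["hostname"].lower() != entry["workstation"].lower():
            stale.append({"ip": ip, "user": entry["user"],
                          "workstation": entry["workstation"],
                          "lease_hostname": lease["hostname"],
                          "lease_mac": lease["mac"]})
    return stale


def explain_log_line(line: str, fsso: Dict[str, Dict[str, str]],
                     leases: Dict[str, Dict[str, str]]) -> str:
    """State why a webfilter record carries its user, given both tables."""
    rec = parse_fortigate_log(line)
    ip, user = rec.get("srcip", ""), rec.get("user", "")
    entry = fsso.get(ip)
    if entry is None:
        return f"{ip}: no FSSO logon; user={user!r} must come from another source"
    lease = leases.get(ip)
    if lease and lease["hostname"].lower() != entry["workstation"].lower():
        return (f"{ip}: FSSO maps to {entry['user']} from {entry['workstation']}, "
                f"but the address is leased to {lease['hostname']} ({lease['mac']}); "
                f"stale IP-to-user mapping")
    return f"{ip}: FSSO maps to {entry['user']} from {entry['workstation']}; consistent"


if __name__ == "__main__":
    table = parse_fsso_list(FSSO_LIST)
    for hit in find_stale_mappings(table, DHCP_LEASES):
        print("STALE", hit)
    print(explain_log_line(WEBFILTER_LOG, table, DHCP_LEASES))
```

Run the stale-mapping check for every FSSO group, not only the restrictive one: a guest who inherits a "Full" mapping never sees a block page, so that case produces no complaint and no replacement-page evidence. An FSSO collector agent keeps an entry until it sees a logoff or its dead-entry timeout expires, so short DHCP leases on a shared Wi-Fi make address reuse within that window likely; separating guest and domain subnets removes the overlap at the source.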
