Hi there,
for example i have this (after upgrading 5.4 to 5.6)
edit "auth-rule4pol7"
set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
set ip-based disable
set active-auth-method "auth-sch4pol7"
next
edit "auth-rule4pol3"
set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
set ip-based disable
set active-auth-method "auth-sch4pol3"
So basically both has the same criteria...so both may fit. Now i have watched at my previous explicit Proxy rules, there is not mentioned which authentication rule will be used. So how do i prioritise the authentication rule over another one? Or how do i say this Proxy policy should use this rule like it was in 5.4?
Hope someone can help
Solved! Go to Solution.
Hi Wurstsalat, rules are evaluated top-down. So first will match it all. Second is just the leftover from upgrade process.
EDIT: You are basically selecting which authentication to use based on source IP address in the rule. Once rule is matched, authentication scheme specified in it will be used.
Fishbone)(
smithproxy hacker - www.smithproxy.org
Hi Wurstsalat, rules are evaluated top-down. So first will match it all. Second is just the leftover from upgrade process.
EDIT: You are basically selecting which authentication to use based on source IP address in the rule. Once rule is matched, authentication scheme specified in it will be used.
Fishbone)(
smithproxy hacker - www.smithproxy.org
Hi,
thanks for the Response. So how do i reorder? Delete all existing and create it in the order i want to?
Kind regards
Hi Wurstsalat, (btw awesome nickname! :)) You didn't share with us the auth schemes. But if they are same, you can have only single pair of rule->scheme mapping.
You need to think of it as policy-like selection of authentication methods. Top-down, first match of rule selects authentication methods, depending if it's passive (ie FSSO or RSSO), or active (Negotiate, Ntlm, etc..).
Cheers, Fishbone)(
smithproxy hacker - www.smithproxy.org
No prob if it helps, here they are.
config authentication scheme
edit "auth-sch4pol7"
set method ntlm
next
edit "auth-sch4pol3"
set method ntlm
next
edit "auth-sch4pol5"
set method ntlm
next
edit "sso-auth-sch4pol5"
set method fsso
next
edit "auth-scheme-basic"
set method basic
set user-database "DC01" "DC02"
next
edit "auth-scheme-negotiate"
set method negotiate
next
end
I understand first match but how can i reorder? For example i want to test browser auth through Kerberos instead of NTLM, the first rule which matches my clients uses an ntlm scheme, while my browser support ntlm...so no further processing of the rules or other schemes
-> so i need to place a rule with Kerberos scheme for the IP (Range) of my testclient at the top. Currently i only see, delete all rules and recreate them in the wanted order
Anyway my keytab file wasnt created as described in http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Configuration%20-%20Explicit... ... or is it only created after a Client tried to Access through Kerberos Auth?
Hi Wurstsalad,
for rules, you can use "move" CLI command. For example:
config authentication rule move auth-rule4pol3 before auth-rule4pol7 end For testing purposes, you can create separate rule, add src match, and move on the top of rule list. Kerberos keytab should be created immediately you load it. So referring to the link you gave, it's nothing in /tmp/kt directory (see section 2.5)? Fishbone)(
smithproxy hacker - www.smithproxy.org
Fishbone wrote:For testing purposes, you can create separate rule, add src match, and move on the top of rule list. Kerberos keytab should be created immediately you load it. So referring to the link you gave, it's nothing in /tmp/kt directory (see section 2.5)? Fishbone)(
yep there is nothing in /tmp/kt
Base64 string is valid (rechecked twice)
Dont know whats wrong here
Thanks for the move ;)
If base64 is okay ... is it a single line?
Sometimes people adding correct base64 as the block with newlines how it's produced by default. lines has to be concatenated to single line.
smithproxy hacker - www.smithproxy.org
concated it to one line, no spaces, no line feeds
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.