Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Wurstsalat
New Contributor III

Authentication Ruleset, where is the decision which will be used?

Hi there,

for example i have this (after upgrading 5.4 to 5.6)

    edit "auth-rule4pol7"
        set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
        set ip-based disable
        set active-auth-method "auth-sch4pol7"
    next
    edit "auth-rule4pol3"
        set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
        set ip-based disable
        set active-auth-method "auth-sch4pol3"

So basically both has the same criteria...so both may fit. Now i have watched at my previous explicit Proxy rules, there is not mentioned which authentication rule will be used. So how do i prioritise the authentication rule over another one? Or how do i say this Proxy policy should use this rule like it was in 5.4?

 

Hope someone can help

1 Solution
Fishbone_FTNT

Hi Wurstsalat, rules are evaluated top-down. So first will match it all. Second is just the leftover from upgrade process.

 

EDIT: You are basically selecting which authentication to use based on source IP address in the rule. Once rule is matched, authentication scheme specified in it will be used.

 

Fishbone)(

smithproxy hacker - www.smithproxy.org

View solution in original post

11 REPLIES 11
Fishbone_FTNT

Hi Wurstsalat, rules are evaluated top-down. So first will match it all. Second is just the leftover from upgrade process.

 

EDIT: You are basically selecting which authentication to use based on source IP address in the rule. Once rule is matched, authentication scheme specified in it will be used.

 

Fishbone)(

smithproxy hacker - www.smithproxy.org

Wurstsalat

Hi,

thanks for the Response. So how do i reorder? Delete all existing and create it in the order i want to?

Kind regards

Fishbone_FTNT

Hi Wurstsalat, (btw awesome nickname! :)) You didn't share with us the auth schemes. But if they are same, you can have only single pair of rule->scheme mapping.

You need to think of it as policy-like selection of authentication methods. Top-down, first match of rule selects authentication methods, depending if it's passive (ie FSSO or RSSO), or active (Negotiate, Ntlm, etc..).

 

Cheers, Fishbone)(

smithproxy hacker - www.smithproxy.org

Wurstsalat

No prob if it helps, here they are.

 

config authentication scheme
    edit "auth-sch4pol7"
        set method ntlm
    next
    edit "auth-sch4pol3"
        set method ntlm
    next
    edit "auth-sch4pol5"
        set method ntlm
    next
    edit "sso-auth-sch4pol5"
        set method fsso
    next
    edit "auth-scheme-basic"
        set method basic
        set user-database "DC01" "DC02"
    next
    edit "auth-scheme-negotiate"
        set method negotiate
    next
end

 

I understand first match but how can i reorder? For example i want to test browser auth through Kerberos instead of NTLM, the first rule which matches my clients uses an ntlm scheme, while my browser support ntlm...so no further processing of the rules or other schemes

-> so i need to place a rule with Kerberos scheme for the IP (Range) of my testclient at the top. Currently i only see, delete all rules and recreate them in the wanted order

 

Anyway my keytab file wasnt created as described in http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Configuration%20-%20Explicit... ... or is it only created after a Client tried to Access through Kerberos Auth?

Fishbone_FTNT

Hi Wurstsalad,

for rules, you can use "move" CLI command. For example:

config authentication rule

    move auth-rule4pol3 before auth-rule4pol7 end

For testing purposes, you can create separate rule, add src match, and move on the top of rule list.

 

Kerberos keytab should be created immediately you load it. So referring to the link you gave, it's nothing in /tmp/kt directory (see section 2.5)?

 

Fishbone)(

 

smithproxy hacker - www.smithproxy.org

Wurstsalat

Fishbone wrote:

For testing purposes, you can create separate rule, add src match, and move on the top of rule list. Kerberos keytab should be created immediately you load it. So referring to the link you gave, it's nothing in /tmp/kt directory (see section 2.5)? Fishbone)(

yep there is nothing in /tmp/kt

Base64 string is valid (rechecked twice)

Dont know whats wrong here

 

Thanks for the move ;)

Fishbone_FTNT

If base64 is okay ... is it a single line?

Sometimes people adding correct base64 as the block with newlines how it's produced by default. lines has to be concatenated to single line.

smithproxy hacker - www.smithproxy.org

Wurstsalat

concated it to one line, no spaces, no line feeds

 

 

 

 

darhan
New Contributor

Good afternoon, the question is, you need to save the browser password in the operating system, because to access the Internet a new provider requires you to enter credentials in the browser window, only after that the Internet will work. And it is necessary that when you turn on the computer, the password that you enter in the browser is automatically stored in the system, and you do not need to enter the password in the browser window (or even when the saved password is in the browser, you need to press continue) so that the system itself is authorized. In short, you need to save the password to the browser in Windows.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors