Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Grnathan
New Contributor

Bypassing FortiAuthenticator

Hi, 

For context, I'm not "fresh" to sysadmin, but I am "very fresh" to all things Forti-*.  I'm a month or two into a new gig with an MSP that has FortiGate and FortiAuthenticator deployments sprinked around their (our, I guess) clients. 

 

Chatting with a previous engineer that had a hand in setting it all up, recently, he commented that he couldn't really see the point of mandating 2FA with FortiTokens since this doesn't solve the "rogue contractor with laptop" plugging in somewhere and authenticating to the file server with username and password, since it's at the point where users sign onto their laptop/desktop that has OTP authentication challenge, but if I pass credentials for a standard user to a file server from a device that isn't running the updated msgina.dll, the file server (or other resource provider) happily hands over the requested assets. 

 

I'm betting this is a "solved problem" but I haven't seen the suggested approach in the documents I've found to review, todate.  Can someone send me a shortcut to where I find the "easy button" on this? 

1 Solution
cbabfat
New Contributor III

Easy button is relative.  You may have to push down on it real hard to get it to move.

 

To me this is solved, not through the server, but I am interested in other comments, but through Network Access Control/802.1x.  When a AP or Switch gets a new connection, it requires authentication from the user and/or machine to validate that they below on the network.  That network authentication could be pointing back to the Fortiauth if so desired.

View solution in original post

4 REPLIES 4
cbabfat
New Contributor III

Easy button is relative.  You may have to push down on it real hard to get it to move.

 

To me this is solved, not through the server, but I am interested in other comments, but through Network Access Control/802.1x.  When a AP or Switch gets a new connection, it requires authentication from the user and/or machine to validate that they below on the network.  That network authentication could be pointing back to the Fortiauth if so desired.

Grnathan
New Contributor

Thanks for mentioning the NAC approach to looking at this.  Coming more from 'server admin' background than 'network admin' I was possibly looking the wrong way for a solution.  Something along the track of NPS / NAC sounds like it would be useful here. I asked a similar question over on the Reddit forums and someone suggested I need a FortiNAC appliance, so I'm just off to go read up about those, and figure out if I want to recommend & sell one of those, or just handle this in Windows Server NPS....

cbabfat
New Contributor III

Exactly.  We have windows NPS performing machine authentication when it connects to the network.  Not a company asset, no connection to the network.  And NPS was free.  You can install forticlient on individual PC's if you want any login to the PC to require two factor.

 

Chris

 

xsilver_FTNT
Staff
Staff

Unfortunately this is NOT a single "RESOLVE-ALL" button task IMHO.

 

1. Physical security

if you do have contractors freely roaming around without supervision. File servers just under table on the reception or so .. then you can have many NAC/2FA solutions, but 5 minutes with screwdriver and you are done! Proverbial $5 five-bucks-wrench attack can solve surprisingly lot, ranging from 2FA to encrypted filesystems :)

Therefore critical infrastructure have to be in separate room. Very limited and always supervised access.

 

2. Network access control

Yes, NAC and basically port-based authentication, 802.1x is another key element.

Authenticate per port whenever port is tried to be used. Is it expected device there? Is it expected user?

Shut down all unused ports. Cisco switches has funky MAC memory so they allow specific MAC addresses or just one (or set amount) of last used. So someone who disconnect net printer to gain access with idea that printer has MAC based overrides might try his MAC and gets port locked. However he can misuse MAC of printer .. 

NAC from FortiNAC or 3rd party. However serious 802.1x can be built with just mentioned FortiAuthenticator.

 

3. Segmented networks

Policies, from where and who can access critical fileservers for example.

No free DHCP assigning IPs to anyone who just connects to SSID or wire!

Per MAC IP assignments. Etc.

 

4. Agents on server level (2FA login to server/workstation)

If those servers like print servers are Windows, then FortiAuthenticator does have agents, so 2FA can be enforced even if someone RDP or console login to the server itself.

Same does exist on workstations, SSOMA (Single Sign-On Mobility Agent) and is part of FortiClient.

That helps to track users and workstations, let them pass firewall policies based on their previous logon with domain credentials or any other logon. FortiAuthenticator is pretty versatile and capable SSO collector. So not even AD logon but also RADIUS logon into 3rd party WiFi AP can lead to RSSO and user logon tracking.

So no misuse of logins to workstations or print servers etc. Of course, if someone left unlocked server console and for 'convenience' there is no login protected screensaver .. well.

 

just what came to my mind shortly.

 

More on [link]https://docs.fortinet.com[/link] / https://video.fortinet.com / https://kb.fortinet.com

Or via Professional Services / TAM as paid service. As regular TAC is not truly expected and designed to provide network design services. Hope you understand.

 

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

Labels
Top Kudoed Authors