- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Chromebook login identification
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chromebook login identification
Not sure if this is the correct section.
I work for an educational organization that is slowly transitioning from Windows based local systems to Google GAFE. As part of the process we have deployed a large batch of shared Chromebooks for the students to use. Our primary gateway is a Fortigate 300D and I'm very pleased with it's performance.
The issue I have is that it seems currently impossible for the Fortigate to identify the users logged in to the Chromebook (it will report source IP and MAC). As a stopgap measure I've moved all Chromebooks to their own VLAN and applied the student security profile on it. However, this will also block any sites allowed for staff using the Chromebook. This is not an optimal solution.
I have the occasional need to identify individual users who break policy for security reasons.
Is the Fortigate capable of doing this?
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
guess they connect via WiFi, so what about WPA2-enterprise auth against RADIUS (might be FAC or NPS on AD) and then RSSO and group membership per logon to FortiGate and then Identity based policies using group membership knowledge ?
So teachers/stuff will be in different group then users/students .. so it will not be per device identity but per user (probably better as you mentioned that Chromebooks are shared => making it harder to decide who is user).
For more about RSSO/WSSO check cookbook.fortinet.com for receipts.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is an option, but I want to avoid double authentication.
The problem is that the GAFE and AD accounts are different in setup and entirely separate (this is a project for a later date). I have RSSO working (sortof, the Fortigate doesn't identify users properly yet) for a different wireless network.
With your solution a user would have to connect to the wifi first, auth, and then log in to their google account. Right now all wireless settings (simple WPA2 PSK) are pushed to the Chromebooks so the students only need to sign in once.
I'd much rather the Fortigate pick up the google account login and log it to the Chromebook device IP/MAC. It can already restrict logins to certain domains, so there seems to be a way to filter that info out.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have no personal experience with Chromebooks. If you can somehow collect logons (RADIUS Accounting, syslog, or even those Exchange email logons .. ) FSSO Collectors can utilize many sources and make FSSO records based on those data and so pasively authenticate user's traffic without any necessity for user active logon.
Or you can utilize their logon to WiFi via RSSO, so users will be appear in logs on FortiGate/FortiCloud/FortiAnalyzer with their wifi logons and not with google accounts, devices should be recorded by their MAC address kind of uniquely identifying devices.
But I do not know your environment deep enough for more precise advise.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chromebook logins can't utilize FSSO as these are essentially GMail logins. I don't think there's a way to parse login info from Google's end. I know records are kept, but it's pretty obtuse to get them.
The issue seems to stem from a design perspective that a device is assigned to a user and therefor shouldn't require detailed users per device logging. I may have to look at a 3rd party solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is possible to Authenticate the users onto the network using the FortiAuthenticator and the Social Auth feature using Google Credential SSO. There is a cookbook on this topic here http://cookbook.fortinet.com/social-wifi-captive-portal-fortiauthenticator-google/
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Carl Windsor wrote:It is possible to Authenticate the users onto the network using the FortiAuthenticator and the Social Auth feature using Google Credential SSO. There is a cookbook on this topic here http://cookbook.fortinet.com/social-wifi-captive-portal-fortiauthenticator-google/
This looks to show a solution in part. We do not have a FortiAuthenticator and I don't think there's budget to add one.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have also expressed this lack of functionality in the content filtering to fortinet. It has fallen on def ears.
FSSO simply put is "windows devices only".
They will try to push the solution off into using other technologies such has fortiauthenticator or wpa2 enterprise.
They will also try to suggest their Forticlient EMS which has nothing to do with content filtering user identification.
EVERY other Content Filter has a windows app, mac app (dmg) or chrome extension that does user identification and its free.
Most environments in 2017 are a mixure of devices be it windows,mac , chrome ,android ,etc.
If the Admin can't run a report for "Jsmith" because they are using a chromebook, then Fortinet Content filtering and reporting has failed me and is useless.
The bottom line is due to lack of features like this Fortinet Content filtering is not education friendly.
Related Posts
- VPN logs 160 Views
- VPN for ChromeOS 651 Views
- SSL-VPN SAML SSO with Azure AD 1745 Views
- PPPoE not reconnecting. only after reboot 3382 Views
- Server seems to reject credentials when... 4439 Views
Labels
-
FortiGate
6,752 -
FortiClient
1,343 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
345 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
88 -
IPsec
85 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiAuthenticator
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.