Hello,
I have to deploy an explicit proxy architecture for a customer and we want to use authentication on it. Main mode will be FSSO, no issue with that. But if Fortigate doesn't identify a user by FSSO standard mode, we want to try by using NTLM. Is it possible ?
I was thinking of this kind of configuration :
set active-auth-method ntlm
set sso-auth-method fsso
But is the active method used only when the connection with the agent is broken or also as a fallback when the agent just doesn't find anything in the AD ?
Thanks in advance. Best regards,
François
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Francois,
'active-auth-method' is actually not about a primary method. Let me explain.
There are active auth methods, which does require user input and activity (that's why they are called 'active').
And passive auth methods (Single Sign-On scenarios, mostly) where user/computer is considered as authenticated based on his previous activity. For example user log into 3rd party WiFi AP/controller, authenticate once via RADIUS server which tells about successful auth to FortiGate firewall. Once we have trustworthy confirmation and basic data about the user and his connection parameters like Framed-IP-Address (in RADIUS case) and/or port or VLAN assigned. We can allow such pre-authenticated traffic based on that knowledge. This is passive authentication. So user do NOT need to actively/manually authenticate again.
Therefore your kind of configuration is exactly what you were looking for.
FSSO as passive auth method is preferred. Once the connection cannot be authenticated based on previous knowledge, no record in 'diag debug auth fsso list' or 'diag firewall auth list', then we have to trigger active method and ask the user directly.
Mentioned NTLM is active as in default it will ask user. However web browsers can be configured to consider firewall as trusted and allow silent NTLM question/answer handshake between firewall and workstation. In this way it might look like passive authentication, as user might not get auth request, but web browser will sent his domain auth data to firewall which will use FSSO config to validate the data against DC.
For more details I'd suggest to check documentation and cookbooks at http://docs.fortinet.com
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi Francois,
'active-auth-method' is actually not about a primary method. Let me explain.
There are active auth methods, which does require user input and activity (that's why they are called 'active').
And passive auth methods (Single Sign-On scenarios, mostly) where user/computer is considered as authenticated based on his previous activity. For example user log into 3rd party WiFi AP/controller, authenticate once via RADIUS server which tells about successful auth to FortiGate firewall. Once we have trustworthy confirmation and basic data about the user and his connection parameters like Framed-IP-Address (in RADIUS case) and/or port or VLAN assigned. We can allow such pre-authenticated traffic based on that knowledge. This is passive authentication. So user do NOT need to actively/manually authenticate again.
Therefore your kind of configuration is exactly what you were looking for.
FSSO as passive auth method is preferred. Once the connection cannot be authenticated based on previous knowledge, no record in 'diag debug auth fsso list' or 'diag firewall auth list', then we have to trigger active method and ask the user directly.
Mentioned NTLM is active as in default it will ask user. However web browsers can be configured to consider firewall as trusted and allow silent NTLM question/answer handshake between firewall and workstation. In this way it might look like passive authentication, as user might not get auth request, but web browser will sent his domain auth data to firewall which will use FSSO config to validate the data against DC.
For more details I'd suggest to check documentation and cookbooks at http://docs.fortinet.com
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi Tomas,
Thank you for your very clear and detailed answer. Therefore I will use that configuration.
BR,
François
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.