Belgarioz

Force User Login when Passive Authentication is on

Hello,

 

I have a weird question my customer asked me:

 

They have a working passive authentication via Active Directory.

They asked if it is possible for the administrator to go to any computer and force his credentials to have full access without logging out and logging in with his AD credentials.

To make myself clear, he wants to force his authentication by calling some kind of captive portal or telnet/SSH login to grant him full access.

For some reason a situation similar to the URL filter override but applied to a whole policy.

xsilver_FTNT
Staff

Hello,

Just switching user and re-using FSSO mechanisms to update logon info for the workstation, now with the Admin user and respective full-access user group, isn't enough?

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Belgarioz

It's a solution the customer doesn't want, sadly.

 

He came from an old Check Point FW and he was able to telnet to the firewall IP to create an active authentication to the firewall.

 

xsilver_FTNT

:D well then, there are no insecure telnet or punch-card slots to read data from, in 21st century firewalls.

 

Maybe you can use the REST API to handle that authentication, hmm?


Belgarioz

I know, my initial reply to the customer was "are you asking for this in 2019???"

 

Anyway, the REST API is a good solution, though I'm not finding a lot of documentation about it. It seems you need to be part of the developing program, so you kinda have to pay to get more information.

ede_pfau

punch-card slots...


Ede

"Kernel panic: Aiee, killing interrupt handler!"