Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Millibhu
New Contributor

Internet Access Authentication with LDAP

Hi,

 

I want to control user access to internet by creating LDAP authentication

I'm not quite sure where I have to use this LDAP.

Thing I've done so far

1.Create LDAP server (Test Successful)

2.Create user group (Firewall Type, and choose remote server to be LDAP server I just create above)

3. In Network > Interfaces > Lan I choose security mode to be captive portal with authentication local and choose user group from user group I just create

 

But when I try to access internet, It doesn't prompt any login portal. Not sure I'm missing some step

 

Please guide

Thank you

 

Millibhu

6 REPLIES 6
xsilver_FTNT
Staff
Staff

Hi,

 

you haven't mentioned it, but you need firewall policy!

For more details and config examples refer to Authentication guide on docs.fortinet.com.

 

Kind regards, Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

gschmitt

xsilver wrote:

Hi,

 

you haven't mentioned it, but you need firewall policy!

For more details and config examples refer to Authentication guide on docs.fortinet.com.

 

Kind regards, Tomas

To be specific, your internal to wan policy needs to be set to user group: yourUserGroup

All other policies (going from internal to wan (all)) need to be authentication or deny

Millibhu
New Contributor

Hi,

 

I already modified my security policy (internal to WAN) , I specified the source users to be user group (group I create to authen with LDAP) and source address to be none (previously source address is set to any) and set action to be Accept. But still when I open browser it does not prompt any authentication portal.

 

I'm not sure whether I have to choose authentication method, what I found from cookbook they mention that to authentication with security policies need to choose whether to use FSSO Agent, NTLM, Certificate or RADIUS SSO. I tried with NTLM (enable NTML in security policy) because I don't want to install any agent in my AD server. But still no hope. (Is it relate with my explicit proxy ? because in explicit proxy policy cannot choose source users it can only choose source address)

Could you please guide me what to do next

 

Thanks

Millibhu

gschmitt
Valued Contributor

Millibhu wrote:

I already modified my security policy (internal to WAN) , I specified the source users to be user group (group I create to authen with LDAP) and source address to be none (previously source address is set to any) and set action to be Accept. But still when I open browser it does not prompt any authentication portal.

Let's ignore the authentication method for now, if you don't get an authentication page something is wrong with your policies

Take another look at your internal > wan policy

It sould be

Source Interface: internal

Source User: YourUserGroup

Source Address: yourInternalNetwork

Destination Interface: wan1 (or 2 depending on your setup)

Destination Address: any

Service: all (or at least http/https)

NAT on (depending on your setup)

 

All other internal > wan policies with the same source IPs need to be deny or authenticate! This is important

Millibhu

Hi,

 

I follow your instruction this is my security policy config

FGT_HA_2 # show firewall policy 1 config firewall policy     edit 1         set uuid 8a53c544-3bc3-51e5-4279-90090cb380f8         set srcintf "port1"         set dstintf "wan1"         set srcaddr "My_network"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"         set utm-status enable         set logtraffic all         set webcache enable         set ntlm enable         set groups "My_user_group"         set av-profile "default"         set webfilter-profile "allow_9gag"         set ips-sensor "default"         set application-list "default"         set profile-protocol-options "default"         set ssl-ssh-profile "certificate-inspection"         set nat enable     next end

 

I have only 1 security policy , the other is implicit deny

 

now I have denied my explicit proxy policy.

 

config firewall explicit-proxy-policy     edit 1         set uuid e493a46c-4c93-51e5-3a46-b142df3ef351         set proxy web         set dstintf "wan1"         set srcaddr "all"         set dstaddr "all"         set service "webproxy"         set action accept         set status disable         set schedule "always"         set utm-status enable         set av-profile "default"         set webfilter-profile "default"         set ips-sensor "default"         set application-list "default"         set profile-protocol-options "default"         set ssl-ssh-profile "certificate-inspection"     next end

 

It still does not prompt for authentication, not sure where did I miss ?

 

Thanks

Millibhu

 

Millibhu

Hi ,

 

now am able to get for the prompt authentication

I forget to put the authentication in my proxy security profiles.

 

But when I put my username/password (join domain name) it could not pass the authenticaiton, only the account that I use for LDAP queries can pass the authentication. Am I missing something ?

 

Thanks

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors