Millibhu
New Contributor

Internet Access Authentication with LDAP

Hi,

I want to control user access to the internet by creating LDAP authentication.

I'm not quite sure where I have to use this LDAP.

Things I've done so far:

1. Create LDAP server (test successful)

2. Create user group (Firewall type, and choose the remote server to be the LDAP server I just created above)

3. In Network > Interfaces > LAN, I chose the security mode to be captive portal with local authentication and chose the user group from the user group I just created

But when I try to access the internet, it doesn't prompt any login portal. Not sure if I'm missing some step.

Please guide.

Thank you

 

Millibhu

xsilver_FTNT
Staff

Hi,

You haven't mentioned it, but you need a firewall policy!

For more details and config examples, refer to the Authentication guide on docs.fortinet.com.

Kind regards, Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

gschmitt

xsilver wrote:

Hi,

You haven't mentioned it, but you need a firewall policy!

For more details and config examples, refer to the Authentication guide on docs.fortinet.com.

Kind regards, Tomas

To be specific, your internal-to-WAN policy needs to be set to user group: yourUserGroup

All other policies (going from internal to WAN (all)) need to authenticate or deny.

Millibhu
New Contributor

Hi,

I already modified my security policy (internal to WAN): I specified the source users to be the user group (the group I created to authenticate with LDAP) and the source address to be none (previously the source address was set to any), and set the action to Accept. But still, when I open the browser it does not prompt any authentication portal.

I'm not sure whether I have to choose an authentication method. From what I found in the cookbook, they mention that to authenticate with security policies you need to choose whether to use FSSO Agent, NTLM, Certificate or RADIUS SSO. I tried NTLM (enabled NTLM in the security policy) because I don't want to install any agent on my AD server. But still no hope. (Is it related to my explicit proxy? Because in the explicit proxy policy you cannot choose source users, you can only choose source address.)

Could you please guide me on what to do next?

Thanks

Millibhu

gschmitt
Valued Contributor

Millibhu wrote:

I already modified my security policy (internal to WAN): I specified the source users to be the user group (the group I created to authenticate with LDAP) and the source address to be none (previously the source address was set to any), and set the action to Accept. But still, when I open the browser it does not prompt any authentication portal.

Let's ignore the authentication method for now; if you don't get an authentication page, something is wrong with your policies.

Take another look at your internal > wan policy.

It should be:

Source Interface: internal

Source User: YourUserGroup

Source Address: yourInternalNetwork

Destination Interface: wan1 (or 2 depending on your setup)

Destination Address: any

Service: all (or at least http/https)

NAT on (depending on your setup)

All other internal > wan policies with the same source IPs need to be deny or authenticate! This is important.
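One way to check the rule stated in this reply and in the earlier one (every internal > wan policy must either carry a user group or deny, otherwise the captive portal never triggers) against a `show firewall policy` dump of the kind posted later in the thread. This is an added example, not FortiOS code or anything posted by the forum participants; the sample dump, the interface names `port1`/`wan1` and the function names are constructed assumptions.

```python
# Audit a FortiOS 'show firewall policy' dump for internal->wan accept
# policies that carry no user/group match and so bypass the captive portal.
import shlex

KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}

# Constructed sample dump; policy 2 is the kind gschmitt warns about.
SAMPLE = """
config firewall policy
    edit 1
        set srcintf "port1"  set dstintf "wan1"  set srcaddr "My_network"
        set action accept  set service "ALL"  set groups "My_user_group"
    next
    edit 2
        set srcintf "port1"  set dstintf "wan1"  set srcaddr "all"
        set action accept  set service "ALL"  set nat enable
    next
    edit 3
        set srcintf "port1"  set dstintf "wan1"  set srcaddr "My_network"
        set action deny  set service "ALL"
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {key: [values]}}; works on the flattened one-line
    form the CLI prints over SSH as well as on indented output."""
    tokens = shlex.split(text)  # respects the "quoted names"
    policies, current, i = {}, None, 0
    while i < len(tokens):
        if tokens[i] == "edit":
            current = int(tokens[i + 1]); policies[current] = {}; i += 2
        elif tokens[i] == "set" and current is not None:
            key, j = tokens[i + 1], i + 2
            while j < len(tokens) and tokens[j] not in KEYWORDS:
                j += 1  # a value list runs until the next CLI keyword
            policies[current][key] = tokens[i + 2:j]; i = j
        else:
            current = None if tokens[i] == "next" else current; i += 1
    return policies

def unauthenticated_egress(policies, lan_intf, wan_intfs):
    """IDs of accept policies lan_intf -> WAN with no 'groups'/'users' set."""
    return sorted(pid for pid, p in policies.items()
                  if lan_intf in p.get("srcintf", [])
                  and set(p.get("dstintf", [])) & set(wan_intfs)
                  and p.get("action", ["deny"]) == ["accept"]
                  and not (p.get("groups") or p.get("users")))
```

Running `unauthenticated_egress(parse_policies(SAMPLE), "port1", ["wan1"])` reports policy 2, the one that would let the LAN reach the WAN without ever hitting the authentication page.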

Millibhu

Hi,

I followed your instructions; this is my security policy config:

FGT_HA_2 # show firewall policy 1
config firewall policy
    edit 1
        set uuid 8a53c544-3bc3-51e5-4279-90090cb380f8
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "My_network"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set webcache enable
        set ntlm enable
        set groups "My_user_group"
        set av-profile "default"
        set webfilter-profile "allow_9gag"
        set ips-sensor "default"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end


I have only 1 security policy; the other is the implicit deny.

Now I have denied my explicit proxy policy:

 

config firewall explicit-proxy-policy
    edit 1
        set uuid e493a46c-4c93-51e5-3a46-b142df3ef351
        set proxy web
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set status disable
        set schedule "always"
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end


It still does not prompt for authentication. Not sure what I missed?

Thanks

Millibhu

 

Millibhu

Hi,

Now I am able to get the authentication prompt.

I forgot to put the authentication in my proxy security profiles.

But when I put in my username/password (joined with the domain name), it could not pass the authentication; only the account that I use for LDAP queries can pass the authentication. Am I missing something?

Thanks
