Hi,
I want to control user access to internet by creating LDAP authentication
I'm not quite sure where I have to use this LDAP.
Thing I've done so far
1.Create LDAP server (Test Successful)
2.Create user group (Firewall Type, and choose remote server to be LDAP server I just create above)
3. In Network > Interfaces > Lan I choose security mode to be captive portal with authentication local and choose user group from user group I just create
But when I try to access internet, It doesn't prompt any login portal. Not sure I'm missing some step
Please guide
Thank you
Millibhu
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
you haven't mentioned it, but you need firewall policy!
For more details and config examples refer to Authentication guide on docs.fortinet.com.
Kind regards, Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
xsilver wrote:To be specific, your internal to wan policy needs to be set to user group: yourUserGroupHi,
you haven't mentioned it, but you need firewall policy!
For more details and config examples refer to Authentication guide on docs.fortinet.com.
Kind regards, Tomas
All other policies (going from internal to wan (all)) need to be authentication or deny
Hi,
I already modified my security policy (internal to WAN) , I specified the source users to be user group (group I create to authen with LDAP) and source address to be none (previously source address is set to any) and set action to be Accept. But still when I open browser it does not prompt any authentication portal.
I'm not sure whether I have to choose authentication method, what I found from cookbook they mention that to authentication with security policies need to choose whether to use FSSO Agent, NTLM, Certificate or RADIUS SSO. I tried with NTLM (enable NTML in security policy) because I don't want to install any agent in my AD server. But still no hope. (Is it relate with my explicit proxy ? because in explicit proxy policy cannot choose source users it can only choose source address)
Could you please guide me what to do next
Thanks
Millibhu
Millibhu wrote:Let's ignore the authentication method for now, if you don't get an authentication page something is wrong with your policiesI already modified my security policy (internal to WAN) , I specified the source users to be user group (group I create to authen with LDAP) and source address to be none (previously source address is set to any) and set action to be Accept. But still when I open browser it does not prompt any authentication portal.
Take another look at your internal > wan policy
It sould be
Source Interface: internal
Source User: YourUserGroup
Source Address: yourInternalNetwork
Destination Interface: wan1 (or 2 depending on your setup)
Destination Address: any
Service: all (or at least http/https)
NAT on (depending on your setup)
All other internal > wan policies with the same source IPs need to be deny or authenticate! This is important
Hi,
I follow your instruction this is my security policy config
FGT_HA_2 # show firewall policy 1 config firewall policy edit 1 set uuid 8a53c544-3bc3-51e5-4279-90090cb380f8 set srcintf "port1" set dstintf "wan1" set srcaddr "My_network" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set logtraffic all set webcache enable set ntlm enable set groups "My_user_group" set av-profile "default" set webfilter-profile "allow_9gag" set ips-sensor "default" set application-list "default" set profile-protocol-options "default" set ssl-ssh-profile "certificate-inspection" set nat enable next end
I have only 1 security policy , the other is implicit deny
now I have denied my explicit proxy policy.
config firewall explicit-proxy-policy edit 1 set uuid e493a46c-4c93-51e5-3a46-b142df3ef351 set proxy web set dstintf "wan1" set srcaddr "all" set dstaddr "all" set service "webproxy" set action accept set status disable set schedule "always" set utm-status enable set av-profile "default" set webfilter-profile "default" set ips-sensor "default" set application-list "default" set profile-protocol-options "default" set ssl-ssh-profile "certificate-inspection" next end
It still does not prompt for authentication, not sure where did I miss ?
Thanks
Millibhu
Hi ,
now am able to get for the prompt authentication
I forget to put the authentication in my proxy security profiles.
But when I put my username/password (join domain name) it could not pass the authenticaiton, only the account that I use for LDAP queries can pass the authentication. Am I missing something ?
Thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.