Hello,
Fortigate 500D Firmware 5.6.5
We have an AD network with the FSSO Collector monitoring DCs (Agent mode)
FSSO configured on the FTG and FSSO user group pointing to AD user group for internet access.
IPv4 Policy setup Source: all+ FSSO Group above, Dest: all - this is working fine. Users get internet access, and appear in the Logs.
We also have some Macs which we want to authenticate through the browsers, so via the CLI, I've enabled "ntlm" "ntlm-guest" and "ntlm-enable-browsers" on the above policy, but no login prompt is appearing on any browsers, no matter what I try. The Macs IP just hits the DENY rule on the logs. I've tried with a non domain windows PC too - same issue.
Have I configured something wrong? Am I missing something? - been scratching my head over this for a couple of days now, any help would be appreciated.
Thanks for reading.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Rob
On CLI where do you enable the ntlm, is it under authentication scheme or where?
I don't know the case of Ipv4 policy, but I deployed the proxy authentication on v6.0.2 and for browser-based authentication, you have to disable IP-based command in the authentication rule.
i.e config authentication rule
set ip-based disbale
in this way, after defining the proxy policy you will get the browser-based authentication and you get the prompt for user credential.
Hi, and thank you for replying.
I've enabled ntlm on the firewall policy (config firewall policy)
I'm still not 100% clear as to if what I am trying to do is possible on the IPv4 rules
Thanks
Hi
As your concern is browser-based authentication, so it can full-fill using setup the Explicit web proxy feature.
Ready the proxy setup and configs on the CLI using authentication rules, scheme and setting and then add the proxy on a browser and in the authentication scheme use the ntlm method and disable ip-based in authentication rule.
you'll get the prompt and it will browser based so after closing and re-opening browser you'll get the prompt again.
Hi again,
Is there no way to do this without configuring a proxy server on each of the workstations browsers? This is something we definitely wanted to avoid.
Thanks again
Hi
You can push the proxy setting on the AD-Machines using the GPO too.
Or you can integrate your macs with the AD then you can also control the traffic by macs using SSO.
For the ipv4 policies, I don't know, may b they have a method for it too.
I tried and it works
just re-create authentication-rules and authentication-scheme then the problem will be resolved..
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.