I am having a major headache with our 500D (Formware 5.6.5) and I’m sure it’s some fundamental setting I am missing.
FSSO configured on the Fortigate and FSSO user group pointing to AD user group for internet access. IPv4 Policy setup as follows….. Source: all+ FSSO Group above and….. Dest: all <-- This is working fine, logging IP and AD users!
I have been trying for some time to get an alternative method of authentication to help none domain devices and Apple Macs to get internet access. We just need a pop up box, or web authentication to verify an account to AD.
So far I have tried;
NTLM authentication via an IPv4 policy (ntlm enabled via CLi) – no pop up box appears. Just fails with a page not found. Without the FSSO or LDAP user group tagged on the rule – the device gets internet.
NTLM, FSSO group and LDAP all tired using both a Transparent and Explicit proxy rules. Again the proxy policies both work fine without user groups - but when they are added I get “Access Denied – The page you requested has been blocked by a firewall policy restriction”
I followed Cookbook recipes such as this one for the above.
I don’t mind if the device gets a pop up login box, or a web authentication box, but as soon as I introduce a user group, the policy fails.
Am I missing some global setting to allow these other methods of authentication?
Help would be greatly appreciated.
Thank you for reading.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi guys,
Have a same situation with the same firmware.
Please help.
NTLM Enabled on the FSSO Collector NTLM Enabled on the Policy FSSO Working aprop
Regards.
Alfonso Pereira.
Hi Alfonso,
Hope this helps, I ended up raising a ticket with their support. This was their reply. It worked for me.
Really hope it helps
Rob
~~~~~~~~~~~~~~~~~~
- You will need to change the groups to the FSSO groups you set up in the firewall proxy policy
- Please add the following authentication schemes :
config authentication scheme
edit "NTLM"
set method ntlm
next
end
config authentication rule
edit "NTLM-RULE"
set srcaddr "all"
set ip-based disable
set active-auth-method "NTLM"
next
end"
- Set the active-auth-scheme to "NTLM"
Sorry I have to respond on an old topic. What do you mean with "You will need to change the groups to the FSSO groups you set up in the firewall proxy policy" ?
And how do you set the active-auth-scheme to "NTLM" ?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.