Hello All,
I'm facing some issues creating group-based policies for non-HTTP protocols.
Let's assume I have a management network where all the admin interfaces of some equipment reside.
If the management interface is reachable over HTTP(S), I can just add the user group to the rules allowing this traffic and the user will be redirected to the authentication portal.
If the protocol is instead something else (RDP, for example), the FW authentication does not occur and the connection fails.
With another FW vendor we used to have a web page where a user can "spontaneously" authenticate, so that the subsequent sessions can be authorized by the firewall.
What is the solution with Fortinet? Is it possible to create some kind of authentication portal like https://myfw.contoso.local/auth and have the users authenticate before trying to access the resource?
Thanks
Have you made any progress on this? I'm facing the same issue. I proposed to client that we create an "authentication" VLAN with a web server and essentially just custom "Hello World" HTML page. Admins needing access to sensitive management VLANs will browse to this page on the authentication VLAN and be challenged (unless already authenticated) for token+PIN. Then identity policies will let them access other VLANs as appropriate. I didn't see a way for the FG to host this auth portal. I've not been able to try it yet as we're working on another project first.
We've considered using SSL VPN while internal but ruled that out for now.
...Fred
Hello,
Unfortunately not.
I was thinking the same but have not implemented it yet.
Lorenzo
We got to it yesterday afternoon. It works perfectly as I described above. We have two issues we'll play with yet. One is idle timeout. We set that to 30 mins but it times out at 60 mins. (You can observe the countdown using 'diag firewall auth list') Suspiciously, our SSL VPN settings specify 60 mins idle timeout.
Also on timeouts, I changed from the default of 'session' to 'traffic' as in: 'set proxy-re-authentication-mode traffic'. Otherwise a single long RDP/SSH/whatever admin session will time out at 60 mins as the timer doesn't reset until the TCP session ends. Using 'traffic' makes it easy for admins to defeat the timer, but I found the keepalive page was worse in that sense because it automatically defeats the timer until a user chooses to log out.
The other issue is the login challenge page. We already use LDAP challenges on some other policies. It's the same login page so we can't customize it to show whether we're prompting for LDAP (AD account) or RADIUS (RSA token). Most identity-based policies use FSSO but I guess where we want to prompt for credentials we'll have to use either AD or RSA everywhere.
...Fred
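The "auth VLAN" design Fred describes, written out as a FortiOS CLI fragment. This is an added example, not configuration posted in the thread; the interface, address and group names (and an existing RADIUS-backed user group "rsa-admins") are assumptions.

```fortios
# Added example (not from the thread): FortiOS CLI sketch of the "auth VLAN"
# design Fred describes. Interface, address and group names are assumptions.

# Global auth settings: challenge only over HTTP/HTTPS, 30 min idle timeout,
# and reset the timer on any traffic rather than per TCP session.
config user setting
    set auth-type http https
    set auth-timeout 30
    set proxy-re-authentication-mode traffic
end

config firewall address
    edit "auth-portal-web"
        set subnet 10.10.99.10 255.255.255.255
    next
    edit "mgmt-hosts"
        set subnet 10.10.50.0 255.255.255.0
    next
end

config firewall policy
    # Browsing to the auth VLAN over HTTP(S) triggers the captive portal
    # for the RADIUS (RSA) group and records an auth entry for the admin's IP.
    edit 10
        set name "admins-to-auth-portal"
        set srcintf "admin-vlan"
        set dstintf "auth-vlan"
        set srcaddr "all"
        set dstaddr "auth-portal-web"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "rsa-admins"
    next
    # RDP/SSH is never challenged, so this policy only matches once the
    # source IP already has an auth entry created by policy 10.
    edit 20
        set name "admins-to-mgmt"
        set srcintf "admin-vlan"
        set dstintf "mgmt-vlan"
        set srcaddr "all"
        set dstaddr "mgmt-hosts"
        set action accept
        set schedule "always"
        set service "RDP" "SSH"
        set groups "rsa-admins"
    next
end

# Check live auth entries and remaining timeout: diagnose firewall auth list
```

The web server on the auth VLAN only needs to serve a static page; the authentication itself is done by the FortiGate captive portal on policy 10.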