Hi there,
I need advice here.
I have an FG 60D.
Can I set:
1. User authentication: whenever a device wants to connect to our network, it will require user authentication.
2. Restrict some devices by hardware ID, either MAC address or something else.
If those are possible, kindly give me a reference where I can find the "how to".
If I'm correct, I can set authentication based on IP.
Thanks.
Hi papapuff,
ad 1. Yes, how about a captive portal or 802.1x? So whenever some other device connects through the FGT, the user will be prompted to authenticate.
ad 2. Yes, how about having the DHCP server assign IP addresses statically to known MACs (MAC-IP pairs). So you will always have a known MAC and device behind the IP. Be aware that a MAC can be forged. From this point of view it would need a bit more. Think about device-based identity, but in the FGT it is passive fingerprinting only, so it might be inaccurate. Then you can harden the access even more via SSOMA, a client app (standalone or part of FortiClient) reporting its presence to FAC, which then reports it to the FGT as a well-known client via FSSO.
For more info have a look at http://KB.fortinet.com, http://Docs.fortinet.com or http://cookbook.fortinet.com/
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi there,
sorry to blow up this post again.
1. I searched for how to create an access list based on MAC address, but couldn't find it.
Any help?
I want to restrict unknown devices so they can't connect to our LAN.
2. Also, if I use a managed switch and users connect to the LAN via that switch, can the FortiGate detect the users' MAC addresses?
3. Can I create a log for every device connected to the FortiGate (MAC, device name, when, traffic data)?
If so, where can I find the log?
Thanks.
1. I searched for how to create an access list based on MAC address, but couldn't find it. Any help? I want to restrict unknown devices so they can't connect to our LAN.
Firmware version 5.2:
http://cookbook.fortinet.com/user-device-authentication/
Firmware version 5.4:
http://cookbook.fortinet.com/user-device-authentication-54-video/
2. Also, if I use a managed switch and users connect to the LAN via that switch, can the FortiGate detect the users' MAC addresses?
a.) Yes. If you are using the DHCP server in the FortiGate, you can see the MAC address and device identification (CPU usage may be high).
b.) If you are using DHCP from a Windows server, then you check the logs from the firewall (FortiCloud or syslog).
3. Can I create a log for every device connected to the FortiGate (MAC, device name, when, traffic data)? If so, where can I find the log?
Yes. You check in FortiCloud or FortiAnalyzer.
Device name: you can check the device list under the User & Device option. You can also see the MAC address in the device list.
MAC: from the DHCP server ---> depends on firmware version: 5.2 (under the Network option), 5.4 (under Monitor).
Regards,
Sudarsan Babu P
If you want to beat unknown MAC addresses out of the net, then how about ...
1. Old-fashioned DHCP address assignment to known MAC addresses only. So basically pair a known MAC to a static IP in DHCP. A dynamically obtained static IP, sort of.
2. The newer approach is 802.1x port-based auth.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi there,
after long research,
I found that IP reservation is not available for an interface with no DHCP enabled.
Also, a list of MAC addresses can't be recorded and built. Am I correct?
Hi,
"IP reservation is not available for an interface with no DHCP enabled"
Yes, as IP reservation and MAC address lists are features of DHCP, it's not possible to achieve that without DHCP.
But it does not necessarily have to be DHCP on the FortiGate unit; the FGT can forward requests to another DHCP server.
As the implementation in the FGT is basic, maybe some Linux-based DHCP server might be a better choice.
For MAC address listing you can turn on device discovery on the interface and the FGT will tell you a bit more about connected devices.
But still without the ability to assign/reserve an IP if there is no DHCP.
Kind regards,
Tomas
Hi Tomas,
thank you for your answer.
How do I make an access list by MAC address,
so only certain devices can connect to some ports?
Thanks
Hi,
If you want to make that MAC-based, then the simplest way from my point of view is the DHCP method ...
- DHCP assigning a certain range to well-known MAC-based clients
(for example 18:D2:F2:02:CA:F4 will always get the 192.168.42.69/24 IP)
- refusing to assign an IP to unknown hosts
Then have a FW policy allowing just those known IPs or subnet. Drop the rest.
Alternatives mentioned are 802.1x (port access authentication) or some sort of user/guest management, allowing access to just known users (identity-based policies).
Solutions similar to those described below:
http://cookbook.fortinet.com/802-1x-with-vlan-switch-interfaces-on-a-fortigate/
http://cookbook.fortinet.com/wifi-using-fortiauthenticator-radius-certificates/
http://cookbook.fortinet.com/forticonnect-guest-boarding-using-rsso/
Kind regards,
Tomas