To create a security policy for FSSO authentication – CLI:
config firewall policy
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr Windows_net
        set dstaddr all
        set action accept
        set groups FSSO_Internet_users
        set schedule always
        set service ANY
        set nat enable
    end
To create a security policy for local user authentication – web-based manager:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter the following information:
   Incoming Interface   | Port3
   Source Address       | Internal_net
   Source User(s)       | Internet_users
   Outgoing Interface   | Port1
   Destination Address  | all
   Schedule             | always
   Service              | ALL
   NAT                  | ON
   Security Profiles    | Optionally, enable security profiles.
3. Select OK.
To create a security policy for local user authentication – CLI:
config firewall policy
    edit 0
        set srcintf port3
        set dstintf port1
        set srcaddr internal_net
        set dstaddr all
        set action accept
        set schedule always
        set groups Internet_users
        set service ANY
        set nat enable
    end
LDAP Dial-in using member-attribute example
In this example, users defined in Microsoft Windows Active Directory (AD) are allowed to set up a VPN connection based solely on an attribute that is set to TRUE, rather than on their user group membership. In AD, the “Allow Dialin” property is activated in the user properties, which sets the msNPAllowDialin attribute to “TRUE”.
This same procedure can be used for other member attributes, as your system requires.
To accomplish this with a FortiGate unit, member-attribute must be set. This can only be accomplished through the CLI – the option is not available through the web-based manager.
Before configuring the FortiGate unit, ensure the AD server has the msNPAllowDialin attribute set to “TRUE” for the users in question. If not, those users will not be able to authenticate.
To configure user LDAP member-attribute settings – CLI:
config user ldap
    edit "ldap_server"
        set server "192.168.201.3"
        set cnid "sAMAccountName"
        set dn "DC=fortilabanz,DC=com,DC=au"
        set type regular
        set username "fortigate@sample.com"
        set password ******
        set member-attr "msNPAllowDialin"
    next
end
To configure LDAP group settings – CLI:
config user group
    edit "ldap_grp"
        set member "ldap_server"
        config match
            edit 1
                set server-name "ldap_server"
                set group-name "TRUE"
            next
        end
    next
end
Once these settings are in place, members of the ldap_grp user group (that is, users whose msNPAllowDialin attribute is TRUE) will be able to authenticate. To confirm that your settings are correct, compare against the following sample output from a diag debug command, which shows the authentication process.
When the “Allow Dial-in” attribute is set to “TRUE”, the following will likely be in the output:
get_member_of_groups-Get the memberOf groups.
get_member_of_groups-attr='msNPAllowDialin', found 1 values
get_member_of_groups-val[0]='TRUE'
fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS
fnbamd_auth_poll_ldap-Passed group matching
If the attribute is not set but it is expected, the following will likely be in the output:
get_member_of_groups-Get the memberOf groups.
get_member_of_groups-attr='msNPAllowDialin', found 1 values
get_member_of_groups-val[0]='FALSE'
fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS
fnbamd_auth_poll_ldap-Failed group matching
The only difference between these two outputs is the last line, which reads "Passed" or "Failed" depending on whether the member-attribute carries the expected value. Note that the LDAP bind itself succeeds in both cases ("Auth accepted", "SUCCESS"); it is the group matching step that enforces the attribute.
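As an added example (not from the FortiOS documentation), a small Python parser that reads this kind of fnbamd debug output and reports why group matching passed or failed, applying the same rule the group configuration expresses: the member-attr value must equal the configured group-name. The two sample transcripts are constructed from the excerpts above; the msNPAllowDialin and TRUE values mirror this section's configuration.

```python
import re

# Constructed sample inputs: the two fnbamd debug excerpts shown above,
# one with msNPAllowDialin = TRUE and one with it = FALSE.
PASSED_OUTPUT = """\
get_member_of_groups-Get the memberOf groups.
get_member_of_groups-attr='msNPAllowDialin', found 1 values
get_member_of_groups-val[0]='TRUE'
fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS
fnbamd_auth_poll_ldap-Passed group matching
"""
FAILED_OUTPUT = PASSED_OUTPUT.replace("'TRUE'", "'FALSE'").replace("Passed", "Failed")

ATTR_RE = re.compile(r"attr='([^']+)', found (\d+) values")
VAL_RE = re.compile(r"val\[\d+\]='([^']*)'")
RESULT_RE = re.compile(r"Result for ldap svr (\S+) is (\w+)")
MATCH_RE = re.compile(r"(Passed|Failed) group matching")

def parse_fnbamd(output):
    """Pull the member-attribute, its values, the server result and the
    group-matching verdict out of an fnbamd debug transcript."""
    parsed = {"attr": None, "values": [], "server": None, "result": None, "match": None}
    for line in output.splitlines():
        if m := ATTR_RE.search(line):
            parsed["attr"] = m.group(1)
        elif m := VAL_RE.search(line):
            parsed["values"].append(m.group(1))
        elif m := RESULT_RE.search(line):
            parsed["server"], parsed["result"] = m.group(1), m.group(2)
        elif m := MATCH_RE.search(line):
            parsed["match"] = m.group(1)
    return parsed

def diagnose(output, member_attr="msNPAllowDialin", group_name="TRUE"):
    """Mirror the FortiGate rule: authentication passes only when the LDAP bind
    succeeded AND member-attr carries the configured group-name. Returns (ok, reason)."""
    p = parse_fnbamd(output)
    if p["result"] != "SUCCESS":
        return False, f"LDAP server {p['server']} returned {p['result']}: fix server/bind settings first"
    if p["attr"] != member_attr:
        return False, f"member-attr {member_attr!r} not returned (saw {p['attr']!r}); check config user ldap"
    if group_name not in p["values"]:
        return False, f"{member_attr}={p['values']} does not equal group-name {group_name!r}; enable Allow Dial-in in AD"
    if p["match"] != "Passed":
        return False, f"values matched but FortiGate reported {p['match']} group matching"
    return True, f"{member_attr}={group_name!r} on {p['server']}: group matching passed"
```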