Examples and Troubleshooting
This chapter provides an example of a FortiGate unit providing authenticated access to the Internet for both Windows network users and local users. The following topics are included in this section:
- Firewall authentication example
- LDAP Dial-in using member-attribute example
- RADIUS SSO example
- Troubleshooting
Firewall authentication example
Example configuration
Overview
In this example, there is a Windows network connected to Port 2 on the FortiGate unit and another LAN, Network_1, connected to Port 3.
All Windows network users authenticate when they log on to their network. Members of the Engineering and Sales groups can access the Internet without entering their authentication credentials again. The example assumes that Fortinet Single Sign On (FSSO) has already been installed and configured on the domain controller.
LAN users who belong to the Internet_users group can access the Internet after entering their username and password to authenticate. This example shows only two users: User1 is authenticated by a password stored on the FortiGate unit, and User2 is authenticated on an external authentication server. Both are referred to as local users because the user account is created on the FortiGate unit.
Creating a locally-authenticated user account
User1 is authenticated by a password stored on the FortiGate unit. It is very simple to create this type of account.
To create a local user – web-based manager:
- Go to User & Device > User Definition and select Create New.
- Follow the User Creation Wizard, entering the following information and then select Create:
User Type | Local User |
User Name | User1 |
Password | hardtoguess |
Email Address / SMS | (optional) |
Enable | Select. |
To create a local user – CLI:
config user local
    edit User1
        set type password
        set passwd hardtoguess
    next
end
Creating a RADIUS-authenticated user account
To authenticate users using an external authentication server, you must first configure the FortiGate unit to access the server.
To configure the remote authentication server – web-based manager:
- Go to User & Device > RADIUS Servers and select Create New.
- Enter the following information and select OK:
Name | OurRADIUSsrv |
Primary Server Name/IP | 10.11.101.15 |
Primary Server Secret | OurSecret |
Authentication Scheme | Select Use Default Authentication Scheme. |
To configure the remote authentication server – CLI:
config user radius
    edit OurRADIUSsrv
        set server 10.11.102.15
        set secret OurSecret
        set auth-type auto
    next
end
Creation of the user account is similar to the locally-authenticated account, except that you specify the RADIUS authentication server instead of the user’s password.
To configure a remote user – web-based manager:
- Go to User & Device > User Definition and select Create New.
- Follow the User Creation Wizard, entering the following information and then select Create:
User Type | Remote RADIUS User |
User Name | User2 |
RADIUS server | OurRADIUSsrv |
Email Address / SMS | (optional) |
Enable | Select |
To configure a remote user – CLI:
config user local
    edit User2
        set type radius
        set radius-server OurRADIUSsrv
    next
end
Creating user groups
There are two user groups: an FSSO user group for FSSO users and a firewall user group for other users. It is not possible to combine these two types of users in the same user group.
Creating the FSSO user group
For this example, assume that FSSO has already been set up on the Windows network and that it uses Advanced mode, meaning that it uses LDAP to access user group information. You need to:
- configure LDAP access to the Windows AD global catalog
- specify the collector agent that sends user logon information to the FortiGate unit
- select Windows user groups to monitor
- select and add the Engineering and Sales groups to an FSSO user group
To configure LDAP for FSSO – web-based manager:
- Go to User & Device > LDAP Servers and select Create New.
- Enter the following information:
Name | ADserver |
Server Name / IP | 10.11.101.160 |
Distinguished Name | dc=office,dc=example,dc=com |
Bind Type | Regular |
User DN | cn=FSSO_Admin,cn=users,dc=office,dc=example,dc=com |
Password | set_a_secure_password |
- Leave other fields at their default values.
- Select OK.
To configure LDAP for FSSO – CLI:
config user ldap
    edit "ADserver"
        set server "10.11.101.160"
        set dn "cn=users,dc=office,dc=example,dc=com"
        set type regular
        set username "cn=administrator,cn=users,dc=office,dc=example,dc=com"
        set password set_a_secure_password
    next
end
To specify the collector agent for FSSO – web-based manager:
- Go to User & Device > Single Sign-On and select Create New.
- Enter the following information:
Type | Fortinet Single Sign-On Agent |
Name | WinGroups |
Primary Agent IP/Name | 10.11.101.160 |
Password | fortinet_canada |
LDAP Server | ADserver |
- Select Apply & Refresh.
In a few minutes, the FortiGate unit downloads the list of user groups from the server.
To specify the collector agent for FSSO – CLI:
config user fsso
    edit "WinGroups"
        set ldap-server "ADserver"
        set password ENC G7GQV7NEqilCM9jKmVmJJFVvhQ2+wtNEe9T0iYA5Sa+EqT2J8zhOrbkJFDr0RmY3c4LaoXdsoBczA1dONmcGfthTxxwGsigzGpbJdC71spFlQYtj
        set server "10.11.101.160"
    next
end
To create the FSSO_Internet_users user group – web-based manager:
- Go to User & Device > User Groups and select Create New.
- Enter the following information and then select OK:
Name | FSSO_Internet_users |
Type | Fortinet Single Sign-On (FSSO) |
Members | Engineering, Sales |
To create the FSSO_Internet_users user group – CLI:
config user group
    edit FSSO_Internet_users
        set group-type fsso-service
        set member "CN=Engineering,cn=users,dc=office,dc=example,dc=com" "CN=Sales,cn=users,dc=office,dc=example,dc=com"
    next
end
Creating the Firewall user group
The non-FSSO users need a user group too. In this example, only two users are shown, but additional members can be added easily.
To create the firewall user group – web-based manager:
- Go to User & Device > User Groups and select Create New.
- Enter the following information and then select OK:
Name | Internet_users |
Type | Firewall |
Members | User1, User2 |
To create the firewall user group – CLI:
config user group
    edit Internet_users
        set group-type firewall
        set member User1 User2
    next
end
Defining policy addresses
- Go to Policy & Objects > Addresses.
- Create the following addresses:
Address Name | Internal_net |
Type | Subnet |
Subnet / IP Range | 10.11.102.0/24 |
Interface | Port 3 |
Address Name | Windows_net |
Type | Subnet |
Subnet / IP Range | 10.11.101.0/24 |
Interface | Port 2 |
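The address step above is shown only for the web-based manager. The following CLI equivalent is an added example, not part of the original guide; it assumes FortiOS 5.x syntax and the port2/port3 interface names used elsewhere on this page. Creating the address objects before the security policies matters because a policy cannot reference an address that does not yet exist.

```fortios
# Added example (not from the original guide): CLI equivalent of the
# two address objects. Names are case-sensitive and must match the
# srcaddr values used in the security policies below.
config firewall address
    edit "Internal_net"
        set type ipmask
        set subnet 10.11.102.0 255.255.255.0
        set associated-interface "port3"
    next
    edit "Windows_net"
        set type ipmask
        set subnet 10.11.101.0 255.255.255.0
        set associated-interface "port2"
    next
end
```

Binding each address to its interface with associated-interface means the object can only be selected on policies whose incoming interface matches, which prevents the Windows_net address from being accidentally used on the port3 policy or vice versa.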
Creating security policies
Two security policies are needed: one for the firewall user group, whose members connect through port3, and one for the FSSO user group, whose members connect through port2.
To create a security policy for FSSO authentication – web-based manager:
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter the following information:
Incoming Interface | Port2 |
Source Address | Windows_net |
Source User(s) | FSSO_Internet_users |
Outgoing Interface | Port1 |
Destination Address | all |
Schedule | always |
Service | ALL |
NAT | ON |
Security Profiles | Optionally, enable security profiles. |
- Select OK.
To create a security policy for FSSO authentication – CLI:
config firewall policy
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr Windows_net
        set dstaddr all
        set action accept
        set groups FSSO_Internet_users
        set schedule always
        set service ALL
        set nat enable
    next
end
To create a security policy for local user authentication – web-based manager:
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter the following information:
Incoming Interface | Port3 |
Source Address | Internal_net |
Source User(s) | Internet_users |
Outgoing Interface | Port1 |
Destination Address | all |
Schedule | always |
Service | ALL |
NAT | ON |
Security Profiles | Optionally, enable security profiles. |
- Select OK.
To create a security policy for local user authentication – CLI:
config firewall policy
    edit 0
        set srcintf port3
        set dstintf port1
        set srcaddr Internal_net
        set dstaddr all
        set action accept
        set schedule always
        set groups Internet_users
        set service ALL
        set nat enable
    next
end
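Once the servers, groups, addresses and policies are in place, each piece can be checked from the FortiGate CLI before any user traffic is tested. The command listing below is an added example and is not part of the original guide; it assumes FortiOS 5.x diagnose command syntax and the object names used in this example (OurRADIUSsrv, ADserver, FSSO_Internet_users, Internet_users). The values in angle brackets are placeholders for the real credentials.

```fortios
# Added verification steps (not from the original guide). Replace the
# <...> placeholders with the real credentials before running.

# 1. RADIUS: confirms the server at the configured IP is reachable and
#    that the shared secret matches. PAP is used because User2's
#    password is checked by the RADIUS server, not by the FortiGate.
diagnose test authserver radius OurRADIUSsrv pap User2 <User2-password>

# 2. LDAP: confirms the bind DN and password are accepted by the domain
#    controller and that the base DN can be searched.
diagnose test authserver ldap ADserver <AD-username> <AD-password>

# 3. FSSO: confirms the collector agent is connected, then forces a
#    download of the monitored Windows groups and shows the group
#    object with the DNs the policy matches on.
diagnose debug authd fsso server-status
diagnose debug authd fsso refresh-groups
show user group FSSO_Internet_users

# 4. After a Windows user logs on to the domain, the logon event should
#    appear here with the user's group membership.
diagnose debug authd fsso list

# 5. After User1 or User2 authenticates through the port3 policy, the
#    authenticated session appears in the firewall authentication table.
diagnose firewall auth list
```

Running step 1 and step 2 before creating policies isolates server problems (wrong IP, wrong secret, wrong bind DN) from policy problems; if a user cannot browse after the policies are added but the authserver tests pass, the issue is in group membership or policy matching rather than in the server configuration.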