Examples and Troubleshooting

This chapter provides an example of a FortiGate unit providing authenticated access to the Internet for both Windows network users and local users. The following topics are included in this section:

  • Firewall authentication example
  • LDAP Dial-in using member-attribute example
  • RADIUS SSO example
  • Troubleshooting

Firewall authentication example

Example configuration

Overview

In this example, there is a Windows network connected to Port 2 on the FortiGate unit and another LAN, Network_1, connected to Port 3.

All Windows network users authenticate when they logon to their network. Members of the Engineering and Sales groups can access the Internet without entering their authentication credentials again. The example assumes that the Fortinet Single Sign On (FSSO) has already been installed and configured on the domain controller.

LAN users who belong to the Internet_users group can access the Internet after entering their username and password to authenticate. This example shows only two users: User1 is authenticated by a password stored on the FortiGate unit, and User2 is authenticated on an external authentication server. Both of these users are referred to as local users because the user account is created on the FortiGate unit.

Creating a locally-authenticated user account

User1 is authenticated by a password stored on the FortiGate unit. It is very simple to create this type of account.

To create a local user – web-based manager:

  1. Go to User & Device > User Definition and select Create New.
  2. Follow the User Creation Wizard, entering the following information and then select Create:
     User Type: Local User
     User Name: User1
     Password: hardtoguess
     Email Address: (optional)
     SMS: (optional)
     Enable: Select.

To create a local user – CLI:

    config user local
        edit User1
            set type password
            set passwd hardtoguess
    end

Creating a RADIUS-authenticated user account

To authenticate users using an external authentication server, you must first configure the FortiGate unit to access the server.

To configure the remote authentication server – web-based manager:

  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter the following information and select OK:
     Name: OurRADIUSsrv
     Primary Server Name/IP: 10.11.101.15
     Primary Server Secret: OurSecret
     Authentication Scheme: Select Use Default Authentication Scheme.

To configure the remote authentication server – CLI:

    config user radius
        edit OurRADIUSsrv
            set server 10.11.102.15
            set secret OurSecret
            set auth-type auto
    end

Creation of the user account is similar to the locally-authenticated account, except that you specify the RADIUS authentication server instead of the user’s password.

To configure a remote user – web-based manager:

  1. Go to User & Device > User Definition and select Create New.
  2. Follow the User Creation Wizard, entering the following information and then select Create:
     User Type: Remote RADIUS User
     User Name: User2
     RADIUS server: OurRADIUSsrv
     Email Address: (optional)
     SMS: (optional)
     Enable: Select

To configure a remote user – CLI:

    config user local
        edit User2
            set name User2
            set type radius
            set radius-server OurRADIUSsrv
    end
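The RADIUS server entry above carries a shared secret (OurSecret on this page) that the FortiGate and OurRADIUSsrv must both hold. The following script, added here as an illustration and not code from the page or from Fortinet, builds the Access-Request the FortiGate sends when User2 logs in, plays the server side with a stand-in that holds the same secret, and verifies the reply on the client side as RFC 2865 describes. Everything in it is constructed: there is no live server, User2's password is invented because the page never states it, and the RADIUS server is a minimal stand-in, not FortiOS or any real server.

```python
import hashlib
import os
import struct

# Constructed values that mirror the page's example; there is no live server here.
SHARED_SECRET = b"OurSecret"             # the "Primary Server Secret" from the page
USER_DB = {"User2": b"Pass-for-User2"}   # constructed: the page never states User2's password

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; only a party holding the same secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: bytes = b"") -> bytes:
    """What the FortiGate sends to OurRADIUSsrv when User2 logs in: header + two attributes."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator: 16 random bytes
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated attribute")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Stand-in RADIUS server: recover the password with its copy of the secret, decide, and
    sign the reply with Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(parse_attributes(packet[20:length]))
    username = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if user_db.get(username) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, identifier, 20)   # this reply carries no attributes
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_verify_response(request: bytes, response: bytes, secret: bytes):
    """FortiGate side: accept the reply only if the identifier matches and the Response
    Authenticator checks out under the shared secret. Returns the code, or None if unverifiable."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return code if expected == response[4:20] else None


if __name__ == "__main__":
    req = build_access_request(7, "User2", "Pass-for-User2", SHARED_SECRET)
    print("matching secret :", client_verify_response(req, server_handle(req, SHARED_SECRET, USER_DB), SHARED_SECRET))
    print("server has wrong secret:", client_verify_response(req, server_handle(req, b"WrongSecret", USER_DB), SHARED_SECRET))
```

Running it shows the two failure modes a mistyped secret produces: the server recovers garbage instead of the password and answers Access-Reject, and the client cannot verify that reply at all (None), which is why a secret mismatch on either side looks like "authentication failed" for every RADIUS user. The password hiding is MD5-based and only as strong as the secret, so the path between the FortiGate and the RADIUS server should be a trusted management network.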

Creating user groups

There are two user groups: an FSSO user group for FSSO users and a firewall user group for other users. It is not possible to combine these two types of users in the same user group.

Creating the FSSO user group

For this example, assume that FSSO has already been set up on the Windows network and that it uses Advanced mode, meaning that it uses LDAP to access user group information. You need to:

  • configure LDAP access to the Windows AD global catalog
  • specify the collector agent that sends user logon information to the FortiGate unit
  • select Windows user groups to monitor
  • select and add the Engineering and Sales groups to an FSSO user group

To configure LDAP for FSSO – web-based manager:

  1. Go to User & Device > LDAP Servers and select Create New.
  2. Enter the following information:
     Name: ADserver
     Server Name / IP: 10.11.101.160
     Distinguished Name: dc=office,dc=example,dc=com
     Bind Type: Regular
     User DN: cn=FSSO_Admin,cn=users,dc=office,dc=example,dc=com
     Password: set_a_secure_password
  3. Leave other fields at their default values.
  4. Select OK.

To configure LDAP for FSSO – CLI:

    config user ldap
        edit "ADserver"
            set server "10.11.101.160"
            set dn "cn=users,dc=office,dc=example,dc=com"
            set type regular
            set username "cn=administrator,cn=users,dc=office,dc=example,dc=com"
            set password set_a_secure_password
        next
    end

To specify the collector agent for FSSO – web-based manager:

  1. Go to User & Device > Single Sign-On and select Create New.
  2. Enter the following information:
     Type: Fortinet Single Sign-On Agent
     Name: WinGroups
     Primary Agent IP/Name: 10.11.101.160
     Password: fortinet_canada
     LDAP Server: ADserver
  3. Select Apply & Refresh.

In a few minutes, the FortiGate unit downloads the list of user groups from the server.

To specify the collector agent for FSSO – CLI:

    config user fsso
        edit "WinGroups"
            set ldap-server "ADserver"
            set password ENC G7GQV7NEqilCM9jKmVmJJFVvhQ2+wtNEe9T0iYA5Sa+EqT2J8zhOrbkJFDr0RmY3c4LaoXdsoBczA1dONmcGfthTxxwGsigzGpbJdC71spFlQYtj
            set server "10.11.101.160"
    end

To create the FSSO_Internet_users user group – web-based manager:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
     Name: FSSO_Internet_users
     Type: Fortinet Single Sign-On (FSSO)
     Members: Engineering, Sales

To create the FSSO_Internet_users user group – CLI:

    config user group
        edit FSSO_Internet_users
            set group-type fsso-service
            set member CN=Engineering,cn=users,dc=office,dc=example,dc=com CN=Sales,cn=users,dc=office,dc=example,dc=com
    end

Creating the Firewall user group

The non-FSSO users need a user group too. In this example, only two users are shown, but additional members can be added easily.

To create the firewall user group – web-based manager:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
     Name: Internet_users
     Type: Firewall
     Members: User1, User2

To create the firewall user group – CLI:

    config user group
        edit Internet_users
            set group-type firewall
            set member User1 User2
    end

Defining policy addresses

  1. Go to Policy & Objects > Addresses.
  2. Create the following addresses:
     Address Name: Internal_net
     Type: Subnet
     Subnet / IP Range: 10.11.102.0/24
     Interface: Port 3

     Address Name: Windows_net
     Type: Subnet
     Subnet / IP Range: 10.11.101.0/24
     Interface: Port 2

Creating security policies

Two security policies are needed: one for the firewall user group, whose members connect through port3, and one for the FSSO user group, whose members connect through port2.

To create a security policy for FSSO authentication – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information:
     Incoming Interface: Port2
     Source Address: Windows_net
     Source User(s): FSSO_Internet_users
     Outgoing Interface: Port1
     Destination Address: all
     Schedule: always
     Service: ALL
     NAT: ON
     Security Profiles: Optionally, enable security profiles.
  3. Select OK.

To create a security policy for FSSO authentication – CLI:

    config firewall policy
        edit 0
            set srcintf port2
            set dstintf port1
            set srcaddr Windows_net
            set dstaddr all
            set action accept
            set groups FSSO_Internet_users
            set schedule always
            set service ANY
            set nat enable
    end

To create a security policy for local user authentication – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information:
     Incoming Interface: Port3
     Source Address: Internal_net
     Source User(s): Internet_users
     Outgoing Interface: Port1
     Destination Address: all
     Schedule: always
     Service: ALL
     NAT: ON
     Security Profiles: Optionally, enable security profiles.
  3. Select OK.

To create a security policy for local user authentication – CLI:

    config firewall policy
        edit 0
            set srcintf port3
            set dstintf port1
            set srcaddr Internal_net
            set dstaddr all
            set action accept
            set schedule always
            set groups Internet_users
            set service ANY
            set nat enable
    end
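The user groups, address objects and policies above reference each other by name, and on FortiOS those names are case-sensitive, so a group that lists User1 while the CLI created user1, or a policy whose srcaddr is internal_net while the address object is Internal_net, is accepted as typed but never matches. The script below is an added example, not a Fortinet tool or code from the page: it parses a constructed sample of the CLI objects this page creates (with those two mismatches left in on purpose) and reports every dangling reference, including FSSO group member DNs that fall outside the LDAP server's configured base DN. The parser handles only the flat config/edit/set/next/end subset used on this page, and the DN check ignores RFC 4514 escaping; both are simplifying assumptions.

```python
import shlex
from collections import defaultdict

# Constructed sample mirroring the objects this page creates, with its two name mismatches
# left in on purpose (CLI "user1" vs member "User1"; "internal_net" vs "Internal_net").
SAMPLE_CONFIG = """
config user local
    edit user1
        set type password
    next
    edit User2
        set type radius
        set radius-server OurRADIUSsrv
    next
end
config user radius
    edit OurRADIUSsrv
    next
end
config user ldap
    edit "ADserver"
        set dn "cn=users,dc=office,dc=example,dc=com"
    next
end
config user group
    edit FSSO_Internet_users
        set group-type fsso-service
        set member CN=Engineering,cn=users,dc=office,dc=example,dc=com CN=Sales,cn=users,dc=office,dc=example,dc=com
    next
    edit Internet_users
        set group-type firewall
        set member User1 User2
    next
end
config firewall address
    edit Internal_net
    next
    edit Windows_net
    next
end
config firewall policy
    edit 1
        set srcaddr Windows_net
        set dstaddr all
        set groups FSSO_Internet_users
    next
    edit 2
        set srcaddr internal_net
        set dstaddr all
        set groups Internet_users
    next
end
"""


def parse_fortios_cli(text: str) -> dict:
    """Parse the flat config/edit/set/next/end subset into {table: {entry: {attr: [values]}}}.
    Assumption: no nested 'config' blocks inside an entry (none appear on this page)."""
    tables, table, entry = defaultdict(dict), None, None
    for line in text.splitlines():
        words = shlex.split(line)          # honours the CLI's double-quoted values
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword == "config":
            table, entry = " ".join(args), None
        elif keyword == "edit" and table is not None:
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif keyword == "set" and entry is not None:
            tables[table][entry][args[0]] = args[1:]
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            table, entry = None, None
    return dict(tables)


def dn_under(dn: str, base: str) -> bool:
    """True if dn lies strictly below base. RDNs are compared case-insensitively, as Active
    Directory does; assumption: no RFC 4514 escaped commas inside the RDN values."""
    parts = [rdn.strip().lower() for rdn in dn.split(",")]
    base_parts = [rdn.strip().lower() for rdn in base.split(",")]
    return len(parts) > len(base_parts) and parts[-len(base_parts):] == base_parts


def lint(cfg: dict) -> list:
    """Report every reference whose target object does not exist (exact, case-sensitive match)."""
    findings = []
    users = set(cfg.get("user local", {}))
    servers = set(cfg.get("user radius", {})) | set(cfg.get("user ldap", {}))
    groups = cfg.get("user group", {})
    addresses = set(cfg.get("firewall address", {})) | {"all"}   # "all" is a built-in address
    bases = [e["dn"][0] for e in cfg.get("user ldap", {}).values() if "dn" in e]
    for name, user in cfg.get("user local", {}).items():
        for srv in user.get("radius-server", []) + user.get("ldap-server", []):
            if srv not in servers:
                findings.append(f"user local {name}: server '{srv}' is not defined")
    for name, group in groups.items():
        fsso = group.get("group-type", ["firewall"])[0] == "fsso-service"
        for member in group.get("member", []):
            if fsso and not any(dn_under(member, b) for b in bases):
                findings.append(f"user group {name}: member DN '{member}' is outside every LDAP base DN")
            elif not fsso and member not in users | servers:
                findings.append(f"user group {name}: member '{member}' is not a defined user or server")
    for pid, policy in cfg.get("firewall policy", {}).items():
        for attr in ("srcaddr", "dstaddr"):
            for addr in policy.get(attr, []):
                if addr not in addresses:
                    findings.append(f"firewall policy {pid}: {attr} '{addr}' is not a defined address")
        for grp in policy.get("groups", []):
            if grp not in groups:
                findings.append(f"firewall policy {pid}: group '{grp}' is not defined")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(parse_fortios_cli(SAMPLE_CONFIG))) or "no dangling references")
```

Run against the sample it reports exactly the two mismatches; feed it the output of `show` from a real unit (after stripping any nested blocks) and an empty result means every group, address and server a policy names actually exists under that exact spelling.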

This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
