Troubleshooting LDAP
The examples in this section use the values from the previous example.
LDAP user test
A quick way to see if the LDAP configuration is correct is to run a diagnose CLI command with LDAP user information. The following command tests with a user called netAdmin and a password of fortinet. If the configuration is correct the test will be successful.
FGT# diag test authserver ldap ldap_server netAdmin fortinet
‘ldap_server’ is not a valid ldap server name — an LDAP server by that name has not been configured on the FortiGate unit, check your spelling.
authenticate ‘netAdmin’ against ‘ldap_server’ failed! — the user netAdmin does not exist on ldap_server, or the password supplied to the test is wrong. Check your spelling of both the user and server and ensure the user has been configured on the FortiGate unit. The same failure also appears when the FortiGate cannot bind to the server at all (wrong bind DN, bind password or Common Name identifier), so confirm the server settings before blaming the user account.
LDAP authentication debugging
For a more in-depth test, you can use a diag debug command. The sample output below shows more information about the authentication process that may prove useful if there are any problems.
Ensure the “Allow Dial-in” attribute is still set to “TRUE” and run the following CLI commands. fnbamd is the Fortinet non-blocking authentication daemon.
FGT# diag debug enable
FGT# diag debug reset
FGT# diag debug application fnbamd -1
FGT# diag debug enable
The output will look similar to:
get_member_of_groups-Get the memberOf groups.
get_member_of_groups- attr=’msNPAllowDialin’, found 1 values
get_member_of_groups-val[0]=’TRUE’
fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS
fnbamd_auth_poll_ldap-Passed group matching
If the “Allow Dial-in” attribute is not set but it is expected, the last line of the above output will instead be:
fnbamd_auth_poll_ldap-Failed group matching
TACACS+ servers
When users connect to their corporate network remotely, they do so through a remote access server. As remote access technology has evolved, the need for security when accessing networks has become increasingly important. This need can be filled using a Terminal Access Controller Access-Control System Plus (TACACS+) server.
TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a username and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies the user access to the network.
TACACS+ obfuscates the whole packet body (every body octet is XORed with an MD5 keystream derived from the shared key, session ID, version and sequence number), and supports both IP and AppleTalk protocols. This is often described as encryption, but it is not authenticated encryption and has no integrity check: anyone who obtains the shared key can read every packet, which is why RFC 8907 requires the protocol to run only over a protected transport (an isolated management network or an IPsec tunnel) and why the key must be long and unique per server. TACACS+ uses TCP port 49, which is seen as more reliable than RADIUS’s UDP transport.
There are several different authentication protocols that TACACS+ can use during the authentication process:
Authentication protocols
Protocol | Definition |
ASCII | Machine-independent technique that uses representations of English characters. Requires the user to type a username and password that are sent in clear text (unencrypted) and matched with an entry in the user database stored in ASCII format. |
PAP | Password Authentication Protocol (PAP). Used to authenticate PPP connections. Transmits passwords and other user information in clear text. |
CHAP | Challenge-Handshake Authentication Protocol (CHAP). Provides the same functionality as PAP, but is more secure as it does not send the password and other user information over the network to the security server. |
MS-CHAP | Microsoft Challenge-Handshake Authentication Protocol v1 (MS-CHAP). Microsoft-specific version of CHAP. |
default | The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order. |
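To make the "obfuscated body" point concrete, the following Python script builds the TACACS+ authentication START packet that a client such as a FortiGate sends for a PAP login, applies the RFC 8907 body obfuscation, and shows what a server (or an attacker) gets back with the right and the wrong key. This is an added example written for this page, not code from the FortiOS Handbook or from Fortinet; the shared key (demo-shared-key), session ID, NAS address, port name, user and password are all constructed for the demo, and the authen_type constants map to the FortiOS `set authen-type` choices only by their RFC 8907 values.

```python
"""TACACS+ authentication START with RFC 8907 body obfuscation.
Added example, not code from the FortiOS Handbook or Fortinet; the shared
key, session id, user, password, port and NAS address are constructed."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01             # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # FortiOS "set authen-type ascii"
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02    # FortiOS "set authen-type pap"
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in the clear (deprecated)
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 octets


def version_for(authen_type):
    """Minor version 0 for ASCII, 1 for PAP/CHAP/MS-CHAP (RFC 8907 s4.1)."""
    return (TAC_PLUS_MAJOR_VER << 4) | (0 if authen_type == TAC_PLUS_AUTHEN_TYPE_ASCII else 1)


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5: MD5_1 = MD5(session_id||key||version||seq_no),
    MD5_n = MD5(...||MD5_(n-1)); concatenated, truncated to the body length.
    An XOR pad keyed only by the shared key: not authenticated encryption."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, authen_type, password=b"", port=b"tty0",
                      rem_addr=b"192.168.100.3", priv_lvl=1):
    """START body (RFC 8907 s5.1). PAP carries the password in `data`;
    ASCII sends it later in a CONTINUE after the server replies GETPASS."""
    data = password if authen_type == TAC_PLUS_AUTHEN_TYPE_PAP else b""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, authen_type,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port),
                        len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body, session_id, key, authen_type, seq_no=1):
    """Header plus body; an empty key falls back to the deprecated clear flag."""
    version = version_for(authen_type)
    if key:
        wire_body, flags = xor_body(body, session_id, key, version, seq_no), 0
    else:
        wire_body, flags = body, TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + wire_body


def parse_packet(packet, key):
    """Return (header dict, plaintext body). A wrong key yields garbage, and
    the protocol has no MAC, so nothing else detects tampering or a bad key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}, body


def parse_authen_start(body):
    """Decode START fields; a length mismatch usually means the wrong key."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if len(body) != 8 + ul + pl + rl + dl:
        raise ValueError("START body length mismatch (wrong key?)")
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr,
            "data": body[off:off + dl]}


def demo(key=b"demo-shared-key", user=b"netAdmin", password=b"fortinet"):
    """Round-trip a PAP START: returns (decoded fields, header, wire body)."""
    session_id = 0x1234ABCD  # constructed; real clients pick this randomly
    body = authen_start_body(user, TAC_PLUS_AUTHEN_TYPE_PAP, password)
    packet = build_packet(body, session_id, key, TAC_PLUS_AUTHEN_TYPE_PAP)
    header, plain = parse_packet(packet, key)
    return parse_authen_start(plain), header, packet[HEADER_LEN:]


if __name__ == "__main__":
    fields, header, wire = demo()
    print(header, fields, "password visible on wire:", b"fortinet" in wire)
```

Running the script shows the password is not visible in the wire bytes, but the only thing standing between a packet capture and the clear-text PAP password is the shared key: feed `parse_packet` the right key and every field comes back. A truncated or modified body is not detected either, which is the practical reason to put the FortiGate-to-TACACS+ path inside IPsec or on an isolated management segment.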
Configuring a TACACS+ server on the FortiGate unit
A maximum of 10 remote TACACS+ servers can be configured for authentication.
One or more servers must be configured on FortiGate before remote users can be configured. To configure remote users, see Local and remote users on page 50.
The TACACS+ page in the web-based manager (User & Device > TACACS+ Servers) is not available until a TACACS+ server has been configured in the CLI. For more information see the CLI Reference.
To configure the FortiGate unit for TACACS+ authentication – web-based manager:
- Go to User & Device > TACACS+ Servers and select Create New.
- Enter the following information, and select OK.
Name | Enter the name of the TACACS+ server. |
Server Name/IP | Enter the server domain name or IP address of the TACACS+ server. |
Server Key | Enter the key to access the TACACS+ server. |
Authentication Type | Select the authentication type to use for the TACACS+ server. Auto tries PAP, MSCHAP, and CHAP (in that order). |
To configure the FortiGate unit for TACACS+ authentication – CLI:
config user tacacs+
    edit "TACACS-SERVER"
        set server [IP_ADDRESS]
        set key [PASSWORD]
        set authen-type ascii
    next
end
config user group
    edit "TACACS-GROUP"
        set group-type firewall
        set member "TACACS-SERVER"
    next
end
config system admin
    edit TACACS-USER
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "TACACS-GROUP"
    next
end
With wildcard enabled, every account the TACACS+ server authenticates into TACACS-GROUP logs in as an administrator with the super_admin profile. Use a narrower access profile unless all members of that group are meant to be full administrators, and make sure the group on the server is restricted accordingly.
IPv6 TACACS+ server IP address
IPv6 address support is available for TACACS+ servers.
Syntax
config user tacacs+
    edit <name>
        set server <ipv6 address>
        set source-ipv6 <ipv6 address>
    next
end
POP3 servers
FortiOS can authenticate users who have accounts on POP3 or POP3s email servers. POP3 authentication can be configured only in the CLI.
To configure the FortiGate unit for POP3 authentication:
config user pop3
    edit pop3_server1
        set server pop3.fortinet.com
        set secure starttls
        set port 110
    next
end
To configure a POP3 user group:
config user group
    edit pop3_grp
        set member pop3_server1
    next
end
A user group can list up to six POP3 servers as members.
SSO servers
Novell and Microsoft Windows networks provide user authentication based on directory services: eDirectory for Novell, Active Directory for Windows. Users can log on at any computer in the domain and have access to resources as defined in their user account. The Fortinet Single Sign On (FSSO) agent enables FortiGate units to authenticate these network users for security policy or VPN access without asking them again for their username and password.
When a user logs in to the Windows or Novell domain, the FSSO agent sends to the FortiGate unit the user’s IP address and the names of the user groups to which the user belongs. The FortiGate unit uses this information to maintain a copy of the domain controller user group database. Because the domain controller authenticates users, the FortiGate unit does not perform authentication. It recognizes group members by their IP address.
In the FortiOS FSSO configuration, you specify the server where the FSSO Collector agent is installed. The Collector agent retrieves the names of the Novell or Active Directory user groups from the domain controllers on the domains, and then the FortiGate unit gets them from the Collector agent. You cannot use these groups directly. You must define FSSO type user groups on your FortiGate unit and then add the Novell or Active Directory user groups to them. The FSSO user groups that you created are used in security policies and VPN configurations to provide access to different services and resources.
FortiAuthenticator servers can replace the Collector agent when FSSO is using polling mode. The benefit of this is that FortiAuthenticator is a stand-alone server that has the necessary FSSO software pre-installed. For more information, see the FortiAuthenticator Administration Guide.
SSO agent configuration settings
The following are SSO configuration settings in Security Fabric > Fabric Connectors.
SSO server list
Lists all the collector agents that you have configured (along with other Security Fabric connectors). On this page, you can create, edit or delete FSSO agents. There are different types of FSSO agents, each with its own settings.
You can create a redundant configuration on your unit if you install a collector agent on two or more domain controllers. If the current (or first) collector agent fails, the FortiGate unit switches to the next one in its list of up to five collector agents.
Create New | Gives you the option to create a new agent. When you select Create New, you are automatically redirected to the New Fabric Connector page. Select an option from under SSO/Identity. |
Edit | Modifies the settings for the selected SSO server. |
Delete | Removes an agent from the list on the page. To remove multiple entries from the list, select the check box for each server you want removed and then select Delete. To remove all agents from the list, on the FSSO Agent page, select the check box at the top of the check box column and then select Delete. |
Settings for Poll Active Directory Server | |
Server IP/Name | The IP address of the domain controller (DC). |
User | The user ID used to access the domain controller. |
Password | Enter the password for the account used to access the DC. |
LDAP Server | Select the check box and select an LDAP server to access the Directory Service. |
Enable Polling | Enable to allow the FortiGate unit to poll this DC. |
Users/Groups | A list of user and user group names retrieved from the DC. |
Settings when Type is RADIUS Single Sign On Agent | |
Name | Enter a name for the SSO server. |
Use RADIUS Shared Secret | Enable and specify the SSO server secret. |
Send RADIUS Responses | Enable to send RADIUS responses. |
Settings for Fortinet Single Sign On Agent | |
Name | Enter a name for the SSO server. |
Primary FSSO Agent | Enter the IP address or name of the Directory Service server where this SSO agent is installed, along with the password. The maximum number of characters is 63. |
FSSO Agent | Optionally, add and configure up to four additional FSSO agents, up to a maximum of five. |
Collector Agent AD access mode | Select one of the following options. Standard: Enable and view a list of user and user group names retrieved from the server. Advanced: Enable and select an LDAP server to access the Directory Service. |
RSA ACE (SecurID) servers
SecurID is a two-factor system that uses one-time password (OTP) authentication. It is produced by the company RSA. This system includes portable tokens carried by users, an RSA ACE/Server, and an Agent Host. In our configuration, the FortiGate unit is the Agent Host.
Components
When using SecurID, users carry a small device or “token” that generates and displays a pseudo-random password. According to RSA, each SecurID authenticator token has a unique 64-bit symmetric key that is combined with a powerful algorithm to generate a new code every 60 seconds. The token is time-synchronized with the SecurID RSA ACE/Server.
The RSA ACE/Server is the management component of the SecurID system. It stores and validates the information about the SecurID tokens allowed on your network. Alternatively, the server could be an RSA SecurID 130 Appliance.
The Agent Host is the server on your network, in this case it is the FortiGate unit, that intercepts user logon attempts. The Agent Host gathers the user ID and password entered from their SecurID token, and sends that information to the RSA ACE/Server to be validated. If valid, a reply comes back indicating it is a valid logon and the FortiGate unit allows the user access to the network resources specified in the associated security policy.
Configuring the SecurID system
To use SecurID with a FortiGate unit, you need:
- to configure the RSA server and the RADIUS server to work with each other (see RSA server documentation), or to configure the RSA SecurID 130 Appliance
- to configure the FortiGate unit as an Agent Host on the RSA ACE/Server
- to configure the FortiGate unit to use the RADIUS server
- to create a SecurID user group
- to configure a security policy with SecurID authentication
The following instructions are based on RSA ACE/Server version 5.1, or RSA SecurID 130 Appliance, and assume that you have successfully completed all the external RSA and RADIUS server configuration steps listed above.
For this example, the RSA server is on the internal network, with an IP address of 192.128.100.100. The FortiGate unit internal interface address is 192.168.100.3, RADIUS shared secret is fortinet123, RADIUS server is at IP address 192.168.100.102.
To configure the RSA SecurID 130 appliance
- Go to the IMS Console for SecurID and log on.
- Go to RADIUS > RADIUS Clients, and select Add New.
- Enter the following information to configure your FortiGate as a SecurID Client, and select Save.
RADIUS Client Basics | |
Client Name | FortiGate |
Associated RSA Agent | FortiGate |
RADIUS Client Settings | |
IP Address | 192.168.100.3 (the IP address of the FortiGate unit internal interface). |
Make / Model | Select Standard Radius |
Shared Secret | fortinet123 (the RADIUS shared secret). |
Accounting | Leave unselected |
Client Status | Leave unselected |
To configure the FortiGate unit as an Agent Host on the RSA ACE/Server
- On the RSA ACE/Server computer, go to Start > Programs > RSA ACE/Server, and then Database Administration – Host Mode.
- On the Agent Host menu, select Add Agent Host.
- Enter and save the following information.
Name | FortiGate |
Network Address | 192.168.100.3 (the IP address of the FortiGate unit). |
Secondary Nodes | Optionally enter other IP addresses that resolve to the FortiGate unit. |
If needed, refer to the RSA ACE/Server documentation for more information.
To configure the FortiGate unit to use the RADIUS server
- Go to User & Device > RADIUS Servers and select Create New.
- Enter the following information, and select OK.
Name | RSA |
Primary Server IP/Name | 192.168.100.102. Optionally select Test to ensure the IP address is correct and the FortiGate can contact the RADIUS server. |
Primary Server Secret | fortinet123 |
Authentication Scheme | Select Use Default Authentication Scheme. |
To create a SecurID user group
- Go to User & Device > User Groups, and select Create New.
- Enter the following information.
Name | RSA_group |
Type | Firewall |
- In Remote Groups, select Add, then select the RSA server.
- Select OK.
To create a SecurID user:
- Go to User & Device > User Definition, and select Create New.
- Use the wizard to enter the following information, and then select Create.
User Type | Remote RADIUS User |
User Name | wloman |
RADIUS Server | RSA |
Contact Info | (optional) Enter Email or SMS information |
User Group | RSA_group |
To test this configuration, on your FortiGate unit use the CLI command:
diagnose test authserver radius RSA auto wloman 111111111
The series of 1s stands for the one-time passcode that your RSA SecurID token generates and that you enter. If the token is PIN-protected, the passcode is the PIN followed by the current tokencode; type the value shown on the token at the moment you run the test, since it changes every 60 seconds.
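The test command above only tells you pass or fail. To see what actually travels between the FortiGate and the RSA RADIUS service, here is a worked RFC 2865 exchange in Python: the NAS hides the passcode in the User-Password attribute with the shared secret, the server recovers it and answers, and the NAS verifies the Response Authenticator before trusting the reply. This is an added example, not FortiOS or RSA code; it reuses the page's values (secret fortinet123, user wloman, passcode 111111111, NAS address 192.168.100.3) but simulates the RSA server in-process, draws the Request Authenticator at random, and omits the Message-Authenticator attribute (RFC 2869) that a hardened deployment should require.

```python
"""RADIUS Access-Request/Accept for the SecurID test above (RFC 2865).
Added example, not FortiOS or RSA code; the passcode, request authenticator
and NAS address are constructed. Shows how User-Password is hidden with the
shared secret and how the NAS checks the Response Authenticator, which is
what stops an Access-Accept forged without the secret."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: null-pad to 16 octets; c1 = p1 ^ MD5(S||RA),
    c_i = p_i ^ MD5(S||c_(i-1)). Reversible by anyone holding the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password (the chain runs over the ciphertext)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs, off = [], 0
    while off < len(data):
        if off + 2 > len(data) or data[off + 1] < 2 or off + data[off + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[off], data[off + 2:off + data[off + 1]]))
        off += data[off + 1]
    return attrs


def build_access_request(ident, user, passcode, secret, nas_ip, request_auth):
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_USER_PASSWORD, hide_password(passcode, secret, request_auth))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    return (struct.pack("!BBH", code, ident, 20 + len(attrs))
            + response_authenticator(code, ident, attrs, request_auth, secret) + attrs)


def verify_response(response, request_auth, secret):
    """NAS check before trusting a reply: recompute the Response Authenticator.
    Returns the code on success, None for a forged reply or wrong secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or length < 20:
        return None
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return code if hmac.compare_digest(response[4:20], expected) else None


def demo(secret=b"fortinet123", user=b"wloman", passcode=b"111111111", expected=b"111111111"):
    """FortiGate -> RSA -> FortiGate exchange. Returns (code the NAS accepts
    from the genuine reply, result of verifying a reply forged with a guessed
    secret). `expected` stands in for the passcode RSA computes for the token."""
    request_auth = os.urandom(16)
    req = build_access_request(7, user, passcode, secret, "192.168.100.3", request_auth)
    # RADIUS server side: unhide the passcode and decide
    attrs = dict(parse_attrs(req[20:]))
    seen = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req[4:20])
    code = ACCESS_ACCEPT if (attrs[ATTR_USER_NAME], seen) == (user, expected) else ACCESS_REJECT
    genuine = build_response(code, req[1], b"", req[4:20], secret)
    forged = build_response(ACCESS_ACCEPT, req[1], b"", request_auth, b"guessed-secret")
    return verify_response(genuine, request_auth, secret), verify_response(forged, request_auth, secret)
```

Two things worth noticing when you run `demo()`: a mismatched secret on either side does not produce a clear error, it produces a reject (the server unhides the wrong passcode) or a silently dropped reply (the NAS cannot verify the authenticator), which is exactly the symptom the handbook's Test button is meant to catch; and because the passcode hiding is reversible with the secret and the request itself carries no integrity check, the shared secret and the UDP path between FortiGate and RSA server deserve the same protection as the TACACS+ key discussed earlier.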
Using the SecurID user group for authentication
You can use the SecurID user group in several FortiOS features that authenticate by user group, including:
- Security policy
- IPsec VPN XAuth
- PPTP VPN
- SSL VPN
The following sections assume the SecurID user group is called securIDgrp and has already been configured. Unless otherwise stated, default values are used.
Security policy
To use SecurID in a security policy, you must include the SecurID user group in a security policy. This procedure will create a security policy that allows HTTP, FTP, and POP3 traffic from the internal interface to wan1. If these interfaces are not available on your FortiGate unit, substitute other similar interfaces.
To configure a security policy with SecurID authentication
- Go to Policy & Objects > IPv4 Policy.
- Select Create New.
- Enter:
Incoming Interface | internal | |
Source Address | all | |
Source User(s) | securIDgrp | |
Outgoing Interface | wan1 | |
Destination Address | all | |
Schedule | always | |
Services | HTTP, FTP, POP3 | |
Action | ACCEPT | |
NAT | On | |
Shared Shaper | On, if you want to either limit traffic or guarantee minimum bandwidth for traffic that uses the SecurID security policy. Use the default shaper guarantee-100kbps. | |
Log Allowed Traffic | On, if you want to generate usage reports on traffic authenticated with this policy. | |
- Select OK.
The SecurID security policy is configured.
For more detail on configuring security policies, see the FortiOS Handbook FortiGate Fundamentals guide.
IPsec VPN XAuth
Extended Authentication (XAuth) increases security by requiring user authentication in addition to the pre-shared key.
When creating an IPsec VPN using the wizard, under VPN > IPsec Wizard, select the SecurID user group on the Authentication page. Members of the SecurID group are required to enter their SecurID passcode to authenticate.
For more on XAuth, see Configuring XAuth authentication on page 98.
PPTP VPN
PPTP VPN is configured in the CLI. In the PPTP configuration (config vpn pptp), set usrgrp to the SecurID user group.
SSL VPN
You need to map the SecurID user group to the portal that will serve SecurID users and include the SecurID user group in the Source User(s) field in the security policy.
To map the SecurID group to an SSL VPN portal:
- Go to VPN > SSL-VPN Settings.
- In Authentication/Portal Mapping, select Create New.
- Enter
Users/Groups | securIDgrp |
Portal | Choose the portal. |
- Select OK.
Nice article.
Do you know the resolution?
For a user created with RADIUS authentication (Microsoft) and a token assigned, how to resolve it so that only the strict username as set on the FG is asked for the token.
There is a difference between domain\username and username; both are allowed to log in, but only one is asked for FortiToken auth.
Good article, like all of your FortiGate ones.
Can I use the account-key-filter to pass the subject of the computer certificate to the backend LDAP and use it for group filtering?