Tag Archives: fortinet can’t connect

Configuring Single Sign On to Windows AD

Configuring Single Sign On to Windows AD

On the FortiGate unit, security policies control access to network resources based on user groups. With Fortinet Single Sign On, this is also true but each FortiGate user group is associated with one or more Windows AD user groups. This is how Windows AD user groups get authenticated in the FortiGate security policy.

Fortinet Single Sign On sends information about Windows user logons to FortiGate units. If there are many users on your Windows AD domains, the large amount of information might affect the performance of the FortiGate unit.

To configure your FortiGate unit to operate with either a Windows AD or a Novell eDirectory FSSO install, you

  • Configure LDAP access to the Windows AD global catalog. See Configuring LDAP server access on page 546.
  • Configure the LDAP Server as a Single Sign-On server. See Configuring the LDAP Server as a Single Sign-On server on page 547.
  • Add Active Directory user groups to FortiGate FSSO user groups. See Creating Fortinet Single Sign-On (FSSO) user groups on page 548.
  • Create security policies for FSSO-authenticated groups. See Creating security policies on page 548.
  • Optionally, specify a guest protection profile to allow guest access. See Enabling guest access through FSSO security policies on page 550

 

Configuring LDAP server access

The FortiGate unit needs access to the domain controller’s LDAP server to retrieve user group information.

The LDAP configuration on the FortiGate unit not only provides access to the LDAP server, it sets up the retrieval of Windows AD user groups for you to select in FSSO. The LDAP Server configuration (in User & Device > Authentication > LDAP Servers) includes a function to preview the LDAP server’s response to your distinguished name query. If you already know the appropriate Distinguished Name (DN) and User DN settings, you may be able to skip some of the following steps.

 

To add an LDAP server – web-based manager:

1. Go to User & Device > Authentication > LDAP Servers and select Create New.

2. Enter the Server IP/Name and Server Port (default 389).

3. In the Common Name Identifier field, enter sAMAccountName.The default common name identifier is cn.

This is correct for most LDAP servers. However some servers use other identifiers such as uid.

4. In the Distinguished Name field, enter your organization distinguished name. In this example, Distinguished

Name is dc=techdoc,dc=local

5. Select Fetch DN, this will fetch the Windows AD directory.

6. Set Bind Type to Regular.

7. In the User DN field, enter the administrative account name that you created for FSSO.

For example, if the account is administrator, enter “administrator@techdoc.local”.

8. Enter the administrative account password in the Password field.

9. Optionally select Secure Connection.

  • In the Protocol field, select LDAPS or STARTTLS.
  • In the Certificate field, select the appropriate certificate for authentication. Note that you need to configure the Windows AD for secure connection accordingly.

10. Select OK.

11. Test your configuration by selecting the Test button. A successful message confirming the right settings appears.

 

Single Sign-On to Windows AD

Single Sign-On to Windows AD

The FortiGate unit can authenticate users transparently and allow them network access based on their privileges in Windows AD. This means that users who have logged on to the network are not asked again for their credentials to access network resources through the FortiGate unit, hence the term “Single Sign-On”.

The following topics are included:

  • Introduction to Single Sign-On with Windows AD
  • Configuring Single Sign On to Windows AD
  • FortiOS FSSO log messages
  • Testing FSSO
  • Troubleshooting FSSO

 

Introduction to Single Sign-On with Windows AD

Introduced in FortiOS 5.0, Single Sign-On (SSO) support provided by FortiGate polling of domain controllers is simpler than the earlier method that relies on agent software installed on Windows AD network servers. No Fortinet software needs to be installed on the Windows network. The FortiGate unit needs access only to the Windows AD global catalog and event log.

When a Windows AD user logs on at a workstation in a monitored domain, the FortiGate unit

  • detects the logon event in the domain controller’s event log and records the workstation name, domain, and user,
  • resolves the workstation name to an IP address,
  • uses the domain controller’s LDAP server to determine which groups the user belongs to,
  • creates one or more log entries on the FortiGate unit for this logon event as appropriate.

When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. The selection consist of matching the FSSO group or groups the user belongs to with the security policy or policies that match that group. If the user belongs to one of the permitted user groups associated with that policy, the connection is allowed. Otherwise the connection is denied.

Configuring the FortiClient SSO Mobility Agent

Configuring the FortiClient SSO Mobility Agent

The user’s device must have at least FortiClient Endpoint Security v5.0 installed. Only two pieces of information are required to set up the SSO Mobility Agent feature: the FortiAuthenticator unit IP address and the preshared secret.

The user needs to know the FortiAuthenticator IP address and preshared secret to set up the SSO Mobility Agent. Or, you could preconfigure FortiClient.

 

To configure FortiClient SSO Mobility Agent:

1. In FortiClient Endpoint Security, go to File > Settings.

You must run the FortiClient application as an administrator to access these settings.

2. Select Enable single sign-on mobility agent. Enter the FortiAuthenticator unit IP address, including the listening port number specified on the FortiAuthenticator unit.

Example: 192.168.0.99:8001. You can omit the port number if it is 8005.

3. Enter the preshared key.

4. Select OK.

 

Viewing SSO authentication events on the FortiGate unit

User authentication events are logged in the FortiGate event log. Go to Log & Report > Event Log > User.

 

Configuring the FortiGate unit

Configuring the FortiGate unit

Adding a FortiAuthenticator unit as an SSO agent

On the FortiGate unit, you need to add the FortiAuthenticator unit as a Single Sign-On agent that provides user logon information.

Single Sign-On using a FortiAuthenticator unit

 

To add a FortiAuthenticator unit as SSO agent:

1. Go to User & Device > Authentication > Single Sign-On and select Create New.

2. In Type, select Fortinet Single-Sign-On Agent.

3. Enter a Name for the FortiAuthenticator unit.

4. In Primary Agent IP/Name, enter the IP address of the FortiAuthenticator unit.

5. In Password, enter the secret key that you defined for the FortiAuthenticator unit.

On the FortiAuthenticator unit, you go to Fortinet SSO Methods > SSO > General to define the secret key. Select Enable Authentication.

6. Select OK.

In a few minutes, the FortiGate unit receives a list of user groups from the FortiAuthenticator unit. The entry in the Single Sign-On server list shows a blue caret.

When you open the server, you can see the list of groups. You can use the groups in identity-based security policies.

 

Configuring an FSSO user group

You cannot use FortiAuthenticator SSO user groups directly in a security policy. Create an FSSO user group and add FortiAuthenticator SSO user groups to it. FortiGate FSSO user groups are available for selection in identity- based security policies.

To create an FSSO user group:

1. Go to User & Device > User > User Groups and select Create New.

2. Enter a Name for the group.

3. In Type, select Fortinet Single Sign-On (FSSO).

4. Add Members.

The groups available to add as members are SSO groups provided by SSO agents.

5. Select OK.

 

Configuring security policies

You can create identity-based policies based on FSSO groups as you do for local user groups. For more information about security policies see the Firewall chapter.

Configuring the FortiAuthenticator unit

Configuring the FortiAuthenticator unit

The FortiAuthenticator unit can poll FortiGate units, Windows Active Directory, RADIUS servers, LDAP servers, and FortiClients for information about user logon activity.

 

To configure FortiAuthenticator polling:

1. Go to Fortinet SSO Methods > SSO > General.

2. In the FortiGate section, leave the Listening port at 8000, unless your network requires you to change this. The

FortiGate unit must allow traffic on this port to pass through the firewall.

Optionally, you can set the Login Expiry time. This is the length of time users can remain logged in before the system logs them off automatically. The default is 480 minutes (8 hours).

3. Select Enable Authentication and enter the Secret key. Be sure to use the same secret key when configuring the FSSO Agent on FortiGate units.

4. In the Fortinet Single Sign-On (FSSO) section, enter

 

Enable Windows Active Dir- ectory domain controllers

Select for integration with Windows Active Directory.

 

Enable Radius accounting

SSO clients

Select if you want to use a Remote Radius server.

 

Enable Syslog SSO                   Select for integration with Syslog server.

 

Enable FortiClient SSO Mobility Agent service

 

Enable Authentication

Select both options to enable single sign-on by clients running FortiClient Endpoint Security. Enter the Secret key. Be sure to use the same secret key in the FortiClient Single Sign-On Mobility Agent settings.

5. Select OK.

For more information, see the FortiAuthenticator Administration Guide.

Single Sign-On using a FortiAuthenticator unit

Single Sign-On using a FortiAuthenticator unit

If you use a FortiAuthenticator unit in your network as a single sign-on agent,

  • Users can authenticate through a web portal on the FortiAuthenticator unit.
  • Users with FortiClient Endpoint Security installed can be automatically authenticated by the FortiAuthenticator unit through the FortiClient SSO Mobility Agent.

The FortiAuthenticator unit can integrate with external network authentication systems such as RADIUS and LDAP to gather user logon information and send it to the FortiGate unit.

 

Users view of FortiAuthenticator SSO authentication

There are two different ways users can authenticate through a FortiAuthenticator unit.

 

Users without FortiClient Endpoint Security – SSO widget

To log onto the network, the user accesses the organization’s web page with a web browser. Embedded on that page is a simple logon widget, like this:

User not logged in. Click Login to go to the FortiAuthenticator login page.

User logged in. Name displayed. Logout button available.

The SSO widget sets a cookie on the user’s browser. When the user browses to a page containing the login widget, the FortiAuthenticator unit recognizes the user and updates its database if the user’s IP address has changed. The user will not need to re-authenticate until the login timeout expires, which can be up to 30 days.

 

Users with FortiClient Endpoint Security – FortiClient SSO Mobility Agent

The user simply accesses resources and all authentication is performed transparently with no request for credentials. IP address changes, such as those due to WiFi roaming, are automatically sent to the FortiAuthenticator unit. When the user logs off or otherwise disconnects from the network, the FortiAuthenticator unit is aware of this and deauthenticates the user.

The FortiClient SSO Mobility Agent, a feature of FortiClient Endpoint Security v5.0, must be configured to communicate with the appropriate FortiAuthenticator unit. After that, the agent automatically provides user name and IP address information to the FortiAuthenticator unit for transparent authentication.

 

Administrators view of FortiAuthenticator SSO authentication

You can configure either or both of these authentication types on your network.

 

SSO widget

You need to configure the Single Sign-On portal on the FortiAuthenticator unit. Go to Fortinet SSO Methods > SSO > Portal Services to do this. Copy the Embeddable login widget code for use on your organization’s home page. Identity-based security policies on the FortiGate unit determine which users or groups of users can access which network resources.

 

FortiClient SSO Mobility Agent

Your users must be running at least FortiClient Endpoint Security v5.0 to make use of this type of authentication. On the FortiAuthenticator unit, you need to select Enable FortiClient SSO Mobility Agent Service, optionally

select Enable Authentication and choose a Secret key. Go to Fortinet SSO Methods > SSO > General. You need to provide your users the FortiAuthenticator IP address and secret key so that they can configure the FortiClient SSO Mobility Agent on their computers. See Configuring the FortiGate unit on page 542.

Configuring certificate-based authentication

Configuring certificate-based authentication

You can configure certificate-based authentication for FortiGate administrators, SSL VPN users, and IPsec VPN users.

In Microsoft Windows 7, you can use the certificate manager to keep track of all the different certificates on your local computer. To access certificate manager, in Windows 7 press the Windows key, enter “certmgr.msc” at the search prompt, and select the displayed match. Remember that in addition to these system certificates, many applications require you to register certificates with them directly.

To see FortiClient certificates, open the FortiClient Console, and select VPN. The VPN menu has options for My Certificates (local or client) and CA Certificates (root or intermediary certificate authorities). Use Import on those screens to import certificate files from other sources.

 

Authenticating administrators with security certificates

You can install a certificate on the management computer to support strong authentication for administrators. When a personal certificate is installed on the management computer, the FortiGate unit processes the certificate after the administrator supplies a username and password.

 

To enable strong administrative authentication:

  • Obtain a signed personal certificate for the administrator from a CA and load the signed personal certificate into the web browser on the management computer according to the browser documentation.
  • Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see Installing a CA root certificate and CRL to authenticate remote clients on page 529 ).
  • Create a PKI user account for the administrator.
  • Add the PKI user account to a firewall user group dedicated to PKI-authenticated administrators.
  • In the administrator account configuration, select PKI as the account Type and select the User Group to which the administrator belongs.

 

Authenticating SSL VPN users with security certificates

While the default self-signed certificates can be used for HTTPS connections, it is preferable to use the X.509 server certificate to avoid the redirection as it can be misinterpreted as possible session hijacking. However, the server certificate method is more complex than self-signed security certificates. Also the warning message is typically displayed for the initial connection, and future connections will not generate these messages.

X.509 certificates can be used to authenticate IPsec VPN peers or clients, or SSL VPN clients. When configured to authenticate a VPN peer or client, the FortiGate unit prompts the VPN peer or client to authenticate itself using the X.509 certificate. The certificate supplied by the VPN peer or client must be verifiable using the root CA certificate installed on the FortiGate unit in order for a VPN tunnel to be established.

 

To enable certificate authentication for an SSL VPN user group:

1. Install a signed server certificate on the FortiGate unit and install the corresponding root certificate (and CRL) from the issuing CA on the remote peer or client.

2. Obtain a signed group certificate from a CA and load the signed group certificate into the web browser used by each user. Follow the browser documentation to load the certificates.

3. Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see Installing a CA root certificate and CRL to authenticate remote clients on page 529).

4. Create a PKI user for each SSL VPN user. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.

5. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the SSL VPN users who are authenticated by certificate.

6. Go to Policy & Objects > Policy > IPv4.

7. Edit the SSL-VPN security policy.

8. Select the user group created earlier in the Source User(s) field.

9. Select OK.

 

Authenticating IPsec VPN users with security certificates

To require VPN peers to authenticate by means of a certificate, the FortiGate unit must offer a certificate to authenticate itself to the peer.

 

To enable the FortiGate unit to authenticate itself with a certificate:

1. Install a signed server certificate on the FortiGate unit.

See To install or import the signed server certificate – web-based manager on page 529.

2. Install the corresponding CA root certificate on the remote peer or client. If the remote peer is a FortiGate unit, see To install a CA root certificate on page 529.

3. Install the certificate revocation list (CRL) from the issuing CA on the remote peer or client. If the remote peer is a

FortiGate unit, see To import a certificate revocation list on page 529.

4. In the VPN phase 1 configuration, set Authentication Method to Signature and from the Certificate Name list select the certificate that you installed in Step 1.

To authenticate a VPN peer using a certificate, you must install a signed server certificate on the peer. Then, on the FortiGate unit, the configuration depends on whether there is only one VPN peer or if this is a dialup VPN that can be multiple peers.

 

To configure certificate authentication of a single peer

1. Install the CA root certificate and CRL.

2. Create a PKI user to represent the peer. Specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.

3. In the VPN phase 1 Peer Options, select peer certificate for Accept Types field and select the PKI user that you created in the Peer certificate field.

 

To configure certificate authentication of multiple peers (dialup VPN)

1. Install the corresponding CA root certificate and CRL.

2. Create a PKI user for each remote VPN peer. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.

3. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the PKI

users who will use the IPsec VPN.

In the VPN phase 1 Peer Options, select peer certificate group for Accept Types field and select the PKI

user group that you created in the Peer certificate group field.

Online updates to certificates and CRLs

Online updates to certificates and CRLs

If you obtained your local or CA certificate using SCEP, you can configure online renewal of the certificate before it expires. Similarly, you can receive online updates to CRLs.

 

Local certificates

In the config vpn certificate local command, you can specify automatic certificate renewal. The relevant fields are:

scep-url <URL_str>             The URL of the SCEP server. This can be HTTP or HTTPS. The following options appear after you add the <URL_str>.

scep-password <password_str>  The password for the SCEP server.

auto-regenerate-days <days_

int>

How many days before expiry the FortiGate unit requests an updated local certificate. The default is 0, no auto-update.

auto-regenerate-days-warning

<days_int>

How many days before local certificate expiry the FortiGate gen- erates a warning message. The default is 0, no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate local edit mycert

set scep-url http://scep.example.com/scep set scep-server-password my_pass_123

set auto-regenerate-days 3

set auto-regenerate-days-warning 2 end

 

CA certificates

In the config vpn certificate ca command, you can specify automatic certificate renewal. The relevant fields are:

 

Variable                                                    Description

scep-url <URL_str>             The URL of the SCEP server. This can be HTTP or HTTPS.

 

Variable                                                    Description

auto-update-days <days_int>   How many days before expiry the FortiGate unit requests an updated CA certificate. The default is 0, no auto-update.

auto-update-days-warning

<days_int>

How many days before CA certificate expiry the FortiGate gen- erates a warning message. The default is 0,no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate ca edit mycert

set scep-url http://scep.example.com/scep set auto-update-days 3

set auto-update-days-warning 2 end

 

Certificate Revocation Lists

If you obtained your CRL using SCEP, you can configure online updates to the CRL using the config vpn certificate crl command. The relevant fields are:

 

Variable                                                    Description

http-url <http_url>            URL of the server used for automatic CRL certificate updates.

This can be HTTP or HTTPS.

scep-cert <scep_certificate>  Local certificate used for SCEP communication for CRL auto- update.

scep-url <scep_url>            URL of the SCEP CA server used for automatic CRL certificate updates. This can be HTTP or HTTPS.

update-interval <seconds>

How frequently, in seconds, the FortiGate unit checks for an updated CRL. Enter 0 to update the CRL only when it expires. Not available for http URLs.

update-vdom <update_vdom>      VDOM used to communicate with remote SCEP server for CRL

auto-update.

In this example, an updated CRL is requested only when it expires.

config vpn certificate crl edit cert_crl

set http-url http://scep.example.com/scep set scep-cert my-scep-cert

set scep-url http://scep.ca.example.com/scep set update-interval 0

set update-vdom root end