LDAP Authentication on Fortigate

Posted on June 19, 2012

0



On Fortigate we can use LDAP Server for user authentication. What I miss here is the 2 important things what Cisco calls AAA
-Authentication
-Authorization –> missing
-Accounting –> missing

– Fortigate Supports LDAP, RADIUS, TACACS, with LDAP it can only authenticate users, authorization is only possible with TACACS.
– With Fortigate we cannot define where it should look for the user regarding the base DN. one level or more level beneath the base DN is not possible. What it does in the background, is not clear for me.
– It is possible to look for group membership. See the link:
http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-authentication-40-mr3.pdf

Used Version: v4.0,build0521,120313 (MR3 Patch 6)

1. LDAP Server configuration.

config user ldap
    edit "WindowsLDAP"
        set server "10.0.1.10"
        set cnid "cn"
        set dn "CN=Users,DC=mycompanyAD,DC=mycompany,DC=sec"
        set type regular
        set username "cn=administrator,cn=users,dc=mycompanyad,dc=mycompany,dc=sec"
        set password ENC AwAAAMhVMCPmG0A0z4lq2AY7VbExK8/4PQBdOIpMGzActfHzgRdKP/3ogrnXe4k277GUqHAccpTkysswKekSwLjQvBvHt3qS1YEQyvu+E+qdfrnd
    next
end

2. User-group configuration.

config user group
    edit "FSSO_Guest_Users"
        set group-type fsso-service
    next
    edit "Guest-group"
            set member "guest"
    next
    edit "LDAP_Users"
            set member "WindowsLDAP"
    next
end

3. Firewall Policy configuration.

config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "External"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set utm-status enable
        set identity-based enable
        set nat enable
            config identity-based-policy
                edit 1
                    set schedule "always"
                    set logtraffic enable
                        set groups "LDAP_Users"
                        set service "ANY"
                next
            end
    next
end

4. Testing Ldap authentication.

firewall (root) # diag test authserver ldap WindowsLDAP firewall mypassword
authenticate 'firewall' against 'WindowsLDAP' succeeded!
Group membership(s) - CN=Remote Desktop Users,CN=Builtin,DC=mycompanyAD,DC=mycompany,DC=sec
                      CN=Administrators,CN=Builtin,DC=mycompanyAD,DC=mycompany,DC=sec
Advertisements
Posted in: AAA, Fortigate, Security