On Fortigate we can use an LDAP server for user authentication. What I miss here are two important parts of what Cisco calls AAA:
- Authentication
- Authorization -> missing
- Accounting -> missing
- Fortigate supports LDAP, RADIUS and TACACS. With LDAP it can only authenticate users; authorization is only possible with TACACS.
- With Fortigate we cannot define how far below the base DN it should search for the user: restricting the search to one level, or to more levels, beneath the base DN is not possible. What it does in the background is not clear to me.
- It is possible to look for group membership. See the link:
http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-authentication-40-mr3.pdf
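The base-DN and group-membership behaviour discussed above, as an added example in Python (not part of the original post and not Fortinet's code): it models how an LDAP server resolves a user under a base DN with the three search scopes defined in RFC 4511 (base, one level, whole subtree) and how group membership is read from the entry's memberOf attribute. The directory is constructed for the example; its DNs reuse the post's DC=mycompanyAD,DC=mycompany,DC=sec naming, but the entries, the OU=Service container, the user svc-vpn and the group "VPN Users" are invented.

```python
# Added example, not from the post: emulates an LDAP user lookup under a base DN
# with the three RFC 4511 search scopes, plus a memberOf-based group check.
# Everything in DIRECTORY is constructed sample data.

from typing import Dict, List, Optional

# Constructed directory: DN -> attributes. "firewall" sits directly under
# CN=Users; "svc-vpn" sits one container deeper, under OU=Service.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Users,DC=mycompanyAD,DC=mycompany,DC=sec": {"objectClass": ["container"]},
    "CN=firewall,CN=Users,DC=mycompanyAD,DC=mycompany,DC=sec": {
        "cn": ["firewall"],
        "memberOf": [
            "CN=Remote Desktop Users,CN=Builtin,DC=mycompanyAD,DC=mycompany,DC=sec",
            "CN=Administrators,CN=Builtin,DC=mycompanyAD,DC=mycompany,DC=sec",
        ],
    },
    "OU=Service,CN=Users,DC=mycompanyAD,DC=mycompany,DC=sec": {
        "objectClass": ["organizationalUnit"]
    },
    "CN=svc-vpn,OU=Service,CN=Users,DC=mycompanyAD,DC=mycompany,DC=sec": {
        "cn": ["svc-vpn"],
        "memberOf": ["CN=VPN Users,CN=Users,DC=mycompanyAD,DC=mycompany,DC=sec"],
    },
}


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN components normalised for comparison.
    CN/OU/DC values are compared case-insensitively, which is how AD treats
    them (the post's own config mixes 'CN=Users' and 'cn=users').
    Escaped commas are not handled; the constructed data has none."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if a search rooted at base_dn with the given scope would return
    entry_dn: 'base' (only the base entry), 'onelevel' (direct children only)
    or 'subtree' (the base and everything below it)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                      # not under the base DN at all
    depth = len(entry) - len(base)        # 0 = the base entry itself
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def find_user(cnid: str, username: str, base_dn: str, scope: str) -> Optional[str]:
    """Emulate the filter '(cnid=username)' under base_dn; return the DN or None."""
    for dn, attrs in DIRECTORY.items():
        if not in_scope(dn, base_dn, scope):
            continue
        if username.lower() in (v.lower() for v in attrs.get(cnid, [])):
            return dn
    return None


def is_member(user_dn: str, group_dn: str) -> bool:
    """Group check via the user's memberOf attribute, compared as normalised DNs."""
    groups = DIRECTORY.get(user_dn, {}).get("memberOf", [])
    return any(split_dn(g) == split_dn(group_dn) for g in groups)


BASE = "CN=Users,DC=mycompanyAD,DC=mycompany,DC=sec"   # the post's 'set dn' value

if __name__ == "__main__":
    for user in ("firewall", "svc-vpn"):
        for scope in ("base", "onelevel", "subtree"):
            print(f"{user:9} scope={scope:8} -> {find_user('cn', user, BASE, scope)}")
    fw = find_user("cn", "firewall", BASE, "subtree")
    print("firewall in Administrators:",
          is_member(fw, "cn=administrators,cn=builtin,dc=mycompanyad,dc=mycompany,dc=sec"))
```

Running it shows the point the post makes about the base DN: "firewall" is found with the one-level and subtree scopes, while "svc-vpn" in the sub-container is found only with subtree. Whether the Fortigate searches one level or the whole subtree under `set dn` decides which accounts can authenticate at all, so it is worth confirming with the `diag test authserver ldap` command against a user in a nested container rather than assuming.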
Used Version: v4.0,build0521,120313 (MR3 Patch 6)
1. LDAP Server configuration.
config user ldap
    edit "WindowsLDAP"
        set server "10.0.1.10"
        set cnid "cn"
        set dn "CN=Users,DC=mycompanyAD,DC=mycompany,DC=sec"
        set type regular
        set username "cn=administrator,cn=users,dc=mycompanyad,dc=mycompany,dc=sec"
        set password ENC AwAAAMhVMCPmG0A0z4lq2AY7VbExK8/4PQBdOIpMGzActfHzgRdKP/3ogrnXe4k277GUqHAccpTkysswKekSwLjQvBvHt3qS1YEQyvu+E+qdfrnd
    next
end
2. User-group configuration.
config user group
    edit "FSSO_Guest_Users"
        set group-type fsso-service
    next
    edit "Guest-group"
        set member "guest"
    next
    edit "LDAP_Users"
        set member "WindowsLDAP"
    next
end
3. Firewall Policy configuration.
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "External"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set utm-status enable
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set logtraffic enable
                set groups "LDAP_Users"
                set service "ANY"
            next
        end
    next
end
4. Testing LDAP authentication.
firewall (root) # diag test authserver ldap WindowsLDAP firewall mypassword
authenticate 'firewall' against 'WindowsLDAP' succeeded!
Group membership(s) - CN=Remote Desktop Users,CN=Builtin,DC=mycompanyAD,DC=mycompany,DC=sec
CN=Administrators,CN=Builtin,DC=mycompanyAD,DC=mycompany,DC=sec
Posted on June 19, 2012