Firewall Authentication and Active Directory

Case ScenarioYou have to two groups of users attempting to access the Internet through the FortiGate. Most users needto be restricted in their access to the Internet. A few select users are permitted unrestricted access to theInternet.

General QuestionHow can the FortiGate distinguish between the two sets of users?

The solution is to enforce firewall authentication against two distinct user groups. The remainder of thedocument will explain how to configure this.

Although it is not necessary to use LDAP to implement the above scenario, LDAP is useful for customerswho already have users defined inActive Directory. This document will focus on implementations usingLDAP.

ConfigurationTwo implementations using LDAP will be explained (the latter approach can also be used with a Radiusserver).

For the sake of this technote, the protection profiles being referenced are as follows:Restricted Users use: “block-yahoo” protection profile (no access to “yahoo.com” permitted) – see belowUnrestricted Users use: “unfiltered” protection profile

Implementation ATwo users group with users defined in unique OUs (Organization Units)

The restricted and unrestricted users must already be defined in separate organizational units inActiveDirectory:

1) Define the LDAP servers

config user ldapedit "Unrestricted OU"set dn "ou=Unrestricted,dc=cs,dc=vanc,dc=ca"set server "172.16.87.83"

nextedit "Restricted OU"set dn "ou=Restricted,dc=cs,dc=vanc,dc=ca"set server "172.16.87.83"

next

2) Define user groups

config user groupedit "unrestricted"

set member "Unrestricted OU"set profile "unfiltered"set types-in-group 4

nextedit "restricted"

set member "Restricted OU"set profile "block-yahoo"set types-in-group 4

next

3) Enable firewall authentication

config firewall policyedit 1set srcintf "internal"set dstintf "wan1"

…set authentication enableset groups "unrestricted" "restricted"

next

How to login?In this example, end users should use the full name to login

Result of logging in:

note: you must reload the page after you receive this message

Blocking of yahoo site (for restricted user):

What LDAP query occurs in the background?

for an unrestricted user (first bind is successful) …for a restricted user (second bind is successful) …

What is the full name anyway and how does it differ from display name or login name?

Implementation BTwo user groups & LDAP authentication but no OUs (the exception to the rule)

Note: this method can be used with Radius servers also

In this case, users are not neatly defined in separate OUs in Active Directory. In this case, we can exemptusers on a case by case basis.

1) Define the LDAP servers<as above>

2) Define user groupsIn this example, “joe smith” will be exempted. Everyone else will be blocked from accessing“yahoo.com”.

config user ldapedit "AD -- Display Name"set server "172.16.87.83"

next

! if “joe smith” logins, authenticate against LDAPconfig user localedit "joe smith"set type ldapset ldap_server "AD -- Display Name"

next

config user group

! majority of usersedit "restricted"

set member " AD -- Display Name "set profile "block-yahoo"set types-in-group 4

next

!”joe smith” is treated differently than other loginsedit "exception"

set member "joe smith"set profile "unfiltered"set types-in-group 16

next

3) Enable firewall authentication

config firewall policyedit 1set srcintf "internal"set dstintf "wan1"

…set authentication enableset groups "exception" "restricted"

next

How to login?

In this example, end users should use the display name to login

What LDAP query occurs in the background?In this whether the user is one of the exempt users OR the restricted group, only 1 bind request is made: