Firewall Authentication and Active Directory
Case Scenario
You have two groups of users attempting to access the Internet through the FortiGate. Most users need to be restricted in their access to the Internet. A few select users are permitted unrestricted access to the Internet.
General Question
How can the FortiGate distinguish between the two sets of users?
The solution is to enforce firewall authentication against two distinct user groups. The remainder of this document explains how to configure this.
Although it is not necessary to use LDAP to implement the above scenario, LDAP is useful for customers who already have users defined in Active Directory. This document focuses on implementations using LDAP.
Configuration
Two implementations using LDAP will be explained (the latter approach can also be used with a RADIUS server).
For the sake of this technote, the protection profiles being referenced are as follows:
Restricted users use the "block-yahoo" protection profile (no access to "yahoo.com" permitted; see below)
Unrestricted users use the "unfiltered" protection profile
Implementation A: Two user groups with users defined in unique OUs (Organizational Units)
The restricted and unrestricted users must already be defined in separate organizational units in Active Directory:
1) Define the LDAP servers
config user ldap
    edit "Unrestricted OU"
        set dn "ou=Unrestricted,dc=cs,dc=vanc,dc=ca"
        set server "172.16.87.83"
    next
    edit "Restricted OU"
        set dn "ou=Restricted,dc=cs,dc=vanc,dc=ca"
        set server "172.16.87.83"
    next
end
2) Define user groups
config user group
    edit "unrestricted"
        set member "Unrestricted OU"
        set profile "unfiltered"
        set types-in-group 4
    next
    edit "restricted"
        set member "Restricted OU"
        set profile "block-yahoo"
        set types-in-group 4
    next
end
3) Enable firewall authentication
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        …
        set authentication enable
        set groups "unrestricted" "restricted"
    next
end
How to login?
In this example, end users should use the full name to log in.
Result of logging in:
Note: you must reload the page after you receive this message.
Blocking of the yahoo site (for a restricted user):
What LDAP query occurs in the background?
For an unrestricted user (first bind is successful): …
For a restricted user (second bind is successful): …
What is the full name anyway and how does it differ from display name or login name?
Implementation B: Two user groups and LDAP authentication but no OUs (the exception to the rule)
Note: this method can be used with RADIUS servers also.
In this case, users are not neatly defined in separate OUs in Active Directory, so we exempt users on a case-by-case basis.
1) Define the LDAP servers <as above>
2) Define user groups
In this example, "joe smith" will be exempted. Everyone else will be blocked from accessing "yahoo.com".
config user ldap
    edit "AD -- Display Name"
        set server "172.16.87.83"
    next
end

! if "joe smith" logs in, authenticate against LDAP
config user local
    edit "joe smith"
        set type ldap
        set ldap_server "AD -- Display Name"
    next
end

config user group
    ! majority of users
    edit "restricted"
        set member "AD -- Display Name"
        set profile "block-yahoo"
        set types-in-group 4
    next
    ! "joe smith" is treated differently than other logins
    edit "exception"
        set member "joe smith"
        set profile "unfiltered"
        set types-in-group 16
    next
end
3) Enable firewall authentication
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        …
        set authentication enable
        set groups "exception" "restricted"
    next
end
How to login?
In this example, end users should use the display name to log in.
What LDAP query occurs in the background?
In this case, whether the user is one of the exempt users or in the restricted group, only one bind request is made.
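As an added illustration (not from the technote or from FortiOS), the following Python models the bind sequence behind both implementations: each LDAP server entry is bound as cn=<login>,<dn>, the policy's groups are tried in the order listed under set groups, and the first successful bind selects the protection profile. The directory contents, the user names and passwords, and the cn=Users container used as the dn of the "AD -- Display Name" server (which the technote does not show) are constructed assumptions.

```python
# Constructed stand-in for the AD directory: bind DN -> password. The RDN "cn="
# is the account's full name, which is why the technote says to log in with it.
DIRECTORY = {
    "cn=Ann Lee,ou=Unrestricted,dc=cs,dc=vanc,dc=ca": "ann-pw",
    "cn=Bob Roy,ou=Restricted,dc=cs,dc=vanc,dc=ca": "bob-pw",
    "cn=joe smith,cn=Users,dc=cs,dc=vanc,dc=ca": "joe-pw",  # container is assumed
    "cn=Pat Fox,cn=Users,dc=cs,dc=vanc,dc=ca": "pat-pw",
}

def simple_bind(base_dn, login, password, attempts):
    """One LDAP simple bind as cn=<login>,<base dn>; every attempt is recorded."""
    bind_dn = f"cn={login},{base_dn}"
    attempts.append(bind_dn)
    return DIRECTORY.get(bind_dn) == password

def resolve(policy_groups, groups, ldap_servers, local_users, login, password):
    """Walk the policy's groups in order; the first member that authenticates
    the login decides the protection profile. Returns (profile, bind attempts)."""
    attempts = []
    for name in policy_groups:
        group = groups[name]
        for member in group["member"]:
            if member in ldap_servers:                          # types-in-group 4
                ok = simple_bind(ldap_servers[member], login, password, attempts)
            elif member in local_users and member == login:     # types-in-group 16
                ok = simple_bind(ldap_servers[local_users[member]], login, password, attempts)
            else:
                continue
            if ok:
                return group["profile"], attempts
    return None, attempts                                       # no group matched: access denied

# Implementation A: one LDAP server entry per OU, tried in the policy's group order.
LDAP_A = {"Unrestricted OU": "ou=Unrestricted,dc=cs,dc=vanc,dc=ca",
          "Restricted OU": "ou=Restricted,dc=cs,dc=vanc,dc=ca"}
GROUPS_A = {"unrestricted": {"member": ["Unrestricted OU"], "profile": "unfiltered"},
            "restricted": {"member": ["Restricted OU"], "profile": "block-yahoo"}}

# Implementation B: one LDAP server; "joe smith" is a local user of type ldap.
# The technote does not show this server's dn, so the Users container is assumed.
LDAP_B = {"AD -- Display Name": "cn=Users,dc=cs,dc=vanc,dc=ca"}
LOCAL_B = {"joe smith": "AD -- Display Name"}
GROUPS_B = {"restricted": {"member": ["AD -- Display Name"], "profile": "block-yahoo"},
            "exception": {"member": ["joe smith"], "profile": "unfiltered"}}

def login_a(user, pw):
    return resolve(["unrestricted", "restricted"], GROUPS_A, LDAP_A, {}, user, pw)
def login_b(user, pw):
    return resolve(["exception", "restricted"], GROUPS_B, LDAP_B, LOCAL_B, user, pw)
```

Running login_a for a restricted user records two binds (the first, against the Unrestricted OU, fails), while login_b records exactly one bind for both "joe smith" and everyone else, matching the behaviour described above.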