FGT1 04 Firewall Authentication
Firewall Authentication
Authentication
• Once FortiGate identifies the user or device, it applies the right firewall policies and profiles to allow or deny access to each network resource
Methods of Authentication
Local Password Authentication
Remote Server Authentication
[Diagram: (1) the user sends username and password to FortiGate; (2) FortiGate forwards the username and password to the remote server; (3) the remote server returns its answer; (4) FortiGate replies OK to the user]
Remote Server Authentication – Protocols
• POP3
• RADIUS
• LDAP
• TACACS+
• Single Sign On: Directory Services (FSSO, NTLM) and RADIUS (RSSO)
Remote Server Authentication - Single Sign On (SSO)
Remote Server Authentication – POP3
Two-Factor Authentication (2FA)
Two-Factor Authentication - One-Time Password
Two-Factor Authentication - Tokens
• OTP generator (token): static password + OTP
• Validation server: checks the OTP; requires time sync with an accurate NTP source
• Both sides run the same algorithm with the same seed and the same time
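The slide above says the token and the validation server share an algorithm, a seed and a clock. The following is an added example, not code from the Fortinet course or from FortiOS, showing what that means in practice: an RFC 6238 time-based OTP on the token side and a validator that checks static password plus OTP, tolerates a small amount of clock drift, and refuses replays. The seed and clock values are the public RFC 6238 test vectors; the static password and the drift window are assumptions made for this example.

```python
# Added example (not from the Fortinet course): a time-based OTP validator
# of the kind a token validation server runs. The seed bytes and clock
# values used in the comments are the RFC 6238 test vectors; the static
# password and the skew window are assumptions for this example.
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of 'step'-second intervals since the epoch.

    Token and server compute this independently; they agree only if they
    share the seed AND their clocks are in the same step, which is why the
    slide insists on an accurate NTP source."""
    return hotp(seed, int(unix_time) // step, digits)


class TokenValidator:
    """Validation-server side of 2FA: static password + OTP for one user.

    skew_steps is how many steps of clock drift between token and server
    are tolerated (1 step = +/-30 s). Keep it small: every extra step is
    one more OTP an attacker could guess or replay."""

    def __init__(self, seed: bytes, static_password: str,
                 step: int = 30, digits: int = 6, skew_steps: int = 1):
        self.seed = seed
        self.static_password = static_password.encode()
        self.step, self.digits, self.skew_steps = step, digits, skew_steps
        self.last_counter = -1  # highest counter already accepted, to refuse replay

    def validate(self, submitted_password: str, submitted_otp: str, server_time: int) -> bool:
        # First factor: the static password, compared in constant time.
        if not hmac.compare_digest(self.static_password, submitted_password.encode()):
            return False
        # Second factor: the OTP must match one of the counters inside the skew window.
        now = int(server_time) // self.step
        for counter in range(now - self.skew_steps, now + self.skew_steps + 1):
            if counter <= self.last_counter:
                continue  # an OTP for this or an earlier step was already consumed
            expected = hotp(self.seed, counter, self.digits).encode()
            if hmac.compare_digest(expected, submitted_otp.encode()):
                self.last_counter = counter
                return True
        return False
```

With the RFC 6238 seed `12345678901234567890`, a token whose clock reads 59 s produces `287082` (6 digits) or `94287082` (8 digits). A server whose clock reads 75 s is in the next step but still inside a one-step window and accepts it; a server 60 s ahead (130 s, counter 4) rejects it, which is the failure you see in the field when NTP is missing on either side.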
Adding a FortiToken
Authentication Types
• Active
 o User receives a login prompt and must manually enter credentials to authenticate
 o Used with LDAP, RADIUS, Local, and TACACS+
• Passive
 o User does not receive a login prompt because credentials are determined automatically
 o Method varies depending on the type of authentication used
 o Used with FSSO, RSSO, and NTLM
Active Authentication Triggers
• Active authentication is triggered by HTTP, HTTPS, FTP and Telnet traffic, which FortiGate answers with a login prompt
• All other services are not allowed until the user has first authenticated successfully through one of those protocols
Authentication Types: Order of Operations
Firewall Policy: Source
Firewall Policy: DNS
Mixing Policies
• Two options:
 o Enable authentication on every policy that could match the traffic
 o Enable a captive portal on the ingress interface for the traffic
Captive Portal
[Diagram: local network behind FortiGate with Port 1 and Port 2; the captive portal is enabled on the ingress interface for the traffic]
Example: Captive Portal
Captive Portal Exceptions
Disclaimers
• Displays the Terms and Disclaimer Agreement page before the user authenticates
 o User must accept the disclaimer to proceed with the authentication process
 o The user is then directed to the original destination (or the authentication login)
• CLI:
    config firewall policy
        edit <policy_id>
            set disclaimer enable
        end
Modifying Disclaimers
Authentication Timeout
Users and User Groups
LDAP Overview
LDAP Hierarchy
LDAP Directory Tree example
dc=example,dc=com
  ou=hr
    uid=abush
    uid=apiquet
  ou=it
    uid=jsmith
      email: jsmith@example.com
      objectClass: inetOrgPerson
LDAP Query Configuration
• Common Name Identifier: name of the attribute that identifies each user (uid in the tree above; sAMAccountName on Active Directory)
• Distinguished Name: parent branch where all users are located (dc=example,dc=com in the tree above)
• Bind credentials for an LDAP administrator, used by the regular bind type to search the directory before binding as the user
Testing the LDAP Query
• Output sample
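The three query settings above map directly onto directory operations, and a wrong value in any of them produces the "user not found" result seen when the query test fails. The following is an added example, not code from the Fortinet course or from FortiOS: an in-memory copy of the slide's directory tree and a function that performs the regular-bind sequence FortiGate uses (bind as the administrator, search the configured Distinguished Name for Common-Name-Identifier = username, bind as the DN found). The admin account, the userPassword values and the config dictionary are constructed for this example; a real directory stores password hashes and performs the bind itself.

```python
# Added example (not from the Fortinet course): what the FortiGate LDAP
# query settings mean in terms of the directory operations behind them.
# DIRECTORY reproduces the slide's tree; the admin entry, the userPassword
# values and CONFIG are constructed for this example.
import re

DIRECTORY = {  # dn -> attributes
    "cn=admin,dc=example,dc=com": {"userPassword": "admin-pass"},  # constructed bind account
    "uid=abush,ou=hr,dc=example,dc=com": {"uid": "abush", "userPassword": "pw-abush"},
    "uid=apiquet,ou=hr,dc=example,dc=com": {"uid": "apiquet", "userPassword": "pw-apiquet"},
    "uid=jsmith,ou=it,dc=example,dc=com": {
        "uid": "jsmith", "email": "jsmith@example.com",
        "objectClass": "inetOrgPerson", "userPassword": "pw-jsmith",
    },
}

CONFIG = {
    "distinguished_name": "dc=example,dc=com",  # parent branch where all users are located
    "cn_identifier": "uid",                     # attribute that identifies each user
    "bind_dn": "cn=admin,dc=example,dc=com",    # LDAP administrator used for the query
    "bind_password": "admin-pass",
}


def parse_dn(dn: str):
    """Split a DN into (attribute, value) RDNs, most specific first.

    Attribute names and values are compared case-insensitively and blanks
    around '=' and ',' are ignored, so 'ou= hr' (as written on the slide)
    and 'OU=HR' name the same branch."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attribute, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"bad RDN: {part!r}")
        rdns.append((attribute.strip().lower(), value.strip().lower()))
    return rdns


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """Subtree scope: the entry's DN must end with the base DN's RDNs."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def bind(dn: str, password: str) -> bool:
    """Simple bind against the toy directory: entry must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def fortigate_ldap_auth(cfg: dict, username: str, password: str):
    """Regular-bind flow: admin bind, search base DN for <cn_identifier>=<username>, user bind.

    Returns (status, dn). Every status other than "ok" is a distinct
    misconfiguration or credential failure, which is what you want to be
    able to tell apart when a query test fails."""
    if not bind(cfg["bind_dn"], cfg["bind_password"]):
        return "admin-bind-failed", None
    matches = [
        dn for dn, attrs in DIRECTORY.items()
        if in_subtree(dn, cfg["distinguished_name"])
        and attrs.get(cfg["cn_identifier"]) == username
    ]
    if not matches:
        return "user-not-found", None  # wrong base DN, wrong identifier attribute, or no such user
    if len(matches) > 1:
        return "ambiguous", None       # refuse rather than guess which entry to bind as
    user_dn = matches[0]
    if not bind(user_dn, password):
        return "bad-password", user_dn
    return "ok", user_dn
```

Against a real server the search step is the same as `ldapsearch -x -H ldap://<server> -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com" "(uid=jsmith)"`, and on FortiGate the whole sequence is exercised with `diagnose test authserver ldap <server_name> <username> <password>`. Note that simple binds send the password in clear text, so point the FortiGate LDAP server entry at LDAPS or STARTTLS rather than plain port 389.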
RADIUS Overview
[Diagram: the user authenticates to FortiGate; FortiGate sends an Access-Request to the RADIUS server, which answers with Access-Accept or Access-Reject, or with Access-Challenge when it needs more information (for example a token code)]
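To make the Access-Request / Access-Accept exchange in the diagram concrete, here is an added example that is not code from the Fortinet course or from FortiOS: both sides of a minimal RFC 2865 exchange, with FortiGate's role (the RADIUS client) building the request and checking the reply, and the server recovering the password and signing its answer. The shared secret, the user database, the packet identifier and the Reply-Message texts are constructed for this example.

```python
# Added example (not from the Fortinet course): a minimal RADIUS
# Access-Request / Access-Accept / Access-Reject exchange per RFC 2865.
# The shared secret, user database and identifier are constructed here.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18
HEADER = struct.Struct(">BBH")  # Code, Identifier, Length; followed by a 16-byte Authenticator


def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", kind, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def client_access_request(username: bytes, password: bytes, secret: bytes, ident: int):
    """Client (FortiGate) side: build the Access-Request; keep the Request Authenticator to check the reply."""
    request_auth = os.urandom(16)
    body = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    packet = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    return packet, request_auth


def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, decide, and sign the reply with the Response Authenticator."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    username = attrs.get(USER_NAME)
    # With a mismatched shared secret this yields garbage, so the symptom is Access-Reject, not an error.
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = username in users and hmac.compare_digest(users[username], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = attr(REPLY_MESSAGE, b"Welcome" if ok else b"Authentication failed")
    header = HEADER.pack(code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def client_verify_response(response: bytes, request_auth: bytes, ident: int, secret: bytes):
    """Client side: accept the reply only if the identifier matches and the Response Authenticator verifies."""
    if len(response) < 20:
        return None
    code, rid, length = HEADER.unpack(response[:4])
    if rid != ident or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # tampered, forged, or the two sides hold different shared secrets
    return code
```

Two things the code makes visible that the diagram does not: a wrong shared secret does not produce an error but a silent Access-Reject (the server decrypts the password to garbage) and an unverifiable reply on the client, which is why `diagnose test authserver radius <server_name> <chap|pap|mschap|mschap2> <username> <password>` is the first check when a RADIUS server entry fails on FortiGate. Both the password hiding and the Response Authenticator rest on MD5 with a shared secret, so on a production server require the Message-Authenticator attribute on every packet or carry RADIUS over TLS (RadSec) rather than relying on the checks above alone.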
RADIUS Configuration
Testing RADIUS Queries
Users
Types of User Groups
[Diagram: example user groups (Paris, Visitors) drawing members from an Active Directory server and a RADIUS server]
• User groups are assigned one of four group types: Firewall, Fortinet Single Sign On (FSSO), Guest, and RADIUS Single Sign On (RSSO)
• Firewall user groups provide access to firewall policies that require authentication
• FSSO and RSSO are used for Single Sign On authentication
Guest User Groups
Configuring User Groups
Configuring Policies with Users
Monitoring Users
Monitoring Users via Event Logs
Review
Authentication
Three methods of authentication
Authentication protocols
Two-factor authentication (OTP and tokens)
Authentication types (active and passive)
Authentication policies
Captive portals and disclaimers
Authentication timeout
Users/user groups
• LDAP, RADIUS
• FortiGate
Monitoring firewall users