
Fortigate Tutorial – Authentication


Fortigate Tutorial 4 – Authentication


The Fortigate appliance supports several different types of authentication.

Let’s discuss them here:

1. LDAP

The Fortigate supports any server that is LDAP compliant, up to and including LDAPv3.

LDAP over SSL/TLS is also supported. One downside of using LDAP is that the Fortinet firewall does not supply any information on why a user authentication failed; to find the reason you must check the LDAP server itself.

2. Local Users

You can define local users on the Fortigate itself, by defining a user name and a password for the user.

3. RADIUS

RADIUS is also supported on the Fortigate. For this you just define a RADIUS server and the shared key between the RADIUS server and the FG.

The Fortigate supports 4 different methods for authenticating users against the RADIUS server:

a. MS-CHAP2

b. MS-CHAP

c. CHAP

d. PAP

If none of those is selected, then the default is in the following order: PAP, MS-CHAP v2, CHAP and the last one is MS-CHAP.

4. PKI

The Fortigate can log users in based on PKI. In this case certificates are used instead of passwords.

5. Novell eDirectory & Microsoft Active Directory

An awesome feature is the integration with Active Directory, as this is transparent to the users.

You just have to install the FSAE/FSSO agent on the Domain Controller (Microsoft) and the FG will automatically catch any logins to the Active Directory.

The FSAE/FSSO agent is composed of 2 different components:

a. Domain Controller Agent – this application must be installed on every Domain Controller that you have in your Microsoft Domain

b. Collector Agent – this application must be installed on AT LEAST one Domain Controller that you have in your Microsoft Domain.

The Domain Controller Agent captures the users' login information.

The Collector Agent sends the information gathered by the Domain Controller Agents to the Fortigate.


One important thing that new Fortigate network engineers often forget is that FSAE/FSSO needs read access to each client computer's registry, so TCP port 139 and TCP port 445 must be opened. This is needed so the FSAE/FSSO application knows when a user logs off.

So do not forget to allow this in the Windows firewall on the users' PCs!


6. TACACS

Yes, Fortigate supports TACACS too ;) . Isn’t this firewall really great?!

The same principle applies as for the RADIUS server, but TACACS+ supports the following authentication types:

a. Auto (the default when enabled; the order tried is PAP -> MS-CHAP -> CHAP)

b. ASCII

c. PAP only

d. CHAP only

e. MS-CHAP only
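As an added example (not from the original post), the FortiOS CLI configuration for the three external server types above, with the authentication method pinned explicitly rather than left to the default order, followed by the built-in test command that checks each server without involving a real user session. Server names, IP addresses, DN values, the bind account and the shared secrets are placeholders.

```fortios
# LDAP over SSL/TLS (LDAPS). The CA certificate must already be imported
# under System > Certificates > CA Certificates; "Example_Root_CA" is a placeholder.
config user ldap
    edit "ldap-srv"
        set server "192.0.2.12"
        set port 636
        set secure ldaps
        set ca-cert "Example_Root_CA"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fgt-bind,cn=Users,dc=example,dc=com"
        set password "bind-password"
    next
end

# RADIUS: auth-type selects one of the four methods listed above
# (ms_chap_v2, ms_chap, chap, pap); "auto" gives the default order PAP, MS-CHAPv2, CHAP, MS-CHAP.
config user radius
    edit "radius-srv"
        set server "192.0.2.10"
        set secret "radius-shared-key"
        set auth-type ms_chap_v2
    next
end

# TACACS+: authen-type selects auto, ascii, pap, chap or mschap.
config user tacacs+
    edit "tacacs-srv"
        set server "192.0.2.11"
        set key "tacacs-shared-key"
        set authen-type auto
        set authorization enable
    next
end

# Check each server from the FortiGate itself. The LDAP test only reports
# success or failure, so a failed bind still has to be investigated on the server.
diagnose test authserver ldap ldap-srv testuser testpassword
diagnose test authserver radius radius-srv ms_chap_v2 testuser testpassword
diagnose test authserver tacacs+ tacacs-srv testuser testpassword
```

Use a dedicated bind account with read-only rights on the directory for the LDAP `username`, since that password is stored in the FortiGate configuration.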


Hope this helps you to better understand the Fortigate. Below is a picture of where you can define all of these:


15 Responses to “Fortigate Tutorial – Authentication”

  1. Cameron Kerr says:

    When configuring LDAPS on a new Fortigate, which CA Cert are we supposed to use? We have a chain of certificates, and no matter which CA Cert we use (either the true root of trust, or the one who signed our key) we see the Fortinet fail its TLSv1 handshake with the TLS protocol message Unknown CA, immediately after the server has responded with a Handshake Done. All of the certs in the CA chain are entered into the CA Certificates part of the interface.

    The documentation provides no guidance on how CA chains should be entered into the system, and it only allows you to associate one CA certificate (and if you pass it a concatenation of PEM certificates, it silently discards all but the first and reports that the certificate was successfully installed).

    I can reproduce this with certificates from other CAs too. All other LDAPS clients can successfully complete the handshake. The LDAPS server does not allow SSLv2, just TLSv1, and does not have STARTTLS enabled, just LDAPS.

    Any ideas? Thanks.

    • Kord says:

      For anyone else that comes across this issue, as it is still a trouble point in FortiOS v4.0 MR3 Patch 8, I was informed by Fortinet support that there is a bug in the Fortigates that requires the unit to be restarted after the certificates have been imported and LDAPS has been set up before the configuration will actually work.

  2. Daniel says:

    Hello,

    Can you please tell me which Fortigate version you have? v4.0 MR2 or MR3?
    Also I would like to know the patch version of the MR2 or MR3.

  3. Ignas says:

    Hi,

    It’s actually possible to debug LDAP on Fortigate side:

    #diag debug app fnbamd -1
    #diag debug en

  4. anjanesh babu says:

    Caveat about using RADIUS – make sure if you are using multiple VDOMs you are actually hitting the correct VDOM where the RADIUS user is configured. And super admins need to be configured on the root VDOM with the ‘exit’ IP configured as the NAS client.
    Fortigate rocks!

  5. keerthilal says:

    Hello,

    Please help me to configure TACACS+ authorization for Fortigate administrators.

  6. keerthilal says:

    Authentication works fine, and looks like the issue is with Cisco ACS 4.2 TACACS+ settings where we don’t know how to define the Fortigate attributes correctly

  7. jk says:

    Hi keerthilal,

    Could you please tell me what configuration you have added on ACS for the Fortigate?

    Basically, I need the screen shot of interface configuration section and what attribute you have added in the user/group setup.

    Thanks a lot in advance for looking into this.
