
DO NOT REPRINT

 LAB 5–Firewall Authentication


© FORTINET

LAB 5–Firewall Authentication


In this lab, you will configure FortiGate to communicate with a remote LDAP server for server-based
password authentication.
You will also configure captive portal, so that any user connecting to the network is prompted for their
login credentials (active authentication).

Objectives
• Configure server-based password authentication with an LDAP server.
• Configure captive portal so users connecting to your network are forced to authenticate.

Time to Complete
Estimated: 20 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to FortiGate.

To restore the FortiGate configuration file


1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Dashboard, and from the System Information widget click Restore.

3. Select to restore from Local PC and click Upload.

FortiGate I Student Guide 73


4. Browse to Desktop > Resources > FortiGate-I > Firewall-Authentication and select local-firewall-authentication.conf.
5. Click OK.
6. Click OK to reboot.


1 Remote Authentication
In this exercise, you will configure an LDAP server on FortiGate for remote authentication, create a
remote authentication group for your remote users, and add that group as a source in a firewall policy.
Finally, you will authenticate over SSL-VPN as one of the remote users, and then monitor the login as
the administrator.

Configuring an LDAP Server on FortiGate


You can configure FortiGate to point to an LDAP server for server-based password authentication
using the pre-configured Active Directory service located on the Local-Windows VM. Active Directory
already has users available to use in this lab.

To configure an LDAP Server on FortiGate


1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to User & Device > LDAP Servers and click Create New.
3. Complete the following:

Field                     Value
Name                      ADserver
Server IP/Name            10.0.1.10
                          This is the IP address of the Windows Server (Local-Windows VM).
                          For more information, see Network Topology.
Server Port               389
                          This is the default port for LDAP.
Common Name Identifier    cn
                          This is the attribute name used to find the user name. Active
                          Directory calls this cn.
Distinguished Name        ou=Training,dc=trainingAD,dc=training,dc=lab
                          This is the domain name for Active Directory on the Windows
                          Server. Active Directory has already been pre-configured,
                          with all users located in the Training organizational unit (ou).
Bind Type                 Regular
User DN                   cn=ADadmin,cn=users,dc=trainingAD,dc=training,dc=lab
                          We are using the credentials of an Active Directory user
                          called ADadmin to authenticate to Active Directory. ADadmin
                          is located in the Users organizational unit (ou).
Password                  Training!
                          This is the password pre-configured for the ADadmin user.
                          You must use it to be able to bind.
4. Click Test.

You should receive an indication of a successful connection.

5. Click OK.

Assigning Remote Users to a Firewall Group


In this procedure, you will assign a user located on the LDAP server to a firewall user group called
Remote-users on FortiGate. This way, you can configure firewall policies to act on the firewall user
group.
Generally, groups are used to more effectively manage individuals that have a shared relationship.

Note: The Remote-users group was pre-configured for you. However, it needs to be
modified to add the users from the remote LDAP server you just configured in the last
procedure.

To assign a user to a user group


1. In the Local-FortiGate GUI, go to User & Device > User Groups and edit the Remote-users
group.
As you can see, it's currently configured as a firewall group.
2. To add users from the remote LDAP server, click Create New from the Remote groups table.

The Add Group Match dialog box appears.

3. From the Remote Server drop-down list, select ADserver.


4. From the LDAP Groups table, click AD-users under the Group tab in the main window and
click the Add Selected button that appears.

AD-users will appear disabled with a green checkmark, indicating it has been added.


5. Click OK.
The users in this Active Directory group are now included in your FortiGate Remote-users firewall
user group. Only users from the remote LDAP server that match this user group entry can
authenticate.

6. Click OK.

Adding the Remote User Group to your Firewall Policy


Now that the LDAP server is added to the Remote-users firewall user group, you can add the group to a
firewall policy. This allows you to control access to network resources, as policy decisions are made
on the group as a whole.
Since your remote user on your LDAP server will be authenticating over SSL-VPN, you will add the
group to an SSL-VPN firewall policy.

Note: Configuring SSL-VPN is out of scope for this lab. As such, the SSL-VPN settings
have been pre-configured for you. However, you still need to configure an SSL-VPN
firewall policy and add the Remote-users group to it.

To add the remote user group to your firewall policy


1. In the Local-FortiGate GUI, go to VPN > SSL-VPN Settings and click the warning message at the
top of the page.
Clicking this warning message will create a new SSL-VPN policy for you using these pre-
configured settings.

Complete the following:

Field                 Value
Name                  SSL-VPN
Outgoing Interface    port1
Source                LOCAL_SUBNET
                      Remote-users (located under User)
Destination Address   all
Schedule              always
Service               ALL
Action                ACCEPT
2. Under Security Profiles, enable Web Filter and select Category_Monitor.
This Web Filter was pre-configured for you and is set to block the following categories: Potentially
Liable, Adult/Mature Contents, and Security Risk.
3. Under Logging Options, enable Log Allowed Traffic and select All Sessions.
4. Click OK.
5. Click OK.
The SSL-VPN Settings page re-appears. Note that web mode access for SSL VPN is listening at
https://10.0.1.254:10443.

To test whether aduser1 will be able to successfully authenticate


1. Test to see whether aduser1 will be able to successfully authenticate:
A. Open PuTTY on Local-Windows VM and connect to the LOCAL-FORTIGATE saved session
(connect over SSH).
B. Log in as admin.
C. Type the following command:

diagnose test authserver ldap <LDAP server name> <LDAP user name> <password>

Where:
• <LDAP server name> is ADserver (case-sensitive)
• <LDAP user name> is aduser1
• <password> is Training!

The output should report a successful authentication.


2. Close PuTTY.
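The ADserver settings above (Common Name Identifier, Distinguished Name, Bind Type Regular, User DN and Password) and the diagnose test authserver ldap check both exercise the same regular-bind flow: bind with the configured User DN, look the user up by cn under the Distinguished Name, bind again as the user, then apply the remote group match. The script below walks through that flow with the lab's values. It is an added example, not Fortinet code: the DIRECTORY dict is a constructed stand-in for the Active Directory on the Local-Windows VM, the AD_USERS_GROUP DN is assumed, and evaluating the group match through a memberOf-style attribute is an assumption about how the match is checked.

```python
"""Regular-bind LDAP authentication with the lab's ADserver settings, followed by
the Remote-users group match.  Added example; DIRECTORY is a constructed
in-memory stand-in, not a real LDAP server."""
from dataclasses import dataclass, field

# Values taken from the lab's ADserver definition.
CNID = "cn"
BASE_DN = "ou=Training,dc=trainingAD,dc=training,dc=lab"
BIND_DN = "cn=ADadmin,cn=users,dc=trainingAD,dc=training,dc=lab"
BIND_PASSWORD = "Training!"
# Assumed DN of the AD-users group selected in the Remote-users group match.
AD_USERS_GROUP = "cn=AD-users," + BASE_DN


@dataclass
class Entry:
    password: str
    member_of: list = field(default_factory=list)


# Constructed directory contents: DN -> entry.
DIRECTORY = {
    BIND_DN: Entry(BIND_PASSWORD),
    "cn=aduser1," + BASE_DN: Entry("Training!", [AD_USERS_GROUP]),
    "cn=aduser2," + BASE_DN: Entry("Training!"),  # valid account, not in AD-users
}


def bind(dn, password):
    """Simple bind: succeeds only when the DN exists and the password matches.
    DNs are case-insensitive in LDAP, so compare them lower-cased."""
    for entry_dn, entry in DIRECTORY.items():
        if entry_dn.lower() == dn.lower():
            return entry.password == password
    return False


def search(base_dn, attribute, value):
    """Subtree search for entries whose RDN is (attribute=value) under base_dn.
    A real client must escape 'value' per RFC 4515 before placing it in a
    filter; here the comparison is exact, so no filter syntax is interpreted."""
    hits = []
    for dn in DIRECTORY:
        if not dn.lower().endswith("," + base_dn.lower()):
            continue
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        if rdn_attr.lower() == attribute.lower() and rdn_value.lower() == value.lower():
            hits.append(dn)
    return hits


def authenticate(username, password, required_group=None):
    """Return (ok, reason).  Mirrors what 'diagnose test authserver ldap' checks:
    1. bind with the configured User DN and Password,
    2. find the user by the Common Name Identifier under the Distinguished Name,
    3. bind again as the user's own DN with the supplied password,
    4. optionally require membership in the matched remote group."""
    if not bind(BIND_DN, BIND_PASSWORD):
        return False, "bind as ADadmin failed (check User DN / Password)"
    hits = search(BASE_DN, CNID, username)
    if len(hits) != 1:
        return False, "expected one entry for %s=%s, found %d" % (CNID, username, len(hits))
    user_dn = hits[0]
    if not bind(user_dn, password):
        return False, "password rejected for " + user_dn
    if required_group is not None:
        groups = [g.lower() for g in DIRECTORY[user_dn].member_of]
        if required_group.lower() not in groups:
            return False, "%s is not a member of %s" % (username, required_group)
    return True, "authenticated as " + user_dn


if __name__ == "__main__":
    for user, pw in [("aduser1", "Training!"), ("aduser1", "wrong"), ("aduser2", "Training!")]:
        print(user, authenticate(user, pw, AD_USERS_GROUP))
```

The aduser2 case shows the point made earlier in the lab: a valid LDAP account whose password is accepted still fails the Remote-users match when it is not in the AD-users group, so it cannot pass the SSL-VPN policy.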

Authenticating and Monitoring


You will authenticate through the pre-configured SSL VPN as aduser1. This user is a member of the
Remote-users group on FortiGate.
You will then monitor the authentication.

To authenticate as a remote user


1. In the Local-Windows VM, open a new browser tab and go to https://10.0.1.254:10443.
This is the Web mode access for SSL VPN.
If you receive an error that indicates your connection is not secure, click Advanced and then
select Add Exception.
2. Log in as aduser1 with password Training!

The SSL VPN Web portal appears

3. Click Quick Connection and in the URL field, type www.google.com and click Launch.

The site launches successfully.

4. Return to your browser tab with the SSL-VPN portal and click Quick Connection again. This time
in the URL field type elite-hackers.com and click Launch.
This URL is set to be blocked by the Web Filter security profile you enabled in the SSL VPN
firewall policy.

5. Remain logged into the SSL VPN portal and continue to the next procedure.

To monitor user authentications


1. Return to the browser tab where you are logged into Local-FortiGate as admin.
2. Monitor aduser1. You can view this particular login authentication from the following:
• FortiView > VPN (filter on last 5 minutes and double-click the entry to view more details)
• Monitor > SSL-VPN Monitor
3. View the activity of aduser1. You can check the following:
• FortiView > All Sessions
• Log & Report > Forward Traffic (Try filtering by user and any additional filters to get more
specific results.)
• Log & Report > Web Filter (Try filtering by user and any additional filters to get more specific
results.)
4. Return to your browser tab where you are logged into the SSL VPN portal and log out.

You will notice back in the Local-FortiGate GUI (where you are logged in as admin) that Monitor
> SSL-VPN Monitor no longer shows the authentication, as the connection is not active.
However, FortiView > VPN retains the login information.
5. Close all your browser tabs except for the tab with the Local-FortiGate GUI.
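The same per-user view that the GUI gives under Log & Report > Forward Traffic and Log & Report > Web Filter can be reproduced from exported logs, which is how a SOC would track an authenticated user's activity outside the GUI. The script below is an added example, not Fortinet code: it parses FortiGate's key=value log format and summarises sessions and blocked sites per user. The four log lines are constructed for this example (field names follow FortiGate's traffic and webfilter logs, values are invented) and are not output captured from the lab.

```python
"""Filter FortiGate Forward Traffic and Web Filter logs by user and summarise
them, as the 'To monitor user authentications' procedure does in the GUI.
Added example; SAMPLE_LOG is constructed, not real lab output."""
import re
from collections import defaultdict

# Constructed sample: two forward-traffic records and two web-filter records.
SAMPLE_LOG = """\
date=2017-05-03 time=10:12:01 type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.1.10 srcport=51800 srcintf="ssl.root" dstip=172.217.12.4 dstport=443 dstintf="port1" policyid=2 service="HTTPS" user="aduser1" group="Remote-users" action="accept" sentbyte=1840 rcvdbyte=9123
date=2017-05-03 time=10:12:40 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" srcip=10.0.1.10 dstip=203.0.113.7 dstport=80 policyid=2 service="HTTP" user="aduser1" group="Remote-users" hostname="elite-hackers.com" action="blocked" catdesc="Security Risk" msg="URL belongs to a denied category in policy"
date=2017-05-03 time=10:13:05 type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.1.10 srcport=51900 srcintf="port3" dstip=151.101.0.81 dstport=443 dstintf="port1" policyid=1 service="HTTPS" user="student" group="CP-group" action="accept" sentbyte=900 rcvdbyte=4410
date=2017-05-03 time=10:13:20 type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" srcip=10.0.1.10 dstip=151.101.0.81 dstport=443 policyid=1 service="HTTPS" user="student" group="CP-group" hostname="www.bbc.com" action="passthrough" catdesc="News and Media"
"""

# key=value pairs; quoted values may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one FortiGate log line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def records_for_user(records, user, subtype=None):
    """The GUI's 'filter by user', optionally narrowed to one log subtype
    ('forward' for Forward Traffic, 'webfilter' for Web Filter)."""
    return [r for r in records
            if r.get("user") == user and (subtype is None or r.get("subtype") == subtype)]


def user_summary(records):
    """Per user: group seen in the logs, forwarded sessions, bytes in both
    directions, and the hostnames the Web Filter blocked with their category."""
    summary = defaultdict(lambda: {"group": None, "sessions": 0, "bytes": 0, "blocked": []})
    for r in records:
        user = r.get("user")
        if not user:
            continue  # unauthenticated traffic carries no user field
        s = summary[user]
        s["group"] = r.get("group", s["group"])
        if r.get("type") == "traffic" and r.get("subtype") == "forward":
            s["sessions"] += 1
            s["bytes"] += int(r.get("sentbyte", 0)) + int(r.get("rcvdbyte", 0))
        elif r.get("subtype") == "webfilter" and r.get("action") == "blocked":
            s["blocked"].append((r.get("hostname"), r.get("catdesc")))
    return dict(summary)


if __name__ == "__main__":
    for user, stats in user_summary(parse_log(SAMPLE_LOG)).items():
        print(user, stats)
```

Because SSL-VPN Monitor only lists active sessions, the log records are what remain once the user has logged out; filtering them by user is the durable equivalent of the FortiView > VPN entry the lab points to.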

2 Captive Portal
In this exercise, you will configure captive portal and restrict access to a specific user group. Captive
portal is a convenient way to authenticate Web users on wired or WiFi networks through an HTML
form that requests a user name and password (active authentication).
This exercise involves creating a user group (and adding a user to it); enabling captive portal and
restricting access based on that group; and enabling the disclaimer message.
Finally, you will authenticate through captive portal and monitor the authentication.

Creating a User Group for Captive Portal


Since the goal is to enable captive portal based on a specific group, you must first create a user group
and then add a user to the group. For the purposes of this exercise, you will add the user student to
the group. Student is a local user on FortiGate that was pre-configured for you.

To create a user group for captive portal


1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to User & Device > User Groups and click Create New.
3. Complete the following:

Field     Value
Name      CP-group
Type      Firewall
Members   student
4. Click OK.

Enabling Captive Portal


In this procedure, you will enable captive portal on a wired network.

To enable captive portal


1. In the Local-FortiGate GUI, go to Network > Interfaces and edit port3.
This port is your incoming traffic. For more information, see the Network Topology.
2. Complete the following under the Admission Control section:

Field                   Value
Security Mode           Captive Portal
Authentication Portal   Local
User Access             Restricted to Groups
User Groups             CP-group

3. Click OK.

Enabling the Disclaimer Message


In order to provide those logging in through captive portal with a disclaimer message, you must enable
disclaimers. Since we are enabling captive portal through a wired interface, disclaimers can only be
enabled through the CLI.

Note: If captive portal is enabled through WiFi, you can enable disclaimers through the
GUI (WiFi & Switch Controller > SSID). We are using a wired interface in this lab.

To enable the disclaimer message


1. Open PuTTY on the Local-Windows VM and connect to the LOCAL-FORTIGATE saved session
(connect over SSH).
2. Log in as admin.
3. Type the following command:

config firewall policy
    edit 1
        set disclaimer enable
end
4. Close PuTTY.

Authenticating and Monitoring


Now that captive portal is configured and the disclaimer enabled, you can test it by authenticating
through captive portal as the student user. You will then monitor the authentication as the admin user.

To authenticate through captive portal


1. In the Local-Windows VM, open a new browser tab and go to any website, such as www.bbc.com.
2. When prompted, log in with username student and password fortinet.


The Terms and Disclaimer Agreement dialog appears.

3. Click Yes, I agree.


Once you agree to the terms, you are redirected to the website you originally requested.
4. Open additional browser tabs and access a few more websites through captive portal, for
example:
• www.youtube.com
• www.cnn.com
5. Leave all browser tabs open and continue to the next procedure.

To monitor active captive portal authentications
1. In the Local-Windows VM, return to the browser tab where you are logged into the Local-FortiGate
GUI as admin.
2. Monitor the student user. You can view this particular login authentication from Monitor > Firewall
User Monitor.

Note: While the CLI config user setting dictates how long a user authenticating
through captive portal can remain authenticated, you can choose to manually
de-authenticate a captive portal user by selecting the user in the Firewall User Monitor
list and clicking De-authenticate. Once de-authenticated, the user disappears from the
list, as it is reserved for active users only.

3. Select student and click De-authenticate to manually end the user's session.
4. Click OK.
5. Close the browser.
