LAB 04 Firewall Authentication


Lab 4: Firewall Authentication

Contents
Lab 4: Firewall Authentication ... 3
    Objectives ... 3
Exercise 1: Configuring an LDAP Server ... 4
    Configure an LDAP Server on FortiGate ... 4
    Assign an LDAP User Group to a Firewall Group ... 6
    Add the Remote User Group to the Firewall Policy ... 8
        To add the remote user group to the firewall policy ... 8
        To test whether aduser1 can successfully authenticate ... 9
        To monitor active authenticated users ... 10
    Remove the User Group From the Firewall Policy ... 11
Exercise 2: Configuring a RADIUS Server on FortiGate ... 12
    Configure a RADIUS Server on FortiGate ... 12
    Assign a RADIUS User Group to a Firewall Group ... 13
        To assign a user to a user group ... 13
    Add the Training User Group to the Firewall Policy ... 15
        To test whether the radius1 user can successfully authenticate ... 15
    Authenticate and Monitor the Authentication ... 16
        To monitor active authenticated users ... 16
    Remove the User Group From the Firewall Policy ... 17

Lab 4: Firewall Authentication
In this lab, you will examine how to configure FortiGate to communicate with remote LDAP and RADIUS servers
for server-based password authentication.

Objectives
• Configure server-based password authentication with an LDAP server

• Configure server-based password authentication with a RADIUS server

Time to Complete

Estimated: 35 minutes

Exercise 1: Configuring an LDAP Server
In this exercise, you will examine how to configure an LDAP server on FortiGate for remote authentication,
create a remote authentication group for remote users, and then add that group as a source in a firewall policy.
Finally, you will authenticate as one of the remote users, and then monitor the login as the administrator.

Configure an LDAP Server on FortiGate


You will configure FortiGate to point to a preconfigured FortiAuthenticator acting as an LDAP server for server-based password authentication.

To configure an LDAP server on FortiGate


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.

2. Click User & Authentication > LDAP Servers, and then click Create New.

3. Configure a server using the following settings:

Field                    Value
Name                     External_Server
Server IP/Name           10.0.1.150
                         This is the IP address of the FortiAuthenticator acting as the LDAP server.
                         For more information, see Network Topology on page 1.
Server Port              389
                         This is the default port for LDAP.
Common Name Identifier   uid
                         This is the attribute name used to find the username on the preconfigured
                         LDAP server.
Distinguished Name       ou=Training,dc=trainingAD,dc=training,dc=lab
                         This is the domain name for the LDAP directory on FortiAuthenticator, with
                         all users located under the Training organizational unit (ou).
Bind Type                Regular
Username                 uid=adadmin,cn=Users,dc=trainingAD,dc=training,dc=lab
                         You are using the credentials of an LDAP user called adadmin to
                         authenticate to the LDAP server.
Password                 Training!
                         This is the password preconfigured for the adadmin user. You must use it
                         to be able to bind.

4. Click Test Connectivity.

You should see a message indicating that the connection was successful.

5. Click OK.
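The same LDAP server definition entered from the FortiOS CLI, as an added example that is not part of the lab: it repeats the lab's values from the table above and then shows a hardened LDAPS variant that the lab does not use. LAB_CA_CERT is an assumed certificate name.

```fortios
# Added example: CLI equivalent of the GUI settings in the table above.
config user ldap
    edit "External_Server"
        set server "10.0.1.150"
        set port 389
        set cnid "uid"
        set dn "ou=Training,dc=trainingAD,dc=training,dc=lab"
        set type regular
        set username "uid=adadmin,cn=Users,dc=trainingAD,dc=training,dc=lab"
        set password Training!
    next
end

# Hardened variant (not used in the lab): a Regular bind on port 389 sends the
# adadmin bind password, and every user password FortiGate verifies, in
# cleartext. Wrapping the connection in LDAPS keeps them off the wire.
# LAB_CA_CERT is an assumed name for the CA certificate (imported under
# System > Certificates) that signed the FortiAuthenticator server certificate.
config user ldap
    edit "External_Server"
        set secure ldaps
        set port 636
        set ca-cert "LAB_CA_CERT"
    next
end
```

After either form is saved, the lab's diagnose test authserver ldap command verifies the bind and the user lookup from the CLI.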

Assign an LDAP User Group to a Firewall Group
You will assign an LDAP user group (AD_users) that includes two users (aduser1 and aduser2) to a firewall user
group, called Remote-users, on FortiGate. By doing this, you will be able to configure firewall policies to act on
the firewall user group.

Usually, groups are used to more effectively manage individuals who have a shared relationship.

The Remote-users firewall group is preconfigured for you. However, you must
modify it to add the users from the remote LDAP server you configured in the
previous procedure.

Take the Expert Challenge!

On Local-FortiGate (10.0.1.254), assign the Active Directory user group called AD_users to the FortiGate firewall user group called Remote-users.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you have completed this exercise, see Configuring an LDAP Server on page 1.

To assign a user to a user group

1. On the Local-FortiGate GUI, click User & Authentication > User Groups, and then edit the Remote-users group.

Notice that it's currently configured as a firewall group.

2. In the Remote Groups table, click Add to add users from the remote LDAP server.

The Add Group Match window opens.

3. In the Remote Server field, select External_Server.

4. On the Groups tab, right-click AD_users, and then click Add Selected.

AD_users has a green check mark beside it, which indicates that it was added.

5. Click OK.

The users in this Active Directory group are now included in the FortiGate Remote-users firewall user group.
Only users from the remote LDAP server that match this user group entry can authenticate.

6. Click OK.

Add the Remote User Group to the Firewall Policy
Now that you have added the LDAP server to the Remote-users firewall user group, you can add the group to a
firewall policy. This allows you to control access to network resources, because policy decisions are made for
the group as a whole.

To add the remote user group to the firewall policy


1. On the Local-FortiGate GUI, click Policy & Objects > Firewall Policy, and then double-click the existing
port3 to port1 firewall policy.

2. Configure the following setting:

Field     Value
Source    Click +, and then select Remote-users (located under User).

3. In the Security Profiles section, enable Web Filter, and then select Category_Monitor.

This web filter was preconfigured and is set to block the following categories: Potentially Liable, Adult/Mature
Content, and Security Risk.

4. In the Logging Options section, ensure Log Allowed Traffic is enabled, and then select All Sessions.

5. Click OK.

To test whether aduser1 can successfully authenticate
1. On the Local-FortiGate CLI, log in with the username admin and password password.

2. Enter the following command:

diagnose test authserver ldap <LDAP server name> <LDAP user name> <password>

Where:

• <LDAP server name> is External_Server (case sensitive)

• <LDAP user name> is aduser1

• <password> is Training!

A message like the following example should appear to indicate that authentication was successful:

3. Close the Local-FortiGate CLI window.

Authenticate and Monitor the Authentication

You will authenticate through the firewall policy as aduser1. This user is a member of the Remote-users group
on FortiGate. Then, you will monitor the authentication.

To authenticate as a remote user

1. On the Local-Client VM, open a new browser tab, and then go to elite-hackers.com.

You are asked to log in to the network.

2. Log in as aduser1 with the password Training!.

This URL is set to be blocked by the web filter security profile you enabled in the firewall policy.

Notice that the blocked page displays a replacement message that includes useful information, such as
the URL and Category.

To monitor active authenticated users
1. Return to the browser tab where you are logged in to the Local-FortiGate GUI as admin.

2. Click Dashboard > Assets & Identities, and then click Firewall Users to expand it to full screen to view
this login authentication and monitor the firewall authenticated user.

You will see aduser1 listed along with other information, such as User Group and IP Address.

3. Click aduser1, and then click Deauthenticate.

The config user setting CLI command determines how long a user can remain
authenticated. However, you can choose to manually revoke a user
authentication by selecting the user in the Firewall User Monitor list, and then
clicking Deauthenticate. After the user is deauthenticated, the user disappears
from the list, because it is reserved for active users only.

4. In the Confirm window, click OK.

This deauthenticates the user. The user must log in again to access the resources that the firewall policy
protects.

Remove the User Group From the Firewall Policy
You will remove the user group assigned to the firewall policy for authentication.

To remove the remote user group from the firewall policy


1. On the Local-FortiGate GUI, click Policy & Objects > Firewall Policy, and then double-click the existing
port3 to port1 firewall policy.

2. In the Source field, remove the Remote-users user group.

3. Click Close, and then click OK to save the changes.

Exercise 2: Configuring a RADIUS Server on FortiGate
In this exercise, you will examine how to configure a RADIUS server on FortiGate for remote authentication,
create a remote authentication group for remote users, and then add that group as a source in a firewall policy.
Finally, you will authenticate as one of the remote users, and then monitor the login as the administrator.

Configure a RADIUS Server on FortiGate


You can configure FortiGate to point to a preconfigured FortiAuthenticator acting as a RADIUS server for server-based password authentication.

To configure a RADIUS server on FortiGate


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.

2. Click User & Authentication > RADIUS Servers, and then click Create New.

3. Configure a server using the following settings:

Field                     Value
Name                      RADIUS_Server
Authentication method     Default
Primary Server IP/Name    10.0.1.150
                          This is the IP address of the FortiAuthenticator acting as the RADIUS
                          server. For more information, see Network Topology on page 1.
Secret                    Training1!

4. Click Test Connectivity.

You should see a message indicating that the connection was successful.

5. Click OK.

Assign a RADIUS User Group to a Firewall Group
You will assign a RADIUS user group (Training) that includes a user (radius1) to a firewall user group,
called Training, on FortiGate. By doing this, you will be able to configure firewall policies to act on the firewall
user group.

Usually, groups are used to more effectively manage individuals who have a shared relationship.

The Training firewall group is preconfigured for you. However, you must modify it
to add the users from the remote RADIUS server you configured in the previous
procedure.

Take the Expert Challenge!

On Local-FortiGate (10.0.1.254), assign the RADIUS user group called Training to the FortiGate firewall user group called Training.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you have completed this exercise, see Configuring a RADIUS Server on FortiGate on page 1.

To assign a user to a user group


1. On the Local-FortiGate GUI, click User & Authentication > User Groups, and then edit
the Training group.

Notice that it's currently configured as a firewall group.

2. In the Training table, click Add to add users from the remote RADIUS server.

The Add Group Match window opens.

3. In the Remote Server field, select RADIUS_Server.

4. In the Groups field, select Specify, and then type the group name Training.

5. Click OK.

The user in this RADIUS server group is now included in the FortiGate Training firewall user group. Only users
from the remote RADIUS server that match this user group entry can authenticate.

The remote RADIUS server is configured to use RADIUS attribute value pair (AVP) 26,
known as a vendor-specific attribute (VSA). This attribute allows the
Fortinet-Group-Name VSA to be included in the RADIUS response. In FortiOS, the
user group must be configured to match this group name specifically.

6. Click OK.

Add the Training User Group to the Firewall Policy
Now that you have added the RADIUS server to the Training firewall user group, you can add the group to a
firewall policy. This allows you to control access to network resources, because policy decisions are made for
the group as a whole.

To add the Training user group to the firewall policy


1. On the Local-FortiGate GUI, click Policy & Objects > Firewall Policy, and then double-click the existing
port3 to port1 firewall policy.

2. Configure the following setting:

Field     Value
Source    Click +, and then select Training (located under User).

3. Click OK.
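The RADIUS server, the two remote-group matches (the Training match described above and the AD_users match from Exercise 1), and the policy source, entered from the FortiOS CLI as an added example that is not part of the lab. The policy ID and the AD_users group DN are placeholders because the lab does not state them.

```fortios
# Added example: CLI equivalent of the RADIUS server table.
config user radius
    edit "RADIUS_Server"
        set server "10.0.1.150"
        set secret Training1!
        set auth-type auto    # "Default" authentication method in the GUI
    next
end

# The remote-group matches. A RADIUS user is placed in Training only when the
# Access-Accept carries a Fortinet-Group-Name VSA (attribute 26) whose value is
# exactly "Training"; an LDAP user is placed in Remote-users only when the
# directory reports membership of the configured group DN. Any other remote
# user fails authentication even though the server accepted the password.
config user group
    edit "Training"
        set member "RADIUS_Server"
        config match
            edit 1
                set server-name "RADIUS_Server"
                set group-name "Training"
            next
        end
    next
    edit "Remote-users"
        set member "External_Server"
        config match
            edit 1
                set server-name "External_Server"
                # Placeholder: the full DN of AD_users, which the GUI fills in for you
                set group-name "<DN of AD_users>"
            next
        end
    next
end

# Use the group as the policy source. <POLICY-ID> is a placeholder for the ID
# of the port3 to port1 policy, visible in the Firewall Policy list.
config firewall policy
    edit <POLICY-ID>
        set groups "Training"
    next
end
```

After a user logs in through the policy, diagnose firewall auth list on the CLI shows the same active users as the Firewall Users widget, and diagnose firewall auth clear deauthenticates all of them at once.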

To test whether the radius1 user can successfully authenticate


1. On the Local-FortiGate CLI, log in with the username admin and password password.

2. Enter the following command:

diagnose test authserver radius <RADIUS server name> mschap2 <RADIUS user name> <password>

Where:

• <RADIUS server name> is RADIUS_Server (case sensitive)

• <RADIUS user name> is radius1

• <password> is Training!

A message like the following example should appear to indicate that authentication was successful:

3. Close the Local-FortiGate CLI window.

Authenticate and Monitor the Authentication
You will authenticate through the firewall policy as radius1. This user is a member of the Training group on
FortiGate. Then, you will monitor the authentication.

To authenticate as a remote RADIUS user


1. On the Local-Client VM, open a new browser tab, and then go to elite-hackers.com.

You are asked to log in to the network.

2. Log in as radius1 with the password Training!.

This URL is set to be blocked by the web filter security profile you enabled in the firewall policy.

Notice that the blocked page displays a replacement message that includes useful information, such as
the URL and Category.

To monitor active authenticated users


1. Return to the browser tab where you are logged in to the Local-FortiGate GUI as admin.

2. Click Dashboard > Assets & Identities, and then click Firewall Users to expand it to full screen to view
this login authentication and monitor the firewall authenticated user.

You will see the user radius1 listed along with other information, such as User Group and IP Address.

3. Click aduser1, and then click Deauthenticate.

The config user setting CLI command determines how long a user can remain
authenticated. However, you can choose to manually revoke a user
authentication by selecting the user in the Firewall User Monitor list, and then
clicking Deauthenticate. After the user is deauthenticated, the user disappears
from the list, because it is reserved for active users only.

4. In the Confirm window, click OK.

This deauthenticates the user. The user must log in again to access the resources that the firewall policy
protects.

Remove the User Group From the Firewall Policy


You will remove the user group assigned to the firewall policy for authentication.

To remove the remote user group from the firewall policy


1. On the Local-FortiGate GUI, click Policy & Objects > Firewall Policy, and then double-click the existing
port3 to port1 firewall policy.

2. In the Source field, remove the Training user group.

3. Click Close, and then click OK to save the changes.
