Channel: FortiAuthenticator – Fortinet Cookbook

WiFi with WSSO using FortiAuthenticator RADIUS and Attributes


This is an example of wireless single sign-on (WSSO) with a FortiGate and FortiAuthenticator. The WiFi users are teachers and students at a school. These users each belong to a user group, either teachers (smaguire) or students (whunting). The FortiAuthenticator performs user authentication and passes the user group name to the FortiGate so that the appropriate security policy is applied.

This recipe assumes that an SSID and a FortiAP are configured on the FortiGate unit. In this configuration, you will be changing the existing SSID’s WiFi settings so authentication is provided by the RADIUS server. To learn more about configuring FortiAP, see Setting up WiFi with a FortiAP.

For this example, the student security policy applies a more restrictive web filter.


1. Registering the FortiGate as a RADIUS client on the FortiAuthenticator

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create a new account.

Enter a Name, the Internet-facing IP address of the FortiGate in Client name/IP, and enter a Secret.

Select the Password-only authentication method, select the Local users realm, and enable all EAP types.

2. Creating users on the FortiAuthenticator

Go to Authentication > User Management > Local Users and select Create New.

Create one teacher user (smaguire) and one student user (whunting).

Note that, after you create a user, RADIUS Attributes appears as an option.

If your configuration involves multiple users, it is more efficient to add RADIUS attributes in their respective user groups, in the next step.

3. Creating user groups on the FortiAuthenticator

Go to Authentication > User Management > User Groups and create two user groups: teachers and students.

Add the users to their respective groups.

Once created, edit both user groups—RADIUS Attributes becomes available.

Select Add Attribute.

Add the Fortinet-Group-Name RADIUS attribute to each group, which specifies the user group name to be sent to the FortiGate.

4. Configuring FortiGate to use FortiAuthenticator as the RADIUS server

On the FortiGate, go to User & Device > RADIUS Servers and select Create New.

Enter a Name, the Internet-facing IP address of the FortiAuthenticator in Primary Server IP/Name, and enter the same Primary Server Secret as you entered on the FortiAuthenticator.

You can optionally select Test Connectivity. Enter a RADIUS user’s name and password. The result should be Successful.

5. Configuring user groups on the FortiGate

Go to User & Device > User Groups and create two groups named the same as the ones created on the FortiAuthenticator.

Do not add any members to either group.
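
The following Python script is an added example; it is not code from the Fortinet Cookbook or from any Fortinet product. It shows what steps 3 and 5 rely on: the FortiAuthenticator carries the group name in a RADIUS Vendor-Specific Attribute (RFC 2865 attribute type 26) inside the Access-Accept, and the FortiGate reads that attribute and matches the name against its own user groups, which is why the names must be identical on both units. The Fortinet vendor ID 12356 and the vendor type 1 for Fortinet-Group-Name are taken from Fortinet's published RADIUS dictionary rather than from this page (verify them against the dictionary on your unit); the sample attribute list and the `resolve_group` matching function are constructed for illustration and are not the FortiGate's actual implementation.

```python
"""Encode/decode the Fortinet-Group-Name RADIUS attribute used for WSSO.

Added example, not code from the Fortinet Cookbook or any Fortinet product.
The FortiAuthenticator sends the group name inside a Vendor-Specific
Attribute (RFC 2865, attribute type 26); the FortiGate reads it and matches
it against the names of its own user groups.
"""
import struct
from typing import Iterator, List, Optional, Set, Tuple

RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for VSAs
RADIUS_CLASS = 25            # used here only as a second, unrelated attribute
# Fortinet private enterprise number and vendor type, per Fortinet's RADIUS
# dictionary (assumption: verify against the dictionary shipped with your unit)
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Build one RADIUS TLV: type(1) length(1) value; length covers the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_fortinet_group_name(group: str) -> bytes:
    """Wrap a group name as Fortinet-Group-Name inside a Vendor-Specific Attribute."""
    sub = encode_attribute(FORTINET_GROUP_NAME, group.encode("utf-8"))
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    return encode_attribute(RADIUS_VENDOR_SPECIFIC, body)


def iter_attributes(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a sequence of TLVs, rejecting truncated or malformed lengths."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[offset], data[offset + 1]
        if alen < 2 or offset + alen > len(data):
            raise ValueError("invalid attribute length %d" % alen)
        yield atype, data[offset + 2:offset + alen]
        offset += alen


def decode_group_names(attrs: bytes) -> List[str]:
    """Return every Fortinet-Group-Name carried in a RADIUS attribute list."""
    names: List[str] = []
    for atype, value in iter_attributes(attrs):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue  # not a VSA, or too short for a vendor id plus one sub-TLV
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue  # another vendor's VSA; ignore it
        for vtype, vvalue in iter_attributes(value[4:]):
            if vtype == FORTINET_GROUP_NAME:
                names.append(vvalue.decode("utf-8"))
    return names


def resolve_group(received: List[str], configured: Set[str]) -> Optional[str]:
    """Pick the first received group that exists on the FortiGate.

    Hypothetical model of step 5: names must match exactly, so a name the
    FortiGate does not know yields None and no group-based policy applies.
    """
    for name in received:
        if name in configured:
            return name
    return None


# Constructed sample: attributes an Access-Accept for whunting might carry
SAMPLE_ACCEPT_ATTRIBUTES = (
    encode_attribute(RADIUS_CLASS, b"session-0001")
    + encode_fortinet_group_name("students")
)
FORTIGATE_GROUPS = {"teachers", "students"}  # groups created in step 5

if __name__ == "__main__":
    print("attribute bytes:", SAMPLE_ACCEPT_ATTRIBUTES.hex())
    names = decode_group_names(SAMPLE_ACCEPT_ATTRIBUTES)
    print("groups in Access-Accept:", names)
    print("policy group:", resolve_group(names, FORTIGATE_GROUPS))
    print("mismatched case:", resolve_group(["Students"], FORTIGATE_GROUPS))
```

Running the script prints the raw attribute bytes, the decoded group name, the group the FortiGate would select, and `None` for a name that differs only in case, which is the failure you see when the group names on the two units do not match.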

6. Creating security policies

Go to Policy & Objects > IPv4 Policy and select Create New.

Create two policies with WiFi-to-Internet access: one policy with Source set to the students user group, and the other set to teachers. Make sure to add the SSID address (example-wifi) to both policies also.

The student policy has a more restrictive Web Filter enabled.

7. Configuring the SSID to RADIUS authentication

Go to WiFi & Switch Controller > SSID and edit your pre-existing SSID interface.

Under WiFi Settings, set Security Mode to WPA2 Enterprise, set Authentication to RADIUS Server, and add the RADIUS server configured on the FortiGate earlier from the dropdown menu.

8. Results

Connect to the WiFi network as a student.
Then, on the FortiGate, go to Monitor > Firewall User Monitor. From here you can verify the user, the user group, and that the WSSO authentication method was used.
You can also go to FortiView > Policies to verify that the appropriate security policy was applied.

The post WiFi with WSSO using FortiAuthenticator RADIUS and Attributes appeared first on Fortinet Cookbook.



FortiAuthenticator user self-registration


For this recipe, you will configure the FortiAuthenticator self-service portal to allow users to add their own account and create their own passwords.

Note that enabling and using administrator approval requires the use of an email server, or SMTP server. Since administrators will approve requests by email, this recipe describes how to add an email server to your FortiAuthenticator. You will create and use a new server instead of the unit’s default server.

1. Creating a self-registration user group

Go to Authentication > User Management > User Groups and create a new user group for self-registering users.

Enter a Name and select OK. Users will be added to this group once they register through the self-registration portal.

2. Editing self-registration settings

Go to Authentication > Self-service Portal > General.

Enter a Site name, add an email signature that you would like appended to the end of outgoing emails, and select OK.

3. Enabling self-registration

Go to Authentication > Self-service Portal > Self-registration and select Enable.

Enable Require administrator approval and Enable email to freeform addresses, enter the administrator’s email address in the field provided, and configure basic account information to be sent to the user by Email.

Open the Required Field Configuration dropdown and enable First name, Last name, and Email address.

4. Creating a new SMTP server

Go to System > Messaging > SMTP Servers and create a new email server for your users.

Enter a name, the IP address of the FortiAuthenticator, and leave the default port value.

Enter the administrator’s email address, account name, and password.

Note that, for the purpose of this recipe, Secure connection will not be set to STARTTLS, as that would require a CA-signed certificate on the mail server.

Once created, highlight the new server and select Set as Default.

The new SMTP server will now be used for future user registration.

5. Results – Self-registration

When the user visits the login page, https://<FortiAuthenticator-IP>/auth/register/, they can click the Register button and are then prompted to enter their information.

They will need to enter and confirm a Username and Password, and enter a First name, Last name, and Email address. These are the only required fields, as configured in the FortiAuthenticator earlier.

Select Submit.

The user’s registration is successful, and their information has been sent to the administrator for approval.

When the administrator has enabled the user’s account, the user will receive an activation welcome email.

The user’s login information will be listed.

Select the link and log in to the user’s portal.

The user is now logged into their account where they can review their information.

As recommended in the user’s welcome email, the user may change their password. However, this is optional.

6. Results – Administrator approval

After the user submits the registration request, log in to the FortiAuthenticator as the administrator and go to Authentication > User Management > Local Users. The user has been added, but their Status is listed as Unknown.

In the administrator’s email account, open the Approval Required email. In it, the user’s full name will appear in the email’s subject, along with their username.

Select the link to approve or deny the user.

The link will take you to the New User Approval page, where you can review the user’s information and either approve or deny the user’s full registration.

Select Approve.

The user has now been approved and activated by the administrator.

This can be confirmed by going back to Authentication > User Management > Local Users. The user’s Status has changed to Enabled.

7. Verifying the results

On the FortiAuthenticator, go to Logging > Log Access > Log to view the successful login of the user and more information.

Instead of selecting Set as Default in step 4, you can go to System > Messaging > Email Services, set both Administrators and Users to use the new SMTP server, and select Save.

Although the FortiAuthenticator can be configured to send emails from the built-in mail server (localhost), this is not recommended. Anti-spam methods such as IP lookup, DKIM, and SPF can cause mail from such ad-hoc mail servers to be blocked. It is highly recommended that email is relayed via an official mail server for your domain.

Note that the email may have been marked as Spam.


WiFi using FortiAuthenticator RADIUS with Certificates


This recipe will walk you through the configuration of FortiAuthenticator as the RADIUS server for a FortiGate wireless controller. WPA2-Enterprise with 802.1X authentication can be used to authenticate wireless users with FortiAuthenticator. 802.1X utilizes the Extensible Authentication Protocol (EAP) to establish a secure tunnel between participants involved in an authentication exchange.

EAP-TLS is the most secure form of wireless authentication because it replaces the client username/password with a client certificate. Every participant in EAP-TLS, the authentication server included, must possess at least two certificates: 1) its own certificate signed by the certificate authority (CA) and 2) a copy of the CA root certificate.

This recipe focuses specifically on the configuration of the FortiAuthenticator, the FortiGate, and a Windows 7 computer.

1. Creating a local CA on FortiAuthenticator

The FortiAuthenticator will act as the certificate authority for all certificates authenticated for client access. To enable this functionality, a self-signed root CA certificate must be generated.

On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs. Click Create New. Complete the information in the fields pertaining to your organization.

2. Creating a local service certificate on FortiAuthenticator

In order for the FortiAuthenticator to use a certificate in mutual authentication (supported by EAP-TLS), a local services certificate has to be created on behalf of the FortiAuthenticator.

Go to Certificate Management > End Entities > Local Services. Click Create New. Complete the information in the fields pertaining to your organization.

3. Configuring RADIUS EAP on FortiAuthenticator

In order for the FortiAuthenticator to present the newly created Local Services certificate as its authentication to the WiFi client, RADIUS-EAP must be configured to use this certificate.

Go to Authentication > RADIUS Service > EAP. Click Create New. Select the corresponding Local Services certificate in the EAP Server Certificate section. Choose the Local CA certificate previously configured in the Local CAs section.

4. Configuring RADIUS client on FortiAuthenticator

The FortiAuthenticator has to be configured to allow RADIUS clients to make authorization requests to it.

Go to Authentication > RADIUS Service > Clients. Click Create New. Enter a Name, then the Client name/IP, which is the FortiGate’s IP address. Enter the Secret (password). Under Authentication method select Password-only authentication, and under Username input format select username@realm.
EAP-TLS should be the only EAP type selected, to prevent fallback to a less secure authentication method if the WiFi client does not present a certificate.

5. Configuring local user on FortiAuthenticator

The authentication of the WiFi client will be tied to a user account on the FortiAuthenticator. In this scenario, a local user will be configured but remote users associated with LDAP can be configured as well.

Go to Authentication > User Management > Local Users. Click Create New. Fill out applicable user information.

6. Configuring local user certificate on FortiAuthenticator

The certificate created locally on the FortiAuthenticator will be associated with the local user. It is important to note that the Name (CN) must exactly match the username of the user registered in the FortiAuthenticator (in this example, eap-user).

Go to Certificate Management > End Entities > Users. Click Create New. Fill out applicable user information to map the certificate to the correct user.

7. Creating RADIUS server on FortiGate

In order to proxy the authentication request from the wireless client, the FortiGate will need to have a RADIUS server to submit the authentication request to.

On the FortiGate, go to User & Device > RADIUS Servers. Select Create New. Enter FortiAuth as the Name. Enter the FortiAuthenticator’s IP address and the Server Secret (password). Optionally, you can click Test Connectivity. Enter a RADIUS user’s ID and password. The result should be “Successful”.

8. Creating WiFi SSID on FortiGate

In order for the WiFi client to connect using its certificate, an SSID has to be configured on the FortiGate to accept this type of authentication.

Go to WiFi & Switch Controller > SSID. Create an SSID and set up DHCP for clients.
Set WPA2-Enterprise with RADIUS Server authentication, and choose FortiAuth.

9. Exporting user certificate from FortiAuthenticator

In order for the WiFi client to authenticate with the RADIUS server, the user certificate created in the FortiAuthenticator must first be exported.

On the FortiAuthenticator, go to Certificate Management > End Entities > Users. Click the checkbox beside the certificate. Click Export PKCS#12.
In the Export User Certificate and Key File type a password in Passphrase, and confirm it. This password will be used when importing the certificate into a Windows 7 computer. Click OK.
Click Download PKCS#12 file to pull this certificate to the Windows 7 computer. Click Finish.

10. Importing user certificate into Windows 7

On the Windows 7 computer, double-click the downloaded certificate file from the FortiAuthenticator. This will launch the Welcome to Certificate Import Wizard. Click Next.
Make sure the correct certificate is shown in the File Name section in the File to Import window. Click Next.
Below Password, type the password created on the FortiAuthenticator during the export of the certificate. Select Mark this key as exportable. Leave remaining defaults. Click Next.
In the Certificate Store, choose the Place all certificates in the following store. Click Browse and choose Personal. Click Next, and then Finish. A dialog box will show up confirming the certificate was imported successfully.

11. Configuring Windows 7 wireless profile to use certificate

Create a new wireless profile for this secure connection, in this case named EAP-TLS. On Windows 7, go to Control Panel > Network and Sharing Center > Manage Wireless Networks > Add. Select Security type: WPA2-Enterprise and Encryption type: AES.
Modify the newly created wireless connection EAP-TLS by right clicking and choosing Properties.
On EAP-TLS Wireless Network Properties, Under Choose a network authentication method select Microsoft: Smart card or other certificates. Then click on Settings.

In the Smart Card or other Certificates Properties dialog, under When connecting, select Use a certificate on this computer, and check Use simple certificate selection. Click OK in both dialogs.

Please note that, for simplification purposes, Validate server certificate has been disabled, but EAP-TLS allows the client to validate the server as well as the server to validate the client. With validation disabled, the client accepts any RADIUS server that presents a certificate, so enable it outside of a lab. To enable it, import the CA certificate from the FortiAuthenticator into the Windows 7 computer and make sure it is placed in the Trusted Root Certification Authorities store.

The configuration for the Windows 7 computer has been completed and the user should be able to authenticate to WiFi via the certificate without using username and password.

12. Results on FortiAuthenticator

When the user attempts to authenticate to WiFi using the certificate, they will have a specific log entry in the FortiAuthenticator.

13. Results on FortiGate

The log on the FortiGate shows plenty of details, such as the client’s MAC address, IP address, SSID, Security Mode, Encryption, AP, Radio, Band, and Channel.


Preventing certificate warnings (CA-signed certificate)


In this recipe, you will prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you are using a CA-signed certificate, your FortiGate’s default certificate, or a self-signed certificate. This recipe explains how you can prevent certificate warnings when you are using a CA-signed certificate.

When full SSL inspection is used, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when users receive security certificate warnings, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.


Using a CA-signed certificate

In this method, you obtain a CA-signed certificate and install this certificate on your FortiGate for use with SSL inspection. You can use either FortiAuthenticator as a CA or a trusted third-party CA.

If you use FortiAuthenticator as a CA, you generate a certificate signing request (CSR) on your FortiGate, have it signed on the FortiAuthenticator, import the certificate into your FortiGate, and configure your FortiGate so the certificate can be used for SSL deep inspection of HTTPS traffic.

If you use a trusted third-party CA, you generate a CSR on your FortiGate, apply for an SSL certificate from a trusted third-party CA, import the certificate into your FortiGate, and configure your FortiGate so the certificate can be used for SSL deep inspection of HTTPS traffic. 

If your FortiAuthenticator is not configured as a CA, see FortiAuthenticator as a Certificate Authority for more information.

1. Generating a CSR on a FortiGate

On your FortiGate, go to System > Certificates and select Generate to create a new CSR.

Enter a Certificate Name, the external IP of your FortiGate, and a valid email address.

Make sure to set Key Type to RSA and Key Size to 2048 Bit, so that the certificate’s key is strong enough to be accepted by browsers and CAs.

Once generated, the certificate will show a Status of Pending. Highlight the certificate and select Download.

This will save a .csr file to your local drive.

2. Getting the certificate signed by a CA

Trusted third-party CA:

If you want to use a third-party CA to sign the certificate, use the CSR to apply for an SSL certificate with a trusted third-party CA.

FortiAuthenticator:

If you want to use a FortiAuthenticator as a CA to sign the certificate, on the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import.

Set Type to CSR to sign, enter a Certificate ID, and import the Example-cert.csr file. Make sure to select the Certificate authority from the drop-down menu and set the Hash algorithm to SHA-256.

Once imported, you should see that Example-cert has been signed by the FortiAuthenticator, showing a Status of Active, and with the CA Type of Intermediate (non-signing) CA. Highlight the certificate and select Export.

This will save a .crt file to your local drive.

3. Importing the signed certificate to your FortiGate

On your FortiGate, go to System > Certificates and select Local Certificate from the Import drop-down menu.
Browse to the certificate file and select OK.
You should now see that the certificate has a Status of OK.

4. Editing the SSL inspection profile

To use your certificate in an SSL inspection profile, go to Security Profiles > SSL/SSH Inspection. Use the dropdown menu in the top right corner to select deep-inspection, which is the profile used to perform full SSL inspection.
Set CA Certificate to use the new certificate.

5. Importing the certificate into web browsers

If you had your certificate signed by the FortiAuthenticator, you need to import the certificate into users’ browsers.

If you used a trusted third-party CA to sign your certificate, you do not need to import the certificate into users’ browsers.

The method you use for importing the certificate varies depending on the type of browser.

Internet Explorer, Chrome, and Safari (on Windows and macOS):

Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.

If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certificate Authorities store. If a security warning appears, select Yes to install the certificate.

If you are using macOS, double-click the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

Firefox (on Windows and macOS):

Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in this store, rather than in the OS.

For Firefox users, the certificate cannot be pushed to all of their devices through the OS certificate store; it must be installed on each device.

In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

6. Results

Before you installed the certificate, an error message would appear in the browser when users accessed a site that used HTTPS (the example shows an error message appearing in Firefox).

After you install the certificate, users should not experience a certificate security issue when they browse to sites on which the FortiGate unit performs SSL content inspection.

Users can view information about the connection and the certificate that is used.

If users view information about the connection, they will see that it is verified by Fortinet.

If users view the certificate in the browser, they will see which certificate is used and information about that certificate.

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.

If you have the right environment, such as the Windows Group Policy Management Console, you can push the certificate to users’ browsers using the Windows Group Policy Editor. In this case, you do not have to import the certificate into users’ browsers.


FortiAuthenticator user self-registration


For this recipe, you will configure the FortiAuthenticator self-service portal to allow users to add their own account and create their own passwords.

Note that enabling and using administrator approval requires the use of an email server, or SMTP server. Since administrators will approve requests by email, this recipe describes how to add an email server to your FortiAuthenticator. You will create and use a new server instead of the unit’s default server.

1. Creating a self-registration user group

Go to Authentication > User Management > User Groups and create a new user group for self-registering users.

Enter a Name and select OK. Users will be added to this group once they register through the self-registration portal.

2. Editing self-registration settings

Go to Authentication > Self-service Portal > General.

Enter a Site name, add an Email signature that you would like appended to the end of outgoing emails, and select OK.

3. Enabling self-registration

Go to Authentication > Self-service Portal > Self-registration and select Enable.

Enable Require administrator approval and Enable email to freeform addresses, and enter the administrator’s email address in the field provided.

Enable Place registered users into a group, select the user group created earlier, and configure basic account information to be sent to the user by Email.

Open the Required Field Configuration dropdown and enable First name, Last name, and Email address.

4. Creating a new SMTP server

Go to System > Messaging > SMTP Servers and create a new email server for your users.

Enter a Name, the IP address of the FortiAuthenticator, and leave the default port value (25).

Enter the administrator’s email address, Account username, and Password.

Note that, for the purpose of this recipe, Secure connection will not be set to STARTTLS, as a signed CA certificate would be required.

Once created, highlight the new server and select Set as Default.

The new SMTP server will now be used for future user registration.

5. Results — Self-registration

When the user visits the login page, https://<FortiAuthenticator-IP>/auth/register/, they can click the Register button, after which they are prompted to enter their information.

They will need to enter and confirm a Username and Password, and enter a First name, Last name, and Email address. These are the only required fields, as configured in the FortiAuthenticator earlier.

Select Submit.

The user’s registration is successful, and their information has been sent to the administrator for approval.

When the administrator has enabled the user’s account, the user will receive an activation welcome email.

The user’s login information will be listed.

Select the link and log in to the user’s portal.

The user is now logged into their account where they can review their information.

As recommended in the user’s welcome email, the user may change their password. However, this is optional.

6. Results — Administrator approval

After receiving the user’s registration request, in the FortiAuthenticator as the administrator, go to Authentication > User Management > Local Users. The user has been added, but their Status is listed as Unknown.

In the administrator’s email account, open the user’s Approval Required email. The user’s full name will appear in the email’s subject, along with their username in the email’s body.

Select the link to approve or deny the user.

The link will take you to the New User Approval page, where you can review the user’s information and either approve or deny the user’s full registration.

Select Approve.

The user has now been approved and activated by the administrator.

This can be confirmed by going back to Authentication > User Management > Local Users. The user’s Status has changed to Enabled.

7. Verifying the results

On the FortiAuthenticator, go to Logging > Log Access > Log to view the successful login of the user and more information.

Instead of selecting Set as Default in step 4, you can go to System > Messaging > Email Services, set both Administrators and Users to use the new SMTP server, and select Save.

Although the FortiAuthenticator can be configured to send emails from the built-in mail server (localhost), this is not recommended. Anti-spam methods such as IP lookup, DKIM, and SPF can cause mail from such ad-hoc mail servers to be blocked. It is highly recommended that email is relayed via an official mail server for your domain. For increased security, it is recommended to configure this setting.

Note that the email may have been marked as Spam.

FortiAuthenticator as Guest Portal for FortiWLC


In this recipe, we will use the FortiAuthenticator as the guest portal for users whose wireless connection is provided by a FortiWLC.

1. Adding the FortiAuthenticator as a RADIUS server on the FortiWLC

On the FortiWLC, go to Configuration > Security > RADIUS, click the ADD button, and create two profiles: one to be used for Authentication and one to be used for Accounting.

RADIUS Profile name: Enter a name for the profile. TIP: Use a name that will indicate if the profile is used for Authentication or Accounting.
RADIUS IP: IP address of the FortiAuthenticator.
RADIUS Secret: Shared Secret between WLC and FortiAuthenticator.
RADIUS Port: use 1812 for the Authentication profile and 1813 when creating the Accounting profile.

2. Creating the Captive Portal Profile on the FortiWLC

On the FortiWLC, go to Configuration > Security > Captive Portal, select the Captive Portal Profiles tab, and ADD a new profile.

CP Name: Enter a name for the profile.
Authentication Type: RADIUS.
Primary Authentication: Your Authentication profile.
Primary Accounting: Your Accounting profile.
External Server: FortinetConnect.
External Portal URL: https://<fortiauthenticator-ip>/guests
Public IP of Controller: IP address of the FortiWLC.

3. Creating the Security Profile on the FortiWLC

On the FortiWLC, go to Configuration > Security > Profile, and ADD a new profile.

Profile Name: Enter a name for the profile.
Security mode: Open.
Captive Portal: Webauth.
Captive Portal Profile: Select the profile created earlier.
Captive Portal Authentication Method: external.
Passthrough Firewall Filter ID: A string of your choice; the QoS rules created next reference it to allow access to the portal before authentication.

4. Creating the QoS rule on the FortiWLC

On the FortiWLC, go to Configuration > Policies > QoS and select the QoS and Firewall Rules tab.
Use the ADD button to create two profiles.

For the first rule, allow the wireless client to access FortiAuthenticator’s guest portal.

ID: Rule number.
Destination IP: IP address of the FortiAuthenticator, and enable Match
Destination Netmask: 255.255.255.255
Destination Port: 443, and enable Match
Network Protocol: 6, and enable Match
Firewall Filter ID: Use the “Passthrough Firewall Filter ID” string from the Security Profile, and enable Match
QoS Protocol: Other.

For the second rule, allow FortiAuthenticator to reach the clients.

ID: Rule number.
Source IP: IP address of the FortiAuthenticator, and enable Match
Source Netmask: 255.255.255.255
Source Port: 443, and enable Match
Network Protocol: 6, and enable Match
Firewall Filter ID: Use the “Passthrough Firewall Filter ID” string from the Security Profile, and enable Match
QoS Protocol: Other.
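
As an added example that is not from the Fortinet Cookbook or from FortiWLC, the following Python models how the two rules above act as a pre-authentication passthrough filter: only TCP traffic between the client and port 443 on the FortiAuthenticator is matched, so an unauthenticated client can reach the guest portal and nothing else until the captive portal authenticates it. The FortiAuthenticator address 192.0.2.10, the filter ID string, the client addresses and the sample packets are constructed, and the rule evaluation is a simplified model rather than the FortiWLC's actual implementation.

```python
"""Model of the FortiWLC passthrough QoS rules in front of the guest portal.

Added example; not FortiWLC code. Simplified model: a rule matches a packet
when every field the rule marks 'Match' equals the packet's field, with IP
addresses compared through the rule's netmask.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PASSTHROUGH_FILTER_ID = "guest-portal"  # Security Profile's filter ID (constructed)
FORTIAUTHENTICATOR_IP = "192.0.2.10"    # constructed documentation address
TCP = 6                                  # Network Protocol value from the recipe
UDP = 17


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class QosRule:
    rule_id: int
    filter_id: str
    src_net: Optional[str] = None  # "ip/netmask"; None means the field is not matched
    dst_net: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.src_net is not None and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net is not None and ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        return True


# The two rules from the recipe; netmask 255.255.255.255 pins a single host
RULES = [
    QosRule(rule_id=1, filter_id=PASSTHROUGH_FILTER_ID,
            dst_net=FORTIAUTHENTICATOR_IP + "/255.255.255.255", dst_port=443, proto=TCP),
    QosRule(rule_id=2, filter_id=PASSTHROUGH_FILTER_ID,
            src_net=FORTIAUTHENTICATOR_IP + "/255.255.255.255", src_port=443, proto=TCP),
]


def passthrough_rule(pkt: Packet, rules: List[QosRule], filter_id: str) -> Optional[int]:
    """Return the id of the first rule carrying filter_id that matches, else None.

    Before captive-portal authentication, only packets that hit a rule bound to
    the profile's Passthrough Firewall Filter ID are forwarded; a packet that
    matches no such rule stays behind the portal.
    """
    for rule in rules:
        if rule.filter_id == filter_id and rule.matches(pkt):
            return rule.rule_id
    return None


# Constructed sample traffic from an unauthenticated client at 10.10.10.50
SAMPLES = {
    "client to portal": Packet("10.10.10.50", FORTIAUTHENTICATOR_IP, TCP, 51000, 443),
    "portal to client": Packet(FORTIAUTHENTICATOR_IP, "10.10.10.50", TCP, 443, 51000),
    "client to web":    Packet("10.10.10.50", "198.51.100.20", TCP, 51001, 443),
    "client to FAC ssh": Packet("10.10.10.50", FORTIAUTHENTICATOR_IP, TCP, 51002, 22),
    "client to FAC udp": Packet("10.10.10.50", FORTIAUTHENTICATOR_IP, UDP, 51003, 443),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print("%-18s -> rule %s" % (label, passthrough_rule(pkt, RULES, PASSTHROUGH_FILTER_ID)))
```

Only the first two samples match (rules 1 and 2); the web, SSH and UDP packets return `None`, which is the behaviour you want from a passthrough filter: it exposes exactly the portal and nothing else on the FortiAuthenticator or beyond it.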

 

5. Creating the ESS Profile on the FortiWLC

On the FortiWLC, go to Configuration > Wireless > ESS and ADD an ESS profile.

Configure the profile with an appropriate ESS Profile name and SSID. Then select the Security Profile that contains the Captive Portal settings.

Primary RADIUS Accounting Server: Your RADIUS Accounting profile.

6. Adding the FortiWLC as a RADIUS client on the FortiAuthenticator

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create a new client.

Set Client address to IP/Hostname and enter the FortiWLC management IP as the IP address. Set the same Secret that was entered during the RADIUS configuration on the FortiWLC.
In the Profiles section, set a new Profile name and choose the EAP types.
In the Realms section, choose the realms that are allowed.

7. Creating the Guest Portal on the FortiAuthenticator

On the FortiAuthenticator, go to Authentication > Guest Portals > Portals and create a new portal.

For the Profile Configuration select the RADIUS profile created earlier.

8. Creating the Portal Rule on the FortiAuthenticator

On the FortiAuthenticator, go to Authentication > Guest Portals > Rules and create a new rule.

For Action choose Go to portal, and select the portal created earlier.

You can match on different HTTP parameters to decide which portal is shown. This is useful when several portals serve different FortiWLCs or different client IP subnets.

 

9. Results

Connect a client to the SSID created on the FortiWLC, then log in to the portal with a valid username and password.

Local accounts for portal users can be created under Authentication > User Management > Local Users on the FortiAuthenticator.

 

To confirm the successful login on the FortiAuthenticator, go to Logging > Log Access > Logs and find the entry whose Sub Category is User Portal.

 

On the FortiWLC, go to Monitor > Devices > All Stations and find the device showing the authenticated user.

 

The post FortiAuthenticator as Guest Portal for FortiWLC appeared first on Fortinet Cookbook.

MAC authentication bypass with dynamic VLAN assignment

In this recipe, you will configure MAC authentication bypass in a wired network with dynamic VLAN assignment.

The purpose of this recipe is to configure and demonstrate MAC authentication bypass (MAB) with FortiAuthenticator, using a 3rd-party switch (a Juniper EX2200 running Junos) to confirm cross-vendor interoperability. The recipe also demonstrates dynamic VLAN allocation for an endpoint that has no 802.1X supplicant. Keep in mind what MAB does and does not prove: the switch sends the endpoint's MAC address as the username, and a MAC address is trivially cloned, so MAB identifies a device rather than authenticating it. Use it only for devices that cannot run a supplicant (a printer, as here), and give their VLAN only the access those devices need.

1. Configuring MAC Authentication Bypass on the FortiAuthenticator

Go to Authentication > User Management > MAC Devices and create a new MAC-based device.

2. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group.

No members need to be added. In Step 3 the RADIUS client's MAC-based authentication setting links this group to the client, so the group's RADIUS attributes are returned whenever one of the registered MAC devices authenticates.

Click OK.

Edit the group you just created and add the RADIUS attributes that carry the VLAN assignment. In this example they are the RFC 3580 triple that the Access-Accept in the Results shows: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-Id = engineering (the VLAN name as the switch knows it).

3. Configuring the RADIUS client

Go to Authentication > RADIUS Service > Clients and create a new RADIUS client. Configure the Switch IP and Shared Secret.

Use the Local realm.

Allow MAC-based authentication and link the group created in Step 2.

4. Configuring the 3rd-party switch

The switch configuration provided below is intended for demonstration only. Your switch configuration is likely to differ significantly.

set system services dhcp pool 10.1.2.0/24 address-range low 10.1.2.220
set system services dhcp pool 10.1.2.0/24 address-range high 10.1.2.230
set system services dhcp pool 10.1.2.0/24 domain-name fortiad.net
set system services dhcp pool 10.1.2.0/24 name-server 10.1.2.122
set system services dhcp pool 10.1.2.0/24 router 10.1.2.1
set system services dhcp pool 10.1.2.0/24 server-identifier 10.1.2.27
set interfaces ge-0/0/0 unit 0 family ethernet-switching #no vlan assigned to printer port, this will be allocated based on Group attributes
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering #interface used to communicate with FortiAuthenticator
set interfaces vlan unit 10 family inet address 10.1.2.27/24
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/0.0 mac-radius restrict #forces mac address as username over RADIUS
set access radius-server 10.1.2.29 secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.1.2.29
set vlans engineering vlan-id 10
set vlans engineering l3-interface vlan.10

No configuration is required on the endpoint.

5. Results

Connect the wired device (in this case, the printer).

Using tcpdump, FortiAuthenticator shows receipt of the incoming Access-Request (tcpdump -nnvvXs0 host 10.1.2.27):

tcpdump: listening on port1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:36:19.110399 IP (tos 0x0, ttl 64, id 18417, offset 0, flags [none], proto UDP (17), length 185)
  10.1.2.27.60114 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 157
    Access-Request (1), id: 0x08, Authenticator: b77fe0657747891fc8d53ae0ad2b0e7a
      User-Name Attribute (1), length: 14, Value: 0022681af1a0 #Switch forces username to be endpoint MAC address, no configuration needed on endpoint
        0x0000:  3030 3232 3638 3161 6631 6130
      NAS-Port Attribute (5), length: 6, Value: 70
        0x0000:  0000 0046
      EAP-Message Attribute (79), length: 19, Value: .
        0x0000:  0200 0011 0130 3032 3236 3831 6166 3161
        0x0010:  30
      Message-Authenticator Attribute (80), length: 18, Value: .y{.cD%..9|es.'x
        0x0000:  a679 7b82 6344 2593 f639 7c65 73eb 2778
      Acct-Session-Id Attribute (44), length: 24, Value: 802.1x81fa002500078442
        0x0000:  384f 322e 3178 3831 6661 3030 3235 3030
        0x0010:  3037 3834 3432
      NAS-Port-Id Attribute (87), length: 12, Value: ge-0/0/0.0
        0x0000:  6765 2d30 2f30 2f30 2e30
      Calling-Station-Id Attribute (31), length: 19, Value: 00-22-68-1a-f1-a0
        0x0000:  3030 2d32 322d 3638 2d31 612d 6631 2d61
        0x0010:  30
      Called-Station-Id Attribute (30), length: 19, Value: a8-d0-e5-b0-21-80
        0x0000:  6138 2d64 302d 6535 2d62 302d 3231 2d38
        0x0010:  30
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
        0x0000:  0000 000f

Go to Logging > Log Access > Logs to verify the device authentication.

The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

Continuing with tcpdump, the authentication is accepted by FortiAuthenticator and the authorization attributes are returned to the switch. (The "bad udp cksum" on packets FortiAuthenticator itself sends is an artifact of capturing locally with checksum offload: the NIC fills in the checksum after tcpdump has seen the packet. It is not an error.)

17:36:19.115264 IP (tos 0x0, ttl 64, id 49111, offset 0, flags [none], proto UDP (17), length 73)
  10.1.2.29.1812 > 10.1.2.27.60114: [bad udp cksum 0x1880 -> 0x5cce!] RADIUS, length: 45
    Access-Accept (2), id: 0x08, Authenticator: b5c7b1bb5a316fb483a622eaae58ccc2
      Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13
        0x0000:  0000 000d
      Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
        0x0000:  0000 0006
      Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering
        0x0000:  656e 6769 6e65 6572 696e 67
    0x0000:  4500 0049 bfd7 0000 4011 a293 0a01 021d  E..I....@.......
    0x0010:  0a01 021b 0714 ead2 0035 1880 0208 002d  ...........5...-
    0x0020:  b5c7 b1bb 5a31 6fb4 83a6 22ea ae58 ccc2  ....Z1o..."..X..
    0x0030:  4006 0000 0000 4106 0000 0006 510d 656e  @.....A.....Q.en
    0x0040:  6769 6e65 6572 696e 67                   gineering

Post-authentication DHCP transaction is picked up by FortiAuthenticator (tcpdump continued):

17:36:22.955537 IP (tos 0x0, ttl 1, id 18546, offset 0, flags [none], proto UDP (17), length 328)
  10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x9fc8f40c, Flags [Broadcast] (0x8000)
    Your-IP 10.1.2.224
    Client-Ethernet-Address 00:22:68:1a:f1:a0
    Vendor-rfc1048 Extensions
      Magic Cookie 0x63825363
      DHCP-Message Option 53, length 1: ACK
      Server-ID Option 54, length 4: 10.1.2.27
      Lease-Time Option 51, length 4: 86400
      Subnet-Mask Option 1, length 4: 255.255.255.0
      Default-Gateway Option 3, length 4: 10.1.2.1
      Domain-Name-Server Option 6, length 4: 10.1.2.122
      Domain-Name Option 15, length 11: "fortiad.net"

The Switch CLI shows a successful dot1x session:

root# run show dot1x interface ge-0/0/0.0
802.1X Information:
Interface    Role             State            MAC address          User
ge-0/0/0.0   Authenticator    Authenticated    00:22:68:1A:F1:A0    0022681af1a0

The printer's interface (ge-0/0/0.0) has been dynamically placed into the correct VLAN:

root# run show vlans engineering
Name          Tag           Interfaces
engineering   10
                            ge-0/0/0.0*, ge-0/0/11.0*

And the printer shows as available on the network:

root# run show arp interface vlan.10
MAC Address         Address       Name          Interface   Flags
00:0c:29:5b:90:68   10.1.2.29     10.1.2.29     vlan.10     none
6c:70:9f:d6:ae:a1   10.1.2.220    10.1.2.220    vlan.10     none
b8:53:ac:4a:d5:f5   10.1.2.221    10.1.2.221    vlan.10     none
00:22:68:1a:f1:a0   10.1.2.224    10.1.2.224    vlan.10     none
a4:c3:61:24:b9:07   10.1.2.228    10.1.2.228    vlan.10     none
Total entries: 5

{master:0}[edit]
root# run ping 10.1.2.224
PING 10.1.2.224 (10.1.2.224): 56 data bytes
64 bytes from 10.1.2.224: icmp_seq=0 ttl=128 time=2.068 ms
64 bytes from 10.1.2.224: icmp_seq=1 ttl=128 time=2.236 ms
64 bytes from 10.1.2.224: icmp_seq=2 ttl=128 time=2.699 ms

--- 10.1.2.224 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.068/2.334/2.699/0.267 ms

 

Note for Step 1: instead of creating MAC devices one at a time, you can use the Import option on the MAC Devices page to load them from a CSV file.

Wired 802.1x EAP-TLS with computer authentication

In this recipe, you will configure and demonstrate wired 802.1x EAP-TLS with computer authentication.

In the example, you will set up FortiAuthenticator as the Root CA and client certificate issuer. The FortiAuthenticator will authenticate the computer without user interaction, using the domain computer's identity and its client certificate (no username or password is sent).

The example includes a native Windows 7 supplicant and a 3rd-party switch (a Juniper EX2200) to confirm cross-vendor interoperability. It also includes dynamic VLAN assignment on the switch, driven by the RADIUS attributes FortiAuthenticator returns.

1. Active Directory prerequisites

Key considerations:

  • the computer objects must be members of AD groups that correspond to their target VLAN (this example uses a group named VLAN10)
  • the dNSHostName attribute is used as the username, because the Windows supplicant identifies the machine as host/<FQDN> (host/leno.fortiad.net in the Results)

2. Configuring the certificates

Go to Certificate Management > Certificate Authorities > Local CAs and create a new Root CA.
Go to Certificate Management > End Entities > Local Services and configure a certificate used for EAP-TLS.

Go to RADIUS Service > EAP and set up the EAP configuration.

If the client certificates are issued by a third-party CA rather than by FortiAuthenticator, upload that CA's certificate to FortiAuthenticator as a Trusted CA (Certificate Management > Certificate Authorities > Trusted CAs) so that the client certificates chain to a CA FortiAuthenticator trusts.

In this example, FortiAuthenticator creates the client certificates.

Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the full DNS name of the intended computer.

Export the certificate and its private key as a PKCS#12 file and protect the file with a passphrase.

The client certificate can be pushed out using GPO (Group Policy Object). Otherwise, it can be imported manually.

3. Manually importing the client certificate – Windows 7

Manual import can be completed using MMC as shown.

Open an elevated Command Prompt (Run as administrator), type mmc and press Enter.

On the File menu, click Add/Remove Snap-in, add the Certificates snap-in and, when prompted, choose Computer account and then Local computer. Under Certificates (Local Computer) > Personal, right-click Certificates, select All Tasks > Import, choose the exported PKCS#12 file and enter its passphrase.

Once imported, the certificate should show up under Local Computer and not Current User: computer authentication runs before any user logs on, so a certificate in a user's store is never seen by the supplicant.

Export the FortiAuthenticator root CA certificate (the Local CA created in Step 2) and import it under Trusted Root Certification Authorities, again under Certificates (Local Computer). Without it the supplicant cannot validate the server certificate FortiAuthenticator presents during EAP-TLS and aborts the handshake.

4. Configuring the FortiAuthenticator AD Server

Go to Authentication > Remote Auth. Servers > LDAP and create a new AD server.

Ensure that the Username attribute is set to dNSHostName, matching the AD consideration in Step 1.

Go to Authentication > User Management > Realms and create a new realm for these users.

5. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group with the RADIUS attributes shown. In this example the group is named VLAN10 and the attributes are the RFC 3580 triple seen in the Access-Accept in the Results: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-Id = engineering.

6. Configuring remote user sync rules

Go to Authentication > User Management > Remote User Sync Rules and configure a new Remote LDAP User Synchronization Rule.

Go to Authentication > User Management > Remote Users and check to see if the sync rule worked.

7. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a RADIUS client to bring the configuration together on the FortiAuthenticator.

8. Configuring the switch

The switch configuration provided below is intended for demonstration only. Your switch configuration is likely to differ significantly.

set system services dhcp pool 10.1.2.0/24 address-range low 10.1.2.220
set system services dhcp pool 10.1.2.0/24 address-range high 10.1.2.230
set system services dhcp pool 10.1.2.0/24 domain-name fortiad.net
set system services dhcp pool 10.1.2.0/24 name-server 10.1.2.122
set system services dhcp pool 10.1.2.0/24 router 10.1.2.1
set system services dhcp pool 10.1.2.0/24 server-identifier 10.1.2.27
set interfaces ge-0/0/1 unit 0 family ethernet-switching #windows 7 machine port, no VLAN assigned, will be allocated dynamically
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering #interface used to communicate with FortiAuthenticator
set interfaces me0 unit 0 family inet address 10.1.1.1/24
set interfaces vlan unit 10 family inet address 10.1.2.27/24
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single #802.1x configuration requiring supplicant
set access radius-server 10.1.2.29 secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.1.2.29
set vlans engineering vlan-id 10
set vlans engineering l3-interface vlan.10

9. Results

The authentication flow should initiate as soon as the wired computer starts up (while connected to the domain).

Using tcpdump, FortiAuthenticator shows receipt of the incoming Access-Request (tcpdump -nnvvXs0 host 10.1.2.27):

02:18:48.572998 IP (tos 0x0, ttl 64, id 32483, offset 0, flags [none], proto UDP (17), length 203)
  10.1.2.27.60114 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 175
    Access-Request (1), id: 0x4d, Authenticator: 27e45f0edbfa7026318d583ccf915776
      User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net
        0x0000:  686f 7374 2f6c 656e 6f2e 666f 7274 6961
        0x0010:  642e 6e65 74
      NAS-Port Attribute (5), length: 6, Value: 71
        0x0000:  0000 0047
      EAP-Message Attribute (79), length: 28, Value: .
        0x0000:  0200 001a 0168 6f73 742f 6c65 6e6f 2e66
        0x0010:  6f72 7469 6164 2e6e 6574
      Message-Authenticator Attribute (80), length: 18, Value: ...OS2....... .M
        0x0000:  b60f 874f 5332 c9a7 e2f5 d90e 8c20 e64d
      Acct-Session-Id Attribute (44), length: 24, Value: 802.1x81fa00370003dd64
        0x0000:  384f 322e 3178 3831 6661 3030 3337 3030
        0x0010:  3033 6464 3634
      NAS-Port-Id Attribute (87), length: 12, Value: ge-0/0/1.0
        0x0000:  6765 2d30 2f30 2f31 2e30
      Calling-Station-Id Attribute (31), length: 19, Value: 00-22-68-1a-f1-a0
        0x0000:  3030 2d32 322d 3638 2d31 612d 6631 2d61
        0x0010:  30
      Called-Station-Id Attribute (30), length: 19, Value: a8-d0-e5-b0-21-80
        0x0000:  6138 2d64 302d 6535 2d62 302d 3231 2d38
        0x0010:  30
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
        0x0000:  0000 000f

Continuing with tcpdump, Access-Challenge is issued from FortiAuthenticator to the Switch:

02:18:48.578465 IP (tos 0x0, ttl 64, id 29725, offset 0, flags [none], proto UDP (17), length 108)
  10.1.2.29.1812 > 10.1.2.27.60114: [bad udp cksum 0x18a3 -> 0x7f96!] RADIUS, length: 80
    Access-Challenge (11), id: 0x4d, Authenticator: 8140836b0192a5ef12630d4d049d05e6
      EAP-Message Attribute (79), length: 24, Value: ..
        0x0000:  0101 0016 0410 bc6b 992d bbfc 141f 3bb1
        0x0010:  1908 2978 2030
      Message-Authenticator Attribute (80), length: 18, Value: .#...:&%N.z.7...
        0x0000:  dc23 d299 0f3a 2625 4eed 7a9c 37d9 ef97
      State Attribute (24), length: 18, Value: ........ ...m.q.
        0x0000:  c21b 819c c21a 85b8 20c3 b2b7 6d1a 71d6

The Access-Accept, with the RADIUS attributes, is returned to the switch. The two Microsoft Vendor-Specific attributes are MS-MPPE-Send-Key (17) and MS-MPPE-Recv-Key (16), the encrypted keying material derived from the EAP-TLS session; a wired switch has no use for them unless MACsec is in play, but a wireless controller needs them for the 802.11 key hierarchy:

02:18:48.919099 IP (tos 0x0, ttl 64, id 29732, offset 0, flags [none], proto UDP (17), length 236)
  10.1.2.29.1812 > 10.1.2.27.60114: [bad udp cksum 0x1923 -> 0xae5a!] RADIUS, length: 208
    Access-Accept (2), id: 0x54, Authenticator: 668c7cbb00d96161c278906918ce2291
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 17, Length: 50, Value: .p<.6..A [y)..E)......Y..(..P...Xd@..aB.k.
        0x0000:  0000 0137 1134 f270 3cbf 360b 1d41 f5e5
        0x0010:  c87f e8eb b9e9 955b 7929 0915 4529 fa92
        0x0020:  8c02 0fec 59a0 e528 889e 50b9 f506 5864
        0x0030:  4018 ff61 429a 6bb8
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 16, Length: 50, Value: ..G......Q...............x.=xA/......i.r..a.%R.^..
        0x0000:  0000 0137 1034 ff86 47fc 00f1 99d9 cc51
        0x0010:  fc1f 1ae2 b9e3 00a7 1ec9 baf4 031d fa78
        0x0020:  8d3d 7841 2114 0313 a2e8 9e69 dc72 efed
        0x0030:  61b2 2552 995e fbf4
      EAP-Message Attribute (79), length: 6, Value: ..
        0x0000:  0307 0004
      Message-Authenticator Attribute (80), length: 18, Value: .8............30
        0x0000:  0438 c613 8719 caa2 eaf0 a106 ffb4 3330
      User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net
        0x0000:  686f 7374 2f6c 656e 6f2e 666f 7274 6961
        0x0010:  642e 6e65 74
      Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13
        0x0000:  0000 000d
      Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
        0x0000:  0000 0006
      Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering
        0x0000:  656e 6769 6e65 6572 696e 67

Post-authentication DHCP transaction is picked up by FortiAuthenticator (tcpdump continued):

02:18:52.384838 IP (tos 0x0, ttl 1, id 32640, offset 0, flags [none], proto UDP (17), length 328)
  10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0xf79d54fa, Flags [Broadcast] (0x8000)
    Your-IP 10.1.2.224
    Client-Ethernet-Address 00:22:68:1a:f1:a0
    Vendor-rfc1048 Extensions
      Magic Cookie 0x63825363
      DHCP-Message Option 53, length 1: ACK
      Server-ID Option 54, length 4: 10.1.2.27
      Lease-Time Option 51, length 4: 86400
      Subnet-Mask Option 1, length 4: 255.255.255.0
      Default-Gateway Option 3, length 4: 10.1.2.1
      Domain-Name-Server Option 6, length 4: 10.1.2.122
      Domain-Name Option 15, length 11: "fortiad.net"

Go to Logging > Log Access > Logs to verify the device authentication.

The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

The Switch CLI shows a successful dot1x session:

root# run show dot1x interface ge-0/0/1.0
802.1X Information:
Interface    Role             State            MAC address          User
ge-0/0/1.0   Authenticator    Authenticated    00:22:68:1A:F1:A0    host/leno.fortiad.net

The Domain Computer interface is dynamically placed into the correct VLAN:

root# run show vlans
Name          Tag           Interfaces
default
                            ge-0/0/0.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, 
engineering   10
                            ge-0/0/1.0*, ge-0/0/11.0*

And the domain computer shows as available on the network:

root# run show arp interface vlan.10
MAC Address        Address        Name         Interface    Flags
00:0c:29:5b:90:68  10.1.2.29      10.1.2.29    vlan.10      none
98:b8:e3:a0:c6:1b  10.1.2.220     10.1.2.220   vlan.10      none
b8:78:2e:38:3e:28  10.1.2.222     10.1.2.222   vlan.10      none
00:22:68:1a:f1:a0  10.1.2.224     10.1.2.224   vlan.10      none
54:e4:3a:d5:16:a0  10.1.2.226     10.1.2.226   vlan.10      none
Total entries: 5

{master:0}[edit]
root# run ping 10.1.2.224
PING 10.1.2.224 (10.1.2.224): 56 data bytes
64 bytes from 10.1.2.224: icmp_seq=0 ttl=128 time=4.651 ms
64 bytes from 10.1.2.224: icmp_seq=1 ttl=128 time=2.385 ms

--- 10.1.2.224 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.385/3.518/4.651/1.133 ms

Notes:

  • To view certificates in the local machine store, you must be in the Administrator role.
  • If the Authentication tab is not visible under your LAN properties, set the Wired AutoConfig service (dot3svc) to start automatically.
  • The sync rule in Step 6 automatically imports the computers in the AD group VLAN10 into the FortiAuthenticator user group VLAN10.
  • Users/computers should be visible under Remote Users. Certificate bindings must be completed manually.
  • The certificate CN has to match the Remote User computer name.

Wired 802.1x EAP-TLS with user authentication

In this recipe, you will configure and demonstrate wired 802.1x EAP-TLS with user authentication.

In the example, you will set up FortiAuthenticator as the Root CA and client certificate issuer. 

The example includes an Odyssey supplicant and a 3rd-party switch (EX2200) to confirm cross-vendor interoperability. It also includes dynamic VLAN assignment on the switch as per the FortiAuthenticator RADIUS attributes.

1. Configuring the certificates

Go to Certificate Management > Certificate Authorities > Local CAs and create a new Root CA.
Go to Certificate Management > End Entities > Local Services and configure a certificate used for EAP-TLS.

Go to RADIUS Service > EAP and set up the EAP configuration.

If the client certificates are issued by a third-party CA rather than by FortiAuthenticator, upload that CA's certificate to FortiAuthenticator as a Trusted CA (Certificate Management > Certificate Authorities > Trusted CAs) so that the client certificates chain to a CA FortiAuthenticator trusts.

In this example, FortiAuthenticator creates the client certificates.

Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the user sAMAccountName.

Export the certificate and its private key as a PKCS#12 file and protect the file with a passphrase.

The client certificate can be pushed out using GPO (Group Policy Object). Otherwise, it can be imported manually.

2. Manually importing the client certificate – Windows 7

Manual import can be completed using MMC as shown.

Open an elevated Command Prompt (Run as administrator), type mmc and press Enter.

On the File menu, click Add/Remove Snap-in, add the Certificates snap-in and, when prompted, choose Computer account and then Local computer. Under Certificates (Local Computer) > Personal, right-click Certificates, select All Tasks > Import, choose the exported PKCS#12 file and enter its passphrase.

Once imported, the certificate should show up under Local Computer and not Current User.

Export the FortiAuthenticator root CA certificate (the Local CA created in Step 1) and import it under Trusted Root Certification Authorities, again under Certificates (Local Computer). Without it the supplicant cannot validate the server certificate FortiAuthenticator presents during EAP-TLS and aborts the handshake.

3. Configuring the FortiAuthenticator AD Server

Go to Authentication > Remote Auth. Servers > LDAP and create a new AD server.

Ensure that Username attribute matches the entry in the AD configuration (sAMAccountName).

Go to Authentication > User Management > Realms and create a new realm for these users.

4. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group with the RADIUS attributes shown (the same RFC 3580 triple seen in the Access-Accept in the Results: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-Id = engineering).

The group will automatically populate with the Remote Sync Rule configured below.

5. Configuring remote user sync rules

Go to Authentication > User Management > Remote User Sync Rules and configure a new Remote LDAP User Synchronization Rule.

Go to Authentication > User Management > Remote Users and check to see if the sync rule worked.

6. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a RADIUS client to bring the configuration together on the FortiAuthenticator.

7. Configuring the switch

The switch configuration provided below is intended for demonstration only. Your switch configuration is likely to differ significantly.

set system services dhcp pool 10.1.2.0/24 address-range low 10.1.2.220
set system services dhcp pool 10.1.2.0/24 address-range high 10.1.2.230
set system services dhcp pool 10.1.2.0/24 domain-name fortiad.net
set system services dhcp pool 10.1.2.0/24 name-server 10.1.2.122
set system services dhcp pool 10.1.2.0/24 router 10.1.2.1
set system services dhcp pool 10.1.2.0/24 server-identifier 10.1.2.27
set interfaces ge-0/0/1 unit 0 family ethernet-switching #odyssey machine port, no VLAN assigned, will be allocated dynamically
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering #interface used to communicate with FortiAuthenticator
set interfaces me0 unit 0 family inet address 10.1.1.1/24
set interfaces vlan unit 10 family inet address 10.1.2.27/24
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single #802.1x configuration requiring supplicant
set access radius-server 10.1.2.29 secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.1.2.29
set vlans engineering vlan-id 10
set vlans engineering l3-interface vlan.10

8. Results

In the Odyssey Access Client Manager, click Connect to the network. Once connected, the Status should read open and authenticated.

The authentication flow should initiate as soon as the supplicant makes a connection attempt (while connected to the domain).

Using tcpdump, FortiAuthenticator shows receipt of the incoming Access-Request (tcpdump -nnvvXs0 host 10.1.2.27):

16:10:25.051118 IP (tos 0x0, ttl 64, id 22102, offset 0, flags [none], proto UDP (17), length 169)
  10.1.2.27.51296 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 141
    Access-Request (1), id: 0x18, Authenticator: 4c69f617666fcdaadbcdb14700c57551
      User-Name Attribute (1), length: 6, Value: kash
        0x0000:  6b61 7368
      NAS-Port Attribute (5), length: 6, Value: 71
        0x0000:  0000 0047
      EAP-Message Attribute (79), length: 11, Value: .A
        0x0000:  0241 0009 016b 6173 68
      Message-Authenticator Attribute (80), length: 18, Value: ..C....-.....o.>
        0x0000:  8a86 43bf a7d9 8a2d 8cef e0bf 036f 9f3e
      Acct-Session-Id Attribute (44), length: 24, Value: 802.1x81fb00610008e3c1
        0x0000:  384f 322e 3178 3831 6662 3030 3631 3030
        0x0010:  3038 6533 6331
      NAS-Port-Id Attribute (87), length: 12, Value: ge-0/0/1.0
        0x0000:  6765 2d30 2f30 2f31 2e30
      Calling-Station-Id Attribute (31), length: 19, Value: 00-22-68-1a-f1-a0
        0x0000:  3030 2d32 322d 3638 2d31 612d 6631 2d61
        0x0010:  30
      Called-Station-Id Attribute (30), length: 19, Value: a8-d0-e5-b0-21-80
        0x0000:  6138 2d64 302d 6535 2d62 302d 3231 2d38
        0x0010:  30
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
        0x0000:  0000 000f

Continuing with tcpdump, Access-Challenge is issued from FortiAuthenticator to the Switch:

16:10:25.057286 IP (tos 0x0, ttl 64, id 50545, offset 0, flags [none], proto UDP (17), length 108)
  10.1.2.29.1812 > 10.1.2.27.51296: [bad udp cksum 0x18a3 -> 0x0722!] RADIUS, length: 80
    Access-Challenge (11), id: 0x18, Authenticator: f0a3636e1b2ddf8b76f96239feece6bb
      EAP-Message Attribute (79), length: 24, Value: .B
        0x0000:  0142 0016 0410 87a4 a938 54dd 43b6 9ff4
        0x0010:  7ddc b515 1591
      Message-Authenticator Attribute (80), length: 18, Value: ..mu.l..0..o.ht.
        0x0000:  0f09 6d75 e76c 87c3 30f3 b76f f368 74e3
      State Attribute (24), length: 18, Value: s...s...L@..._K.
        0x0000:  73de c494 739c c01f 4c40 c6ce 815f 4bd5

The next 14 messages, further Access-Request/Access-Challenge round trips between the switch and the FortiAuthenticator, carry the EAP-TLS handshake relayed from the supplicant inside EAP-Message attributes; they are not shown here.

The Access-Accept, with the RADIUS attributes, is returned to the switch:

16:10:25.479480 IP (tos 0x0, ttl 64, id 50552, offset 0, flags [none], proto UDP (17), length 219)
  10.1.2.29.1812 > 10.1.2.27.51296: [bad udp cksum 0x1912 -> 0xef88!] RADIUS, length: 191
    Access-Accept (2), id: 0x1f, Authenticator: 5b463667865b7dacf8a742aea5424f20
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 17, Length: 50, Value: ......3.y.3..T.1z..[m..W. .c. Zv a rpa.z
        0x0000:  0000 0137 1134 831d 27be +0af 4aae 7990
        0x0010:  33da 0954 b631 7ad7 e15b 6dd4 8557 83cb
        0x0020:  a83c f4e0 155a 76fd dd61 c7f5 fd0a d8d1
        0x0030:  08e8 eb72 7061 b27a
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 16, Length: 50, Value: ..^DOb...z..9:e+....]+2X.../.WF.....4..K...Pt.
        0x0000:  0000 0137 1034 8f91 5e44 4f62 9d7f f513
        0x0010:  7abb 942a 213a 652b 0fc5 b488 5d2b 3258
        0x0020:  ce3a ded5 dd2f d757 4698 9a94 b205 34a2
        0x0030:  ed4b 83bb a250 74f6
      EAP-Message Attribute (79), length: 6, Value: .H
        0x0000:  0348 0004
      Message-Authenticator Attribute (80), length: 18, Value: .".Z.T..X....@..
        0x0000:  ca22 aa5a f354 17bc 58dc ccd7 cf40 7fb4
      User-Name Attribute (1), length: 6, Value: kash
        0x0000:  6b61 7368
      Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13
        0x0000:  0000 000d
      Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
        0x0000:  0000 0006
      Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering
        0x0000:  656e 6769 6e65 6572 696e 67
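What travels inside those EAP-Message attributes is easier to see decoded. The following is an added example, not code from the original recipe: it decodes the EAP packets from this recipe's capture and from the computer-authentication recipe above (the Identity responses kash and host/leno.fortiad.net, the MD5-Challenge that FortiAuthenticator offers first, and the final EAP Success), and, as constructed samples labelled in the code, the Nak with which an EAP-TLS-only supplicant answers the MD5 offer plus two EAP-TLS packets showing the RFC 5216 flags byte that the omitted handshake messages carry. directory_lookup shows why the two recipes set different LDAP Username attributes: the machine identity is prefixed host/ and maps to dNSHostName, while the user identity maps to sAMAccountName (stripping a DOMAIN\ or @realm decoration is this example's generalisation, not something the recipes show). Python, standard library only.

```python
"""Decode the EAP packets carried in the RADIUS EAP-Message attributes above.

Added example, not code from the Fortinet Cookbook page. CAPTURED holds
EAP-Message values captured on this page; CONSTRUCTED holds packets written for
this example to show what the omitted handshake messages look like.
"""
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}

def decode_eap(raw):
    """RFC 3748 4: Code, Identifier, Length, then Type and Type-Data; Success/Failure are 4 bytes."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 4:
        raise ValueError("EAP Length does not match the EAP-Message value")
    info = {"code": CODES.get(code, code), "id": ident}
    if code in (3, 4) or length == 4:
        return info
    eap_type, data = raw[4], raw[5:]
    info["type"] = TYPES.get(eap_type, eap_type)
    if eap_type == 1:        # Identity: the NAS copies this into User-Name
        info["identity"] = data.decode("ascii")
    elif eap_type == 3:      # Nak: the peer declines the offered method and lists its own
        info["wanted"] = [TYPES.get(b, b) for b in data]
    elif eap_type == 4:      # MD5-Challenge: Value-Size, Value, optional Name
        info["challenge"] = data[1:1 + data[0]].hex()
    elif eap_type == 13:     # EAP-TLS (RFC 5216 3.1): Flags byte, optional TLS Message Length
        flags, body = data[0], data[1:]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        if flags & 0x80:     # L set: first fragment of a multi-packet TLS record carries the total
            info["tls_total_length"], body = struct.unpack("!I", body[:4])[0], body[4:]
        info["tls_fragment_length"] = len(body)
    return info

def directory_lookup(identity):
    """AD attribute the RADIUS server must match. The Windows machine supplicant sends
    host/<dNSHostName>; a user sends sAMAccountName. Stripping a DOMAIN\\ or @realm
    decoration is this example's generalisation, not something the recipes show."""
    if identity.startswith("host/"):
        return "dNSHostName", identity[len("host/"):]
    return "sAMAccountName", identity.split("@")[0].split("\\")[-1]

# EAP-Message values from the tcpdump output in this recipe and the computer-authentication recipe.
CAPTURED = {
    "computer identity": "0200001a01686f73742f6c656e6f2e666f72746961642e6e6574",
    "user identity": "02410009016b617368",
    "server offers MD5-Challenge": "01420016041087a4a93854dd43b69ff47ddcb5151591",
    "success": "03480004",
}
# Constructed for this example: what an EAP-TLS-only supplicant answers the MD5 offer with,
# and two EAP-TLS packets (S flag on the server's Start; L and M on a long client fragment).
CONSTRUCTED = {
    "supplicant Nak, wants EAP-TLS": "02420006030d",
    "server EAP-TLS Start": "014300060d20",
    "client fragment L|M": "0243000c0dc0000001001603",
}

def decode_all(samples):
    return {name: decode_eap(bytes.fromhex(value)) for name, value in samples.items()}

if __name__ == "__main__":
    for name, info in {**decode_all(CAPTURED), **decode_all(CONSTRUCTED)}.items():
        print(f"{name:30} {info}")
        if info.get("type") == "Identity":
            print(f"{'':30} look up by {directory_lookup(info['identity'])}")
```

The identity the NAS copies into User-Name is whatever the supplicant chose to send before any authentication has happened, which is why the FortiAuthenticator binds the certificate to the remote user and checks that the certificate CN matches: the EAP-TLS handshake, not the Identity response, is what proves who the peer is.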

Post-authentication DHCP transaction is picked up by FortiAuthenticator (tcpdump continued):

16:10:25.569855 IP (tos 0x0, ttl 1, id 22153, offset 0, flags [none], proto UDP (17), length 328)
  10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x91fced0e, Flags [Broadcast] (0x8000)
    Your-IP 10.1.2.224
    Client-Ethernet-Address 00:22:68:1a:f1:a0
    Vendor-rfc1048 Extensions
      Magic Cookie 0x63825363
      DHCP-Message Option 53, length 1: ACK
      Server-ID Option 54, length 4: 10.1.2.27
      Lease-Time Option 51, length 4: 86400
      Subnet-Mask Option 1, length 4: 255.255.255.0
      Default-Gateway Option 3, length 4: 10.1.2.1
      Domain-Name-Server Option 6, length 4: 10.1.2.122
      Domain-Name Option 15, length 11: "fortiad.net"

Go to Logging > Log Access > Logs to verify the device authentication.

The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

The Switch CLI shows a successful dot1x session:

root# run show dot1x interface ge-0/0/1.0
802.1X Information:
Interface    Role             State            MAC address          User
ge-0/0/1.0   Authenticator    Authenticated    00:22:68:1A:F1:A0    kash

The supplicant's interface (ge-0/0/1.0) is dynamically placed into the correct VLAN:

root# run show vlans
Name          Tag           Interfaces
default
                            ge-0/0/0.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, 
engineering   10
                            ge-0/0/1.0*, ge-0/0/11.0*

And the authenticated host shows as available on the network:

root# run show arp interface vlan.10
MAC Address        Address        Name         Interface    Flags
00:0c:29:5b:90:68  10.1.2.29      10.1.2.29    vlan.10      none
98:b8:e3:a0:c6:1b  10.1.2.220     10.1.2.220   vlan.10      none
b8:78:2e:38:3e:28  10.1.2.222     10.1.2.222   vlan.10      none
00:22:68:1a:f1:a0  10.1.2.224     10.1.2.224   vlan.10      none
54:e4:3a:d5:16:a0  10.1.2.226     10.1.2.226   vlan.10      none
Total entries: 5

{master:0}[edit]
root# run ping 10.1.2.224
PING 10.1.2.224 (10.1.2.224): 56 data bytes
64 bytes from 10.1.2.224: icmp_seq=0 ttl=128 time=4.651 ms
64 bytes from 10.1.2.224: icmp_seq=1 ttl=128 time=2.385 ms

--- 10.1.2.224 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.385/3.518/4.651/1.133 ms

Notes:

  • To view certificates in the local machine store, you must be in the Administrator role.
  • If the Authentication tab is not visible under your LAN properties, set the Wired AutoConfig service (dot3svc) to start automatically.
  • The sync rule in Step 5 automatically imports the users in the matching AD group into the FortiAuthenticator user group.
  • Users should be visible under Remote Users. Certificate bindings must be completed manually.
  • The certificate CN has to match the Remote User's sAMAccountName (see Step 1).

The post Wired 802.1x EAP-TLS with user authentication appeared first on Fortinet Cookbook.

Wireless 802.1x EAP-TLS with computer authentication


In this recipe, you will configure and demonstrate wireless 802.1x EAP-TLS with computer authentication.

In the example, you will set up FortiAuthenticator as the Root CA and client certificate issuer. The domain computer authenticates to FortiAuthenticator with its client certificate alone, with no user interaction and no username or password.

The example includes an Intel PROSet supplicant as well as a dynamically assigned group on a FortiWiFi using RADIUS attributes.

1. Active Directory prerequisites

Key considerations:

  • computers must exist in AD groups that correspond to their VLAN
  • the dNSHostName attribute is used as the username

2. Configuring the certificates

Go to Certificate Management > Certificate Authorities > Local CAs and create a new Root CA.
Go to Certificate Management > End Entities > Local Services and configure a certificate used for EAP-TLS.

Go to RADIUS Service > EAP and set up the EAP configuration.

If the client certificates were issued by a third-party CA rather than by FortiAuthenticator, that CA's certificate would have to be uploaded to FortiAuthenticator as a Trusted CA so that it can validate the client certificates presented during EAP-TLS.

In this example, FortiAuthenticator creates the client certificates.

Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the full DNS name of the intended computer.

Export the PKCS#12 file and passphrase protect it.

The client certificate can be pushed out using GPO (Group Policy Object). Otherwise, it can be imported manually.

3. Manually importing the client certificate – Windows 7

Manual import can be completed using MMC as shown.

Open Command Prompt and type mmc and hit Enter.

On the File menu, click Add/Remove Snap In.

Once imported, the certificate should show up under Local Computer and not Current User.

Export the FortiAuthenticator Certificate and Import that under Trusted Root Certification Authorities (again under Certificates (Local Computer)).

4. Configuring the Intel PROSet Supplicant (Windows 7)

The supplicant will automatically select the certificate associated with the computer, based on the configuration shown.

Under General Settings, set Operating Mode to Network [Infrastructure] – Connect to WiFi networks and/or the Internet.

Under Security Settings, be sure to enable Use the certificate issued to this computer.

With this configuration, no user interaction is required for 802.1x EAP-TLS: on startup, or whenever the supplicant attempts to connect to the WiFi, authentication and authorization are transparent to the user.

5. Configuring the FortiAuthenticator AD Server

Go to Authentication > Remote Auth. Servers > LDAP and create a new AD server.

Ensure that the Username attribute matches the AD attribute chosen in step 1 (dNSHostName).

Go to Authentication > User Management > Realms and create a new realm for these users.

6. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group with the RADIUS attributes shown.

7. Configuring remote user sync rules

Go to Authentication > User Management > Remote User Sync Rules and configure a new Remote LDAP User Synchronization Rule.

Go to Authentication > User Management > Remote Users and check to see if the sync rule worked.

8. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a RADIUS client to bring the configuration together on the FortiAuthenticator.

9. Configuring the FortiWiFi

Go to User & Device > Authentication > RADIUS Servers and set the FortiAuthenticator as the RADIUS server for the FortiWiFi.
Go to WiFi & Switch Controller > WiFi Network > SSID and configure the WiFi SSID interface.
Go to System > Network > Interfaces and configure a software switch combining the physical and WiFi interfaces.

10. Results

The authentication flow should initiate as soon as the domain computer starts up and attempts to join the WiFi network (the computer must be joined to the domain).

Using tcpdump, FortiAuthenticator shows receipt of an Incoming Authentication Request (tcpdump host 10.1.2.27 -nnvvXs):

01:09:34.674298 IP (tos 0x0, ttl 64, id 40954, offset 0, flags [none], proto UDP (17), length 212) 
  10.1.2.27.1025 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 184 
    Access-Request (1), id: 0x76, Authenticator: 4b859401ddb6c0fb95261e99fc8ef66a 
      User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net 
        0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961 
        0x0010: 642e 6e65 74
      NAS-IP-Address Attribute (4), length: 6, Value: 0.0.0.0 
        0x0000: 0000 0000 
      NAS-Port Attribute (5), length: 6, Value: 0 
        0x0000: 0000 0000 
      Called-Station-Id Attribute (30), length: 28, Value: 88-DC-96-27-72-68:fortinet
        0x0000: 3838 2d44 432d 3936 2d32 372d 3732 2d36 
        0x0010: 423a 666f 7274 696e 6574 
      Calling-Station-Id Attribute (31), length: 19, Value: 6C-88-14-C6-3D-58
        0x0000: 3643 2d38 382d 3134 2d43 362d 3344 2d35
        0x0010: 38
      Framed-MTU Attribute (12), length: 6, Value: 1400
        0x0000: 0000 0578
      NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11 
        0x0000: 0000 0013
      Connect-Info Attribute (77), length: 24, Value: CONNECT 11Mbps 802.11b 
        0x0000: 434f 4e4e 4543 5420 3131 4d62 7073 2038 
        0x0010: 3032 2e31 3162 

Continuing with tcpdump, an Access-Challenge is issued from FortiAuthenticator to the FortiWiFi (the RADIUS client, 10.1.2.27):

01:09:34.679881 IP (tos 0x0, ttl 64, id 58896, offset 0, flags [none], proto UDP (17), length 108)
  10.1.2.29.1812 > 10.1.2.27.1025: [bad udp cksum 0x18a3 -> 0xbe6a!] RADIUS, length: 80 
    Access-Challenge (11), id: 0x76, Authenticator: a4c016a41e6a0f46c17da49ff813bd6e 
      EAP-Message Attribute (79), length: 24, Value: .. 
        0x0000: 0101 0016 0410 f23e 13dd 795e 18fa 5dd5
        0x0010: 3e83 cb34 a99c
      Message-Authenticator Attribute (80), length: 18, Value:
        0x0000: eac9 2509 cbec 6895 804a deac 5de7 d6f8
      State Attribute (24), length: 18, Value: *...* ....... 
        0x0000: 2af7 1bfd 2af6 1fb9 8db9 f1f8 20ad 9cd4 

The next 14 messages are Challenge->Request EAP transactions between the FortiAuthenticator and the FortiWiFi.

The Access-Accept message carrying the RADIUS attributes is returned to the FortiWiFi:

01:09:36.517763 IP (tos 0x0, ttl 64, id 58903, offset 0, flags [none], proto UDP (17), length 225) 
  10.1.2.29.1812 > 10.1.2.27.1025: [bad udp cksum 0x1918 -> 0x1f60!] RADIUS, length: 197 
    Access-Accept (2), id: 0x7d, Authenticator: 989626b68773ac50c060d8306287984a 
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311) 
        Vendor Attribute: 17, Length: 50, Value: ?...e....NA=E.5.9..y........Q ^R=i..!j .........
        0x0000: 0000 0137 1134 80e3 aef1 65e0 1383 c34e
        0x0010: 413d 45bd 350d 39be ac79 04b8 90fa 1551
        0x0020: a4b7 10d3 09b6 f902 5e52 3d69 b3b4 216a
        0x0030: b48f 0ef2 0c08 9cd0
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 16, Length: 50, Value: z
        0x0000: 0000 0137 1034 8883 7a9b b11b 9488 f181
        0x0010: d179 29ba 7538 11eb 8311 3c22 1b62 9176
        0x0020: d0be f763 4617 670c d8ca 8659 7a14 d12c
        0x0030: 8064 5955 942b cc1a 
      EAP-Message Attribute (79), length: 6, Value: .. 
        0x0000: 0307 0004 
      Message-Authenticator Attribute (80), length: 18, Value: ....>k....? ...( 
        0x0000: 9aec 02c0 3e6b af8e defb 8020 e50b 0728 
      User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net
        0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961 
        0x0010: 642e 6e65 74 
      Vendor-Specific Attribute (26), length: 14, Value: Vendor: Fortinet (12356)
        Vendor Attribute: 1, Length: 6, Value: VLAN10
        0x0000: 0000 3044 0108 564c 414e 3130 

Post-authentication DHCP transaction is picked up by FortiAuthenticator (tcpdump continued):

01:09:39.765661 IP (tos 0x0, ttl 64, id 15537, offset 0, flags [none], proto UDP (17), length 300)
  10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 272, hops 2, xid 0x5a6b3f9e, Flags [none] (0x0000)
    Client-IP 10.1.2.9
    Gateway-IP 10.1.2.27
    Client-Ethernet-Address 6c:88:14:c6:3d:58
    Vendor-rfc1048 Extensions
      Magic Cookie 0x63825363
      DHCP-Message Option 53, length 1: ACK
      Server-ID Option 54, length 4: 10.1.2.1
      Default-Gateway Option 3, length 4: 10.1.2.1
      Domain-Name-Server Option 6, length 8: 212.159.6.9,212.159.6.10
      Time-Zone Option 2, length 4: 3600 

On the FortiAuthenticator, go to Logging > Log Access > Logs to verify the device authentication.

The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

On the FortiWiFi, go to WiFi & Switch Controller > Monitor > Client Monitor and note that the Group shown is the RADIUS attribute sent by FortiAuthenticator. Any firewall policy that references that group now applies to the computer.

Notes:

  • To view certificates in the local machine store, you must be running as an administrator.
  • If the Authentication tab is not visible under your LAN properties, you may need to configure the Wired AutoConfig service to start automatically.
  • The sync rule automatically imports computers in the AD group VLAN10 into the FortiAuthenticator user group VLAN10.
  • Users/computers should be visible under Remote Users. Certificate bindings must be completed manually.
  • The certificate CN has to match the Remote User computer name.

The post Wireless 802.1x EAP-TLS with computer authentication appeared first on Fortinet Cookbook.

Wireless 802.1x EAP-TLS with user authentication


In this recipe, you will configure and demonstrate wireless 802.1x EAP-TLS with user authentication.

In the example, you will set up FortiAuthenticator as the Root CA and client certificate issuer.

The example includes an Odyssey supplicant as well as a dynamically assigned group on a FortiWiFi using RADIUS attributes.

1. Configuring the certificates

Go to Certificate Management > Certificate Authorities > Local CAs and create a new Root CA.
Go to Certificate Management > End Entities > Local Services and configure a certificate used for EAP-TLS.

Go to RADIUS Service > EAP and set up the EAP configuration.

If the client certificates were issued by a third-party CA rather than by FortiAuthenticator, that CA's certificate would have to be uploaded to FortiAuthenticator as a Trusted CA so that it can validate the client certificates presented during EAP-TLS.

In this example, FortiAuthenticator creates the client certificates.

Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the AD user name.

Export the PKCS#12 file and passphrase protect it.

The client certificate can be pushed out using GPO (Group Policy Object). Otherwise, it can be imported manually.

2. Manually importing the client certificate – Windows 7

Manual import can be completed using MMC as shown.

Open Command Prompt and type mmc and hit Enter.

On the File menu, click Add/Remove Snap In.

Once imported, the certificate should show up under Local Computer and not Current User.

Export the FortiAuthenticator Certificate and Import that under Trusted Root Certification Authorities (again under Certificates (Local Computer)).

3. Configuring the FortiAuthenticator AD Server

Go to Authentication > Remote Auth. Servers > LDAP and create a new AD server.

Ensure that the Username attribute is the AD attribute that carries the user name used as the client certificate CN in step 1.

Go to Authentication > User Management > Realms and create a new realm for these users.

4. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group with the RADIUS attributes shown.

5. Configuring remote user sync rules

Go to Authentication > User Management > Remote User Sync Rules and configure a new Remote LDAP User Synchronization Rule.

Go to Authentication > User Management > Remote Users and check to see if the sync rule worked.

6. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a RADIUS client to bring the configuration together on the FortiAuthenticator.

7. Configuring the FortiWiFi

Go to User & Device > Authentication > RADIUS Servers and set the FortiAuthenticator as the RADIUS server for the FortiWiFi.
Go to WiFi & Switch Controller > WiFi Network > SSID and configure the WiFi SSID interface.
Go to System > Network > Interfaces and configure a software switch combining the physical and WiFi interfaces.

8. Results

In the Odyssey Access Client Manager, click Connect to the network. Once connected, the Status should read open and authenticated.

The authentication flow should initiate as soon as the supplicant makes a connection request.

Using tcpdump, FortiAuthenticator shows receipt of an Incoming Authentication Request (tcpdump host 10.1.2.27 -nnvvXs):

02:04:09.790423 IP (tos 0x0, ttl 64, id 9792, offset 0, flags [none], proto UDP (17), length 178) 
  10.1.2.27.1025 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 150 
    Access-Request (1), id: 0x9c, Authenticator: 874c50b16efbb87e593a5851e8361f10 
      User-Name Attribute (1), length: 6, Value: kash 
        0x0000: 6b61 7368
      NAS-IP-Address Attribute (4), length: 6, Value: 0.0.0.0 
        0x0000: 0000 0000 
      NAS-Port Attribute (5), length: 6, Value: 0 
        0x0000: 0000 0000 
      Called-Station-Id Attribute (30), length: 28, Value: 88-DC-96-27-72-6B:fortinet 
        0x0000: 3838 2d44 432d 3936 2d32 372d 3732 2d36 
        0x0010: 423a 666f 7274 696e 6574 
      Calling-Station-Id Attribute (31), length: 19, Value: 00-26-C6-6A-E6-B2 
        0x0000: 3030 2d32 362d 4336 2d36 412d 4536 2d42 
        0x0010: 32 
      Framed-MTU Attribute (12), length: 6, Value: 1400 
        0x0000: 0000 0578 
      NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11 
        0x0000: 0000 0013 
      Connect-Info Attribute (77), length: 24, Value: CONNECT 11Mbps 802.11b 
        0x0000: 434f 4e4e 4543 5420 3131 4d62 7073 2038 
        0x0010: 3032 2e31 3162 

Continuing with tcpdump, an Access-Challenge is issued from FortiAuthenticator to the FortiWiFi (the RADIUS client, 10.1.2.27):

01:09:34.679881 IP (tos 0x0, ttl 64, id 58896, offset 0, flags [none], proto UDP (17), length 108)
  10.1.2.29.1812 > 10.1.2.27.1025: [bad udp cksum 0x18a3 -> 0xbd92!] RADIUS, length: 80 
    Access-Challenge (11), id: 0x9c, Authenticator: c67b8d0f8805db68e57e9757deda20d0
      EAP-Message Attribute (79), length: 24, Value: .. 
        0x0000: 0101 0016 0410 8b8c ae75 4696 0a47 96fd 
        0x0010: 7c26 528a 097e 
      Message-Authenticator Attribute (80), length: 18, Value: ..... 1.!.q._.*[. 
        0x0000: @ad f1fd e931 1321 f571 f85f d12a 5bd3 
      State Attribute (24), length: 18, Value: .!&.. "..9[~.... 
        0x0000: ad21 2611 ad20 22e2 e539 5b7e 94e2 9a87 

The next 14 messages are Challenge->Request EAP transactions between the FortiAuthenticator and the FortiWiFi.

The Access-Accept message carrying the RADIUS attributes is returned to the FortiWiFi:

02:04:10.000998 IP (tos 0x0, ttl 64, id 44468, offset 0, flags [none], proto UDP (17), length 208) 
  10.1.2.29.1812 > 10.1.2.27.1025: [bad udp cksum 0x1918 -> 0x77e9!] RADIUS, length: 180 
    Access-Accept (2), id: 0x7d, Authenticator: 144538f6fd7f4b12d768e76f05709ae2 
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311) 
        Vendor Attribute: 17, Length: 50, Value: ..S.|..W...^.. ..h0p.U..~..{. P..|b7"............s..
        0x0000: 0000 0137 1134 80e3 aef1 65e0 1383 c34e
        0x0010: 413d 45bd 350d 39be ac79 04b8 90fa 1551
        0x0020: a4b7 10d3 09b6 f902 5e52 3d69 b3b4 216a
        0x0030: b48f 0ef2 0c08 9cd0
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 16, Length: 50, Value: .t._M.,...a...a.JhFz5.....2.;".."...D.y.=..{./..?.
        0x0000: 0000 0137 1034 8883 7a9b b11b 9488 f181
        0x0010: d179 29ba 7538 11eb 8311 3c22 1b62 9176
        0x0020: d0be f763 4617 670c d8ca 8659 7a14 d12c
        0x0030: 8064 5955 942b cc1a 
      EAP-Message Attribute (79), length: 6, Value: .. 
        0x0000: 0307 0004 
      Message-Authenticator Attribute (80), length: 18, Value: .c.b..m.G.ZH.'.6
        0x0000: 9aec 02c0 3e6b af8e defb 8020 e50b 0728 
      User-Name Attribute (1), length: 6, Value: kash
        0x0000: 6b61 7368
      Vendor-Specific Attribute (26), length: 14, Value: Vendor: Fortinet (12356)
        Vendor Attribute: 1, Length: 6, Value: VLAN10
        0x0000: 0000 3044 0108 564c 414e 3130 
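
Both this Access-Accept and the identical one in the computer-authentication recipe carry the same security-relevant content: the Fortinet Vendor-Specific attribute (vendor 12356, vendor attribute 1, value VLAN10) that the FortiWiFi uses to select the firewall policy, and the two integrity fields, the Response Authenticator in the header and the Message-Authenticator attribute, that stop a host on the path from injecting an Access-Accept with a group name of its own choosing. The following script is an added example, not Fortinet code and not part of either recipe: it builds such an Access-Accept, signs and verifies it, decodes the EAP result and the group name, and shows that rewriting VLAN10 to VLAN99 fails verification. The shared secret and the MS-MPPE key blobs are constructed placeholders; the Request Authenticator and identifier 0x76 are taken from the first Access-Request in the computer-authentication capture.

```python
"""RADIUS Access-Accept: build, verify, decode. Added example, not Fortinet code;
the secret and MPPE blobs are constructed, attribute numbers are from the dump."""
import hashlib
import hmac
import struct

FORTINET, FORTINET_GROUP_NAME = 12356, 1            # vendor 0x3044, vendor attr 1
MICROSOFT, MS_MPPE_RECV_KEY, MS_MPPE_SEND_KEY = 311, 17, 16
USER_NAME, VSA, EAP_MESSAGE, MSG_AUTH = 1, 26, 79, 80
ACCESS_ACCEPT = 2
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS"}
SECRET = b"constructed-shared-secret"                              # constructed
REQUEST_AUTH = bytes.fromhex("4b859401ddb6c0fb95261e99fc8ef66a")  # from the capture

def vsa(vendor, vtype, value):
    """Vendor-Specific attribute value: vendor id, vendor type, vendor length, data."""
    return struct.pack("!IBB", vendor, vtype, len(value) + 2) + value

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attributes(data):
    """Yield (type, value); a VSA value is unpacked to (vendor, vendor_type, data)."""
    i = 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        value = data[i + 2:i + length]
        if t == VSA:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            value = (vendor, vtype, value[6:4 + vlen])
        yield t, value
        i += length

def parse_eap(msg):
    """EAP header inside EAP-Message (0307 0004 above = Success, id 7, length 4)."""
    code, ident, length = struct.unpack("!BBH", msg[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        info["type"] = EAP_TYPES.get(msg[4], msg[4])
    return info

def message_authenticator(pkt, request_auth, secret):
    """RFC 3579: HMAC-MD5 over the packet, Request Authenticator in the header, MA zeroed."""
    out, i = bytearray(pkt), 20
    while i < len(out):
        if out[i] == MSG_AUTH:
            out[i + 2:i + out[i + 1]] = bytes(out[i + 1] - 2)
        i += out[i + 1]
    return hmac.new(secret, bytes(out[:4]) + request_auth + bytes(out[20:]), hashlib.md5).digest()

def sign_response(code, ident, request_auth, attrs, secret):
    """Server side: fill Message-Authenticator, then the Response Authenticator (RFC 2865 s.3)."""
    attrs = list(attrs) + [(MSG_AUTH, bytes(16))]
    pkt = build_packet(code, ident, request_auth, attrs)
    attrs[-1] = (MSG_AUTH, message_authenticator(pkt, request_auth, secret))
    pkt = build_packet(code, ident, request_auth, attrs)
    return pkt[:4] + hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() + pkt[20:]

def verify_response(pkt, request_auth, secret):
    """NAS side: both checks must pass before any attribute (group, keys) is honoured."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expect = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    given = dict(parse_attributes(pkt[20:])).get(MSG_AUTH)
    return (given is not None and hmac.compare_digest(expect, pkt[4:20])
            and hmac.compare_digest(message_authenticator(pkt, request_auth, secret), given))

def decode_accept(pkt):
    """What the FortiWiFi acts on: the user, the Fortinet group name(s), the EAP result."""
    out = {"user": None, "groups": [], "eap": None}
    for t, v in parse_attributes(pkt[20:]):
        if t == USER_NAME:
            out["user"] = v.decode()
        elif t == EAP_MESSAGE:
            out["eap"] = parse_eap(v)
        elif t == VSA and v[:2] == (FORTINET, FORTINET_GROUP_NAME):
            out["groups"].append(v[2].decode())
    return out

def expected_cert_cn(user_name):
    """host/<dNSHostName> needs a certificate CN of the FQDN; a user (kash) matches as-is."""
    return user_name[5:] if user_name.startswith("host/") else user_name

def sample_accept():
    """Constructed reply to the first Access-Request above; MPPE key blobs are dummies."""
    attrs = [(VSA, vsa(MICROSOFT, MS_MPPE_RECV_KEY, bytes(50))),
             (VSA, vsa(MICROSOFT, MS_MPPE_SEND_KEY, bytes(50))),
             (EAP_MESSAGE, bytes.fromhex("03070004")), (USER_NAME, b"host/leno.fortiad.net"),
             (VSA, vsa(FORTINET, FORTINET_GROUP_NAME, b"VLAN10"))]
    return sign_response(ACCESS_ACCEPT, 0x76, REQUEST_AUTH, attrs, SECRET)

if __name__ == "__main__":
    pkt = sample_accept()
    print(decode_accept(pkt), "genuine:", verify_response(pkt, REQUEST_AUTH, SECRET))
    print("VLAN99 forgery:", verify_response(pkt.replace(b"VLAN10", b"VLAN99"), REQUEST_AUTH, SECRET))
```

Run it directly to print the decoded attributes and the genuine/forged verdicts. The expected_cert_cn helper states the binding rule the notes repeat: a machine authenticates as host/<dNSHostName>, so the LDAP Username attribute must be dNSHostName and the client certificate CN the bare FQDN, while a user such as kash is bound to a certificate whose CN is the AD user name.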

On the FortiAuthenticator, go to Logging > Log Access > Logs to verify the device authentication.

The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

On the FortiWiFi, go to WiFi & Switch Controller > Monitor > Client Monitor and note that the Group shown is the RADIUS attribute sent by FortiAuthenticator. Any firewall policy that references that group now applies to the user.

Notes:

  • To view certificates in the local machine store, you must be running as an administrator.
  • If the Authentication tab is not visible under your LAN properties, you may need to configure the Wired AutoConfig service to start automatically.
  • The sync rule automatically imports users in the AD group VLAN10 into the FortiAuthenticator user group VLAN10.
  • Users should be visible under Remote Users. Certificate bindings must be completed manually.
  • The certificate CN has to match the Remote User name (the AD user name, as in step 1).

The post Wireless 802.1x EAP-TLS with user authentication appeared first on Fortinet Cookbook.

SAML 2.0 FSSO with FortiAuthenticator and Google G Suite


In this example, you provide a Security Assertion Markup Language (SAML) FSSO cloud authentication solution using FortiAuthenticator in conjunction with Google G Suite. The FortiAuthenticator acts as the authentication Service Provider (SP) and Google as the Identity Provider (IdP). The FortiGate has a WAN IP address of 172.25.176.92, and the FortiAuthenticator has the WAN IP address...

The post SAML 2.0 FSSO with FortiAuthenticator and Google G Suite appeared first on Fortinet Cookbook.


Preventing certificate warnings (CA-signed certificate)


In this recipe, you prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you’re using a CA-signed certificate, as presented here, your FortiGate’s default certificate, or a self-signed certificate. When you enable full SSL inspection, your FortiGate impersonates the...

The post Preventing certificate warnings (CA-signed certificate) appeared first on Fortinet Cookbook.

FortiToken Mobile Push two-factor authentication with RADIUS on a FortiAuthenticator

SAML 2.0 FSSO with FortiAuthenticator and Centrify

Replacing a power supply in FortiAuthenticator devices


If the power supply unit (PSU) for your FortiAuthenticator device is not working, you can either purchase a replacement PSU from Fortinet, or send the device back to the Fortinet RMA (Return Merchandise Authorization) department for replacement. For FortiAuthenticator models that support hot swapping, you can replace the failed PSU with a replacement without shutting...

The post Replacing a power supply in FortiAuthenticator devices appeared first on Fortinet Cookbook.

Installing FortiAuthenticator VM in vSphere

In this recipe, you will install and register FortiAuthenticator VM in a VMware ESXi environment and configure basic network settings in the vSphere console tab. This recipe assumes that you have already configured the VMware ESXi environment, installed the vSphere client, and acquired a FortiAuthenticator VM registration code, redeemable for a license file. 1. Downloading the FortiAuthenticator VM Log...