4 Creating User Groups using LDAP and Applying them to Firewall Policies

Captions
Hello everyone, this is Devin Adams. I'm a Fortinet instructor here in Tempe, Arizona, and this is another video in our authentication with the FortiGate demo. So anyways, in our last video we saw how to set up LDAP, and I kind of got carried away, guys, I'm sorry about that. I wanted to actually stop there and then, you know, make the video shorter, but I went off on a tangent doing all the admin accounts. So anyways, the only thing I really want to add about the last video: if you're gonna use the LDAP connector for anything, even if you don't want to authenticate users through the firewall, at least do it for the admin accounts, right? I mean, that way you don't have to, you know, manage any of your admin accounts or what have you. Even for yourself, even if you're the person that only uses the FortiGate, you can still do an LDAP to tie it to your Windows credentials, just so, you know, you have one password policy to maintain, you have one whatever. So anyway, moving on.

Like I said, I'm really trying to keep these short, and of course I'm doing these really late at night, so I'm sorry if I start slurring my words. But in this video we have a goal, and that goal, now that we have remote authentication tied into our Active Directory domain controller down here, is to make the remote groups. So the whole idea here is that as people get hired into our organization, as they get assigned to user groups, right, we can then have them authenticate actively through the firewall, and that's the key word there, actively: they're gonna be prompted. But we can control their access, right, by their group membership. Now we kind of did that earlier in our first video, right, when we did local accounts; it's the same thing. So I'm actually gonna... I made some decisions here. I'm not going to get too picky about that in this video. I might save the different authentication levels or access levels for when I do passive authentication, all right? And so, because honestly, once the groups are there, once they are authenticated, it doesn't matter if it's active or passive in the sense of access control, right? It's just like, this group, regardless of how they authenticate, right, is gonna match this firewall policy, which allows these certain things or doesn't allow these certain things.

So anyways, let's dive into it. All right, so we have not assigned any users into any groups on the firewall. So before I get started I'm gonna click into my domain controller, and this is the domain controller that we set up in the test lab, or in the C for test lab. So if I go to my Users and Computers, and I even pinned it down here because I'm gonna be going here all the time. Just as a little review, how do you get there, for you that might not be as adept with Windows Server: you can go to Server Manager, Tools, Users and Computers. I just right clicked and pinned it on the taskbar, 'cause we're gonna be coming here quite a bit. So you guys saw in the last video we had Bill and Devin that were part of the support group, so that is one of our groups. All right, we also have the sales group, see, the security group sales. We also have a marketing group, and we also have a management group. So those are the groups I'm gonna make on the FortiGate. So instead of defining individual users, I'm just gonna say, hey, you know, for this remote group, do a query, right, to the Active Directory, see what users are authenticating, bring back their group membership and then match them to these groups that we're doing. So let's do that right now.

Okay, so let's go to our FortiGate, and I'm gonna go to my Users and Devices and User Groups. All right, here we go. So I'm gonna say Create New, and this group is a firewall group, all right? And so we're gonna call this, let's just start with support, and we're going to say use the domain controller, and anyone that authenticates and comes through as a support group is associated with this user group we just created on the FortiGate. All right, and you can kind of see it right there. Now hit OK. All right, we also had a... and we're gonna do this for all of our groups that we have. So we also have a management group, all right, for our domain controller. All right, there. Nope, management. Hey, okay, there we go. Now when you click this, make sure that it actually adds; you can verify it right there: management, management. All right, so you can see how you can see the schema; you could actually do individual users if you want to, but that's a lot of work. We're just gonna hit OK. All right, now what else do we got here? So all right, so we have a support group, we have our management group, let's do our sales group. I saw that one earlier, so here we go, sales. All right, freakin' beans, okay. 'Cause we don't want to be maintaining accounts in several places, guys; that's not best practice. So here we go, sales. Might as well let our sysadmins do it; they're too busy blaming us on the firewall anyways. So here we go. All right, what else did we have? We had a marketing group, and I think that's it in this example. So marketing, here we are, and, let's see here, all right, there we go. Excellent. So there you guys go, I mean, that is it. Not too shabby, huh?

So you know what, I'm gonna do a catch-all. All right guys, ready? A catch-all. So anyone that authenticates into the domain controller is automatically part of the Domain Users group. So I can do something like this if I just wanted a generic Windows users, right, or Domain Users, and add them there, just something I thought of off the top of my head here. All right, so Domain Users, perfect. All right, let's see what we got here. Okay, so let's go back to our firewall policy, all right, Policy and Objects, IPv4. All right, pork and beans here anyways. But here we're gonna say not users, okay, so we're done with these guys, but we are gonna want the marketing group, the management group, right, the sales group, okay, and also the support group. And this way, when someone logs in, we can actually see their individual management. Now if we didn't do any of those and we used just Windows users, they'd still authenticate through, and that's fine, but it would show them just as Windows users. I actually want to see their departments; that's why we went through the work to do that. So here we are, all right, I'm gonna hit OK, and I'm done with the pork and beans one. So here we go, let's just delete this policy, no big deal. So they're still going to be prompted, right, but in theory, just because they're all matching the same firewall policy here, because like I said, I'll do the access control more when we do passive authentication, just so I don't have to do the same lesson twice.

But if I hop back over to my FortiGate and I look at my users, I mean, in theory I could pick any one of these people, all right, Sally, Jane, right, Devin, Bill, and I should be able to pass through. So let's check it out. So all right, oh, let's do this. So where should we go, guys? eBay. eBay, spun, oh, but doing coal, is that even a word? All right, let's try it. Jane, all right, did it work? Does she authenticate? Are we at eBay? Holy smokes, we are. Happy times. All right, not too bad. Okay, so let's see what happened there. So if we go to our User and Devices and we go to our, nope, come on, see, I still think User Monitor is underneath User and Devices, all right, here we go, well, users. Oh, Jane, there she is, lovely times, management, right? So all right, Jane into the line. Let's try someone else. I'm gonna try Paul this time. So Paul's trying to get to, I don't know, plentyoffish.com, it's a dating website. Ah, I'll see, who are you? Well, I'm Paul, good old Paul. All right, Paul, our sales guy. All right, yeah, he's there, he's looking for his... Paul, anyways. See, our way up, all in the sales group. So you guys see how this goes beyond just having an IP address, right? I mean, that's getting to the point of, like, and I know it's not the right term, but non-repudiation, right? People can't repudiate that it was them or not, if we have enough of these layers of authentication.

So, but as you can see, it's still pretty intrusive, all right? So in other words, they're being interrupted and being prompted. So I had someone in one of my classes be like, no, you know, I work at a court system, you get one of those judges, right, and they're very smart people, but if they have to authenticate through a webpage they're just gonna be like, oh heck no, not gonna do it. So that's gonna lead us into passive authentication. Now, the passive authentication, I've already recorded a demo on FSSO. It's a very basic one, though, all right? Now what I want to do here is to kick it up a notch, okay, kick it up a notch. So I'm actually gonna try, on purpose, to be as complicated as possible in the sense of detail-wise, all right? And so, complicated was probably the wrong word, that was a Freudian slip: complex, as complex a setup as we can get with as little resources as we have here in our testing environment. So anyways guys, so there you go. And then obviously we can write different firewall policies for different user groups, have them be able to go to different websites or access different resources according to their user group membership.

Ah, let's try it one more time. Let's get rid of Paul, let's just try it for fun. Here we go, let's go to, let's see here, amazon.com, sure. Oh no, okay, look, it won't even let me click through to get the cert. I'll go... that's so weird. Okay, let's try here, ah, AliExpress, continue anyways, continuing anyways. I mean, now it gave me the SSL error there, it did it before, so I'm gonna have to do a whole 'nother series on cert errors because I think that one has value too. So okay, here we go, let's try, uh, Sally is trying to go to, what is it, AliExpress, maybe get some box of widgets or something. No, no, here we are, you know, there you go, I mean, she got through. So, and what's nice though, you know, as people change job roles, change groups, I mean, we don't have to do anything on the firewall. It's just, this person matches this group based off of their domain controller or domain group membership, and our firewall rules will do the rest. So it's just so fun I had to do it twice. Oh, I was even there. All right guys, there you go, same, marketing, yes, Sally. So there you guys go, that is remote authentication, right, with active authentication. So, a remote authentication server using LDAP and active authentication.

Now when we get back, very many, very many videos coming up, I don't know how many I can do tonight, it's getting close to 11 over here in Arizona, but, what do you call it, we're just gonna take it very slow, and we're gonna do the FSSO, which is the Fortinet Single Sign-On solution, and yeah, we're gonna try to be as complex as possible and try to fix every little caveat instead of just using this magic of YouTube, right, where we can pause and fix things. So all right, I hope someone found that helpful, and yeah, I'll see you guys just here in a few. All right, take care.
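The video does everything in the FortiGate GUI. As an added reference (constructed for this page, not taken from the video or from Fortinet documentation), here is the FortiOS CLI equivalent of the same steps: one LDAP server object for the lab domain controller, one firewall user group per AD security group that matches on the group's distinguished name, a Domain Users catch-all, and one IPv4 policy that only matches members of the four department groups. The server name lab-dc, the 192.0.2.10 address, the bind account, the password placeholder and the DC=lab,DC=example,DC=com tree are all assumptions; replace them with your own values, and check the real DN of each group in Active Directory Users and Computers (Attribute Editor, distinguishedName) because the match is on the full DN string.

```text
# Constructed example: FortiOS CLI equivalent of the GUI steps in the video.
# Server name, address, bind account, password and DNs are placeholders.
config user ldap
    edit "lab-dc"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "DC=lab,DC=example,DC=com"
        set type regular
        set username "CN=fgt-ldap-bind,CN=Users,DC=lab,DC=example,DC=com"
        set password "REPLACE-WITH-BIND-PASSWORD"
    next
end

# One firewall group per AD security group, matched on the group DN.
config user group
    edit "support"
        set member "lab-dc"
        config match
            edit 1
                set server-name "lab-dc"
                set group-name "CN=support,CN=Users,DC=lab,DC=example,DC=com"
            next
        end
    next
    edit "sales"
        set member "lab-dc"
        config match
            edit 1
                set server-name "lab-dc"
                set group-name "CN=sales,CN=Users,DC=lab,DC=example,DC=com"
            next
        end
    next
    edit "marketing"
        set member "lab-dc"
        config match
            edit 1
                set server-name "lab-dc"
                set group-name "CN=marketing,CN=Users,DC=lab,DC=example,DC=com"
            next
        end
    next
    edit "management"
        set member "lab-dc"
        config match
            edit 1
                set server-name "lab-dc"
                set group-name "CN=management,CN=Users,DC=lab,DC=example,DC=com"
            next
        end
    next
    # Catch-all: every domain account is a member of Domain Users.
    edit "domain-users"
        set member "lab-dc"
        config match
            edit 1
                set server-name "lab-dc"
                set group-name "CN=Domain Users,CN=Users,DC=lab,DC=example,DC=com"
            next
        end
    next
end

# Policy that prompts (active authentication) and only passes the four
# department groups; the catch-all is deliberately left out so the user
# monitor shows the department group, not just "domain-users".
config firewall policy
    edit 1
        set name "ldap-groups-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "support" "sales" "marketing" "management"
        set nat enable
    next
end
```

Two checks are worth running before trusting the policy. `diagnose test authserver ldap lab-dc jane <password>` binds as that user and prints the group DNs the FortiGate received, so a typo in a group-name value shows up as the user authenticating but matching no group. `diagnose firewall auth list` is the CLI counterpart of the User Monitor page the video uses: it lists each authenticated user with the group that matched, which is the record you want if you are relying on this for the per-user accountability the video calls non-repudiation.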
Info
Channel: Devin Adams
Views: 13,613
Keywords: FortiGate, Authentication, Remote Groups
Id: TzBzrPSSLZ8
Length: 14min 28sec (868 seconds)
Published: Fri Apr 13 2018