5 ways to use LDAP/LDAPS Configuration with FortiGate firewall

Captions
In this video we will configure our FortiGate to connect to an LDAP server or an LDAPS server, and then we'll go over five use cases as to how we can leverage that server on our FortiGate firewall.

On our LDAP server we have a group named test_group_1, and then we have some members of that group. The one that we'll be focusing on in general here is going to be testing123.

For us to add our LDAP server, we're going to go to User & Authentication > LDAP Servers and Create New. Let's name it Windows Server, put in the IP address, leave the port at the default here, and then put in the username and password. In this case we have the domain name fortinet.local, and the domain administrator is named administrator in this environment. We'll change the Common Name Identifier to sAMAccountName. This is so that when you authenticate to the VPN, or whatever you're trying to authenticate to via LDAP using the FortiGate, you can use just the account name. We might have a different case with something like userPrincipalName, where we want to use account name at domain.com, for example, but in our case let's go back and just leave it. For the most part this is what you'd set up: sAMAccountName. Then when we hit Browse here, as long as our credentials are correct, we should see a domain listing coming up on the right hand side, as the FortiGate is able to pull in this information from the LDAP server. I'm just specifying the top level here, and then we'll hit OK.

If we wanted to test it, we can go back in and test with user credentials. In this case I'm going to use that user testing123, put in the password, and there we have it, it's successful. This is a good test to run just to make sure that the communication between the FortiGate and the LDAP server is working and our connector is set up. At this point we could continue to configure other items that would be leveraging this server, such as an IPsec VPN, SSL VPN and a few others we'll get into in just a moment.

This next section is going to be optional, so if you're okay with just LDAP being configured between the FortiGate and the server, you can skip forward to the user group configuration, or you can stay with me here and let's configure LDAPS. We'll be modifying some settings to ensure that there's SSL-encrypted communication between our FortiGate and the server. We'll go into the configuration on the FortiGate side and on the server, but just to start, this is what is expected from a certificate perspective. In my case we're going to be creating a certificate authority named TTP Fortinet, and that certificate authority is going to sign a server certificate. That server certificate is going to be exported with both the public and private key; it's important that we have both in this case. Also, the domain name, or the computer name and the domain, needs to be part of the CN value of the certificate that we're signing. It seems to me, based on some research, that this is a requirement that Windows has. Finally, the Extended Key Usage must include Server Authentication as the extension. What I did is I created this TTP Fortinet certificate using a FortiAuthenticator. You don't necessarily need to use FortiAuthenticator; you could use Windows Server or any other third-party CA, but this is an idea of what the server certificate looked like on the FortiAuthenticator, and this is going to be the certificate that I'm going to import onto the Windows server in just a moment.

Now that we're on the server: this is our server certificate, here's our CA certificate, and we're going to need both on the Windows server side, but we'll only need the CA certificate on the FortiGate. Starting with the server certificate, let's install this to the local machine and put it in the Personal store.

Now we can take a look at the certificate that we just installed into the Personal store. Type in mmc.exe, add a new snap-in, specify Certificates, add the Computer account and hit OK. Now let's look at the Personal store. You can see there are a bunch of certificates; in this particular case the one that I installed a moment ago was this one right here, but you can see that there are a few other ones in here. We want to be able to specify that only the certificate that we just imported is the one that's going to be presented to the FortiGate when it's trying to communicate via LDAPS, and I believe how this is done is based off of the expiration date on the certificate. Right now it's February 5th, 2022, and the expiration date is February 1st, 2030, and that's the latest expiration date of any of the certificates that are in this store right now, so I believe that's the reason why this certificate that we've just imported is going to be the one that gets presented to the FortiGate.

Now, since we've imported that certificate, let's also import this CA certificate; that's a requirement as well. I like to select the store, and the store will be Trusted Root Certificate Authorities. There we have it: under our Personal store we have the server certificate, and under Trusted Root Certificate Authorities you can scroll down and here's the CA certificate.

Now back to our FortiGate. Let's go to System > Certificates. If we don't see the Certificates option here, go to Feature Visibility and enable Certificates; now we see the option. Let's import a CA certificate via a file, and upload and reference our CA certificate here. There we go.

Now back to our LDAP configuration. Let's take a phased approach. First, we just enable a secure connection with LDAPS and save that configuration. I like to just save the configuration and then come back into this screen to confirm that it's actually testing the configuration changes that we've made. There we go; that confirms that LDAPS works. In this case, because we have not specified a certificate, all we're doing is just using the certificate that is presented by the LDAP server. This is definitely a step above just using port 389 plain-text LDAP, but let's take it another step further now.

The next step is to specify a certificate. The certificate that we just imported, the TTP Fortinet CA certificate, will show up as CA_Cert_1 based on what we had configured under the certificate section, so let's save that as well. Perfect. This next step is confirming that this CA_Cert_1 certificate did sign the certificate that is presented by the LDAP server. Just for reference again, that CA_Cert_1, if we go back to System > Certificates, is what we just imported into the FortiGate.

As a final step, let's go back once more into that server and turn on Server Identity Check. What does that mean? That means that we're verifying the server domain name against the server certificate. Once we enable that and hit OK, we come back into it and notice that right now we cannot connect to the LDAP server. The reason why is that our Server IP/Name here is 192.168.111.105, which is not what we have configured as our CN; as our CN we actually have the full hostname of that server. We can fix that by first just making sure that we can actually reach that server via the hostname, so just make sure that your FortiGate DNS configuration is correct and that we can access that same server via the correct hostname, and then we'll actually change that Server IP/Name as well. And there we have it: now all the checks have passed, and we have that secure connection, a lot more secure than we had prior to enabling LDAPS.

The next step now is to identify a group or some groups that we want to be able to leverage in certain FortiGate configurations. Let's go to User Groups, Create New, and let's just create a FortiGate group that's called test group 1. That's going to reference a remote group, where we reference that server that we just created, and then we're importing all of these user groups here. Let's look for test_group_1 and add that group. There we go. Perfect.

Now let's use this user group in some real-life scenarios. Let's start with administrator logon to the FortiGate itself. Right now we're using the local user admin; let's add an integration for LDAP. We'll go to System > Administrators, create a new administrator, and in this case we're going to match all users in a remote server group. We'll name this, just to be consistent, test group 1 admin, and then we'll give super_admin access. The remote user group is going to be test group 1; again, this is the FortiGate user group that references test_group_1 on the LDAP server. We can configure any type of extra restrictions or trusted hosts if we want, but for this case let's just hit OK. Then let's log out and log back in with testing123 and our password, and there we have it. Just like that, we're able to use LDAP credentials to get into the FortiGate by using our credentials on the LDAP server. We have a log as well, which is good: if we go to Log & Report > Events > System Events, there we have it, we can see the login event from user admin. Let's also see... oh, you know what, this is going to the cloud. There we go, so now we have this login event, this audit trail as well.

Another item we can do is use LDAP for our SSL VPN authentication. If we go to SSL-VPN Settings here (for full configuration settings for SSL VPN from scratch, take a look at the video that I've linked just now; that video will have all the steps), since this particular tutorial is specific to just LDAP user groups, we're only going to be changing the group information specific to the SSL VPN settings right now. To do this, there are just a couple of items that we would have to add. One would be to add our user group to our portal mapping, so this is going to be test group 1; let's map it to full-access, for example, and hit Apply. Then we also need to ensure that on our firewall policy we allow for that as well, so we'll find the correct firewall policy, which is our SSL VPN to internal policy, and add the new user group that we want. So there are just two areas where we need to specify that user group. We'll just test with web mode SSL VPN; the same will apply if we were to use tunnel mode with FortiClient. Let's access that web mode configuration, enter testing123, put in our password, and there we have it: now we can access SSL VPN using those same LDAP credentials.

Now let's try IPsec VPN. If we go to VPN > IPsec Tunnels, let's click our dial-up tunnel that we've created in another video; again, I've linked the IPsec-specific configuration from scratch if you'd like to have a look at that. Let's go into the group-specific configuration, which would be our XAuth configuration here; we'll change it to test group 1. We only have to do it on this IPsec configuration, because with regards to IPsec we are only required to specify it on the IPsec interface configuration. If we did want to specify it on the policy only, we could click Inherit from policy, and then we would have to go to the policy in question and add the user group there, but in this case let's just stick with choosing the LDAP server here. Now let's test with our FortiClient application using IPsec VPN. Perfect.

Captive portal is another item where we can use our LDAP user credentials. If we go to our firewall policy section and pick a firewall policy where we want to enable a captive portal challenge, in the Source section for the user we can specify that test group and save our policy configuration. There we have it: we were able to authenticate to the captive portal by using the LDAP credentials. Now when we go back to the FortiGate, if we look at our User & Devices, or Firewall Users, dashboard widget, we can see information about the user that has authenticated successfully. Additionally, any logs that are associated with that IP address are now going to be saved associated with that username testing123, so let's take a quick look at that too. There we go; in our log here we can scroll down and see that the policy ID is number 1, and we also see that traffic prior to us successfully authenticating with this user was all, expectedly, denied.

Okay, so now let's go and disable that captive portal user group on that policy, policy ID number 1. A couple of other options will pretty much achieve the same end result, as far as the testing goes. Let's say, for example, we didn't want to specify the source user group for every single firewall policy that would be using the same source and/or the same source interface. In that case we could actually apply captive portal to the interface. If we go to the interface, the receiving interface, in this case internal, and scroll down, we look at the Security mode. I could change the security mode to Captive Portal, set the authentication portal to Local, and then restrict it to the following groups, in that case test group 1.

Another option that we would have would be for Wi-Fi access points broadcasting an SSID that requires captive portal authentication as well. Let's say we had FortiAPs in our environment; we can go to WiFi & Switch Controller > SSIDs and create a new captive portal SSID. In this case I've already created one, and when we scroll down here, as you can see, I've set that up as well where the captive portal security mode is enabled, so that users will see this as an open SSID that's broadcast, and then once they connect to that open SSID they will be required to authenticate to the captive portal before they're able to access the internet.

Okay, now the fourth and last captive portal example that we can use here would be to require authentication based off of a specific website category. Let's start by going to Security Profiles > Web Filter, and then we'll just click a web filter that we want to focus on; in this case we'll use the default web filter. Let's look for Information Technology; I think it'll be under General Interest - Business. Okay, and let's change this from Allow to Authenticate, and then we will specify that same user group and select OK. Then we'll go to our firewall policy and enable that security profile, Web Filter default. Now let's go back to our client. There we go; as we can see, the whole entire category of Information Technology will require us to authenticate first with a specific LDAP group before being able to access it. So that's just another way that we can use this captive portal feature.

Another item that we can do with our LDAP server is enable single sign-on. If we go to Security Fabric > External Connectors, Create New, we'll specify Poll Active Directory Server here. Now, just a disclaimer before we actually configure this: this is probably best suited for a fairly small authentication environment. The reason why is that in this particular case the FortiGate is going to be polling our Active Directory server directly, and it's going to be sifting through the event logs to be able to find the specific logins that are happening. Whereas if we took an approach such as this, which is FSSO Agent on Windows Active Directory, then in that case we would be handing off this load that currently will be taken by the FortiGate to a different device, so it might be either an FSSO collector agent or a FortiAuthenticator. So let's just keep that in mind again: this would be best suited for a small environment, but let's set it up anyway so that we get the idea of how it works. Additionally, our server would have to be configured to allow auditing from external devices on our Windows event log, so that might be something external that you'd have to take a look at on your Windows server.

Let's get into the configuration. We'll put in the IP address here, and then we're also going to reference that LDAP server. I think it just might take a moment; there we go, okay, it's up. Now we have to specify the user groups that we want the FortiGate to be aware of, so in this case I'm just going to go to the Users/Groups section on that connector, scroll down and find test_group_1. Okay, there we go, so we have one user group that we've added. Now let's go to our Windows machine and authenticate here, and let's go back to the FortiGate. Let's go to our User & Devices / Firewall Users dashboard widget. We can't see anything here, but in the top right corner click Show all FSSO logins, and there we have it: we can see now that there's a user, IP address, and a user group associated with that specific source IP. Why this is so valuable is that, transparently, the FortiGate was able to be aware of the user, IP and user group information about a particular machine without actually having to require the user to authenticate independently of what they regularly would be authenticating to on their Windows machine. What this will do is enrich our logs, similar to some of the other examples here. What it will also do, which is very valuable, is that it allows us to have control in our firewall policies. For example, on certain policies we can expect that the source matches this FSSO user group, so that users will only be able to access the internet if they have successfully authenticated as a user within the test_group_1 LDAP user group.

All right, so thanks for joining our LDAP and LDAPS FortiGate configuration along with five use cases, and we will see you in the next video. Thank you.
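The LDAP server, user group and administrator configured through the GUI in the transcript above, written out as FortiOS CLI so the weak and hardened states can be compared side by side. This is an added example, not configuration from the video or from Fortinet; the base DN dc=fortinet,dc=local (for "the top level"), the bind account form administrator@fortinet.local, the CN=Users path of the group DN, and the server FQDN are assumptions or placeholders.

```text
# Phase 1 (initial state in the video): plain-text LDAP on port 389.
# Credentials cross the wire unprotected; any on-path device can read the bind.
config user ldap
    edit "Windows Server"
        set server "192.168.111.105"
        set cnid "sAMAccountName"
        # assumed base DN for the domain fortinet.local
        set dn "dc=fortinet,dc=local"
        set type regular
        # assumed bind account form
        set username "administrator@fortinet.local"
        set password <ADMIN-PASSWORD-PLACEHOLDER>
        set secure disable
        set port 389
    next
end

# Phase 3 (final state in the video): LDAPS, chain verified against the
# imported CA (CA_Cert_1), and the hostname checked against the certificate CN.
# Server IP/Name must now be the FQDN in the CN and be resolvable via FortiGate DNS.
config user ldap
    edit "Windows Server"
        # placeholder for the server's full hostname
        set server "<SERVER-HOSTNAME>.fortinet.local"
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
        set server-identity-check enable
    next
end

# FortiGate user group mapped to the AD group test_group_1 on that server.
config user group
    edit "test group 1"
        set member "Windows Server"
        config match
            edit 1
                set server-name "Windows Server"
                # assumed DN path for the group
                set group-name "CN=test_group_1,CN=Users,DC=fortinet,DC=local"
            next
        end
    next
end

# Use case 1: administrator login matching all users of the remote group.
config system admin
    edit "test group 1 admin"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "test group 1"
    next
end
```

Leaving server-identity-check disabled while ca-cert is set still lets any certificate issued by that CA, for any hostname, pass; only the final phase binds the connection to the intended server.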
Info
Channel: ToThePoint Fortinet
Views: 12,345
Keywords: Fortinet tutorial, fortigate tutorial, fortigate ldap, fortigate ldaps, captive portal, fsso, fsso ldaps, fsso ldap, fortigate certificate, fortigate ldaps certificate, ldap ssl vpn, ldap ipsec vpn
Id: Zzua63UKPys
Length: 23min 56sec (1436 seconds)
Published: Fri Feb 11 2022