ask - Set authentication user for connect LAN/internet

Author: papapuff (Silver Member)
2017/07/26 18:11:39 (permalink)

hi there,
 
need advice here.
I have an FG 60D.
can I set:
1. user authentication. whenever a device wants to connect to our network, it will require user authentication.
2. restrict some devices by hardware ID, either MAC address or something else.
 
if those can be done, kindly please give a reference where I can find the "how to".
 
if I'm correct, I can set authentication based on IP.
 
thanks.
#1

8 Replies

    xsilver_FTNT (Expert Member)
    Re: ask - Set authentication user for connect LAN/internet 2017/08/01 00:51:19 (permalink)
    Hi papapuff,
     
    ad 1. yes, how about a captive portal or 802.1x? So whenever some other device connects through the FGT, the user will be prompted to authenticate.
     
    ad 2. yes, how about having the DHCP server assign IP addresses statically to known MACs (MAC-IP pairs)? So you will always have a known MAC and device behind the IP. Be aware that a MAC can be forged. From this point of view it would need a bit more. Think about device-based identity, but in FGT it is passive fingerprinting only, so it might be inaccurate. Then you can harden the access even more via SSOMA, a client app, standalone or part of FortiClient, reporting its presence to FAC and then being reported to FGT as a well-known client via FSSO.
     
    For more info have a look at http://KB.fortinet.com , http://Docs.fortinet.com or http://cookbook.fortinet.com/
    Best regards,
    Tomas
    #2
    papapuff (Silver Member)
    Re: ask - Set authentication user for connect LAN/internet 2017/09/26 18:00:13 (permalink)
    hi there,
     
    sorry to blow up this post again.
     
    1. I searched for creating an access list based on MAC address, but couldn't find it.
    any help?
    I want to restrict unknown devices so they can't connect to our LAN.
     
    2. also, if I use a managed switch, and users connect to the LAN via that switch, can the FortiGate detect the user's MAC address?
     
    3. can I create a log for every device connected to the FortiGate (MAC, device name, when, traffic data)?
    if so, where can I find the log?
     
    Thanks.
    #3
    Sudarsan Babu (New Member)
    Re: ask - Set authentication user for connect LAN/internet 2017/09/26 18:25:42 (permalink)
    1. I searched for creating an access list based on MAC address, but couldn't find it.
    any help?
    I want to restrict unknown devices so they can't connect to our LAN.
     
    Firmware version: 5.2
     
    http://cookbook.fortinet.com/user-device-authentication/
     
    Firmware version: 5.4
     
    http://cookbook.fortinet.com/user-device-authentication-54-video/
     
    2. also, if I use a managed switch, and users connect to the LAN via that switch, can the FortiGate detect the user's MAC address?
     
    a.) yes, if you are using the DHCP server in the FortiGate you can see the MAC address & device identification (CPU usage may be high).
    b.) if you are using DHCP from a Windows server, then you check the logs from the firewall (FortiCloud or syslog).
     
    3. can I create a log for every device connected to the FortiGate (MAC, device name, when, traffic data)?
    if so, where can I find the log?
     
    Yes. You can check in FortiCloud or FortiAnalyzer.
    Device name: can be checked in the device list under the User & Device option. You can also see the MAC address in the device list.
    MAC: from the DHCP server ---> depends on the firmware version: 5.2 (under the Network option), 5.4 (under Monitor).
     
    #4
    xsilver_FTNT (Expert Member)
    Re: ask - Set authentication user for connect LAN/internet 2017/09/27 07:15:40 (permalink)
    if you want to keep unknown MAC addresses out of the net, then how about ...
     
    1. old-fashioned DHCP address assignment to known MAC addresses only. So basically pair known MACs to static IPs in DHCP. Dynamically obtained static IP, sort of.
     
    2. the newer approach is 802.1x port-based auth

    Kind Regards,
    Tomas
    #5
    papapuff (Silver Member)
    Re: ask - Set authentication user for connect LAN/internet 2017/10/12 08:51:21 (permalink)
    hi there,
     
    after long research,
    I found that reserved IPs are not available for an interface with no DHCP enabled.
     
    also, a list of MAC addresses can't be recorded and built. am I correct?
     
    #6
    xsilver_FTNT (Expert Member)
    Re: ask - Set authentication user for connect LAN/internet 2017/10/13 05:02:55 (permalink)
    Hi,
     
    "reserve IP not available for interface with no dhcp enable"
    Yes, as IP reservation and MAC address lists are features of DHCP, it's not possible to achieve that without DHCP.
    But it does not necessarily have to be DHCP on the FortiGate unit; the FGT can forward requests to another DHCP server.
    As the implementation in FGT is basic, maybe some Linux-based DHCP might be a better choice.
    For MAC address listing you can turn on device discovery on the interface and the FGT will tell you a bit more about connected devices.
    But still without the ability to assign/reserve IPs if there is no DHCP.
     
    Kind regards,
    Tomas
    #7
    papapuff (Silver Member)
    Re: ask - Set authentication user for connect LAN/internet 2017/10/15 09:41:08 (permalink)
    hi Tomas,
    thank you for your answer.
     
    how do I make an access list by MAC address?
    so only certain devices can connect to some ports?
     
    thanks
    #8
    xsilver_FTNT (Expert Member)
    Re: ask - Set authentication user for connect LAN/internet 2017/10/16 02:31:40 (permalink)
    Hi,
     
    if you want to make that MAC-based, then the simplest way from my point of view is to have the DHCP method ...
    - DHCP assigning a certain range to well-known MAC-based clients.
    (for example 18:D2:F2:02:CA:F4 will always get the 192.168.42.69/24 IP)
    - refusing to assign IPs to unknown hosts
    Then have a FW policy allowing just those known IPs or subnet. Drop the rest.
     
    Alternatives mentioned are 802.1x (port access authentication) or some sort of user/guest management allowing access to just known users (identity-based policies).
    Solutions similar to those described below:
    http://cookbook.fortinet.com/802-1x-with-vlan-switch-interfaces-on-a-fortigate/
    http://cookbook.fortinet.com/wifi-using-fortiauthenticator-radius-certificates/
    http://cookbook.fortinet.com/forticonnect-guest-boarding-using-rsso/
     
    Kind regards,
    Tomas
    #9