papapuff
New Contributor II

ask - Set user authentication for connecting to LAN/internet

hi there,

need advice here.

I have an FG 60D.

Can I set:

1. user authentication: whenever a device wants to connect to our network, it will require user authentication.

2. restrict some devices by hardware ID, either MAC address or something else.

If those can be done, kindly give a reference where I can find a "how to".

If I'm correct, I can set authentication based on IP.

thanks.

xsilver_FTNT
Staff

Hi papapuff,

ad 1. Yes; how about captive portal or 802.1X? Then whenever some other device connects through the FGT, the user will be prompted to authenticate.

ad 2. Yes; how about having the DHCP server assign IP addresses statically to known MACs (MAC-IP pairs)? Then you will always have a known MAC and device behind the IP. Be aware that a MAC can be forged. From this point of view it would need a bit more. Think about device-based identity, but in the FGT it is passive fingerprinting only, so it might be inaccurate. Then you can harden the access even more via SSOMA, a client app, standalone or part of FortiClient, reporting its presence to FAC and then being reported to the FGT as a well-known client via FSSO.

For more info have a look at http://KB.fortinet.com, http://Docs.fortinet.com or http://cookbook.fortinet.com/

Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

papapuff

hi there,

sorry to blow up this post again.

1. I searched for creating an access list based on MAC address, but couldn't find it.

Any help?

I want to restrict unknown devices so they can't connect to our LAN.

2. Also, if I use a managed switch and users connect to the LAN via that switch, can the FortiGate detect the users' MAC addresses?

3. Can I create a log for every device connected to the FortiGate (MAC, device name, when, traffic data)?

If so, where can I find the log?

Thanks.

Sudarsan_Babu

1. I searched for creating an access list based on MAC address, but couldn't find it. Any help? I want to restrict unknown devices so they can't connect to our LAN.

Firmware version: 5.2

http://cookbook.fortinet.com/user-device-authentication/

Firmware version: 5.4

http://cookbook.fortinet.com/user-device-authentication-54-video/

2. Also, if I use a managed switch and users connect to the LAN via that switch, can the FortiGate detect the users' MAC addresses?

a.) Yes. If you are using the DHCP server in the FortiGate you can see the MAC address and device identification (CPU usage may be high).

b.) If you are using DHCP from a Windows server then you can check the logs from the firewall (FortiCloud or syslog).

3. Can I create a log for every device connected to the FortiGate (MAC, device name, when, traffic data)? If so, where can I find the log?

Yes. You can check in FortiCloud or FortiAnalyzer.

Device name: you can check the device list under the User & Device option. You can also see the MAC address in the device list.

MAC: from the DHCP server ---> depends on firmware version: 5.2 (under the Network option), 5.4 (under Monitor).

Regards,

Sudarsan Babu P

xsilver_FTNT

If you want to keep unknown MAC addresses out of the net, then how about ...

1. Old-fashioned DHCP address assignment to known MAC addresses only. So basically pair a known MAC to a static IP in DHCP. A dynamically obtained static IP, sort of.

2. The newer approach is 802.1X port-based auth.

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

papapuff

hi there,

after long research,

I found that reserved IPs are not available for an interface with no DHCP enabled.

Also, a list of MAC addresses can't be recorded and built. Am I correct?

 

xsilver_FTNT

Hi,

"reserved IPs are not available for an interface with no DHCP enabled"

Yes, as IP reservation and MAC address lists are features of DHCP, it's not possible to achieve that without DHCP.

But it does not necessarily have to be DHCP on the FortiGate unit; the FGT can forward requests to another DHCP server.

As the implementation in the FGT is basic, maybe some Linux-based DHCP might be a better choice.

For MAC address listing you can turn on device discovery on the interface and the FGT will tell you a bit more about connected devices.

But still without the ability to assign/reserve an IP if there is no DHCP.

Kind regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

papapuff

hi Tomas,

thank you for your answer.

How do I make an access list by MAC address,

so only certain devices can connect to some ports?

thanks

xsilver_FTNT

Hi,

If you want to make that MAC based, then the simplest way from my point of view is the DHCP method ...

- DHCP assigning a certain range to well-known MAC-based clients

(for example 18:D2:F2:02:CA:F4 will always get the IP 192.168.42.69/24)

- refusing to assign an IP to unknown hosts

Then have a FW policy allowing just those known IPs or subnet. Drop the rest.

Alternatives mentioned are 802.1X (port access authentication) or some sort of user/guest management allowing access to just known users (identity-based policies).

Solutions similar to those described below:

http://cookbook.fortinet.com/802-1x-with-vlan-switch-interfaces-on-a-fortigate/

http://cookbook.fortinet.com/wifi-using-fortiauthenticator-radius-certificates/

http://cookbook.fortinet.com/forticonnect-guest-boarding-using-rsso/

Kind regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer
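A concrete FortiOS CLI sketch of the DHCP-reservation-plus-firewall-policy approach Tomas describes above, added here as an example; it is not from the original thread or from Fortinet documentation. It assumes a FortiOS 5.4-style CLI, an internal interface named `internal`, a WAN interface named `wan1`, the MAC/IP pair from the post, and that the `mac-acl-default-action` option is available on the running firmware.

```text
# Assumed FortiOS 5.4-style CLI. Known hosts get reserved leases inside
# 192.168.42.64/26; anything with an unlisted MAC is refused a lease.
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 192.168.42.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.168.42.65
                set end-ip 192.168.42.126
            next
        end
        config reserved-address
            edit 1
                set ip 192.168.42.69
                set mac 18:d2:f2:02:ca:f4
            next
        end
        # assumed option: refuse leases to MACs not in reserved-address
        set mac-acl-default-action block
    next
end
# Address object matching only the reserved range
config firewall address
    edit "lan-known-hosts"
        set subnet 192.168.42.64 255.255.255.192
    next
end
# Only that range may reach the internet; everything else falls through
# to the implicit deny policy. Logging is on so misses are visible.
config firewall policy
    edit 10
        set name "known-hosts-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-known-hosts"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

A host that configures a static IP inside the reserved range bypasses the DHCP check entirely, so the firewall policy (with traffic logging) is what actually limits access, and as Tomas notes, a MAC can be forged, which is why 802.1X is the stronger option.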
