FSSO DC Agent Mode, how to handle user logins from "non-domain-joined" devices?

thrillseeker · ‎11-25-2017

Hi,

For one of our customers we would like to implement FSSO in Agent Mode (FOS 5.4.x).

We will use FSSO only to control direct Internet access and therefore map the Webfilter-Profiles based on FSSO-User-Group in the firewall policy.

The question now is, how can we handle users logging in to the network on "non-domain-joined" clients (e.g. BYOD's like MacBook)?

I was just thinking about just using additional firewall policies with simple LDAP-Groups added to the source, so Users with "non-domain-joned" clients get presented a login form in their browsers when accessing the network for the first time. Unfortunately users then need to re-authenticate manually at least all 24h and this is definitely not what the customer want...

Of course the best solution would be to domain-join the BYOD devices like MacBooks but this is a more political then technical discussion I don't want to start yet...

Any ideas? How about your FSSO projects?

Thanks a lot for feedback

Regards

Thrillseeker

thrillseeker · ‎11-25-2017

Nobody? Really? ;)

Thanks

Thrillseeker

xsilver_FTNT · ‎11-27-2017

Hi,

there I see plenty of possibilities but you have to think about what you have in hands.

For example:

- the MacBooks can be joined to domain and utilize FSSO fully

- those BYODs are probably connected to WiFi, which might be RADIUS authenticated towards NPS on DC, so users log in with their corporate creds , so RSSO can be applied

- how about NTLM through Collector in policies so those with capable browser and with settings that FGT is in trusted NTLM URLs will provide creds to FGT via NTLM automatically whenever 401/407 auth required happen, others will be prompted

- how about Kerberos based Negotiate auth model in explicit proxy

.. just to name 4 different approaches which just came to my mind during few minutes thinking.

So check your resources and then choose the path suitable the most to your needs.

Best regards,

Tomas

BTW: nobody was interested past two days as we enjoyed a weekend. No big thrill, but still pleasant 2 days.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

thrillseeker · ‎11-27-2017

Hi Tomas,

Thanks for your feedback. You are right, it was weekend and next time will be more patient, I promise.

Regarding your thoughts:

- To join the MacBooks to the domain is my primary goal of course, but not it's a more political than technical challenge. But I will try to keep up the discussion with the customer again.

- WirelessLAN is out-of-scope for FSSO since this is a completely separated network with no connectivity to the corporate LAN today.

- Explicit proxy on FGT is also no solution since various limitations in FOS 5.4.x (some fixed in 5.6.x) customer wants to have all UTM features transparently on FGT.

- Yes a solution with NTLM would maybe be an option. Will this work in parallel with existing FSSO firewall policies let say as fallback option or do I need to create an exact copy of the existing FSSO policies just with NTLM option enabled? Do you know if NTLM option in firewall polices is supported with FMG 5.4.4 as well? Unfortunately I had no time to test NTLM in my lab, that's why I ask so many stupid questions..;-)

Thanks a lot

Cheers

Thrillseeker

xsilver_FTNT · ‎12-11-2017

NTLM is quite usually used as fall-back method to complement FSSO in case user fail in automatic FSSO.

How about to 'show full firewall policy X | grep ntlm' where X is IBP you've created with FSSO user group inside ?

You should see "set ntlm disable" and "set fsso-agent-for-ntlm '' " as default, while "set fsso enable" is there.

So you can set NTLM and also specify FSSO Agent used for it's processing, pointing to Collector Agent on some of your DC.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff