Guest user is seen as domain user

Author
Deltarr
New Member
2018/01/09 06:34:50 (permalink)
0

Guest user is seen as domain user

Hello,
 
Our webfilter is flow-based and we have several AD groups that each have a specific web filtering profile (from no access to full access).
Everything is working fine for all users; the sites that need to be blocked are blocked.

My problem is when a guest connects to our Wifi. Sometimes (it's definitely not all the time), the web filter will restrict ALL sites.
I created a replacement page to get some information and I can see that the guest user (not in the domain) is referred to as a generic user that exists in our AD.
 
Since english is not my main language, here is a short example
 
On the domain, user "ABC" is part of the group "No access".
This group is linked to a web filter profile on the FortiGate that allows no website access.
If I log in with the user "ABC" and try to connect to any website, I get the FortiGate block page (which is what I want).

Now, a guest comes into our office and connects to our wifi (sadly we don't have separate access) to get internet access.
Sometimes, he will be blocked as if he were user ABC (the username on the block page is "ABC").

How can I be sure that users that are not part of the domain, using computers that are not part of the domain, don't get this problem?

I hope I'm clear enough... 
Let me know if you need more information

Thank you for your help
 
 
#1
dmcquade
Bronze Member
Re: Guest user is seen as domain user 2018/01/09 17:21:55 (permalink)
0
How do you have AD integrated with the Fortigate? If the group object is an FSSO group, make sure you enable FSSO on the rule in the advanced options
#2
Deltarr
New Member
Re: Guest user is seen as domain user 2018/01/10 01:01:13 (permalink)
0
I have 4 groups created in AD (all my AD users are members of 1 of these) and each one is a member of an FSSO group on the FortiGate.
Each one has a specific web filter rule (flow-based / SSL inspection) assigned to it.
 
What options are you speaking of?
 
 
What I don't understand is why a non-domain user using a non-domain computer is recognized as a domain user by the webfilter... note that he is never asked to enter any credentials at any time.
He is logged in with his local username.
And to be clear, it has happened to other people (no relationship between them) as well.
 
 
Thank you !
 
 
 
#3
dmcquade
Bronze Member
Re: Guest user is seen as domain user 2018/01/13 09:36:16 (permalink)
0
This option is available via the CLI or if you are using a FortiManager, the advanced options section. From the CLI run
config firewall policy
edit <policyId>
set fsso enable
end
 
If this option is set to disabled (default setting) it will ignore FSSO users and groups. Your guests are not authenticated to your AD. They are simply being allowed on the rule because the groups assigned to the rule are being ignored.
 
Hope that helps.
d
#4
Deltarr
New Member
Re: Guest user is seen as domain user 2018/01/14 23:51:40 (permalink)
0
Thanks for your input.
I've double checked my settings and fsso is ENABLED (see the full config below).
 
I still don't get why some guests, while browsing, get the block page (as they are not part of any group) and why they are identified on the FG as a specific user (always the same, by the way) that is a member of the "No Access" AD group used in one of the policies...
 
I used %%USERNAME%% on the block page to check and it always returns the same user.
If I remove this user from the AD group linked to the FG profile, the guest then has full access to all websites.
 
Again, thanks for your help.
 
- Fabien
 
Here is the full config of one of the policies:
 
policyid : 13
uuid : 794ceca8-5d42-51e5-afda-ef6d1c329723
srcintf:
 == [ internal1 ]
 name: internal1
dstintf:
 == [ wan1 ]
 name: wan1
srcaddr:
 == [ all ]
 name: all
dstaddr:
 == [ all ]
 name: all
rtp-nat : disable 
action : accept 
status : enable 
schedule : always 
schedule-timeout : disable 
service:
 == [ ALL ]
 name: ALL
utm-status : enable 
logtraffic : utm 
logtraffic-start : disable 
capture-packet : disable 
auto-asic-offload : enable 
wanopt : disable 
webcache : disable 
session-ttl : 0
vlan-cos-fwd : 255
vlan-cos-rev : 255
wccp : disable 
ntlm : disable 
ntlm-guest : disable 
ntlm-enabled-browsers:
fsso : enable 
rsso : disable 
fsso-agent-for-ntlm : 
groups:
 == [ BASIC_FILTERING ]
 name: BASIC_FILTERING
users:
devices:
auth-path : disable 
disclaimer : disable 
natip : 0.0.0.0 0.0.0.0
match-vip : disable 
diffserv-forward : disable 
diffserv-reverse : disable 
tcp-mss-sender : 0
tcp-mss-receiver : 0
comments : 
auth-cert : 
auth-redirect-addr : 
identity-based-route: 
block-notification : disable 
custom-log-fields:
tags:
replacemsg-override-group: 
srcaddr-negate : disable 
dstaddr-negate : disable 
service-negate : disable 
timeout-send-rst : disable 
delay-tcp-npu-session: disable 
profile-type : single 
av-profile : 
webfilter-profile : Basic_Filtering 
spamfilter-profile : 
dlp-sensor : 
ips-sensor : 
application-list : 
voip-profile : 
icap-profile : 
profile-protocol-options: default 
ssl-ssh-profile : certificate-inspection 
traffic-shaper : 
traffic-shaper-reverse: 
per-ip-shaper : 
nat : enable 
permit-any-host : disable 
permit-stun-host : disable 
fixedport : disable 
ippool : disable 
central-nat : disable 
redirect-url : 

 
 
post edited by Deltarr - 2018/01/14 23:52:55
#5
dmcquade
Bronze Member
Re: Guest user is seen as domain user 2018/01/15 06:38:14 (permalink)
0
Can you check the logs and see what rule is blocking the user? What are you using to get the AD information? Do you have a FortiAuthenticator or just using the software installed on the Domain Controllers? Either way, the list of users identified should show up in the Monitor - Firewall Users. Have a guest connect and search for the IP address to see if they are in this list.
 
Regards
D
#6
Deltarr
New Member
Re: Guest user is seen as domain user 2018/01/16 00:41:03 (permalink)
0
We did the following:
 
AD:
4 groups populated by user accounts (Full, Basic, Strict and No Access)
 
Fortigate:
4 User Groups (Fortinet Single Sign-On), each one having an AD group as a member
4 policies (using the 4 groups) + one without webfilter
 
Order of policies (LAN - WAN):
No Access
Strict
Basic
Full
All (no webfilter)
 
Detail of BASIC Webfilter policy:
 
 
 
The guest user gets the block page as if he were connected as one domain user (user account "VideoCad").
This is a generic user logged on to several computers in the company.
 
If I want to test this account, I open Chrome as this user (the account has a password) and I can check that the webfilter is working as intended. I tested this with CNN.com:
 
date=2018-01-16 time=09:32:06 logid=0316013056 type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" policyid=12 sessionid=61269217 user="VIDEOCAD" srcip=192.168.120.119 srcport=61020 srcintf="internal1" dstip=151.101.1.67 dstport=80 proto=6 service=HTTP hostname="www.cnn.com" profile="NO ACCESS" action=blocked reqtype=direct url="/favicon.ico" sentbyte=366 rcvdbyte=0 direction=N/A msg="URL belongs to a denied category in policy" method=domain cat=36 catdesc="News and Media" crscore=30 crlevel=high

 
Thanks again for your help :)

Attached Image(s)

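An added example, not from the thread or from Fortinet: a small parser for the key=value webfilter log format quoted above that groups block events by the FSSO-identified user and the source IPs it was attributed to, so a shared account such as VIDEOCAD appearing from several addresses (the situation described in this thread) stands out when reviewing the logs. The sample log lines below are constructed for illustration; the second and third are not from the original post.

```python
import re
from collections import defaultdict

# Constructed sample in the FortiGate key=value log format shown in the thread.
# The first line is the one quoted above (shortened); the other IPs, session ids
# and the user "ALICE" are made up for this example.
SAMPLE_LOGS = """\
date=2018-01-16 time=09:32:06 logid=0316013056 type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" policyid=12 sessionid=61269217 user="VIDEOCAD" srcip=192.168.120.119 srcport=61020 srcintf="internal1" dstip=151.101.1.67 dstport=80 proto=6 service=HTTP hostname="www.cnn.com" profile="NO ACCESS" action=blocked msg="URL belongs to a denied category in policy"
date=2018-01-16 time=09:40:11 logid=0316013056 type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" policyid=12 sessionid=61270001 user="VIDEOCAD" srcip=192.168.120.200 srcport=50112 srcintf="internal1" dstip=151.101.1.67 dstport=80 proto=6 service=HTTP hostname="www.cnn.com" profile="NO ACCESS" action=blocked
date=2018-01-16 time=09:41:30 logid=0316013056 type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" policyid=14 sessionid=61270100 user="ALICE" srcip=192.168.120.50 srcport=50200 srcintf="internal1" dstip=151.101.1.67 dstport=80 proto=6 service=HTTP hostname="www.cnn.com" profile="STRICT" action=blocked
"""

# key=value pairs; values are either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one FortiGate log line into a dict, stripping the quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def ips_per_user(lines):
    """Map each user named in a webfilter event to the source IPs seen for it."""
    seen = defaultdict(set)
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("subtype") == "webfilter" and rec.get("user"):
            seen[rec["user"]].add(rec["srcip"])
    return seen


def shared_accounts(lines, threshold=2):
    """Return users attributed to at least `threshold` distinct source IPs.

    An account the firewall maps to several addresses is the pattern from the
    thread: a generic login used on many machines, so any of those IPs is
    reported to the firewall as that user.
    """
    return {user: sorted(ips)
            for user, ips in ips_per_user(lines).items()
            if len(ips) >= threshold}
```

Feed the real log export (e.g. the forward-traffic/UTM log downloaded from the FortiGate) into `shared_accounts` and compare the listed IPs with the guest's address from Monitor - Firewall Users.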