Authentication Ruleset, where is the decision which will be used?

Wurstsalat
2018/02/01 07:51:08 (permalink) 5.6

Hi there,
for example I have this (after upgrading 5.4 to 5.6):

config authentication rule
    edit "auth-rule4pol7"
        set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
        set ip-based disable
        set active-auth-method "auth-sch4pol7"
    next
    edit "auth-rule4pol3"
        set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
        set ip-based disable
        set active-auth-method "auth-sch4pol3"
    next
end

So basically both have the same criteria, so both may fit. Now I have looked at my previous explicit proxy rules; it is not mentioned there which authentication rule will be used. So how do I prioritise one authentication rule over another? Or how do I say this proxy policy should use this rule like it was in 5.4?
 
Hope someone can help
#1
Fishbone_FTNT
Re: Authentication Ruleset, where is the decision which will be used? 2018/02/01 07:54:58 (permalink), marked Best Answer by Wurstsalat 2018/02/01 22:41:39
Hi Wurstsalat,
rules are evaluated top-down, so the first one will match it all. The second is just the leftover from the upgrade process.
 
EDIT:
You are basically selecting which authentication to use based on the source IP address in the rule. Once a rule is matched, the authentication scheme specified in it will be used.
 
Fishbone)(
post edited by Fishbone_FTNT - 2018/02/01 07:58:22
#2
Wurstsalat
Re: Authentication Ruleset, where is the decision which will be used? 2018/02/01 22:43:23 (permalink)
Hi,
thanks for the response. So how do I reorder? Delete all existing ones and create them in the order I want?
Kind regards
#3
Fishbone_FTNT
Re: Authentication Ruleset, where is the decision which will be used? 2018/02/02 00:50:22 (permalink)
Hi Wurstsalat,
(btw awesome nickname! :))
You didn't share the auth schemes with us. But if they are the same, you can have only a single rule->scheme mapping pair.
You need to think of it as a policy-like selection of authentication methods. Top-down, the first matching rule selects the authentication methods, depending on whether it's passive (i.e. FSSO or RSSO) or active (Negotiate, NTLM, etc.).
 
Cheers,
Fishbone)(
#4
Wurstsalat
Re: Authentication Ruleset, where is the decision which will be used? 2018/02/02 01:06:44 (permalink)
No problem, if it helps, here they are:

config authentication scheme
    edit "auth-sch4pol7"
        set method ntlm
    next
    edit "auth-sch4pol3"
        set method ntlm
    next
    edit "auth-sch4pol5"
        set method ntlm
    next
    edit "sso-auth-sch4pol5"
        set method fsso
    next
    edit "auth-scheme-basic"
        set method basic
        set user-database "DC01" "DC02"
    next
    edit "auth-scheme-negotiate"
        set method negotiate
    next
end
 

I understand first match, but how can I reorder? For example, I want to test browser auth through Kerberos instead of NTLM; the first rule which matches my clients uses an NTLM scheme, and since my browser supports NTLM there is no further processing of the rules or other schemes
-> so I need to place a rule with a Kerberos scheme for the IP (range) of my test client at the top. Currently the only way I see is to delete all rules and recreate them in the wanted order.
 
Anyway, my keytab file wasn't created as described in http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Configuration%20-%20Explicit%20Proxy/Kerberos%20authentication%20for%20explicit%20proxy%20users.htm ... or is it only created after a client tried to access through Kerberos auth?
post edited by Wurstsalat - 2018/02/02 01:13:41
#5
Fishbone_FTNT
Re: Authentication Ruleset, where is the decision which will be used? 2018/02/02 03:41:53 (permalink)
Hi Wurstsalad,
for rules, you can use the "move" CLI command. For example:

config authentication rule
    move auth-rule4pol3 before auth-rule4pol7
end

For testing purposes, you can create a separate rule, add a src match, and move it to the top of the rule list.
 
The Kerberos keytab should be created immediately when you load it. So referring to the link you gave, there's nothing in the /tmp/kt directory (see section 2.5)?
 
Fishbone)(
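To make the top-down, first-match behaviour and the effect of "move" concrete, here is an added example (not code from the thread or from Fortinet): it parses a small "config authentication rule" block, picks the scheme for a client IP the way the posts describe, and reorders the rules. The address-object CIDRs, the rule name "auth-rule-krb-test" and the mapping of names to networks are assumptions constructed for the example.

```python
import ipaddress
import shlex

# Constructed address objects (CIDRs assumed for this example, not from the thread).
ADDRESSES = {"Inside-Network-Clients": "10.1.0.0/16", "Inside-Network-Server": "10.2.0.0/24",
             "VPNs": "172.16.0.0/12", "Kerberos-Testclient": "10.1.5.23/32"}
# Constructed rule table: the thread's broad rule plus a narrow Kerberos test rule added last.
CONFIG = """config authentication rule
    edit "auth-rule4pol7"
        set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
        set active-auth-method "auth-sch4pol7"
    next
    edit "auth-rule-krb-test"
        set srcaddr "Kerberos-Testclient"
        set active-auth-method "auth-scheme-negotiate"
    next
end"""

def parse_rules(cli_text):
    # Ordered list of {name, srcaddr, scheme}; the order is what first match depends on.
    rules, cur = [], None
    for line in cli_text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "edit":
            cur = {"name": tok[1], "srcaddr": [], "scheme": None}
        elif tok[0] == "set" and tok[1] == "srcaddr":
            cur["srcaddr"] = tok[2:]
        elif tok[0] == "set" and tok[1] == "active-auth-method":
            cur["scheme"] = tok[2]
        elif tok[0] == "next":
            rules.append(cur)
    return rules

def scheme_for(rules, client_ip):
    # Top-down: the first rule whose srcaddr contains the client wins; later rules are ignored.
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if any(ip in ipaddress.ip_network(ADDRESSES[a]) for a in r["srcaddr"]):
            return r["scheme"]
    return None

def move_before(rules, name, target):
    # Same effect as the CLI 'move <name> before <target>' inside 'config authentication rule'.
    r = next(x for x in rules if x["name"] == name)
    rules.remove(r)
    rules.insert([x["name"] for x in rules].index(target), r)
rules = parse_rules(CONFIG)
print(scheme_for(rules, "10.1.5.23"))      # auth-sch4pol7: the Kerberos test rule is shadowed
move_before(rules, "auth-rule-krb-test", "auth-rule4pol7")
print(scheme_for(rules, "10.1.5.23"))      # auth-scheme-negotiate
```

Before the move the test client is caught by the broad rule and never reaches the Kerberos rule, which is exactly the situation described in the thread.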
 
#6
Wurstsalat
Re: Authentication Ruleset, where is the decision which will be used? 2018/02/02 06:13:17 (permalink)
Fishbone wrote:
    For testing purposes, you can create a separate rule, add a src match, and move it to the top of the rule list. The Kerberos keytab should be created immediately when you load it. So referring to the link you gave, there's nothing in the /tmp/kt directory (see section 2.5)? Fishbone)(

Yep, there is nothing in /tmp/kt.

Base64 string is valid (rechecked twice).
Don't know what's wrong here.
 
Thanks for the move ;)
#7
Fishbone_FTNT
Re: Authentication Ruleset, where is the decision which will be used? 2018/02/02 06:16:52 (permalink)
If the base64 is okay ... is it a single line?
Sometimes people add correct base64 as a block with newlines, the way it's produced by default. The lines have to be concatenated into a single line.
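A small check for the single-line requirement described above, added here as an example (not part of the thread): it joins a base64 keytab that was pasted as a wrapped block and confirms the result still decodes cleanly. The keytab bytes are a constructed dummy, not a real keytab.

```python
import base64
import binascii

def single_line_keytab(blob):
    # Join a base64 block that arrived with newlines (the default output of most
    # base64 tools) into one line, and refuse it if it does not decode cleanly.
    joined = "".join(blob.split())
    try:
        base64.b64decode(joined, validate=True)
    except (binascii.Error, ValueError):
        return None
    return joined

# Constructed dummy keytab bytes, encoded with line wrapping like a default base64 dump.
WRAPPED = base64.encodebytes(b"\x05\x02" + b"constructed dummy keytab payload " * 3).decode()

if __name__ == "__main__":
    print(single_line_keytab(WRAPPED))
```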
#8
Wurstsalat
Re: Authentication Ruleset, where is the decision which will be used? 2018/02/02 06:47:13 (permalink)
Concatenated it to one line, no spaces, no line feeds.
#9
darhan
Re: Authentication Ruleset, where is the decision which will be used? 2018/02/11 21:14:20 (permalink)
Good afternoon, the question is, you need to save the browser password in the operating system, because to access the Internet a new provider requires you to enter credentials in the browser window, only after that the Internet will work. And it is necessary that when you turn on the computer, the password that you enter in the browser is automatically stored in the system, and you do not need to enter the password in the browser window (or even when the saved password is in the browser, you need to press continue) so that the system itself is authorized. In short, you need to save the password to the browser in Windows.


#10
Wurstsalat
Re: Authentication Ruleset, where is the decision which will be used? 2018/02/11 23:50:01 (permalink)
Nope, you are talking about forms-based authentication. If you use NTLM/Kerberos authentication there is no need for the user to enter any credentials after domain logon at the computer; this works with most browsers such as Firefox (configuration required), Chrome-based ones, Internet Explorer and Edge. This works for the explicit proxy as follows:
- Client sends an unauthenticated request
- Explicit proxy replies with HTTP 407
- Client automatically sends authentication information
- Depending on the proxy rules, the client gets access
 
Anyway, this was never the question ;)
#11
MarioRuisi
Re: Authentication Ruleset, where is the decision which will be used? 2019/02/11 01:48:45 (permalink)
Hi guys,
 
is there a way to build a rule with no authentication?
 
I have built up an explicit proxy in 5.6.7 with FSSO authentication. Anyway, there are some systems which are not members of our domain which need to access the internet.
 
For some reason I do not have the possibility to set up an authentication scheme/rule for no authentication.
 
Can someone help me?
 
Best regards
Mario
#12