Only FSSO Agent Authentication working - Issues with NTLM and LDAP

Author
Rob_it
New Member
2018/09/20 05:29:16 (permalink)
0

I am having a major headache with our 500D (firmware 5.6.5) and I’m sure it’s some fundamental setting I am missing.
 
FSSO is configured on the FortiGate, with an FSSO user group pointing to the AD user group for internet access.
IPv4 policy set up as follows: Source: all + FSSO group above; Dest: all     <--  This is working fine, logging IP and AD users!
 
I have been trying for some time to get an alternative method of authentication to help non-domain devices and Apple Macs to get internet access. We just need a pop-up box, or web authentication, to verify an account against AD.
 
So far I have tried:
 
NTLM authentication via an IPv4 policy (NTLM enabled via CLI) – no pop-up box appears. It just fails with a page not found. Without the FSSO or LDAP user group tagged on the rule, the device gets internet.
 
NTLM, FSSO group and LDAP all tried using both Transparent and Explicit proxy rules. Again, the proxy policies both work fine without user groups - but when they are added I get “Access Denied – The page you requested has been blocked by a firewall policy restriction”.
I followed Cookbook recipes such as this one for the above.
 
I don’t mind if the device gets a pop-up login box or a web authentication box, but as soon as I introduce a user group, the policy fails.
Am I missing some global setting to allow these other methods of authentication?
 
Help would be greatly appreciated.
 
Thank you for reading.
post edited by Rob_it - 2018/09/20 06:08:25
#1

3 Replies

    AlfonsoGTS
    New Member
    Re: Only FSSO Agent Authentication working - Issues with NTLM and LDAP 2018/10/04 07:46:43 (permalink)
    0
    Hi guys,
     
    I have the same situation with the same firmware.
    Please help.
     
    NTLM enabled on the FSSO Collector
    NTLM enabled on the policy
    FSSO working properly
     
    Regards.
    Alfonso Pereira.
    #2
    Rob_it
    New Member
    Re: Only FSSO Agent Authentication working - Issues with NTLM and LDAP 2018/10/04 10:37:44 (permalink)
    0
    Hi Alfonso, 
     
    Hope this helps. I ended up raising a ticket with their support; this was their reply. It worked for me.
     
    Really hope it helps
    Rob
    ~~~~~~~~~~~~~~~~~~
    - You will need to change the groups to the FSSO groups you set up in the firewall proxy policy
    - Please add the following authentication scheme and rule:
     
    config authentication scheme
        edit "NTLM"
            set method ntlm
        next
    end
     
    config authentication rule
        edit "NTLM-RULE"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "NTLM"
        next
    end
     
    - Set the active-auth-scheme to "NTLM"
     
     
     
    #3
    dieter
    Bronze Member
    Re: Only FSSO Agent Authentication working - Issues with NTLM and LDAP 2021/06/16 03:55:37 (permalink)
    0
    Sorry to respond to an old topic. What do you mean by "You will need to change the groups to the FSSO groups you set up in the firewall proxy policy"?
     
    And how do you set the active-auth-scheme to "NTLM" ?
    post edited by dieter - 2021/06/16 03:57:49
    #4
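The following is an added example, not from the thread or from Fortinet support, putting the scheme and rule from the support reply together with the `config authentication setting` step that the last reply asks about and a proxy policy that references the groups. It assumes FortiOS 5.6 syntax, that the explicit web proxy is already enabled on the client-facing interface, that an FSSO group named FSSO-Internet and an LDAP group named LDAP-Internet already exist, and that the FSSO collector agent (placeholder <your-fsso-agent>) has NTLM enabled; wan1 and the group names are constructed.

```text
# Scheme: NTLM credentials are checked through the FSSO collector agent
# (assumed option name; confirm it exists on your firmware build)
config authentication scheme
    edit "NTLM"
        set method ntlm
        set fsso-agent-for-ntlm "<your-fsso-agent>"
    next
end

# Rule: apply the NTLM scheme to HTTP from any source, per-session not per-IP
config authentication rule
    edit "NTLM-RULE"
        set status enable
        set protocol http
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "NTLM"
    next
end

# Global setting: the scheme used when a policy with user groups
# has to actively authenticate a user (the "active-auth-scheme" step)
config authentication setting
    set active-auth-scheme "NTLM"
end

# Explicit proxy policy that only passes members of either group;
# without the groups the policy would pass everyone, as the thread observed
config firewall proxy-policy
    edit 1
        set proxy explicit
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "FSSO-Internet" "LDAP-Internet"
        set logtraffic all
    next
end

# Checks: proxy users that have actively authenticated, and FSSO logons
diagnose wad user list
diagnose debug authd fsso list
```

The `#` lines are explanatory and should be left out when pasting into the CLI; if a non-domain client still gets "page not found", the first thing to confirm is that the client actually reaches the explicit proxy port rather than the IPv4 policy.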