Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lorenzo_mao
New Contributor

User authentication on non standard protocol

Hello All,

I'm facing an issue creating group-based policies for non-HTTP protocols.

Let's assume I have a management network where the admin interfaces of some equipment reside.

If the management interface is reachable over HTTP(S), I can just add the user group to the rules allowing this traffic, and the user will be redirected to the authentication portal.

If the protocol is something else instead (RDP, for example), the FW authentication does not occur and the connection fails.

With other FW vendors we used to have a web page where a user can "spontaneously" authenticate, so that the subsequent sessions can be authorized by the firewall.

What is the solution with Fortinet? Is it possible to create some kind of authentication portal like https://myfw.contoso.local/auth and have the users authenticate before trying to access the resource?

Thanks

commutator
New Contributor III

Have you made any progress on this? I'm facing the same issue. I proposed to the client that we create an "authentication" VLAN with a web server and essentially just a custom "Hello World" HTML page. Admins needing access to sensitive management VLANs will browse to this page on the authentication VLAN and be challenged (unless already authenticated) for token+PIN. Then identity policies will let them access other VLANs as appropriate. I didn't see a way for the FG to host this auth portal. I've not been able to try it yet as we're working on another project first.

We've considered using SSL VPN while internal but ruled that out for now.

...Fred

lorenzo_mao

Hello,

Unfortunately not.

I was thinking the same, but I haven't implemented it yet.

Lorenzo

commutator

We got to it yesterday afternoon. It works perfectly as I described above. We have two issues we'll play with yet. One is idle timeout. We set that to 30 mins but it times out at 60 mins. (You can observe the countdown using 'diag firewall auth list') Suspiciously, our SSL VPN settings specify 60 mins idle timeout.

Also on timeouts, I changed from the default of 'session' to 'traffic', as in: 'set proxy-re-authentication-mode traffic'. Otherwise a single long RDP/SSH/whatever admin session will time out at 60 mins, as the timer doesn't reset until the TCP session ends. Using 'traffic' makes it easy for admins to defeat the timer, but I found the keepalive page was worse in that sense because it automatically defeats the timer until a user chooses to log out.

The other issue is the login challenge page. We already use LDAP challenges on some other policies. It's the same login page so we can't customize it to show whether we're prompting for LDAP (AD account) or RADIUS (RSA token). Most identity-based policies use FSSO but I guess where we want to prompt for credentials we'll have to use either AD or RSA everywhere.

...Fred
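A defender-side check for the timeout behaviour Fred describes (the 30 vs 60 minute mismatch, and 'traffic' mode letting a continuously active RDP/SSH session refresh its timer), added here as an example and not part of the thread or of FortiOS: it parses the output of 'diag firewall auth list' and reports sessions that contradict the intended policy. The field layout (an unindented header line "<ip>, <user>", then duration, idled and expire values on indented lines) and the sample dump are assumed and constructed, so compare them against your own device's output before relying on the parser.

```python
import re

# Constructed sample in the assumed layout of 'diag firewall auth list':
# an unindented "<ip>, <user>" header followed by indented detail lines.
SAMPLE_AUTH_LIST = """\
10.0.50.11, alice
        type: fw, id: 0, duration: 5400, idled: 12
        expire: 1800, allow-new: 0, cur: 0, max: 0
10.0.50.12, bob
        type: fw, id: 0, duration: 900, idled: 700
        expire: 1800, allow-new: 0, cur: 0, max: 0
10.0.50.13, carol
        type: fw, id: 0, duration: 2400, idled: 2100
        expire: 3600, allow-new: 0, cur: 0, max: 0
----- 3 listed, 0 filtered ------
"""

HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}), (\S+)$")
FIELD = re.compile(r"\b(duration|idled|expire): (\d+)")


def parse_auth_list(text):
    """One dict per authenticated user: ip, user, duration (s since login),
    idled (s since last matching traffic), expire (timeout actually applied)."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"ip": m.group(1), "user": m.group(2),
                   "duration": 0, "idled": 0, "expire": 0}
            sessions.append(cur)
        elif cur is not None:
            for key, val in FIELD.findall(line):
                cur[key] = int(val)
    return sessions


def audit_sessions(sessions, idle_limit=1800, hard_limit=3600):
    """Flag an expire value that differs from the intended idle timeout, an idle
    time past that timeout while still listed, or a session alive beyond hard_limit."""
    findings = []
    for s in sessions:
        who = (s["user"], s["ip"])
        if s["expire"] != idle_limit:
            findings.append(who + (f"expire {s['expire']}s != intended {idle_limit}s",))
        if s["idled"] >= idle_limit:
            findings.append(who + (f"idle {s['idled']}s past timeout, still authenticated",))
        if s["duration"] >= hard_limit:
            findings.append(who + (f"alive {s['duration']}s, over hard cap {hard_limit}s",))
    return findings
```

Feed it the real dump with `audit_sessions(parse_auth_list(open("auth.txt").read()))`; with the constructed sample it reports alice's session as kept alive past the hard cap and carol's as running on a 60-minute timer while the intended one is 30.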
