FortiGate
keithli_FTNT
Staff
Article Id 195011

Description
After a user successfully authenticates via firewall authentication, you may want to give them the option to log out manually instead of waiting for the authentication timeout to expire. This article shows how users can reach the authentication portal page to perform the logout action.

Solution
Topology:
User PC <--> (port3) FortiGate (port1) <--> Internet

 
Part 1: Configuring user authentication
 

1. Create a local user. In this example, the local user is of type Remote LDAP User.

2. From User & Authentication > User Definition, click Create New and apply the following settings:

Setting: Value
User Type: Remote LDAP User
LDAP Server: Select your LDAP server
Remote Users: Select your remote user

3. From Firewall Policy, create a new firewall policy from port3 -> port1 and apply the following settings:

Setting: Value
Name: Auth-out
Incoming Interface: port3
Outgoing Interface: port1
Source Address: all
User: the user created in Step 2
Destination: all
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Enabled

4. Ensure no other port3 -> port1 policy allows the same traffic without authentication. Policies are matched top-down, so a policy above Auth-out that matches the traffic without a user or group would be applied first and the user would never be challenged.

 
The example configuration in the CLI:

config user local
    edit "tgerber"
        set type ldap
        set ldap-server "WIN2K16-KLHOME-LDAPS"
    next
end
config firewall policy
    edit 36
        set name "Auth-out"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set users "tgerber"
    next
end
 
Part 2: Configuring certificates

1. From User & Authentication > Authentication Settings, the following settings can be configured:

Setting: Description
Authentication timeout: Amount of time a user can remain idle before being logged out. Default 5 minutes.
Protocol Support: Protocols on which the user can be challenged to perform firewall authentication.
HTTP redirect: Redirect the HTTP challenge to a secure channel (HTTPS).
Certificate: Certificate used for the authentication portal.

2. It is recommended to enable HTTP redirect so that the authentication portal displayed in the browser always uses a secure channel (HTTPS). Without it, the user's credentials are submitted to the portal in clear text over HTTP.
 
3. The FortiGate uses the default FortiGate server certificate, Fortinet_Factory, for the authentication portal page. If the user's browser does not trust the CA that signed this certificate, accessing the portal displays a certificate warning or blocks the page, depending on the browser.
 
There are several options to secure your connection and avoid certificate errors.
 
3a. Use the built-in local CA certificate, Fortinet_CA_SSL, to sign the certificate used in the authentication portal. This can be done from the CLI:
config user setting
    set auth-ca-cert "Fortinet_CA_SSL"
    set auth-secure-http enable
end
The end user must trust this CA by importing the public CA certificate into the computer’s Certificate store.
The certificate can be downloaded by going to System > Certificates, then right clicking on Fortinet_CA_SSL and Download.
3b. Use a custom server certificate for the authentication portal. This can be configured from the CLI:
config user setting
    set auth-cert "authportal.fgdocs.com"
    unset auth-ca-cert
    set auth-secure-http enable
end
This assumes the authportal.fgdocs.com certificate was previously imported into the FortiGate.
The end user must also trust the CA that signed this custom server certificate. The browser additionally checks that the name in the certificate matches the address it was redirected to, so a certificate issued to authportal.fgdocs.com still produces a name-mismatch warning if the portal is reached by the FortiGate's IP address rather than that hostname.

3c. Use a custom CA certificate to sign the certificate used in the authentication portal. This can be configured from the CLI:
config user setting
    set auth-ca-cert "SigningAuth"
    set auth-secure-http enable
end
This assumes the SigningAuth CA certificate was previously imported into the FortiGate.
The end user must trust this CA by importing the public CA certificate into the computer's certificate store.
 
Verification:

1. From the User PC (192.168.20.10), ensure the CA certificate chosen in Part 2 is installed in the PC's certificate store.
 
2. Open a browser and connect to www.fortinet.com.

3. The browser is automatically redirected to the firewall authentication page. Enter the user credentials.
[screenshot: FirewallAuth1.png]
 
4. Once authenticated, the browser redirects the user back to www.fortinet.com.
 
5. From the FortiGate CLI, use the following command to view the logged in user:
# diag firewall auth list
192.168.20.10, tgerber
        src_mac: 52:54:00:f8:c3:1c
        type: fw, id: 0, duration: 10, idled: 7
        expire: 293, allow-idle: 300
        server: WIN2K16-KLHOME-LDAPS
        packets: in 380 out 264, bytes: in 422626 out 51413
        user_id: 16777221
        group_id:
        group_name:
6. From the browser, open another tab and go to https://<ip of FortiGate>:1003/portal? (1003 is the default HTTPS port of the authentication portal).
[screenshot: FirewallAuth2.png]
If HTTP redirect is disabled, the portal page can also be reached on http://<ip of FortiGate>:1000/portal? (1000 is the default HTTP port of the portal).
 
7. From this authentication portal page, click logout to logout manually from firewall authentication.
 
8. From the FortiGate CLI, use the following command to confirm the user has logged out:
# diag firewall auth list
----- 0 listed, 0 filtered ------
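As an added example that is not part of this article, the following Python script parses the output of diag firewall auth list shown in steps 5 and 8 (the per-user blocks and the empty "0 listed" case) into records and flags sessions that are close to their idle timeout, which is useful when checking who is still logged in before or after a manual logout. The sample output embedded in the script is constructed: the tgerber entry is the one from step 5, while the jdoe entry and its values are invented to exercise the timeout check and a non-empty group.

```python
"""Parse `diagnose firewall auth list` output into records.

Added example, not from the Fortinet article. The first entry of
SAMPLE_AUTH_LIST is the article's own output; the second ("jdoe") is
invented so the idle-timeout check and group fields are exercised.
"""
import re
from typing import Dict, List

SAMPLE_AUTH_LIST = """\
192.168.20.10, tgerber
        src_mac: 52:54:00:f8:c3:1c
        type: fw, id: 0, duration: 10, idled: 7
        expire: 293, allow-idle: 300
        server: WIN2K16-KLHOME-LDAPS
        packets: in 380 out 264, bytes: in 422626 out 51413
        user_id: 16777221
        group_id:
        group_name:
192.168.20.11, jdoe
        src_mac: 52:54:00:aa:bb:cc
        type: fw, id: 0, duration: 280, idled: 275
        expire: 25, allow-idle: 300
        server: WIN2K16-KLHOME-LDAPS
        packets: in 12 out 9, bytes: in 1200 out 800
        user_id: 16777222
        group_id: 33554432
        group_name: vpn-users
----- 2 listed, 0 filtered ------
"""

# What the FortiGate prints once the user has logged out (step 8).
EMPTY_AUTH_LIST = "----- 0 listed, 0 filtered ------\n"

# "<ipv4>, <username>" starts a user block (IPv4 only in this example).
_HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}), (\S+)$")
_SUMMARY = re.compile(r"^-+ (\d+) listed, (\d+) filtered -+$")
# Comma-separated "key: value" pairs; a value runs up to the next comma,
# so MAC addresses and server names with colons/dashes are kept whole.
_KV = re.compile(r"([A-Za-z_][\w-]*): ?([^,]*)")
_COUNTERS = re.compile(r"in (\d+) out (\d+)")
_INT_KEYS = {"id", "duration", "idled", "expire", "allow-idle", "user_id", "group_id"}


def parse_auth_list(text: str) -> List[Dict[str, object]]:
    """Return one dict per authenticated user; raise ValueError on malformed output."""
    sessions: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            current = {"ip": m.group(1), "user": m.group(2)}
            sessions.append(current)
            continue
        m = _SUMMARY.match(line)
        if m:
            listed = int(m.group(1))
            if listed != len(sessions):
                raise ValueError(f"summary says {listed} listed, parsed {len(sessions)}")
            continue
        if current is None:
            raise ValueError(f"attribute line before any user header: {line!r}")
        for key, value in _KV.findall(line):
            value = value.strip()
            if key in ("packets", "bytes"):
                c = _COUNTERS.fullmatch(value)
                if c is None:
                    raise ValueError(f"unexpected {key} counters: {line!r}")
                current[key] = {"in": int(c.group(1)), "out": int(c.group(2))}
            elif key in _INT_KEYS and value:
                current[key] = int(value)
            else:
                current[key] = value  # empty group_id/group_name stay ""
    return sessions


def expiring_soon(sessions: List[Dict[str, object]], within_seconds: int = 60) -> List[str]:
    """Users whose session times out within `within_seconds` unless they send traffic.

    `expire` counts down from `allow-idle` as the user idles; in the article's
    output it is 300 - 7 = 293.
    """
    return [str(s["user"]) for s in sessions
            if isinstance(s.get("expire"), int) and s["expire"] <= within_seconds]


if __name__ == "__main__":
    for s in parse_auth_list(SAMPLE_AUTH_LIST):
        print(f"{s['ip']:<15} {s['user']:<10} expire={s['expire']}s server={s['server']}")
    print("about to time out:", expiring_soon(parse_auth_list(SAMPLE_AUTH_LIST)))
    print("after logout:", parse_auth_list(EMPTY_AUTH_LIST))
```

The summary-line check (listed count versus parsed blocks) guards against truncated output when the command is run through a script or SSH session that cuts off paging; a mismatch raises instead of silently reporting fewer users than are actually logged in.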