Created on 08-27-2021 11:35 AM Edited on 01-30-2024 02:30 AM By Kate_M
Description
After a user successfully authenticates via firewall authentication, you may want to give them the option to log out manually instead of waiting for the authentication timeout to occur. This article shows how users can access the authentication portal to perform the logout action.
Solution
Topology:
User PC <--> (port3) FortiGate (port1) <--> Internet
1. Create a local user. In this example, the local user is of type Remote LDAP User.

Setting | Value
--- | ---
User Type | Remote LDAP User
LDAP Server | Select your LDAP server
Remote Users | Select your remote user
3. From Firewall Policy, create a new firewall policy from port3->port1. Apply the following settings.

Setting | Value
--- | ---
Name | Auth-out
Incoming Interface | port3
Outgoing Interface | port1
Source | Address = all, User = the user created in Step 1
Destination | all
Schedule | always
Service | ALL
Action | ACCEPT
NAT | Enabled
4. Ensure no other port3->port1 policy allows traffic without authentication.

The resulting CLI configuration for the user and the policy:

config user local
    edit "tgerber"
        set type ldap
        set ldap-server "WIN2K16-KLHOME-LDAPS"
    next
end
config firewall policy
    edit 36
        set name "Auth-out"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set users "tgerber"
    next
end
Setting | Description
--- | ---
Authentication timeout | Amount of time a user can remain idle before being logged out. Default 5 mins
Protocol Support | Protocols a user can use to perform firewall authentication
HTTP redirect | Redirect the HTTP challenge to a secure channel (HTTPS)
Certificate | Certificate used for the authentication portal

config user setting
    set auth-ca-cert "Fortinet_CA_SSL"
    set auth-secure-http enable
end
The end user must trust this CA by importing the public CA certificate into the computer’s Certificate store.
The certificate can be downloaded by going to System > Certificates, then right clicking on Fortinet_CA_SSL and Download.
3b. Use a custom server certificate for the authentication portal. This can be configured from the CLI. This assumes the authportal.fgdocs.com certificate was previously imported into the FortiGate.

config user setting
    set auth-cert "authportal.fgdocs.com"
    unset auth-ca-cert
    set auth-secure-http enable
end
The end user must also trust the CA that signed this custom server certificate.
3c. Use a custom CA certificate to sign the certificate used in the authentication portal. This can be configured from the CLI. This assumes the SigningAuth CA certificate was previously imported into the FortiGate.

config user setting
    set auth-ca-cert "SigningAuth"
    set auth-secure-http enable
end

The end user must trust this CA by importing the public CA certificate into the computer’s Certificate store.

Verification:
1. From the User PC (192.168.20.10), ensure the appropriate certificate is installed in the PC’s Certificate store.
2. Open a browser and connect to www.fortinet.com.
3. The browser will automatically redirect the user to the firewall authentication page. Enter the user credentials.
4. Once authenticated, the browser will redirect the user back to www.fortinet.com.
5. From the FortiGate CLI, use the following command to view the logged in user:

# diag firewall auth list
192.168.20.10, tgerber
    src_mac: 52:54:00:f8:c3:1c
    type: fw, id: 0, duration: 10, idled: 7
    expire: 293, allow-idle: 300
    server: WIN2K16-KLHOME-LDAPS
    packets: in 380 out 264, bytes: in 422626 out 51413
    user_id: 16777221
    group_id:
    group_name:

6. From the browser, open another tab. Go to https://<ip of FortiGate>:1003/portal?
If HTTP redirect is disabled, the portal page can also be reached on http://<ip of FortiGate>:1000/portal?
7. From this authentication portal page, click Logout to log out manually from firewall authentication.
8. From the FortiGate CLI, use the following command to confirm that the user has logged out:

# diag firewall auth list
----- 0 listed, 0 filtered ------
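To check steps 5 and 8 without reading the output by eye, the following added Python parser (example code, not part of this article) reads `diag firewall auth list` output in the format shown above and reports whether a user still holds a session. The sample text is constructed from the article's own output; the `1 listed` summary line for the logged-in case is assumed.

```python
import re

# Constructed sample in the format printed by "diag firewall auth list".
# The session block mirrors the article's output; the summary line is assumed.
SAMPLE_LOGGED_IN = """\
192.168.20.10, tgerber
        src_mac: 52:54:00:f8:c3:1c
        type: fw, id: 0, duration: 10, idled: 7
        expire: 293, allow-idle: 300
        server: WIN2K16-KLHOME-LDAPS
        packets: in 380 out 264, bytes: in 422626 out 51413
        user_id: 16777221
        group_id:
        group_name:
----- 1 listed, 0 filtered ------
"""
SAMPLE_LOGGED_OUT = "----- 0 listed, 0 filtered ------\n"

HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)$")
SUMMARY = re.compile(r"^-+\s*(\d+) listed, (\d+) filtered\s*-+$")


def parse_auth_list(text):
    """Return (sessions, listed): one dict per 'ip, user' block holding the
    key/value pairs under it, plus the count from the summary line."""
    sessions, listed = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER.match(line):
            sessions.append({"ip": m.group(1), "user": m.group(2)})
        elif m := SUMMARY.match(line):
            listed = int(m.group(1))
        elif sessions:
            # "key: value, key: value"; values such as "in 380 out 264" stay as text
            for part in line.split(", "):
                key, _, value = part.partition(":")
                sessions[-1][key.strip()] = value.strip()
    return sessions, listed


def user_sessions(text, user):
    """Sessions belonging to `user` (an idle session still counts as logged in)."""
    return [s for s in parse_auth_list(text)[0] if s["user"] == user]


def logout_confirmed(text, user):
    """True when no session for `user` remains and the summary count agrees."""
    sessions, listed = parse_auth_list(text)
    return not any(s["user"] == user for s in sessions) and listed == len(sessions)
```

Comparing `expire` against `allow-idle` in the parsed session shows how close an idle user is to the authentication timeout, which is the wait the manual logout avoids.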