FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
ehamud
Staff
Article Id 310734
Description This article describes, step by step, how to create a bridge interface on a KVM host for a virtual FortiAuthenticator and give the VM internet access through it.
Scope Virtual FortiAuthenticator.
Solution

FortiAuthenticator on a virtual machine can be used to provide authentication services, but there is a common pitfall with a Bridge interface under KVM: with the VM attached to a bridge, FortiAuthenticator can reach only the subnet it sits on until a default route is configured on it, so Bridge mode appears to have no internet access. Switching to a NAT interface under KVM gives internet access immediately, but the VM is then hidden behind the host's NAT and is no longer directly reachable from the internal network, which is exactly what an authentication server is there for. The procedure below keeps the Bridge interface and adds the missing default route. Keep in mind that a bridged VM sits directly on the LAN, so its administrative interfaces and authentication services are reachable from every host on that subnet; restrict administrative access accordingly.

This example procedure uses Ubuntu as the host machine for KVM and the vFAC.

  1. Configure the bridge with nmtui from a terminal on the Ubuntu host. nmtui is part of the NetworkManager package and is its text interface for managing network settings. Run it with root privileges:

nmtui

  2. Select Add and create a new Bridge connection. In this example it is named Bridge connection 1:

nmtui.png


In this example the bridge is placed in the 10.10.70.0/24 network: the interface gets the IP address 10.10.70.70, the gateway 10.10.70.254 and a DNS server.

SettingsNMTUI.png

Press OK at each prompt and then Quit:


hitOK.png

  3. Verify that the bridge interface was created and is up on the Ubuntu host:

ifconfig | grep -e nm-bridge -e 10.10.70.70
nm-bridge: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.10.70.70 netmask 255.255.255.0 broadcast 10.10.70.255


  4. Open KVM, start the virtual FortiAuthenticator and assign it an IP address in the same subnet, 10.10.70.90 in this example:

VFAC.png


  5. In KVM, open the VM's NIC settings, select Bridge device as the network source, enter the exact name of the bridge created above (nm-bridge) and press the reload button:

vfacinterface.png

The VM can now reach the internal network 10.10.70.0/24. From the FortiAuthenticator CLI, ping the gateway:

> exe ping 10.10.70.254
PING 10.10.70.254 (10.10.70.254): 56 data bytes
64 bytes from 10.10.70.254: seq=0 ttl=255 time=0.936 ms
64 bytes from 10.10.70.254: seq=1 ttl=255 time=0.905 ms
64 bytes from 10.10.70.254: seq=2 ttl=255 time=1.099 ms
64 bytes from 10.10.70.254: seq=3 ttl=255 time=0.408 ms

 

  6. Give the vFAC full internet access through the bridge interface: in the FortiAuthenticator GUI go to Network -> Static Routing and create a default route (destination 0.0.0.0/0) whose gateway is the subnet gateway, 10.10.70.254 in this example:

staticVFAC.png


  7. Validate the internet connection from the FortiAuthenticator CLI:

> exe ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=116 time=5.369 ms
64 bytes from 8.8.8.8: seq=1 ttl=116 time=5.414 ms
64 bytes from 8.8.8.8: seq=2 ttl=116 time=5.140 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 5.140/5.307/5.414 ms
> exe ping hotmail.com
PING hotmail.com (204.79.197.212): 56 data bytes
64 bytes from 204.79.197.212: seq=0 ttl=117 time=4.848 ms
64 bytes from 204.79.197.212: seq=1 ttl=117 time=4.873 ms
64 bytes from 204.79.197.212: seq=2 ttl=117 time=4.679 ms
^C
--- hotmail.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 4.679/4.800/4.873 ms
> exe ping youtube.com
PING youtube.com (192.178.56.78): 56 data bytes
64 bytes from 192.178.56.78: seq=0 ttl=116 time=5.033 ms
64 bytes from 192.178.56.78: seq=1 ttl=116 time=5.393 ms
64 bytes from 192.178.56.78: seq=2 ttl=116 time=5.370 ms
^C
--- youtube.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 5.033/5.265/5.393 ms
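As an added example that is not part of this article, the host-side steps 1 to 5 can be done non-interactively with nmcli (the command-line counterpart of nmtui, also part of NetworkManager) and virsh (the counterpart of the KVM GUI), which is handier when the host is managed remotely or rebuilt often. The bridge name and addressing are the article's; the physical NIC name enp1s0, the libvirt domain name vFAC and the DNS address are assumptions that can be overridden through the environment.

```sh
#!/bin/sh
# Added example, not part of the Fortinet article: the host-side steps (1 to 5) done
# non-interactively with nmcli and virsh instead of the nmtui and KVM GUI dialogs.
# Assumptions, all adjustable through the environment: the physical NIC is enp1s0,
# the libvirt domain is called vFAC, and the addressing is the article's
# (bridge nm-bridge, 10.10.70.70/24, gateway 10.10.70.254; DNS is assumed to be the gateway).
set -u

BRIDGE="${BRIDGE:-nm-bridge}"
PHYS_IF="${PHYS_IF:-enp1s0}"     # assumed NIC name; check with: ip -o link
ADDR="${ADDR:-10.10.70.70/24}"
GATEWAY="${GATEWAY:-10.10.70.254}"
DNS="${DNS:-10.10.70.254}"       # assumed: the article does not name its DNS server
VM_NAME="${VM_NAME:-vFAC}"       # assumed libvirt domain name; check with: virsh list --all
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands, 0 = execute them (needs root)

# run: print a command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_bridge: the nmtui "Add -> Bridge" dialog as nmcli calls. The bridge connection
# carries the static IPv4 settings; a second connection enslaves the physical NIC to it.
# The enslaved NIC has no address of its own, which is why the address lives on the bridge.
create_bridge() {
    run nmcli connection add type bridge ifname "$BRIDGE" con-name "$BRIDGE" \
        ipv4.method manual ipv4.addresses "$ADDR" ipv4.gateway "$GATEWAY" \
        ipv4.dns "$DNS" bridge.stp no
    run nmcli connection add type bridge-slave ifname "$PHYS_IF" master "$BRIDGE" \
        con-name "${BRIDGE}-port"
    run nmcli connection up "$BRIDGE"
    run nmcli connection up "${BRIDGE}-port"
}

# attach_vm_nic: step 5 (NIC -> "Bridge device" nm-bridge) for a libvirt domain.
# --config changes the stored definition for the next boot; add --live for a running VM.
attach_vm_nic() {
    run virsh attach-interface --domain "$VM_NAME" --type bridge --source "$BRIDGE" \
        --model virtio --config
}

# bridge_is_up: step 3, parsing one line of `ip -o link show dev $BRIDGE` passed in $1.
# Matches only the UP flag inside <...>, not LOWER_UP.
bridge_is_up() {
    printf '%s\n' "$1" | grep -Eq "^[0-9]+: ${BRIDGE}: <([^>]*,)?UP[,>]"
}

# bridge_has_addr: checks `ip -o -4 addr show dev $BRIDGE` output in $1 for $ADDR.
bridge_has_addr() {
    addr_re=$(printf '%s' "$ADDR" | sed 's/[.]/\\./g')
    printf '%s\n' "$1" | grep -Eq "^[0-9]+: ${BRIDGE} +inet ${addr_re} "
}

# check_live_bridge: run both checks against the real host.
check_live_bridge() {
    bridge_is_up "$(ip -o link show dev "$BRIDGE" 2>/dev/null)" &&
        bridge_has_addr "$(ip -o -4 addr show dev "$BRIDGE" 2>/dev/null)"
}

# Constructed sample lines in the shape `ip -o` prints (not captured from a real host),
# for exercising the parsers offline.
SAMPLE_LINK_UP='3: nm-bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINK_DOWN='3: nm-bridge: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR='3: nm-bridge    inet 10.10.70.70/24 brd 10.10.70.255 scope global noprefixroute nm-bridge\       valid_lft forever preferred_lft forever'

# Stand-alone use: print the plan (default) or, with DRY_RUN=0, apply it and verify.
create_bridge
attach_vm_nic
if [ "$DRY_RUN" = "0" ]; then
    check_live_bridge || { echo "$BRIDGE is not up with $ADDR" >&2; exit 1; }
fi
```

Run it once without arguments to review the generated nmcli and virsh commands, then as root with DRY_RUN=0 to apply them. The verification parses ip output rather than ifconfig, which is no longer installed by default on Ubuntu; the remaining steps (assigning 10.10.70.90 and the default route inside FortiAuthenticator) are done in the vFAC GUI as described above.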