Solution
FortiAuthenticator running as a virtual machine can provide authentication services, but a bridged interface under KVM has a limitation: in Bridge mode the VM cannot reach the internet and can only communicate with the subnet it is connected to. Using a NAT interface under KVM instead gives full internet access, but at the cost of losing access to the internal network resources. The procedure below keeps the bridge and restores internet access by adding a default route on the FortiAuthenticator.
This example procedure uses Ubuntu as the host machine for KVM and the virtual FortiAuthenticator (vFAC).
- Open a terminal on Ubuntu and use nmtui, the text-based interface of the NetworkManager package, to manage the network settings.
Execute this command with root access:
nmtui
- Select Add to create a new Bridge connection. In this example it is named Bridge connection 1:
In this example the bridge sits in the 10.10.70.0/24 network; the interface is given the IP address 10.10.70.70, plus a gateway and a DNS server.
Press OK at each prompt, then Quit:
- Verify that the bridge interface was created and is UP on Ubuntu:
ifconfig | grep -e nm-bridge -e 10.10.70.70
nm-bridge: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.70.70  netmask 255.255.255.0  broadcast 10.10.70.255
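The nmtui dialogue above is interactive, which makes it hard to reproduce or review. The following script is an added example, not part of the Fortinet article: it prints the nmcli commands that produce the same bridge configuration (so they can be reviewed before the host's network is touched) and checks the result by parsing `ip` output rather than the deprecated ifconfig. The physical NIC name (enp1s0) and the DNS server address (taken here to be the gateway) are assumptions, since the article does not name them.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of the nmtui steps, using nmcli,
# plus checks that parse `ip` output instead of the deprecated ifconfig.
# ASSUMPTIONS (not from the article): physical NIC enp1s0, DNS server = gateway.

BRIDGE_IF="nm-bridge"                     # bridge device name used in the article
BRIDGE_CON="Bridge connection 1"          # connection name shown in nmtui
PHYS_IF="${PHYS_IF:-enp1s0}"              # ASSUMPTION: host NIC to attach to the bridge
BRIDGE_IP="10.10.70.70/24"
BRIDGE_GW="10.10.70.254"
BRIDGE_DNS="${BRIDGE_DNS:-10.10.70.254}"  # ASSUMPTION: DNS server; the article does not name one

# Print (do not run) the nmcli commands equivalent to the nmtui configuration,
# so they can be reviewed before changing the host's network.
bridge_commands() {
  printf 'nmcli connection add type bridge ifname %s con-name "%s" ipv4.method manual ipv4.addresses %s ipv4.gateway %s ipv4.dns %s\n' \
    "$BRIDGE_IF" "$BRIDGE_CON" "$BRIDGE_IP" "$BRIDGE_GW" "$BRIDGE_DNS"
  printf 'nmcli connection add type bridge-slave ifname %s master %s\n' "$PHYS_IF" "$BRIDGE_IF"
  printf 'nmcli connection up "%s"\n' "$BRIDGE_CON"
}

# link_is_up LINE: succeed if an `ip -o link show dev <if>` line reports state UP.
link_is_up() { printf '%s\n' "$1" | grep -q ' state UP '; }

# has_address LINE: succeed if an `ip -o -4 addr show dev <if>` line carries BRIDGE_IP.
has_address() { printf '%s\n' "$1" | grep -q " inet $BRIDGE_IP "; }

# check_bridge LINKLINE ADDRLINE: combine both checks and print a one-word verdict.
check_bridge() {
  if link_is_up "$1" && has_address "$2"; then echo "ok"; else echo "fail"; fi
}

# Constructed sample `ip` output matching the article's addressing (offline test data).
SAMPLE_LINK='3: nm-bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000'
SAMPLE_ADDR='3: nm-bridge    inet 10.10.70.70/24 brd 10.10.70.255 scope global noprefixroute nm-bridge'

case "${1:-}" in
  show)  bridge_commands ;;                       # review the commands
  apply) bridge_commands | sh -e ;;               # run them (needs root)
  check) check_bridge "$(ip -o link show dev "$BRIDGE_IF")" "$(ip -o -4 addr show dev "$BRIDGE_IF")" ;;
  *)     check_bridge "$SAMPLE_LINK" "$SAMPLE_ADDR" ;;  # offline demo on the sample lines
esac
```

Run it with `show` to see the commands, `apply` (as root) to execute them, and `check` to verify the live bridge; with no argument it only evaluates the constructed sample lines. Setting ipv4.gateway on the bridge connection matters: once the physical NIC becomes a bridge port, the host's own default route has to live on nm-bridge as well.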
- Open KVM, start the virtual FortiAuthenticator and assign its IP address, in this example 10.10.70.90:
- Under KVM, go to the NIC interface, select Bridge device, enter the exact name of the bridge created earlier (nm-bridge), and press the reload button:
The inside network resources in 10.10.70.0/24 are now reachable:
> exe ping 10.10.70.254
PING 10.10.70.254 (10.10.70.254): 56 data bytes
64 bytes from 10.10.70.254: seq=0 ttl=255 time=0.936 ms
64 bytes from 10.10.70.254: seq=1 ttl=255 time=0.905 ms
64 bytes from 10.10.70.254: seq=2 ttl=255 time=1.099 ms
64 bytes from 10.10.70.254: seq=3 ttl=255 time=0.408 ms
- To give the virtual FortiAuthenticator full internet access through the bridge interface, go to Network -> Static Routing and create a default route pointing at the gateway, in this case .254 (10.10.70.254):
- Validate the internet connection:
> exe ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=116 time=5.369 ms
64 bytes from 8.8.8.8: seq=1 ttl=116 time=5.414 ms
64 bytes from 8.8.8.8: seq=2 ttl=116 time=5.140 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 5.140/5.307/5.414 ms
> exe ping hotmail.com
PING hotmail.com (204.79.197.212): 56 data bytes
64 bytes from 204.79.197.212: seq=0 ttl=117 time=4.848 ms
64 bytes from 204.79.197.212: seq=1 ttl=117 time=4.873 ms
64 bytes from 204.79.197.212: seq=2 ttl=117 time=4.679 ms
^C
--- hotmail.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 4.679/4.800/4.873 ms
> exe ping youtube.com
PING youtube.com (192.178.56.78): 56 data bytes
64 bytes from 192.178.56.78: seq=0 ttl=116 time=5.033 ms
64 bytes from 192.178.56.78: seq=1 ttl=116 time=5.393 ms
64 bytes from 192.178.56.78: seq=2 ttl=116 time=5.370 ms
^C
--- youtube.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 5.033/5.265/5.393 ms
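The same validation can be scripted from the Ubuntu host so it can be repeated after every change. The script below is an added example, not part of the Fortinet article: it parses ping's summary line for the packet-loss figure (the format works for both the BusyBox output shown above and Linux iputils), confirms that the host's default route is via the gateway on nm-bridge, and, when invoked with `live`, pings the gateway, the vFAC address from the article (10.10.70.90) and 8.8.8.8. The route line and ping summary embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example: host-side validation of the bridged setup. Not from the article.
# Parses ping statistics and `ip route` output; live checks only run when invoked with "live".

BRIDGE_IF="nm-bridge"
GATEWAY="10.10.70.254"
VFAC_IP="10.10.70.90"            # vFAC address used in the article
INTERNET_PROBE="8.8.8.8"

# ping_loss TEXT: print the packet-loss percentage from ping's summary line.
# Matches both BusyBox ("3 packets received, 0% packet loss") and iputils ("3 received, 0% packet loss").
ping_loss() {
  printf '%s\n' "$1" | sed -n 's/.*, \([0-9][0-9]*\)% packet loss.*/\1/p' | head -n 1
}

# default_via TEXT: print the gateway from an `ip route show default` line, but only
# when the route leaves through the bridge; print nothing otherwise.
default_via() {
  printf '%s\n' "$1" | sed -n 's/^default via \([0-9.]*\) dev '"$BRIDGE_IF"'.*/\1/p' | head -n 1
}

# reachable HOST: succeed if 3 pings to HOST report 0% loss.
reachable() {
  out=$(ping -c 3 -W 2 "$1" 2>/dev/null) || return 1
  [ "$(ping_loss "$out")" = "0" ]
}

# validate_live: the three checks the article performs, run from the host side.
validate_live() {
  gw=$(default_via "$(ip route show default)")
  if [ "$gw" = "$GATEWAY" ]; then
    echo "default route via $gw on $BRIDGE_IF: ok"
  else
    echo "default route: missing or not via $BRIDGE_IF"
  fi
  for h in "$GATEWAY" "$VFAC_IP" "$INTERNET_PROBE"; do
    if reachable "$h"; then echo "$h: reachable"; else echo "$h: unreachable"; fi
  done
}

# Constructed samples: the vFAC ping summary from the article and a typical route line.
SAMPLE_PING='--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 5.140/5.307/5.414 ms'
SAMPLE_ROUTE='default via 10.10.70.254 dev nm-bridge proto static metric 425'

case "${1:-}" in
  live) validate_live ;;
  *)    echo "sample loss: $(ping_loss "$SAMPLE_PING")%; sample gateway: $(default_via "$SAMPLE_ROUTE")" ;;
esac
```

If the gateway answers but 8.8.8.8 does not, the bridge is fine and the missing piece is the default route; if the vFAC address does not answer from the host, recheck the bridge device name entered in the KVM NIC settings.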