
TechFlow LDAP Tech Note


Page 1: TechFlow LDAP Tech Note

Fortinet 1 05/2007

Description: FortiOS 3.0/MR4 – Proxy Authentication to Windows Active Directory via LDAP without FSAE
Date of Bulletin: 05-25-2007
Fortinet Engineer: David Swift (CSE)
Feature developed for: ACCD SSL VPN Authentication
Top3 Ticket: N/A
Mantis ID: N/A
Fortinet Product: FortiGate
OS Version: FortiOS v3.0 MR4+
Planned PD Release version:
Limitations: User passwords are proxied in clear text over the internal network.
Workarounds: LDAP over IPsec or LDAPS (the certificate export/import process and enabling LDAPS on Windows 2000/2003 is not straightforward)

Authentication – Active Directory via LDAP Technical Bulletin


Overview of Process:
1. Configure an LDAP Authentication Object on the FortiGate.
2. Modify the user ldap server settings via the CLI to adjust the username, the context on the AD tree, and the group to use for authentication.
3. Configure SSL-VPN Authentication (or Firewall or other auth) to use the LDAP server object created in steps 1 & 2.

LDAP Active Directory Connection Options:
1. LDAP over port 389 proxy authentication is fully supported and functional, though the syntax can be difficult to discern. Two options exist:
   a. Unbound / Anonymous Queries – not supported by Microsoft AD by default.
   b. Bound queries – any Active Directory account can be used to attach to Active Directory to check whether the proxied user / password combination is valid in the given Active Directory LDAP tree.
      i) The customer must create an account in Active Directory for the FortiGate proxy to authenticate with before it is allowed to query for other user objects and contexts (this may also be part of the reason querying LDAP via the GUI fails to return data, see Figure 1).
      ii) Bound queries are configured via the CLI with "set type regular" on the LDAP server properties (see Figure 2).

Context can be important. LDAP queries often have no problems flowing from a higher-level context (point on the tree) down to a lower-level context, but queries from a lower level (leaf level) back up the tree often fail.

Active Directory Context Overview:
   Leaf object – user, folder, group – referenced with CN= or sAMAccountName
   DC = Domain Context; Root = top of tree
   OU = organizational unit (the AD term)
   CN = Common Name

   Root
   |-- Users and Computers (leaf container, referenced with CN=)
   |   |-- user_for_auth
   |-- Domain Controllers (OU)
   |   |-- DC
   |   |-- DC
   |-- Leaf objects: group, user, printer


Note: a folder / leaf / group-like object called Users & Computers exists in the root by default; this folder is referenced with CN= syntax, not OU= (i.e. CN=user_for_auth,CN=Users and Computer,DC=root).
2. LDAP over IPsec is also supported; reference http://kc.forticare.com/default.asp?id=1696&SID=&Lang=1
3. LDAPS (SSL encrypted) is supported over port 636, but Windows Active Directory configuration and successful certificate importation is non-trivial.

Overview of Process: Enable LDAPS on the FortiGate in the LDAP settings screen
   a. Change the port to 636
   b. Enable LDAPS on Windows
      i. Configure a Certificate Authority Server (if one does not yet exist)
      ii. Enable Auto-Enrollment features in the Default Domain Controller Security Policy.
      iii. Create and submit a request for an Auto-Enrollment Domain Controller Authentication Certificate.
      iv. Export the Certificate on Windows
      v. Import the Certificate on the FortiGate

Ed Lopez may have further insight on LDAPS configuration.

Detailed configurations and supporting information:
This tech note covers option 1 – LDAP over port 389 – with links to other documents for options 2 and 3.

LDAP Server Configuration with Regular Bindings

config user ldap
    edit "Active_Directory"
        set server "192.168.1.200"
        set cnid "cn"
        set dn "CN=Users,DC=isp,DC=com"
        set type regular
        set username "fortinet"
        set password ENC Wi3zDbQY8PZg8fvXEkwbnaKJGrKobi7g0HwRciKEtu8ALxz/KCX7N5wOC05XEURA4Tg+h
    next

LDAP Server Configuration Using Groups & sAMAccountName

    edit "AD_OU"
        set server "192.168.1.200"
        set cnid "sAMAccountName"
        set dn "cn=Users,dc=isp,dc=com"
        set type regular
        set username "cn=fortinet,cn=Users,dc=isp,dc=com"
        set password ENC dL4CTnyCBv5Lhxrx5fJ0vURWpPf/1X3C3fVpDlHMFRRqTu+i71Zn1+
        set group "cn=sslvpn,cn=Users,dc=isp,dc=com"
    next


Configuration as Tested:
Windows 2003 Server in VMware Server
Active Directory Tree – isp.com
User: fortinet – used for binding queries: cn=fortinet,cn=Users,dc=isp,dc=root
User: hasvpn – part of the sslvpn group – can authenticate to LDAP and is a member of the allowed group.
User: novpn – can authenticate to LDAP, but cannot access SSL VPN services; not part of the group.
Figure 1: Active Directory Users and Computers


Figure 2: Group Membership

User: fortinet was added to the sslvpn users group for debug later.


Figure 3: LDAP Query Fails
Note: When querying an LDAP server from the GUI, the query will fail (though on the initial connect with blank fields it may return some information about the domain/LDAP structure).


Figure 4: Bound LDAP Queries

Note: Two combinations work:
1. cnid cn with username fortinet
or
2. cnid sAMAccountName with username cn=fortinet,cn=Users,dc=isp,dc=com


Troubleshooting:
1. Test Connectivity

FWF60M2906501170 # exec ping 192.168.1.200
PING 192.168.1.200 (192.168.1.200): 56 data bytes
64 bytes from 192.168.1.200: icmp_seq=0 ttl=128 time=2.5 ms
64 bytes from 192.168.1.200: icmp_seq=1 ttl=128 time=1.8 ms
64 bytes from 192.168.1.200: icmp_seq=2 ttl=128 time=1.8 ms
64 bytes from 192.168.1.200: icmp_seq=3 ttl=128 time=2.4 ms
64 bytes from 192.168.1.200: icmp_seq=4 ttl=128 time=3.4 ms
--- 192.168.1.200 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.8/2.3/3.4 ms

2. Test a user account authentication from the CLI

FWF60M2906501170 # diag test auth ldap Active_Directory fortinet fortinet
authenticate 'fortinet' against 'Active_Directory' failed!

Figure 5: Wireshark – AD not querying, but "pingable"


3. Verify firewall rules allow connectivity
Figure 6: Firewall Rules


4. Test Connectivity (valid ARP: the true AD host is replying / no proxy ARP) – "All valid, but FW blocking". Exec ping, diag sniffer packet with a host filter, and confirm the MAC address of the server via IPCONFIG /ALL or ifconfig.
Figure 7: Debugging, response with FW rule blocking access


5. Successful Reply (after disabling FortiClient FW)
Figure 8: Debugging – Valid Response


6. Successful Reply Capture (Wireshark)
Valid Response Packet Capture

7. Basic LDAP Server Configuration

FWF60M2906501170 (ldap) # show
config user ldap
    edit "Active_Directory"
        set server "192.168.1.200"
        set cnid "cn"
        set dn "CN=Users,DC=isp,DC=com"
        set type regular
        set username "fortinet"
        set password ENC Wi3zDbQY8PZg8fvXEkwbnaKJGrKobi7g0HwRciKEtu8ALxz/KCX7N5wOC05XEURA4Tg+h
    next


8. Failed User Authentication (valid IP, valid MAC, valid user)
Failed Query


9. Failed User Auth Packet Capture (Wireshark)
Packet Capture – Failed Authentication


10. Successful Authentication with Groups
Successful Authentication Test & Configurations

11. LDAP configuration with Group and sAMAccountName

    edit "AD_OU"
        set server "192.168.1.200"
        set cnid "sAMAccountName"
        set dn "cn=Users,dc=isp,dc=com"
        set type regular
        set username "cn=fortinet,cn=Users,dc=isp,dc=com"
        set password ENC dL4CTnyCBv5Lhxrx5fJ0vURWpPf/1X3C3fVpDlHMFRRqTu+i71Zn1+
        set group "cn=sslvpn,cn=Users,dc=isp,dc=com"
    next


12. Packet Capture of Successful LDAP bound query with Group Authentication


13. Packet Capture of failed authentication (valid user, not member of group)


14. Packet Capture – Bound Query to LDAP using Group

Two steps:
A. Validate the user before querying the tree.
B. Validate who is a member of the group.
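The two-step bound query just described, together with the two working cnid/username combinations noted under Figure 4, modelled end to end as an added example. This is not FortiOS code and not a real LDAP client: DIRECTORY is a constructed in-memory stand-in for the isp.com tree used in this note (the plain-text userPassword values are constructed, and the service-account password "fortinet" replaces the ENC strings in the note), and the rule that a non-DN username becomes <cnid>=<username>,<dn> for the service bind is an assumption about FortiOS behaviour, included because it explains why "sAMAccountName" with a bare username fails.

```python
"""Model of the FortiGate bound ('set type regular') LDAP proxy authentication
flow from this tech note, written as an added example. DIRECTORY is a
constructed in-memory stand-in for the isp.com Active Directory tree; it is
not a real LDAP client and not FortiOS code. Assumption: when the configured
username is not a DN, the bind DN is built as <cnid>=<username>,<dn>."""


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its components."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed directory: normalized DN -> attributes. The plain-text
# "userPassword" attribute stands in for AD's own password verification.
DIRECTORY = {
    "cn=fortinet,cn=users,dc=isp,dc=com": {
        "cn": "fortinet", "sAMAccountName": "fortinet", "userPassword": "fortinet"},
    "cn=hasvpn,cn=users,dc=isp,dc=com": {
        "cn": "hasvpn", "sAMAccountName": "hasvpn", "userPassword": "hasvpn-pw"},
    "cn=novpn,cn=users,dc=isp,dc=com": {
        "cn": "novpn", "sAMAccountName": "novpn", "userPassword": "novpn-pw"},
    "cn=sslvpn,cn=users,dc=isp,dc=com": {
        "cn": "sslvpn",
        "member": ["cn=hasvpn,cn=users,dc=isp,dc=com",
                   "cn=fortinet,cn=users,dc=isp,dc=com"]},
}


def bind(dn, password):
    """Simple bind. An empty DN is an anonymous bind, which AD refuses by default."""
    if not dn:
        return False
    entry = DIRECTORY.get(normalize_dn(dn))
    return entry is not None and entry.get("userPassword") == password


def search(base_dn, attribute, value):
    """Subtree search under base_dn for entries whose attribute equals value."""
    base = normalize_dn(base_dn)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base) and entry.get(attribute) == value]


def service_bind_dn(cfg):
    """Bind DN for the FortiGate's own account (assumption noted above)."""
    username = cfg["username"]
    return username if "=" in username else f'{cfg["cnid"]}={username},{cfg["dn"]}'


def proxy_auth(cfg, user, password):
    """Return a result code for a proxied user/password pair against cfg."""
    # Step 0: only bound queries work against AD by default.
    if cfg.get("type") != "regular":
        return "bind-failed: anonymous query refused"
    if not bind(service_bind_dn(cfg), cfg["password"]):
        return "bind-failed: service account"
    # Step A: locate the user by cnid under the configured context, then
    # validate the proxied password by binding as that user.
    matches = search(cfg["dn"], cfg["cnid"], user)
    if len(matches) != 1:
        return "user-not-found"
    user_dn = matches[0]
    if not bind(user_dn, password):
        return "auth-failed"
    # Step B: a valid user must also be a member of the configured group.
    if cfg.get("group"):
        group = DIRECTORY.get(normalize_dn(cfg["group"]), {})
        if user_dn not in [normalize_dn(m) for m in group.get("member", [])]:
            return "not-in-group"
    return "success"


# The two LDAP server objects from the tech note, as plain dicts.
ACTIVE_DIRECTORY = {"cnid": "cn", "dn": "CN=Users,DC=isp,DC=com", "type": "regular",
                    "username": "fortinet", "password": "fortinet"}
AD_OU = {"cnid": "sAMAccountName", "dn": "cn=Users,dc=isp,dc=com", "type": "regular",
         "username": "cn=fortinet,cn=Users,dc=isp,dc=com", "password": "fortinet",
         "group": "cn=sslvpn,cn=Users,dc=isp,dc=com"}
# The combination the note says does not work: sAMAccountName cnid with a bare username.
AD_BARE_SAM = dict(AD_OU, username="fortinet")

if __name__ == "__main__":
    for cfg_name, cfg in (("AD_OU", AD_OU), ("AD_BARE_SAM", AD_BARE_SAM)):
        for user, pw in (("hasvpn", "hasvpn-pw"), ("novpn", "novpn-pw")):
            print(cfg_name, user, "->", proxy_auth(cfg, user, pw))
```

With the AD_OU object, hasvpn succeeds and novpn stops at the group check, which is the difference between the successful and failed captures in sections 12 and 13; with AD_BARE_SAM the service bind itself fails before any user is looked up, so the failure shows up on the first bind of the capture, not on the user's bind.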


Troubleshooting:
1. Verify a valid/correct MAC (no ARP proxy reply) and L3 connectivity (ping). The screens show a sniffer capture with a valid MAC, valid host IP and reachable source/destination, but a firewall rule blocking LDAP.
2. Simplify the configuration: remove the group and filter; use the simple "cn = cn" rather than sAMAccountName and drop any other option not required for initial connectivity; unset any miscellaneous options (watch for and remove a filter of ' ').


Active Directory User Properties / LDAP Mappings in ADSIEDIT
sAMAccountName refers to the short name for a given user, and is likely the preferred choice for customers, since it allows the short name rather than the full first, middle, last combination that cn would require.


ADSIEDIT.MSC (Microsoft Management Console Snap-In Tool)
Adsiedit.msc – Microsoft Management Console plug-in (MMC.EXE). Displays Active Directory objects in LDAP naming that more closely matches Fortinet/OpenLDAP.


Accessing ADSIEDIT: it can be accessed by going to Help & Support from the Start menu, then Tools, then Installing Windows Support Tools.


Installing Windows Support Tools – ADSIEDIT.MSC

Other Windows Utilities:
CertReq.exe – Certificate Request Tool
CertUtil.exe – Certificate Generation Tool
LDP.exe – LDAP Browser Tool


LDAPS on Windows 2003 AD

Per Jeff Wang … LDAPS uses the same certificate as IIS (HTTPS), so just try to get the CA certificate at http://x.x.x.x/certenroll/ (x.x.x.x is your AD server IP address) and import it to the FGT on GUI: VPN: Certificate -> CA certificate.

config user ldap
    edit "ldapsrv"
        set server "172.18.5.14"
        set cnid "cn"
        set dn "OU=jeff,DC=test,DC=com"
        set port 636
        set filter ''
        set secure ldaps
        set ca-cert "CA_Cert_1"
    next
end

#dia deb application fnbamd 255
fnbamd_fsm.c[739] handle_req-Rcvd auth req 5 for jeff1 in ra opt=0 prot=0
fnbamd_auth.c[169] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 172.18.5.14, result 172.18.5.14
fnbamd_ldap.c[133] set_cacert_file-CA file: '/etc/cert/ca/CA_Cert_1.cer'
fnbamd_ldap.c[587] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[673] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[955] fnbamd_auth_poll-Result for ldap svr 172.18.5.14 is SUCCESS
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 0 for req 5
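The three "config user ldap" objects in this note (the two port-389 objects under "Detailed configurations" and the LDAPS object above) differ exactly in the settings the note warns about, so here is an added example, not FortiOS code or a Fortinet tool, that parses such blocks and flags those settings: the clear-text proxying that the bulletin lists as its limitation, port 636 and a CA certificate for LDAPS, a full bind DN when cnid is sAMAccountName (the two-combination note under Figure 4), and the whitespace-only filter from the troubleshooting section. SAMPLE_CONFIG is the note's three objects plus one constructed "AD_broken" object with a placeholder password; the check names and their thresholds are this example's own.

```python
"""Parser and sanity checker for FortiOS 'config user ldap' blocks like the
ones in this tech note, written as an added example (not FortiOS code). The
checks encode the note's own caveats; the finding codes are this example's."""
import shlex

# The note's three server objects, plus a constructed "AD_broken" object
# (placeholder password) that trips the remaining checks.
SAMPLE_CONFIG = """
config user ldap
    edit "Active_Directory"
        set server "192.168.1.200"
        set cnid "cn"
        set dn "CN=Users,DC=isp,DC=com"
        set type regular
        set username "fortinet"
        set password ENC Wi3zDbQY8PZg8fvXEkwbnaKJGrKobi7g0HwRciKEtu8ALxz/KCX7N5wOC05XEURA4Tg+h
    next
    edit "AD_OU"
        set server "192.168.1.200"
        set cnid "sAMAccountName"
        set dn "cn=Users,dc=isp,dc=com"
        set type regular
        set username "cn=fortinet,cn=Users,dc=isp,dc=com"
        set password ENC dL4CTnyCBv5Lhxrx5fJ0vURWpPf/1X3C3fVpDlHMFRRqTu+i71Zn1+
        set group "cn=sslvpn,cn=Users,dc=isp,dc=com"
    next
    edit "ldapsrv"
        set server "172.18.5.14"
        set cnid "cn"
        set dn "OU=jeff,DC=test,DC=com"
        set port 636
        set filter ''
        set secure ldaps
        set ca-cert "CA_Cert_1"
    next
    edit "AD_broken"
        set server "192.168.1.200"
        set cnid "sAMAccountName"
        set dn "cn=Users,dc=isp,dc=com"
        set type regular
        set username "fortinet"
        set password ENC placeholder
        set filter ' '
        set secure ldaps
    next
end
"""


def parse_user_ldap(text):
    """Return {server_name: {setting: value}} for each 'edit ... next' block.
    shlex handles the CLI's quoting, including the empty '' filter value."""
    servers, current, name = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            name, current = tokens[1], {}
        elif tokens[0] == "set" and current is not None and len(tokens) >= 2:
            current[tokens[1]] = " ".join(tokens[2:])   # keeps "ENC <blob>" whole
        elif tokens[0] in ("next", "end") and current is not None:
            servers[name] = current
            current = None
    return servers


def check_ldap_server(cfg):
    """Return the finding codes for one server object."""
    findings = []
    port = int(cfg.get("port", "389"))            # FortiOS default port
    secure = cfg.get("secure", "disable")          # FortiOS default: no TLS
    if secure == "disable":
        findings.append("CLEARTEXT")               # the bulletin's stated limitation
    elif secure == "ldaps":
        if port != 636:
            findings.append("LDAPS_PORT")          # note: change the port to 636
        if not cfg.get("ca-cert"):
            findings.append("LDAPS_NO_CACERT")     # no CA to validate the DC's cert
    if cfg.get("type") == "regular":
        if not cfg.get("username") or not cfg.get("password"):
            findings.append("BIND_ACCOUNT_MISSING")
        elif cfg.get("cnid", "cn").lower() != "cn" and "=" not in cfg["username"]:
            findings.append("USERNAME_NOT_DN")     # only the two noted combinations work
    filt = cfg.get("filter")
    if filt is not None and filt != "" and filt.strip() == "":
        findings.append("FILTER_WHITESPACE")       # "watch and remove filter ' '"
    return findings


def audit(text):
    """Map every server object in a config dump to its finding codes."""
    return {name: check_ldap_server(cfg) for name, cfg in parse_user_ldap(text).items()}


if __name__ == "__main__":
    for server, codes in audit(SAMPLE_CONFIG).items():
        print(f"{server}: {', '.join(codes) or 'ok'}")
```

Run against the note's own objects, both 389 entries report only CLEARTEXT, the LDAPS entry reports nothing, and the constructed AD_broken entry reports the port, CA-certificate, bind-DN and filter problems at once; the same function can be pointed at a "show" dump captured from a unit to check it before a debug session.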


Enabling LDAPS on Windows 2003 AD
1. Configure Certificate Services if not installed (or run the next commands on the Enterprise CA Server)
Configuring Certificate Services


2. Create a certificate for import to both AD and the FortiGate
http://support.microsoft.com/default.aspx?scid=kb;en-us;321051

Certificate Request File

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=RL-SERVER,OU=Domain Controllers,DC=isp, DC=COM" ; the FQDN of the DC
KeySpec = 1
KeyLength = 1024 ; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------

Windows Certificate Utilities:
CertUtil –template – lists valid templates
CertUtil –viewstore – lists valid installed certificates
Ldp.exe – Windows tool to verify LDAP/LDAPS connectivity (part of the Windows 2000 Support Tools)
CertReq –new <file.inf> outputfile.req – creates a request file
CertReq –submit –attrib "CertificateTemplate:DomainControllerAuthentication" – submit with attribute override
CertUtil outputfile.req – imports a certificate
CertReq –accept <file>.cer – imports a certificate
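A request file that reaches the CA without the properties the note calls out (Server Authentication EKU, the DC's FQDN as the subject, a machine key set) produces a certificate the domain controller will not use for LDAPS, so here is an added example, not a Microsoft or Fortinet tool, that parses the request.inf above with configparser and reports such gaps before the request is submitted. REQUEST_INF is the note's file; the expected DC name "rl-server.isp.com" is a constructed value, and the 2048-bit minimum key length is a modern check added here, not a requirement stated in the 2007 note.

```python
"""Pre-submission checks on a certreq request.inf for an LDAPS domain
controller certificate, written as an added example (not a Microsoft or
Fortinet tool). Parses the note's request file and reports the properties
the note calls out plus a modern minimum key length."""
import configparser

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
MIN_KEY_BITS = 2048  # added modern minimum; the note's file uses 1024

# The note's request.inf, used here as constructed sample input.
REQUEST_INF = """
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=RL-SERVER,OU=Domain Controllers,DC=isp, DC=COM" ; the FQDN of the DC
KeySpec = 1
KeyLength = 1024 ; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
"""

# Constructed corrected copy: FQDN in the subject and a 2048-bit key.
FIXED_INF = (REQUEST_INF
             .replace("CN=RL-SERVER,", "CN=rl-server.isp.com,")
             .replace("KeyLength = 1024", "KeyLength = 2048"))


def parse_inf(text):
    """Read an INF file; ';' starts both full-line and inline comments."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       comment_prefixes=(";", "#"),
                                       inline_comment_prefixes=(";",))
    parser.optionxform = str  # keep key case (Subject, KeyLength, ...)
    parser.read_string(text)
    return parser


def subject_cn(subject):
    """Extract the CN value from a (possibly quoted) X.500 subject string."""
    for part in subject.strip('"').split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""


def check_ldaps_request(text, dc_fqdn):
    """Return finding codes for a request.inf meant for an LDAPS DC certificate."""
    parser = parse_inf(text)
    req = parser["NewRequest"]
    findings = []
    if subject_cn(req.get("Subject", "")).lower() != dc_fqdn.lower():
        findings.append("SUBJECT_NOT_DC_FQDN")   # the note's comment: FQDN of the DC
    if int(req.get("KeyLength", "0")) < MIN_KEY_BITS:
        findings.append("KEY_TOO_SHORT")         # added modern check
    if req.get("MachineKeySet", "").upper() != "TRUE":
        findings.append("NOT_MACHINE_KEY")       # DC needs it in the machine store
    if req.get("KeySpec", "") != "1":
        findings.append("KEYSPEC_NOT_EXCHANGE")  # KeySpec = 1 in the note's file
    eku = parser["EnhancedKeyUsageExtension"] if parser.has_section("EnhancedKeyUsageExtension") else {}
    if eku.get("OID", "") != SERVER_AUTH_OID:
        findings.append("NO_SERVER_AUTH_EKU")    # 1.3.6.1.5.5.7.3.1 as in the note
    return findings


if __name__ == "__main__":
    print("note's file:", check_ldaps_request(REQUEST_INF, "rl-server.isp.com"))
    print("fixed file: ", check_ldaps_request(FIXED_INF, "rl-server.isp.com"))
```

Against the note's own file the checker reports that the subject CN is the short host name rather than the DC's FQDN and that the key is below the added 2048-bit minimum; the corrected copy passes. Because configparser keeps only the last duplicate key, a request listing several OID= lines under [EnhancedKeyUsageExtension] should be checked with a line-oriented scan instead.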


Windows Reference Links:
Enabling a Certificate Authority
http://technet2.microsoft.com/WindowsServer/en/library/bc61880a-ab80-4803-a76a-7646804155e91033.mspx?mfr=true
Enabling Auto-Enrollment
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Enabling Auto-Enrollment / LDAPS / INF File Syntax
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx#ENSAE
Microsoft Knowledge Base on LDAPS
http://support.microsoft.com/kb/321051
Advanced Certificate Enrollment
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
Certificate Authority Best Practices
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Certificate Templates
http://technet2.microsoft.com/windowsserver/en/library/c71d2cd3-82ef-4e3c-8746-1340d0ef4e9a1033.mspx?mfr=true
LDAP / IAS
http://www.microsoft.com/technet/isa/2004/plan/workgroup_ee.mspx#Testing%20LDAPS%20Connectivity

Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

Trademarks: Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Disclaimer: Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.