64. Lecture-64:FortiGate Passive Authentication (AD).
Method is pace of authentication with active directory which we call them 14 eight single sign on FSSO and this is seamless authentication. No need of anything, you can integrate them to active directory, end depth anything and it is best solution. But all the PC has to join the domain then it will work and normally organization you will see such type of integration of 40 gate to the active directory which we call them pays pace means there is no prompt to come in. Put the username and password and tease the user all the time to put the user whenever you log in from your domain user authentication the same user credential will be used. But for this purpose you need to install FSSO agent which you can download from their website.
So I have FSSO setup with 564 bit and you can install this one by normal application. Next accept them where to install. This should be install in your active directory domain controller put the username and password which method you want to use. Advanced method of standard method install and launch after launch it will get the active directory IP automatically otherwise you have to put this the default agent is nothing but they will exchange the information between active directory and 40 gate firewall.
That’s why we call them agent. Choose your domain. In my case domain is test lab and choose the group. In this case we have HR group and sale group. Okay and then the pulling procedure. There are two method. One is to check the event log and other one is to install as a services. The first one is install as a services. It’s up to you. Both method will work and then change the default password. There is the default password and this agent change that one and now integrate them with the fortinet single sign n which is in security favorite just like a cloud edition injection in this FortiGate firewall and we will choose active directory and the rest of every method is the similar.
So now let’s go how we can do it? So click on active directory open it so when we integrate them after that we will create the same way the group. But the group will be not a firewall. This time will be 14 eight single sign in. So it’s asking the username and password use different. So our username is administrator at the rate test lab and password is ABC at the rate 12345. Okay so I want to log into my domain controller okay active directory and I need that agent to copy here to install so that’s the agent right click on agent you can download from your website. I will show you okay and paste them here and domain controller. Okay we are doing second method paste for pace. If you need to install this application first on active directory, give it to your system administrator and tell them that these are the step. And install this agent on your active directory.
That I want to integrate my firewall. With your active directory. They will get username and detail from there passively. And whenever system joined the domain, the same username and password will be used to authenticate them to firewall. So the user will now no need to type the username and password all the time. Click next accept the license where to install choose the direction and it’s the password A-B-C at the rate 12345 okay next I want to use advanced method it’s up to you. I already explain you and install until it’s installed. Let’s go to firewall and remove the other method because we already integrate them. So go to system sorry, where was user and device? Go to LDAP and remove the old method. You can use both as well by the way but I don’t want to confuse you so let me it’s not deleting why? Because it’s used click on reference and where it’s using HR delete that HR. Okay in HR there are still there using the reference and policy. So I need to go to so many places. So delete the policy one then delete policy two because we call them in policy now coming here and again it’s four places in use so HR group we created two group. Delete those group delete another group. Now you can delete this one delete will be enabled now and create LDAP remove and if you go to user group nothing is there, it’s deleted automatically user definition user is not there and when you go to policy I already delete policies. One is manual and other is calling there nothing is there now so go to user and device and LDAP nothing is there now. So I remove the other method.
Now we are doing the other so that’s the application click finish so they collect the IP automatically. There’s the port and next test that this is our domain. Next which user remove administrator they don’t call administrator. We are using this for group so sale and sell to HR n cell so it’s okay. Next we use the default method. Next finish so that the agent has been installed. Basically this agent will integrate with their two directory. They will pull in the detail and will give them the detail. Okay. And if I click on the agent now to change the default password, they have one default password. Give them A-B-C? Any password? I am giving this password. Okay. And apply. So I just so that’s the detail, they are using this port to listen on these three port. This three port has to be open if you have another firewall in the middle. Okay. And you can see the logs and everything from here. This done. Now go to active directory how we will integrate. So for that purpose you have to go to security fabric not here and there is security. There is fabric connector and fabric connector click create new. Okay so they have so many method to integrate with this firewall. The one which we are using single sign on which has to be somewhere. Yeah this is single sign on identity and this is the one which we are using fortinet single sign and agent and we already install agent there and click on this one they say what name you want to give? I say active directory plus because last time we gave the active directory so maybe you confused so I gave them a new directory plus. And what is active directory? IP 109, 21681, 200 this is the IP. Now this one and what is the password? A-B-C 12345 okay and again it’s asking me the SSL, the secure one. So I say apply and refresh. So it will apply if the password is correct. So it will integrate them to the active directory through that agent. So let’s check now and let’s okay and let’s see it’s down arrow until it’s green and up. So it means it’s not integrated. So you need to wait either just refresh until it’s showing green otherwise there is something wrong in your setup. So let me refresh still we have this one. Okay so 100 is okay. I don’t know password is correct or not apply and refresh. So let’s see. Okay now let’s see still it’s okay. After a while it will become green if everything is okay and if we did not type password wrong. So what we’ve done up to this point so we came here in single sign n. Okay we put the name correct again and apply and refresh.
Okay, after a while it has to show anyway, let’s wait for a while sometime it takes time to integrate them and let’s go to the year and view logs and let’s see show service, show login, user save and close. Let me enable it because we changed the password maybe that one is okay and now let’s go back there and let refresh. Maybe this time still it’s down arrow anyway let’s wait still let me check connectivity execute ping 192, 168, 1200 yes, we have reachability another thing we need to check firewall. Maybe firewall is blocking so let’s go there and see if in case firewall is enabled window firewall let’s turn off firewall for a test purpose. Okay and now let’s go back there. Yeah it’s green now. So the issue was firewall. Now let’s get the user, all the user because there are by default so many user okay and when you click on it you will see so it’s okay now all the group is there. Now go to the same thing where is our user and device? Go to user group and this time create new group. Suppose HR group which we don’t but this time not a firewall. Basically firewall is just the name for active directory. This is also active directory but this is different method and this is different method. Now I will use 14 eight single sign in and click on member and it will use the active directory to show you all the active directory. The group I need is HR. This is the HR click and add. So this time HR group I is 14 a single sign n and click create new and the other group is sell so cell group choose single click and choose your cell and okay so my two group is integrated here. But another way almost similar thing.
Now go to policy and object IP four policy and just like the other one create to policy lane to when the user will come from lane they want to go to when source should be lane subnet and user should be HR and sale group. It can be anyone and the destination is all. Services is all and all session record them. So LAN is done. Now I need to create for DMZ as well. DMZ to when user will come from DMZ. They will go to when source should be DMZ zone which we create the subnet you remember last time. But user will be also authenticated HR n cells and destination should be all, service should be all and it will allow native and everything and okay. Now let’s test. Do you think the user will go like last time? This is my one PC. If I tried to go to Facebook I don’t think so. It will work. And neither it will ask me the username and password to put even though I have the IP and everything is correctly. This one is the inside PC. And there was another PC. This one which we from DMZ. Again try them. It will not go. Let me close the browser. Maybe you think that’s the whole history but it will not reach to the Internet. Neither it will access any resources because now the method is different passive. So if I try to reach any Google or anything, it will not work. Why? And neither asking the username and password because you are not using active. Now this PC has to join the domain. How to join the domain. So right click on my computer, go to properties. So this is a standalone PC workgroup. They have to join the domain, click change and click here the domain. So our domain is test lab and okay if everything is okay and no issue. And this PC is reachable there. So it will authenticate with active directory and it will join the domain. So let’s see it’s giving error or not. Another PC from LAN is also not reachable. Here I will try right click properties change, setting change and this time I will use IP 192, 168, 1200 to join this domain and okay, okay maybe I will get DNS issue. But anyway let’s see. This is what I was expecting. So you can type test simple and try again an issue. Why? Because this PC will reach the domain and we are using different DNS or DNS is this 1100 to change the DNS to the which you want to join. So type only DNS 192, 168 1200 okay and now let’s try test I hope so this time it will work again an issue this time type test label. Okay this is due to DNS because we are using our firewall DNS and we are reaching now integrated with this one. So more detail it’s the same thing. I know this is the issue up domain controller. Okay let me go to the other PC until this will cover up. No, not this one. Okay so this one is also get error. So what we need to do go to go to the interface change interface and we are using one two but our DNS is different one. So remove this IP four, IPV six and type DNS 192, 168 1200 and 192, 168 100 our firewall one. Okay and now let’s see it’s using our DNS and now let’s try for the last time.
Okay and change setting change domain and type test lab. So now it’s correct and what was administrator and ABC at rate 12345. This the administrative account in active directory and okay it will prompt you to welcome message and you need to reboot the system now this user PC will change from workgroup to domain and now straight away is done. Okay and now straight away this PC can let me change the PC name as well because both have same name. Okay so no need restart now. And now let’s go to the other PC. We will join two PC with the domain. So this one is not working why? Because of DNS. So let’s go to here change it after setting. So we are using 100 but the issue is IPV six is enabled and also you need to put 192, 168, 100 and now change them and put test lab before let me change the PC one. Okay and hope so this time it will reach.
I need to check if I’m reachable or not ping 109, 21681, 200 yeah so I’m not reachable. Why? Because I put restriction here as a user. So for a while what you need to do either let me create one quick rule because it’s not reachable. Let’s ask him username so my piece is not reachable there type allow just for test purpose. I will say from DMZ to lane that there is no way and it should be all. It should be all and services should be all and station and okay now let’s try now this one. Where is my second PC? And let’s try now can I ping? Yes now I can reach and now type okay hopefully this time it will be reachable because there was no policy so username is ed ministrator and password is ABC at the rate 12345 and okay I hope so it will give you a welcome message. So I joined one PC from DMZ to Domain Controller. And I join one PC from LAN. Now I will log in one PC with HR and one PC I will log in with sale group automatically. It will be authenticated. They will not prompt them anything restart. And now let’s go. Maybe the other PC is now available. This one. So this is my domain controller. Now let’s see here. So click on this one lane. PC already joined, so I hope so it will be available now. And now I can use my active directory user and group to join PC and directly log in with this one. Okay, so this is our active directory. Let me show you. Let them come. We created these group. We will log in with this group. Okay, keep in mind. So let’s go back. Your PC is asking now. So now we need to type other username and password. Which one? HR one at the ratetest lab. This is PC.
Okay. And password is one, two, three and okay, you got the idea. Now PC is under domain and password. I think we put one, two, three login under your computer. You must click on allow login through terminal services. Okay, what the hell. Now I need to change this one because it’s remotely stopped. So they are not allowing them. So stop them and change them to edit VNC. This is really headache. Okay, and now start them. So unfortunately we will do in this one as well. Stop and start. And now start them in VNC. Because domain PCs cannot be logged in through remote desktop, they have distraction. Either way I need to go to active directory and set permission for every user to log in through remote control. So it’s better to log in them here with this one. So now I will log in with HR and one with sale group and then we will see them. Okay, so let’s see and also let me on this DMZ PC as well. Okay, I did not change this one. Unfortunately I need to change this to VNC. Okay and start anyway until that time land PC will be available. Now it’s come up. But how we will log in? We will use these user. Okay, keep in mind. Okay. And before login let’s see from here it will show you show login user. Look at issuing HR. I try there. So that’s why the HR is now here in the logs.
One agent. So now send control or delete and type switch user and other user. Here type HR. No, sorry. Sale one and password is one, two, three. This is what we do normally in organization you have to use your own username and password to login. And then when you log in your username and password you don’t need to authenticate again to firewall. They will use this same credential and this is called passive authentication. And now if I go there and refresh they will show sales that sales from user PC with one, two IP they are using sales group and they log in and what they will do, they will send this detail from active directory to firewall that allowed this person now. And that’s the things which the firewall will say okay, you are allowed, I already authenticate you. And whatever you restriction here, you have a restriction, it will follow. Maybe you put some restriction here, they will follow that method and they can reach anywhere. So now let’s see and until that time let on the other PC as well. Okay and here we will log in with HR group so that we can test both. So let me log in switch user other and here HR two and one, two, three is the password. So one from TMZ, another is from LAN so we will test both. Let’s see which one is coming. So this one came.
Now I am logging under domain. Okay this is my user cell one and my PC already joined a domain. Let me revise you again. If I go to my computer go to property so it will show me the domain. Okay this user PC test lab and test lab is my domain and okay now I can go directly to Internet without any restriction because I allowed him everything. Now rest of the thing is beside authentication you have to set the rule what they can access, what they cannot access but related to authentication, that issue is already sort out because he already log in and is showing here who login now two user says one and HR two. So they send this traffic to this agent because it’s the name is agent and if I go to internet before it was not working I hope. So this time it has to work. If I say Google. com, so it will reach to google. com it has to work because yes, the DNS was the issue. So I need to change the DNS now I believe because I joining the domain so I changed the DNS. So for that purpose yes they are using still their DNS so we need require administrative access. What the hell.
Okay so unfortunately one small doubt which I forgot to change them. So let me log off and log in with the administrative account to change the DNS entry. This way it’s not reachable, otherwise it’s okay now everything for joining I change the DNS. So switch user and this time let me log in with administrator and password is ABC at the rate 12345 but administrator at the test lab to change their DNS thing again, this one also will not work. So even everything is okay. So logo small thing, we need to uncheck the DNS which I forgot to do it before. So let me log in with administrator at the redtest lab and password ABC at the rate 12345 and now let’s go back to this PC. Okay, still coming up. Okay so I’m just waiting for these two PC to log in as administrator. Even they will okay, administrator will not show because we remove administrator don’t show administrator because they will never log in from client system. You remember when we installing this agent so we uncheck administrator. Okay, so administrator is logging now I can change the thing. So let me go and change the properties and change IPV four and make them automatic. Okay, let’s see and also let’s go to this one. Okay, still this one is coming up okay and I hope so it’s changed now. Yes. And now let’s log off and log in with proper user. So logo and also this one has come up. So until that one and let me log in now with switch user which one? HR one. Suppose HR one and one, two, three. And now let’s go to the other system and change the IP DNS, sorry, DNS entry which we put just for joining. Okay. And obtain automatically. Okay, now this time I’m logging with HR one with this PC window four. Okay this one window four showing window four. I’m logging with HR and here I’m changing the DNS entry to log in with another user before. So it’s done. And now let me log off and log in with proper user.
Okay. And now let’s try their HR here I will try 1123. Okay. Now let’s wait for the user to log in and there will be no need to put the username and password in the prompt but they will authenticate directly and we can see the authentication here as well. And if we refresh now HR one and cell one I log in and also from firewall let’s go to Firewall. Till now we can see monitor and it should be no, it will not show this one show all FSSO login. Here you can see HR one is login and cell was login their user group detail duration 1 minute and 36 seconds. One, two and 10 IP. By the way it’s wrong. And these are the detail and method is 48 single sign on method. Okay. If you click on this one you can de authenticate them and refresh them. You can see them. Okay. And if you click directly it will show you the other user. If you click it will show you normal user firewall. When you click here it will show you if SSO login. So I hope so one of them has login not yet. Both are tried to log in to create their profile. First time when user is login so they need to create a profile. So that’s why it’s take time and I hope so. The last thing we need to test when the user is logging, they have to access internet directly because in our policy we allow them everything. If you want to put the restriction per user now you can put the restriction here and also here. Now this is the restriction area per user either per group. But anyway we allowed everything. It’s the DMC subnet and HR and Sale, they can go anywhere. Okay? And from here for the view we can see all the session for these two users.
Okay? And also if we go to dashboard, top lane DMZ, you will see the IP detail and user detail and it will be changed after a while because they are still logging and also from logs and report forwarding traffic. You can verify from here. So HR one this time HR one, HR one they are going to DNS. Right now they are reaching DNS. I think it’s done or not yet still this one is preparing the desktop. So let them so this way, let’s go there if I miss something. So we integrate the group, we create a policy same like other one and we join the domaintest lab. We put the detail and we log in with HR. And from here show login user we can see promptive directory and when you log in it will show you the detail. And also when you click show all FSSO login. So it will show from monitor firewall user monitor. And when you go to forwarding traffic it will show the user detail and if when you go to source, it will show you the detail in all session again it will show you the detail. And also from the agent side, these are the agent detail monitor user login okay, monitor user login a one it means that monitored user whenever user login monitor them when you uncheck, it will not support NTLM authentication. This is the old method authentication. It will support collect agent status whenever the agent is collect the agent detail. All the things are mentioned here, they are using these two port, okay? TCP and UDP. This one is the agent and this one is for SSL.
And this is the 40 gate one log even which log you want to select and you want to see the log and how much space you want to give the logs. This is the password for this authentication, okay? For the agent authentication. And these are the timer of the details. And from here you can see Show Services, show monitor, DC, show login user show monitor more of the detail you can see which I mentioned here one by one. You can go through them if you need more detail. Okay? And that’s it. So now let’s see this last thing. It has to access the Internet without any prompt. So let’s go to Google. com and let’s see we can access or not. Okay, and any BBC. com, BBC so I hope so it has to work because everything is configured perfectly and they will authenticate passively and they can access Google and everything. Okay. And for better thing what you can do, you can test here as well pinga ed so it’s reachable and it means it’s working, EI. Google is coming now and also BBC will be there after a while. It’s slow but it’s okay. Different story. Okay, so it’s working.
Yes. No prompt, no nothing. Because they already been authenticated with domain login, with HR because this is a pace of method. Yeah, so it’s come up. And also BBC will be after a while. So we test two website. It’s working. So definitely it’s working. Okay. And from here now you can see forwarding log as well. Okay. This is HR one. HR one is the user and also we verify from monitor. And here is firewall user monitor. So here is login and showing also you can want to deauthenticate as well. It will reauthenticate in case you want. Okay. So I hope so. It’s enough. No need to show you from the other user. It’s the same but it’s taking some time. If it has come up quickly, we will try from here as well. Window two. So window two is this one DMZ one. So it’s better if it has come up. So it’s okay to test properly. But anyway it will work. So this is the story how to integrate and how to integrate firewall two different method active and passive method and how to authenticate user with active directory how to join the domain okay, so I believe it’s taking much time so don’t waste your time. It’s okay, you can test your own if any issue, let me know.
