Validacion de usuarios por LDAP
Publicado: 23 Dic 2014, 21:30
Buenas tardes,
En la empresa desean realizar un filtro de internet mediante usuarios de active directory.
Hasta el momento no he logrado que el fortigate 800C valide los usuarios de AD por LDAP, aunque si logre que baje los usuarios del FSSO que esta instalado en AD.
La configuracion del usuario LDAP es:
# FortiOS CLI — LDAP server object the FortiGate uses to look up / authenticate AD users.
config user ldap
edit "LDAP_GRUPO"
# Domain controller reached over LDAP.
set server "192.168.0.1"
# Attribute compared with the login name; sAMAccountName is the AD logon name.
set cnid "sAMAccountName"
# Base DN of the search. "DC=?" is either redacted for the post or a placeholder that still
# needs the real domain components; no search can succeed against the literal value shown.
set dn "DC=?,DC=com"
# "regular" bind: the FortiGate logs on to the directory with the account below before
# searching for the user.
set type regular
# Bind account (the doubled backslash is the CLI escape for a single backslash).
# NOTE(review): the value contains a space after the backslash — confirm it is exactly the
# intended bind identity; a regular bind is normally given as a DN or UPN. Use a read-only
# service account here, not an administrative one.
set username "usuario\\ fortinet"
# Stored encrypted; the ciphertext was omitted from the post.
set password ENC
# NOTE(review): no "set secure ldaps" (nor "set port" / "set ca-cert") appears in the snippet,
# so the bind credential and every user's password presumably cross the LAN in cleartext on
# tcp/389 — confirm, and prefer LDAPS (tcp/636) with the domain CA certificate.
Creo que la politica esta bien, pero la adjunto por si sirve para resolver el tema:
La politica de internet configurada es:
# FortiOS CLI — firewall policies for Red_Local -> Internet. No identity-based routes are defined.
config firewall identity-based-route
end
config firewall policy
# Policy 24: plain catch-all. Every Red_Local -> Internet flow is accepted with NAT, with no
# user identification and no UTM profiles (only logging).
# NOTE(review): it is listed before policy 41 and covers the same source/destination/service;
# if the listing reflects evaluation order, traffic never reaches 41 and the per-group web
# filter below is never applied — confirm the policy sequence. "Red_Local" here and
# "Red_local" in policy 41 differ only in case; confirm they name the same interface.
edit 24
set srcintf "Red_Local"
set dstintf "Internet"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
# All sessions are logged, not only UTM events.
set logtraffic all
set nat enable
next
# Policy 41: identity-based policy. Users are identified through FSSO (the agent on AD);
# the LDAP server "LDAP_GRUPO" is not referenced by anything in this listing, and the
# definitions of the groups named below (config user group) are not in the post —
# presumably they are FSSO groups.
edit 41
set srcintf "Red_local"
set dstintf "Internet"
set srcaddr "all"
set action accept
set fsso enable
set identity-based enable
set nat enable
# Sub-policies, matched top-down on the identified user's group membership.
config identity-based-policy
# Group INTERNET_FULL_Access: full UTM set (AV, web filter, IPS, app control, SSL inspection).
edit 1
set schedule "always"
set logtraffic all
set utm-status enable
set groups "INTERNET_FULL_Access"
set dstaddr "all"
set service "ALL"
set av-profile "default"
set webfilter-profile "INTERNET_FULL"
set ips-sensor "default"
set application-list "INTERNET_FULL"
set profile-protocol-options "default"
set deep-inspection-options "default"
next
# Group INTERNET_NORMAL: same UTM set, with the INTERNET_NORMAL web filter and app list.
edit 5
set schedule "always"
set logtraffic all
set utm-status enable
set groups "INTERNET_NORMAL"
set dstaddr "all"
set service "ALL"
set av-profile "default"
set webfilter-profile "INTERNET_NORMAL"
set ips-sensor "default"
set application-list "INTERNET_NORMAL"
set profile-protocol-options "default"
set deep-inspection-options "default"
next
# Group INTERNET_RESTRINGIDO: same UTM set, with the INTERNET_RESTRINGIDO profiles.
edit 6
set schedule "always"
set logtraffic all
set utm-status enable
set groups "INTERNET_RESTRINGIDO"
set dstaddr "all"
set service "ALL"
set av-profile "default"
set webfilter-profile "INTERNET_RESTRINGIDO"
set ips-sensor "default"
set application-list "INTERNET_RESTRINGIDO"
set profile-protocol-options "default"
set deep-inspection-options "default"
next
# Group FSSO_Guest_Users: no utm-status and no profiles, so whatever this entry accepts is
# uninspected. NOTE(review): the post says the logs show every user as "guest"; that is
# consistent with sessions landing on this entry instead of the AD group entries above
# (users not resolved by the FSSO agent) — confirm against the FSSO user list on the FortiGate.
edit 4
set schedule "always"
set logtraffic all
set groups "FSSO_Guest_Users"
set dstaddr "all"
set service "ALL"
next
# Group "SIN INTERNET": uses the "SIN INTERNET" web filter but the INTERNET_RESTRINGIDO
# application list. NOTE(review): presumably copied from entry 6 — confirm it is intended.
edit 7
set schedule "always"
set logtraffic all
set utm-status enable
set groups "SIN INTERNET"
set dstaddr "all"
set service "ALL"
set av-profile "default"
set webfilter-profile "SIN INTERNET"
set ips-sensor "default"
set application-list "INTERNET_RESTRINGIDO"
set profile-protocol-options "default"
set deep-inspection-options "default"
next
end
next
Al revisar los log de navegación todos los usuarios son identificados como "guest" y por supuesto no logran salir a internet.
En el perfil de AD ya estan configurados los grupos de internet.
Si alguien me puede dar una luz, se lo agradezco
En la empresa desean realizar un filtro de internet mediante usuarios de active directory.
Hasta el momento no he logrado que el fortigate 800C valide los usuarios de AD por LDAP, aunque si logre que baje los usuarios del FSSO que esta instalado en AD.
La configuracion del usuario LDAP es:
# FortiOS CLI — LDAP server object the FortiGate uses to look up / authenticate AD users.
config user ldap
edit "LDAP_GRUPO"
# Domain controller reached over LDAP.
set server "192.168.0.1"
# Attribute compared with the login name; sAMAccountName is the AD logon name.
set cnid "sAMAccountName"
# Base DN of the search. "DC=?" is either redacted for the post or a placeholder that still
# needs the real domain components; no search can succeed against the literal value shown.
set dn "DC=?,DC=com"
# "regular" bind: the FortiGate logs on to the directory with the account below before
# searching for the user.
set type regular
# Bind account (the doubled backslash is the CLI escape for a single backslash).
# NOTE(review): the value contains a space after the backslash — confirm it is exactly the
# intended bind identity; a regular bind is normally given as a DN or UPN. Use a read-only
# service account here, not an administrative one.
set username "usuario\\ fortinet"
# Stored encrypted; the ciphertext was omitted from the post.
set password ENC
# NOTE(review): no "set secure ldaps" (nor "set port" / "set ca-cert") appears in the snippet,
# so the bind credential and every user's password presumably cross the LAN in cleartext on
# tcp/389 — confirm, and prefer LDAPS (tcp/636) with the domain CA certificate.
Creo que la politica esta bien, pero la adjunto por si sirve para resolver el tema:
La politica de internet configurada es:
# FortiOS CLI — firewall policies for Red_Local -> Internet. No identity-based routes are defined.
config firewall identity-based-route
end
config firewall policy
# Policy 24: plain catch-all. Every Red_Local -> Internet flow is accepted with NAT, with no
# user identification and no UTM profiles (only logging).
# NOTE(review): it is listed before policy 41 and covers the same source/destination/service;
# if the listing reflects evaluation order, traffic never reaches 41 and the per-group web
# filter below is never applied — confirm the policy sequence. "Red_Local" here and
# "Red_local" in policy 41 differ only in case; confirm they name the same interface.
edit 24
set srcintf "Red_Local"
set dstintf "Internet"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
# All sessions are logged, not only UTM events.
set logtraffic all
set nat enable
next
# Policy 41: identity-based policy. Users are identified through FSSO (the agent on AD);
# the LDAP server "LDAP_GRUPO" is not referenced by anything in this listing, and the
# definitions of the groups named below (config user group) are not in the post —
# presumably they are FSSO groups.
edit 41
set srcintf "Red_local"
set dstintf "Internet"
set srcaddr "all"
set action accept
set fsso enable
set identity-based enable
set nat enable
# Sub-policies, matched top-down on the identified user's group membership.
config identity-based-policy
# Group INTERNET_FULL_Access: full UTM set (AV, web filter, IPS, app control, SSL inspection).
edit 1
set schedule "always"
set logtraffic all
set utm-status enable
set groups "INTERNET_FULL_Access"
set dstaddr "all"
set service "ALL"
set av-profile "default"
set webfilter-profile "INTERNET_FULL"
set ips-sensor "default"
set application-list "INTERNET_FULL"
set profile-protocol-options "default"
set deep-inspection-options "default"
next
# Group INTERNET_NORMAL: same UTM set, with the INTERNET_NORMAL web filter and app list.
edit 5
set schedule "always"
set logtraffic all
set utm-status enable
set groups "INTERNET_NORMAL"
set dstaddr "all"
set service "ALL"
set av-profile "default"
set webfilter-profile "INTERNET_NORMAL"
set ips-sensor "default"
set application-list "INTERNET_NORMAL"
set profile-protocol-options "default"
set deep-inspection-options "default"
next
# Group INTERNET_RESTRINGIDO: same UTM set, with the INTERNET_RESTRINGIDO profiles.
edit 6
set schedule "always"
set logtraffic all
set utm-status enable
set groups "INTERNET_RESTRINGIDO"
set dstaddr "all"
set service "ALL"
set av-profile "default"
set webfilter-profile "INTERNET_RESTRINGIDO"
set ips-sensor "default"
set application-list "INTERNET_RESTRINGIDO"
set profile-protocol-options "default"
set deep-inspection-options "default"
next
# Group FSSO_Guest_Users: no utm-status and no profiles, so whatever this entry accepts is
# uninspected. NOTE(review): the post says the logs show every user as "guest"; that is
# consistent with sessions landing on this entry instead of the AD group entries above
# (users not resolved by the FSSO agent) — confirm against the FSSO user list on the FortiGate.
edit 4
set schedule "always"
set logtraffic all
set groups "FSSO_Guest_Users"
set dstaddr "all"
set service "ALL"
next
# Group "SIN INTERNET": uses the "SIN INTERNET" web filter but the INTERNET_RESTRINGIDO
# application list. NOTE(review): presumably copied from entry 6 — confirm it is intended.
edit 7
set schedule "always"
set logtraffic all
set utm-status enable
set groups "SIN INTERNET"
set dstaddr "all"
set service "ALL"
set av-profile "default"
set webfilter-profile "SIN INTERNET"
set ips-sensor "default"
set application-list "INTERNET_RESTRINGIDO"
set profile-protocol-options "default"
set deep-inspection-options "default"
next
end
next
Al revisar los log de navegación todos los usuarios son identificados como "guest" y por supuesto no logran salir a internet.
En el perfil de AD ya estan configurados los grupos de internet.
Si alguien me puede dar una luz, se lo agradezco