Case Scenario
You have two groups of users attempting to access the Internet through the FortiGate. Most users need to be restricted in their access to the Internet. A few select users are permitted unrestricted access to the Internet.
General Question
How can the FortiGate distinguish between the two sets of users?
The solution is to enforce firewall authentication against two distinct user groups. The remainder of the document will explain how to configure this.
Although it is not necessary to use LDAP to implement the above scenario, LDAP is useful for customers who already have users defined in Active Directory. This document will focus on implementations using LDAP.
Configuration
Two implementations using LDAP will be explained (the latter approach can also be used with a RADIUS server).
For the sake of this technote, the protection profiles being referenced are as follows:
Restricted Users use: “block-yahoo” protection profile (no access to “yahoo.com” permitted) – see below
Unrestricted Users use: “unfiltered” protection profile
Implementation A
Two user groups, with users defined in separate OUs (Organizational Units)
The restricted and unrestricted users must already be defined in separate organizational units in Active Directory:
1) Define the LDAP servers
config user ldap
    edit "Unrestricted OU"
        set dn "ou=Unrestricted,dc=cs,dc=vanc,dc=ca"
        set server "172.16.87.83"
    next
    edit "Restricted OU"
        set dn "ou=Restricted,dc=cs,dc=vanc,dc=ca"
        set server "172.16.87.83"
    next
end
2) Define user groups
config user group
    edit "unrestricted"
        set member "Unrestricted OU"
        set profile "unfiltered"
        set types-in-group 4
    next
    edit "restricted"
        set member "Restricted OU"
        set profile "block-yahoo"
        set types-in-group 4
    next
end
3) Enable firewall authentication
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        …
        set authentication enable
        set groups "unrestricted" "restricted"
    next
end
How to login?
In this example, end users should use the full name to log in.
Result of logging in:
Note: you must reload the page after you receive this message.
Blocking of yahoo site (for restricted user):
What LDAP query occurs in the background?
For an unrestricted user (the first bind is successful): …
For a restricted user (the second bind is successful): …
What is the full name anyway, and how does it differ from the display name or the login name?
Implementation B
Two user groups & LDAP authentication but no OUs (the exception to the rule)
Note: this method can also be used with RADIUS servers.
In this case, users are not neatly separated into OUs in Active Directory, so instead we exempt users on a case-by-case basis.
1) Define the LDAP servers
<as above>
2) Define user groups
In this example, “joe smith” will be exempted. Everyone else will be blocked from accessing “yahoo.com”.
config user ldap
    edit "AD -- Display Name"
        set server "172.16.87.83"
    next
end
! if "joe smith" logs in, authenticate against LDAP
config user local
    edit "joe smith"
        set type ldap
        set ldap_server "AD -- Display Name"
    next
end
config user group
    ! majority of users
    edit "restricted"
        set member "AD -- Display Name"
        set profile "block-yahoo"
        set types-in-group 4
    next
    ! "joe smith" is treated differently than other logins
    edit "exception"
        set member "joe smith"
        set profile "unfiltered"
        set types-in-group 16
    next
end
3) Enable firewall authentication
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        …
        set authentication enable
        set groups "exception" "restricted"
    next
end
How to login?
In this example, end users should use the display name to log in.
What LDAP query occurs in the background?
In this case, whether the user is one of the exempt users or falls into the restricted group, only one bind request is made:
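The bind sequences described for both implementations (two ordered binds in Implementation A, a single bind plus a login-name exemption check in Implementation B), as an added Python simulation that is not part of the technote or FortiOS. It runs against constructed in-memory directories and assumes the bind DN is formed as cn=<login>,<server dn> (the FortiOS default cnid "cn"), that policy groups are tried in "set groups" order, and a container DN for the "AD -- Display Name" server that the technote elides.

```python
# Added example, not from the technote: simulates the FortiGate bind sequence
# for each implementation against constructed in-memory directories, showing
# which group/profile a login ends up with and how many binds it takes.
# Assumptions: bind DN = cn=<login>,<server dn> (FortiOS default cnid "cn");
# policy groups are tried in "set groups" order.

# Constructed entries for Implementation A (users split by OU): DN -> password.
DIR_A = {
    "cn=alice adams,ou=Unrestricted,dc=cs,dc=vanc,dc=ca": "pw-alice",
    "cn=bob brown,ou=Restricted,dc=cs,dc=vanc,dc=ca": "pw-bob",
}
# Constructed entries for Implementation B (everyone in one container; the
# container DN is assumed because the technote elides it).
DIR_B = {
    "cn=joe smith,cn=Users,dc=cs,dc=vanc,dc=ca": "pw-joe",
    "cn=bob brown,cn=Users,dc=cs,dc=vanc,dc=ca": "pw-bob",
}

def ldap_bind(directory, dn, password):
    """Stand-in for an LDAP simple bind: succeeds only on an exact DN/password match."""
    return directory.get(dn) == password

# Implementation A: one LDAP server object per OU, one group per server,
# listed in the order of 'set groups "unrestricted" "restricted"'.
GROUPS_A = [
    ("unrestricted", "ou=Unrestricted,dc=cs,dc=vanc,dc=ca", "unfiltered"),
    ("restricted", "ou=Restricted,dc=cs,dc=vanc,dc=ca", "block-yahoo"),
]

def authenticate_a(login, password):
    """Return (group, profile, binds); group is None when every bind fails."""
    binds = 0
    for group, base_dn, profile in GROUPS_A:
        binds += 1                      # one bind per group, first success wins
        if ldap_bind(DIR_A, f"cn={login},{base_dn}", password):
            return group, profile, binds
    return None, None, binds

# Implementation B: a single LDAP server for all logins; "joe smith" exists as a
# local ldap-type user in the "exception" group and is matched by login name,
# so only one bind is ever needed regardless of outcome.
BASE_DN_B = "cn=Users,dc=cs,dc=vanc,dc=ca"   # assumed dn for "AD -- Display Name"
EXCEPTIONS_B = {"joe smith"}

def authenticate_b(login, password):
    """Return (group, profile, binds) for the one-bind exemption scheme."""
    if not ldap_bind(DIR_B, f"cn={login},{BASE_DN_B}", password):
        return None, None, 1
    if login in EXCEPTIONS_B:
        return "exception", "unfiltered", 1
    return "restricted", "block-yahoo", 1
```

Swapping the order of GROUPS_A changes which OU is tried first but not the result for a given user, since each AD object has exactly one DN; a failed login still costs one bind per group listed in the policy.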