Firewall Authentication Flashcards
(23 cards)
To monitor authenticated users:
Can see on the GUI after enabling the Firewall User monitor
On CLI, use diagnose firewall auth list
Session flag that states the user has been authenticated
authed
next to the may_dirty flag
Real Time debug for Authentication:
diagnose debug application authd -1
Three methods (or binds) that FGT can use to access LDAP:
simple
anonymous
and regular (most common, versatile, and complex)
Four steps of Regular Bind Flow for LDAP
- Bind Request: FortiGate logs into (binds to) the LDAP server using an LDAP admin account. FortiGate only knows the username, but not where the branch is located.
- Search Request: FortiGate does a search query in the LDAP database to find the user’s location or DN. Once successful, FortiGate logs out of (unbinds from) the LDAP server.
- Another bind request, but this time with the user credentials by sending the DN obtained from the previous step
- Bind Response success: Obtain user group information. Generally done by an LDAP query
Commands to check what DN is correct on Active Directory Server:
dsquery user -name (full_user_name)
or
dsquery user -samid (login_username)
Example:
dsquery user -samid jsmith
"cn=John Smith, cn=users, dc=california, dc=fortinet, dc=com"
correct DN would be:
dc=california, dc=fortinet, dc=com
What is the Bind DN?
AKA the user DN. It is the full DN of the LDAP admin account.
Can use the dsquery user commands and get the FULL DN with the admin's username
Windows AD Regular Bind Config on FGT
Common Name identifier: CN (John Smith) or sAMAccountName (jsmith)
Distinguished Name is found by querying the user’s DN using commands on the server.
Username is the FULL DN from the query for admin on the server
Password is the password of the admin
Authentication Test Command for LDAP
diagnose test authserver ldap (server_name) (user) (password)
Can be run as soon as LDAP config is set up, even before adding any users, groups, or auth policies to FGT
Real-time debug command for both LDAP and RADIUS
diagnose debug application fnbamd -1
FOR LDAP:
in the output, you can see message start_search_dn, which indicates FGT is performing step two of the Bind. Message Found DN followed by the user’s full DN means the LDAP server found the user.
Then you can see step three and four in the output
If there is a problem with step 1 or 3 of the LDAP process, you can sniff the traffic.
diagnose sniffer packet any "port 389" 3
If bind fails, the LDAP server will return error code:
0x525 - user not found
0x52e - invalid credentials
0x530 - not permitted to logon at this time
0x531 - not permitted to logon from this workstation
0x532 - password expired
0x533 - account disabled
0x701 - account expired
0x773 - user must reset password
0x775 - account locked out
LDAP Real Time Debug message: No More DN left
means that LDAP server couldn’t find the user in the tree
LDAP Real Time Debug message: Auth Denied
Either user creds are wrong or user account is not active
LDAP Real Time Debug message: get_member_of_groups-attr=(attribute name) - found 0 values
Means that a problem occurred in step four.
User creds are correct, but no user group information was found
RADIUS overview
Provides Authentication, Authorization, and Accounting (AAA) services
Begins with Access-Request and responses are:
Access-Accept
Access-Reject
Access-Challenge (if MFA is enabled)
Testing RADIUS command
diagnose test authserver radius (server_name) (scheme) (user) (password)
Supported Schemes for RADIUS
chap, pap, mschap, and mschap2
Result for RADIUS request in Real-Time Debug
0: Authentication Successful
1: Authentication failed
Sniffing RADIUS Traffic
UDP port 1812 for authentication or port 1813 for accounting
diagnose sniffer packet any "port 1812" 3
Can capture various types of data such as:
user creds
RADIUS Attributes
Authentication requests, responses, and accounting information
Timing and frequency of authentication requests and responses
SAML is supported for these features:
On FGT:
Admin Login
SSL VPN
Outbound Firewall Authentication
Proxy Policies
Wireless (captive portal)
IPsec VPN
Checking SAML Metadata commands
diagnose vpn ssl saml-metadata
diagnose sys saml metadata
SAML Real-Time Debug command
diagnose debug application samld -1
better used in combination with the feature that is using SAML:
sslvpnd
iked
cw-acd (wireless)
wad (Proxy policies)
Useful sections of Real-Time debug output for SAML:
SP Login Dump section: contains the client’s request based on information provided by the SP.
Assertion Dump: Provides the client authentication request to FGT acting as the SP based on information received from the IdP