Using FSAE on your network

Fortinet Server Authentication Extension Version 1.5 Technical Note
01-30005-0373-20071001

Allowing guests to access FSAE policies

Optionally, you can allow guest users to access FSAE firewall policies. Guests are
users unknown to the Windows AD network and servers that do not log on to a
Windows AD domain. To allow guest access, use the FortiGate GUI or CLI to
specify a guest protection profile for your FSAE firewall policy. For example:

    config firewall policy
        edit FSAE_policy
            set fsae-guest-profile strict
    end

You can specify any existing protection profile. If you prefer, you can create a
custom protection profile to assign to guest users. For more information, see the
Firewall Protection Profile chapter of the FortiGate Administration Guide.

Testing the configuration

To verify that you have correctly configured FSAE on your network and on your
FortiGate units:

1. From a workstation on your network, log on to your domain using an account that
   belongs to a group that is configured for authentication on the FortiGate unit.

2. Try to connect to the resource that is protected by the firewall policy requiring
   authentication via FSAE.

   You should be able to connect to the resource without being asked for a username
   or password.

3. Log off and then log on using an account that does not belong to a group you
   have configured for authentication on the FortiGate unit.

4. Try to connect to the resource that is protected by the firewall policy requiring
   authentication via FSAE.

   Your attempt to connect to the resource should fail.

NTLM authentication

In system configurations where it is not possible to install FSAE clients on all AD
servers, the FortiGate unit must be able to query the AD servers to find out if a
user has been properly authenticated. This is achieved using the NTLM
messaging features of Active Directory and Internet Explorer.

Understanding the NTLM authentication process

1. The client (user) attempts to connect to an external HTTP resource (internet) and
   issues an unauthenticated request via the FortiGate unit.

2. The FortiGate unit is aware that this client has not authenticated previously, so it
   responds with a 401 Unauthenticated status code and tells the client which
   authentication method to come back with via the header:

       Proxy-Authenticated: NTLM

   The session is dismantled.
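The first two steps above, as an added example that is not taken from the manual or from FortiOS: a Python sketch of the proxy-side decision, which assumes the unit's record of who has already authenticated can be modelled as a set of client addresses, and uses the standard HTTP form of the proxy challenge (a 407 status with a Proxy-Authenticate header, per RFC 7235; the manual's text above calls it a 401). The NTLM token check reads the NTLMSSP signature and message-type field defined in MS-NLMP; the later steps of the handshake are not covered.

```python
import base64
from typing import Dict, Optional, Set, Tuple

# Every NTLM token starts with this signature, then a 4-byte little-endian
# message type: 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE (MS-NLMP).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Step 2 response: the challenge sent to a client that has not authenticated.
# The manual describes this as a 401; RFC 7235 uses 407 plus Proxy-Authenticate
# for proxy challenges. The connection is closed ("the session is dismantled").
CHALLENGE_RESPONSE = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                      b"Proxy-Authenticate: NTLM\r\n"
                      b"Connection: close\r\n\r\n")


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into its request line and lowercased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def ntlm_message_type(proxy_authorization: Optional[str]) -> Optional[int]:
    """Return the NTLM message type carried by a Proxy-Authorization header, else None."""
    if not proxy_authorization or not proxy_authorization.startswith("NTLM "):
        return None
    try:
        token = base64.b64decode(proxy_authorization[5:], validate=True)
    except ValueError:  # binascii.Error is a ValueError: reject malformed base64
        return None
    if len(token) < 12 or not token.startswith(NTLMSSP_SIGNATURE):
        return None
    return int.from_bytes(token[8:12], "little")


def handle_request(raw: bytes, client_ip: str, authenticated: Set[str]) -> Tuple[str, object]:
    """Steps 1-2: forward known clients, challenge unknown ones, hand NTLM tokens on.
    `authenticated` is an assumed stand-in for the unit's record of who has logged in."""
    request_line, headers = parse_request(raw)
    if client_ip in authenticated:
        return "forward", request_line
    mtype = ntlm_message_type(headers.get("proxy-authorization"))
    if mtype is None:
        return "challenge", CHALLENGE_RESPONSE  # step 2: challenge and close
    return "handshake", mtype  # type 1/3 tokens continue the exchange (not shown)
```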