Fortinet Fortinet 1.5, Техническая заметка

Страница: 17 / 20

Using FSAE on your network Testing the configuration
Fortinet Server Authentication Extension Version 1.5 Technical Note
01-30005-0373-20071001
17
Allowing guests to access FSAE policies
Optionally, you can allow guest users to access FSAE firewall policies. Guests are
users unknown to the Windows AD network and servers that do not log on to a
Windows AD domain. To allow guest access, use the FortiGate GUI or CLI to
specify a guest protection profile for your FSAE firewall policy. For example
config firewall policy
edit FSAE_policy
set fsae-guest-profile strict
end
You can specify any existing protection profile. If you prefer, you can create a
custom protection profile to assign to guest users. For more information, see the
Firewall Protection Profile chapter of the
FortiGate Administration Guide .
Testing the configuration
To verify that you have correctly configured FSAE on your network and on your
FortiGate units:
1 From a workstation on your network, log on to your domain using an account that
belongs to a group that is configured for authentication on the FortiGate unit.
2 Try to connect to the resource that is protected by the firewall policy requiring
authentication via FSAE.
You should be able to connect to the resource without being asked for username
or password.
3 Log off and then log on using an account that does not belong to a group you
have configured for authentication on the FortiGate unit.
4 Try to connect to the resource that is protected by the firewall policy requiring
authentication via FSAE.
Your attempt to connect to the resource should fail.
NTLM authentication
In system configurations where it is not possible to install FSAE clients on all AD
servers, the FortiGate unit must be able to query the AD servers to find out if a
user has been properly authenticated. This is achieved using the NTLM
messaging features of Active Directory and Internet Explorer.
Understanding the NTLM authentication process
1 The client (user) attempts to connect to an external HTTP resource (internet) and
issues an unauthenticated request via the FortiGate unit.
2 The FortiGate is aware that this client has not authenticated previously, so
responds with a
401 Unauthenticated
status code, and tells the client which
authentication method to come back with via the header:
Proxy-Authenticated: NTLM
. The session is dismantled.