Hello. I hope this time I am clearer!

The idea of the project is as follows: to make it so that when a client connects to my branch's guest network, they are redirected to a captive portal and, if authentication is successful, access is granted.

Our scenario is as follows: we have two companies, one being the branch and the other our headquarters. We have an instance of PacketFence installed at the headquarters, serving as a captive portal for the guest networks. In the current configuration of our headquarters, PacketFence serves as a gateway for our guest networks and authentication works perfectly both via LDAP and via SMS.

Our difficulty is as follows: we have already managed to make a RADIUS connection between the FortiGate at our branch and the PacketFence at the headquarters. The connection is successful. We configured the FortiGate as a Switch in PacketFence and created an Authentication Source. However, when we try to perform a user test on the FortiGate, the following error always returns: "Authentication failed on PacketFence".

The idea of our project is not to configure VLANs for registration, isolation and production, but rather for PacketFence to authenticate users via captive portal, using authentication via RADIUS, LDAP, e-mail and SMS, and forward this to the FortiGate.

The VPN I mentioned earlier is only for business-to-business connections and not an SSL VPN connection.

Best regards,

From: Aaron Zuercher via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Wednesday, 28 August 2024 15:59
To: Mark Amber <m...@splchicago.com>
Cc: Aaron Zuercher <aaron.techge...@gmail.com>; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Authentication PacketFence + Radius + FortiGate

Mark,

You are correct about RSSO roles/groups working on FortiGate. We have that part working, but I needed more granular controls for a select user and tried to set up a policy for just that.
One workaround you mention would be making groups for individual users; I just worked around it by setting a DHCP reservation on that particular device and setting my policy for that IP.

Aaron

On Wed, Aug 28, 2024 at 9:36 AM Mark Amber <m...@splchicago.com> wrote:

I am also not clear on exactly the desired setup; perhaps respond to this message with a goal rather than what you did.

As for FortiGate SSO, you create Roles and use those roles in user policies on the FTG. Wouldn't you want this anyway instead of making policies for individual users? You could always make a role for each individual user that needs to have a specific policy. The setup is fairly straightforward using the RSSO external connector within Security Fabric, and a couple of things on the command line/config. I can expand on this when I have time, if you are still interested.

For me, I created some specific groups and created corresponding RSSO groups on the FTG. I set up an LDAP authentication source and authentication rules to grant PF roles based on memberOf equals conditions. I found it useful to cascade the rules starting with higher privilege first, in case a user is a member of both high and low privilege groups. This could be used for

The thing I don't think people are understanding is your comment about VPN. If you are having users use the FortiClient anyway, and authenticating using LDAP, then you can develop far more user-friendly and granular rules directly in FortiGate. You can also splurge for their EMS product and get SSO over IPsec VPN and more metrics like group policy and antivirus enforcement. If you are using the VPN, FortiGate can do this natively. I just don't understand why this VPN is part of the problem domain yet. Maybe if you elaborated we could help better.
--
Mark Amber

________________________________
From: Aaron Zuercher via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Tuesday, August 27, 2024 2:08:19 PM
To: packetfence-users@lists.sourceforge.net
Cc: Aaron Zuercher <aaron.techge...@gmail.com>
Subject: Re: [PacketFence-users] Authentication PacketFence + Radius + FortiGate

Hello, I'm not sure if I understand your design fully, but I know FortiGate doesn't support RADIUS (RSSO) users in its profiles. Here is a forum thread that explains the problem: https://community.fortinet.com/t5/Support-Forum/Using-RSSO-usernames-in-policies/td-p/11235

I have put in a feature request with Fortinet to add this. If this is affecting you, I recommend contacting Fortinet to add support to this feature request.

Aaron

On Wed, Aug 21, 2024 at 2:41 PM Guilherme Assis via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello everyone. Can you help me with a configuration? I am working on a deployment that requires integrating my FortiGate firewall with PacketFence RADIUS. The idea is to have clients connect to my Wi-Fi network through a site-to-site VPN to authenticate via captive portal, with RADIUS returning whether the user was authorized or not, thus freeing up the client's internet. However, I am having difficulties with this configuration. The FortiGate has already managed to connect to RADIUS, but when I create a local user in PacketFence for testing, I am unsuccessful when trying to authenticate. For this configuration to be possible, do I need to synchronize the SSO Firewall? Today I have configured the FortiGate in the Switches and SSO Firewall tabs.

Another question is how I should create the authentication source for this configuration to work. I appreciate everyone's help!

Best regards,

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
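The thread above turns on one question: what does PacketFence actually answer when the FortiGate sends it an Access-Request? The following is an added example, not code from the thread, from PacketFence or from Fortinet: a minimal RADIUS PAP test client (RFC 2865, Python standard library only) that builds one Access-Request, hides the User-Password the way the RFC specifies, and verifies the Response Authenticator before trusting the Access-Accept/Reject and whatever attributes (Class, Filter-Id, Reply-Message) come back. Run from a host whose source IP PacketFence knows as a switch/RADIUS client; FreeRADIUS, which PacketFence uses, silently discards requests from unknown clients, so a timeout with no reply points at the client definition or the shared secret rather than at the user. The server address, shared secret, NAS-IP-Address and user names are placeholders, and the probe only exercises PAP: if the FortiGate is configured for another authentication type, a PAP success here does not show that path works.

```python
#!/usr/bin/env python3
"""Minimal RADIUS PAP probe (RFC 2865). Added example, not PacketFence/Fortinet code.
All addresses, secrets and user names used with it are constructed placeholders."""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_FILTER_ID, ATTR_REPLY_MESSAGE, ATTR_CLASS = 11, 18, 25


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (the server's view); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """TLV encoding: Type(1) Length(1, includes the two header bytes) Value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(raw: bytes):
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((raw[i], raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return attrs


def build_access_request(identifier, authenticator, username, password, secret, nas_ip):
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code, identifier, request_authenticator, attrs, secret):
    """Server side, used here to construct replies offline:
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body


def parse_response(data, request_authenticator, secret):
    """Check the Response Authenticator before believing the Code or any attribute."""
    if len(data) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    body = data[20:length]
    expected = hashlib.md5(data[:4] + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, data[4:20]):
        raise ValueError("Response Authenticator mismatch: shared secret differs or reply is forged")
    return code, identifier, decode_attrs(body)


def radius_auth(server, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """Send one Access-Request over UDP and return (code name, attributes)."""
    authenticator = os.urandom(16)
    request = build_access_request(1, authenticator, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # a timeout here usually means an unknown RADIUS client, not a bad user
        sock.sendto(request, (server, port))
        data, _ = sock.recvfrom(4096)
    code, identifier, attrs = parse_response(data, authenticator, secret)
    if identifier != 1:
        raise ValueError("reply carries a different Identifier")
    return CODE_NAMES.get(code, str(code)), attrs


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: radius_probe.py <server> <secret> <user> <password> <nas-ip>  (all placeholders)")
    name, attrs = radius_auth(sys.argv[1], sys.argv[2].encode(), sys.argv[3], sys.argv[4], sys.argv[5])
    print(name)
    for attr_type, value in attrs:
        print("  attr %d: %r" % (attr_type, value))  # e.g. Class/Filter-Id carrying the PacketFence role
```

Compare the result with what the FortiGate reports: an Access-Reject here means PacketFence itself refused the user (check the authentication source and its rules), while a timeout or an authenticator mismatch points at the switch definition or the shared secret on the PacketFence side.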