Nov 16, 2012

How To Configure Active Directory Users in Fortigate

I mentioned yesterday that I recently received a Fortigate 60C firewall. One of the main reasons for getting it, besides the awesome price, was its ability to do DLP, web filtering and a bunch of other cool tools as a part of their unified threat management. Well, yesterday I was playing with web filtering and I found a really interesting feature.

You can limit access to certain websites by user, and those users can be authenticated against Active Directory over LDAP. The issue I found with the default settings was that it's looking for a CN identifier, but I want my users to be able to use their regular username. For instance, if your company uses first.last for the username, that's what I want to do.

To do that, we first configure an LDAP server entry that points at a domain controller, then change the attribute it searches on from the default common name to the AD logon name, sAMAccountName. The steps are:

  • Go to User > Remote > LDAP
  • Click Create New
  • Give it a name
  • Enter the IP address of your domain controller
  • Leave the Server Port at 389 for plain LDAP. Keep in mind that a plain LDAP bind sends the bind password over the wire in cleartext; if your domain controller has a certificate, use LDAPS on port 636 instead.
  • Change the Common Name Identifier to sAMAccountName <- AD Username! (The default, cn, matches the user's full name in AD, not the logon name.)
  • Change the Bind Type to Regular
  • Enter the User DN for the account the Fortigate will bind with (see below). This does not have to be a domain administrator: any account that can read the user OU works, and a dedicated read-only service account is the safer choice.
  • Enter the password for that bind account
  • Now click the Browse button next to Distinguished Name and browse to the OU where your users are. The OU you pick is the base of the search, so if users live in several OUs choose a parent OU (or the domain root) that contains all of them.
  • Click OK
Should look something like this:

If you don't know how to find the DN for a user account, the easiest way is to open ADSI Edit on your domain controller, browse to the user, then right-click and choose Properties. The DN is the value of the distinguishedName attribute; double-click it, copy the contents and paste it into your Fortigate. From a command prompt on the domain controller, dsquery user -samid first.last prints the same DN.

That's it really. If you enter the DN and the password for the bind account correctly, the browsing part will work. If browsing fails, the bind failed: check the DN, the password and that the Fortigate can reach the domain controller on port 389 (or 636 for LDAPS). Once it works, you can create users that match their AD logon name for authentication on your Fortigate!
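The same configuration can be entered from the FortiGate CLI, which is handy for documenting the setup or repeating it on a second unit. The following is an added example and not the author's own configuration: the server name AD-LDAP, the IP 192.0.2.10, the DNs, the service account svc-fortigate and the CA certificate name are placeholders to replace with your own values, and the lines starting with # are annotations to strip before pasting into the CLI. It goes a bit beyond the GUI steps by switching to LDAPS and adding the user group that a web filter policy actually references.

```fortios
# Added example: FortiOS CLI equivalent of the GUI steps above.
# Names, IP address and DNs below are placeholders, not the author's values.

config user ldap
    edit "AD-LDAP"
        # Domain controller to query (name or IP the FortiGate can reach)
        set server "192.0.2.10"
        # Search on the AD logon name (first.last) instead of the default cn
        set cnid "sAMAccountName"
        # Base of the search: an OU (or the domain root) containing every
        # user who must be able to log in
        set dn "OU=Users,DC=corp,DC=example"
        # regular = bind with the service account, look up the user's DN,
        # then bind again as that DN with the password the user typed
        set type regular
        # A read-only service account is enough; no domain admin needed
        set username "CN=svc-fortigate,OU=Service Accounts,DC=corp,DC=example"
        set password "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
        # Plain LDAP on 389 sends the bind password in cleartext; if the DC
        # has a certificate, use LDAPS and trust only its issuing CA
        set port 636
        set secure ldaps
        set ca-cert "Corp-Root-CA"
    next
end

# Policies reference a user group, not the LDAP server directly
config user group
    edit "AD-Web-Filtered"
        set member "AD-LDAP"
        # Optional: only members of one AD group are accepted
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=WebFiltered,OU=Groups,DC=corp,DC=example"
            next
        end
    next
end
```

To confirm the bind and the sAMAccountName lookup work before touching any policies, run diagnose test authserver ldap AD-LDAP first.last <password> from the CLI; it reports whether authentication succeeded and which AD groups the user belongs to. Because the password appears on the command line, use a test account rather than a real user's credentials.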
