ZTNA HTTPS access proxy with basic authentication example
This example expands on the previous example (ZTNA HTTPS access proxy example), adding LDAP authentication to the ZTNA rule. Users are allowed based on passing the client certificate authentication check, user authentication, and security posture check.
Users that are in the AD security group ALLOWED-VPN are allowed access to the access proxy. Users that are not part of this security group are not allowed access.
This example assumes that the FortiGate EMS fabric connector is already successfully connected.
LDAP/Active Directory Users and Groups:
-
Domain: KLHOME.local
-
Users (Groups):
-
radCurtis (Domain Users, ALLOWED-VPN)
-
radKeith (Domain Users)
-
To configure a secure connection to the LDAP server in the GUI:
-
Go to User & Authentication > LDAP Servers and click Create New.
-
Configure the following settings:
Name
WIN2K16-KLHOME-LDAPS
Server IP/Name
192.168.20.6
Server Port
636
Common Name Identifier
sAMAccountName
Distinguished Name
dc=KLHOME,dc=local
Exchange server
Disabled
Bind Type
Regular
Enter the Username and Password for LDAP binding and lookup.
Secure Connection
Enabled
-
Set Protocol to LDAPS
-
Enable Certificate and select the CA certificate to validate the server certificate.
Server identity check
Optionally, enable to verify the domain name or IP address against the server certificate.
-
-
Click Test Connectivity to verify the connection to the server.
-
Click OK.
To configure a secure connection to the LDAP server in the CLI:
config user ldap
edit "WIN2K16-KLHOME-LDAPS"
set server "192.168.20.6"
set cnid "sAMAccountName"
set dn "dc=KLHOME,dc=local"
set type regular
set username "KLHOME\\Administrator"
set password <password>
set secure ldaps
set ca-cert "CA_Cert_1"
set port 636
next
end
To configure a remote user group from the LDAP server in the GUI:
-
Go to User & Authentication > User Groups and click Create New.
-
Set the name to KLHOME-ALLOWED-VPN.
-
Set Type to Firewall.
-
In the Remote Groups table click Add:
-
Set Remote Server to WIN2K16-KLHOME-LDAPS.
-
Locate the ALLOWED-VPN group, right-click on it, and click Add Selected.
-
Click OK.
-
-
Click OK.
To configure a remote user group from the LDAP server in the CLI:
config user group
edit "KLHOME-ALLOWED-VPN"
set member "WIN2K16-KLHOME-LDAPS"
config match
edit 1
set server-name "WIN2K16-KLHOME-LDAPS"
set group-name "CN=ALLOWED-VPN,DC=KLHOME,DC=local"
next
end
next
end
Authentication scheme and rules
After the LDAP server and user group have been configured, an authentication scheme and rule must be configured.
|
To configure authentication schemes and rules in the GUI, go to System > Feature Visibility and enable Explicit Proxy. |
Authentication scheme
The authentication scheme defines the method of authentication that is applied. In this example, basic HTTP authentication is used so that users are prompted for a username and password the first time that they connect to a website through the HTTPS access proxy.
To configure an authentication scheme in the GUI:
-
Go to Policy & Objects > Authentication Rules and click Create New > Authentication Scheme.
-
Set the name to ZTNA-Auth-scheme.
-
Set Method to Basic.
-
Set User database to Other and select WIN2K16-KLHOME-LDAPS as the LDAP server.
-
Click OK.
To configure an authentication scheme in the CLI:
config authentication scheme
edit "ZTNA-Auth-scheme"
set method basic
set user-database "WIN2K16-KLHOME-LDAPS"
next
end
Authentication rule
The authentication rule defines the proxy sources and destination that require authentication, and what authentication scheme is applied. In this example, active authentication through the basic HTTP prompt is used and applied to all sources.
To configure an authentication rule in the GUI:
-
Go to Policy & Objects > Authentication Rules and click Create New > Authentication Rule.
-
Set the name to ZTNA-Auth-rule.
-
Set Source Address to all.
-
Set Protocol to HTTP.
-
Enable Authentication Scheme and select ZTNA-Auth-scheme.
-
Click OK.