
Configuring X-Auth-User authentication

In a network topology where the downstream proxy performs the authentication (with basic, NTLM, Kerberos, and so on) and the upstream proxy performs the authorization, you can pass on authentication headers such as X-Authenticated-User. In this example:

  • FPX1 is the upstream proxy (authorization).
  • FPX2 is the downstream proxy (authentication).
  • Both FortiProxy units are deployed in explicit proxy mode.
  • The user's browser is configured to use FPX2 as its explicit proxy.
  • Authentication is performed at FPX2, and FPX1 obtains the authenticated identity from the X-Authenticated-User header that FPX2 inserts; because FPX1 trusts this header, it should accept it only from FPX2.
  • FPX2 forwards all traffic to FPX1 using proxy chaining.
  • FPX1 performs SSO for the authenticated traffic that arrives from FPX2.

Step 1: Configure FPX2

  1. Configure the LDAP server.

    config user ldap

    edit "open_ldap"

    set server "10.30.0.11"

    set cnid "cn"

    set dn "dc=domain,dc=com"

    set type regular

    set username "cn=admin,dc=domain,dc=com"

    set password password

    next

    end

  2. Create the user group.

    config user group

    edit "open_ldap_group_fpx2"

    set member "open_ldap"

    next

    end

  3. Create an authentication scheme.

    config authentication scheme

    edit "basic_auth"

    set method basic

    set user-database "open_ldap"

    next

    end

  4. Create an authentication rule.

    config authentication rule

    edit "basic_auth_rule"

    set srcintf "any"

    set srcaddr "all"

    set dstaddr "all"

    set active-auth-method "basic_auth" <===== NOTE: This is the active-auth-method.

    next

    end

  5. Configure the forwarding server.

    config web-proxy forward-server

    edit "FPX1"

    set ip 10.20.0.11

    set port 8080

    next

    end

  6. Create the proxy profile.

    config web-proxy profile

    edit "XFF"

    set header-x-forwarded-for add <===== Insert the user's actual IP address

    set header-x-authenticated-user add <===== Insert the successfully authenticated user name

    set header-x-authenticated-groups add <===== Insert the successfully authenticated user group

    next

    end

  7. Create a firewall policy.

    config firewall policy

    edit 1

    set type explicit-web

    set explicit-web-proxy "web-proxy"

    set dstintf "port1"

    set srcaddr "all"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set service "webproxy"

    set logtraffic all

    set log-http-transaction enable

    set webproxy-profile "XFF"

    set webproxy-forward-server "FPX1" <===== Authenticated user traffic matching this policy will be forwarded to FPX1.

    set groups "open_ldap_group_fpx2"

    set utm-status enable

    set ssl-ssh-profile "FPX_deep_inspection"

    next

    end

Step 2: Configure FPX1

  1. Configure the global web-proxy setting.

    config web-proxy global

    set proxy-fqdn "default.fqdn"

    set learn-client-ip enable <===== have FPX1 learn the actual user IP address

    set learn-client-ip-from-header x-forwarded-for <===== learn it from the x-forwarded-for header

    set learn-client-ip-srcaddr "all" <===== accept the header from any source address; in production, restrict this to the address of FPX2 so that only the downstream proxy can assert a client IP address

    end

  2. Configure the LDAP server (NOTE: FPX2 and FPX1 are integrated with the same LDAP server).

    config user ldap

    edit "open_ldap"

    set server "10.30.0.11"

    set cnid "cn"

    set dn "dc=domain,dc=com"

    set type regular

    set username "cn=admin,dc=domain,dc=com"

    set password password

    next

    end

  3. Create the user group.

    config user group

    edit "open_ldap_group"

    set member "open_ldap"

    next

    end

  4. Create an authentication scheme.

    config authentication scheme

    edit "X-Auth-User"

    set method x-auth-user

    set user-database "open_ldap"

    next

    end

  5. Create an authentication rule.

    config authentication rule

    edit "X-Auth-Rule"

    set srcintf "any"

    set srcaddr "all"

    set dstaddr "all"

    set sso-auth-method "X-Auth-User" <===== NOTE: This is the sso-auth-method.

    next

    end

  6. Create the proxy profile.

    config web-proxy profile

    edit "XFF-FPX1"

    set header-x-forwarded-for add

    set header-x-authenticated-user add

    set header-x-authenticated-groups add

    next

    end

  7. Create a firewall policy.

    config firewall policy

    edit 1

    set type explicit-web

    set explicit-web-proxy "web-proxy"

    set dstintf "port1"

    set srcaddr "all"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set service "webproxy"

    set logtraffic all

    set log-http-transaction enable

    set webproxy-profile "XFF-FPX1"

    set groups "open_ldap_group"

    set utm-status enable

    set ssl-ssh-profile "FPX_deep_inspection"

    next

    end

Step 3: Verify that authentication was successful

  1. On FPX2:

    FPX2 # diagnose wad user list

    ID: 3, IP: 10.30.0.11, VDOM: root

    user name : JaneDoe

    worker : 0

    duration : 17245

    auth_type : IP

    proxy_type : Explicit Proxy

    auth_method : Basic <===== Basic authentication method

    pol_id : 1

    g_id : 2

    user_based : 0

    expire : no

    LAN:

    bytes_in=55846 bytes_out=2022768

    WAN:

    bytes_in=2022264 bytes_out=62121

  2. On FPX1:

    FPX1 # diagnose wad user list

    ID: 9, IP: 10.30.0.11, VDOM: root

    user name : JaneDoe

    worker : 0

    duration : 11

    auth_type : IP

    proxy_type : Explicit Proxy

    auth_method : x-auth-user <===== X-Auth-User SSO authentication method

    pol_id : 3

    g_id : 2

    user_based : 0

    expire : no

    LAN:

    bytes_in=61935 bytes_out=2022264

    WAN:

    bytes_in=2013467 bytes_out=56463

Summary

JaneDoe was authenticated at FPX2 using basic authentication.

Her traffic matched the policy and was forwarded to FPX1 with the additional HTTP headers inserted by FPX2.

FPX1 received the traffic and read the X-Authenticated-User HTTP header to authorize it.

The user is not prompted by FPX1 to authenticate again.

Configuring X-Auth-User authentication

In a network topology where the downstream proxy performs the authentication (with basic, NTLM, Kerberos, and so on) and the upstream proxy performs the authorization, you can pass on authentication headers such as X-Authenticated-User. In this example:

  • FPX1 is the upstream proxy (authorization).
  • FPX2 is the downstream proxy (authentication).
  • Both FortiProxy units are deployed in explicit proxy mode.
  • The user's browser is configured to use FPX2 as its explicit proxy.
  • Authentication is performed at FPX2, and FPX1 obtains the authenticated identity from the X-Authenticated-User header that FPX2 inserts; because FPX1 trusts this header, it should accept it only from FPX2.
  • FPX2 forwards all traffic to FPX1 using proxy chaining.
  • FPX1 performs SSO for the authenticated traffic that arrives from FPX2.

Step 1: Configure FPX2

  1. Configure the LDAP server.

    config user ldap

    edit "open_ldap"

    set server "10.30.0.11"

    set cnid "cn"

    set dn "dc=domain,dc=com"

    set type regular

    set username "cn=admin,dc=domain,dc=com"

    set password password

    next

    end

  2. Create the user group.

    config user group

    edit "open_ldap_group_fpx2"

    set member "open_ldap"

    next

    end

  3. Create an authentication scheme.

    config authentication scheme

    edit "basic_auth"

    set method basic

    set user-database "open_ldap"

    next

    end

  4. Create an authentication rule.

    config authentication rule

    edit "basic_auth_rule"

    set srcintf "any"

    set srcaddr "all"

    set dstaddr "all"

    set active-auth-method "basic_auth" <===== NOTE: This is the active-auth-method.

    next

    end

  5. Configure the forwarding server.

    config web-proxy forward-server

    edit "FPX1"

    set ip 10.20.0.11

    set port 8080

    next

    end

  6. Create the proxy profile.

    config web-proxy profile

    edit "XFF"

    set header-x-forwarded-for add <===== Insert the user's actual IP address

    set header-x-authenticated-user add <===== Insert the successfully authenticated user name

    set header-x-authenticated-groups add <===== Insert the successfully authenticated user group

    next

    end

  7. Create a firewall policy.

    config firewall policy

    edit 1

    set type explicit-web

    set explicit-web-proxy "web-proxy"

    set dstintf "port1"

    set srcaddr "all"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set service "webproxy"

    set logtraffic all

    set log-http-transaction enable

    set webproxy-profile "XFF"

    set webproxy-forward-server "FPX1" <===== Authenticated user traffic matching this policy will be forwarded to FPX1.

    set groups "open_ldap_group_fpx2"

    set utm-status enable

    set ssl-ssh-profile "FPX_deep_inspection"

    next

    end

Step 2: Configure FPX1

  1. Configure the global web-proxy setting.

    config web-proxy global

    set proxy-fqdn "default.fqdn"

    set learn-client-ip enable <===== have FPX1 learn the actual user IP address

    set learn-client-ip-from-header x-forwarded-for <===== learn it from the x-forwarded-for header

    set learn-client-ip-srcaddr "all" <===== accept the header from any source address; in production, restrict this to the address of FPX2 so that only the downstream proxy can assert a client IP address

    end

  2. Configure the LDAP server (NOTE: FPX2 and FPX1 are integrated with the same LDAP server).

    config user ldap

    edit "open_ldap"

    set server "10.30.0.11"

    set cnid "cn"

    set dn "dc=domain,dc=com"

    set type regular

    set username "cn=admin,dc=domain,dc=com"

    set password password

    next

    end

  3. Create the user group.

    config user group

    edit "open_ldap_group"

    set member "open_ldap"

    next

    end

  4. Create an authentication scheme.

    config authentication scheme

    edit "X-Auth-User"

    set method x-auth-user

    set user-database "open_ldap"

    next

    end

  5. Create an authentication rule.

    config authentication rule

    edit "X-Auth-Rule"

    set srcintf "any"

    set srcaddr "all"

    set dstaddr "all"

    set sso-auth-method "X-Auth-User" <===== NOTE: This is the sso-auth-method.

    next

    end

  6. Create the proxy profile.

    config web-proxy profile

    edit "XFF-FPX1"

    set header-x-forwarded-for add

    set header-x-authenticated-user add

    set header-x-authenticated-groups add

    next

    end

  7. Create a firewall policy.

    config firewall policy

    edit 1

    set type explicit-web

    set explicit-web-proxy "web-proxy"

    set dstintf "port1"

    set srcaddr "all"

    set dstaddr "all"

    set action accept

    set schedule "always"

    set service "webproxy"

    set logtraffic all

    set log-http-transaction enable

    set webproxy-profile "XFF-FPX1"

    set groups "open_ldap_group"

    set utm-status enable

    set ssl-ssh-profile "FPX_deep_inspection"

    next

    end

Step 3: Verify that authentication was successful

  1. On FPX2:

    FPX2 # diagnose wad user list

    ID: 3, IP: 10.30.0.11, VDOM: root

    user name : JaneDoe

    worker : 0

    duration : 17245

    auth_type : IP

    proxy_type : Explicit Proxy

    auth_method : Basic <===== Basic authentication method

    pol_id : 1

    g_id : 2

    user_based : 0

    expire : no

    LAN:

    bytes_in=55846 bytes_out=2022768

    WAN:

    bytes_in=2022264 bytes_out=62121

  2. On FPX1:

    FPX1 # diagnose wad user list

    ID: 9, IP: 10.30.0.11, VDOM: root

    user name : JaneDoe

    worker : 0

    duration : 11

    auth_type : IP

    proxy_type : Explicit Proxy

    auth_method : x-auth-user <===== X-Auth-User SSO authentication method

    pol_id : 3

    g_id : 2

    user_based : 0

    expire : no

    LAN:

    bytes_in=61935 bytes_out=2022264

    WAN:

    bytes_in=2013467 bytes_out=56463

Summary

JaneDoe was authenticated at FPX2 using basic authentication.

Her traffic matched the policy and was forwarded to FPX1 with the additional HTTP headers inserted by FPX2.

FPX1 received the traffic and read the X-Authenticated-User HTTP header to authorize it.

The user is not prompted by FPX1 to authenticate again.