Dead Packets

24/07/2014

LDAP authentication for administrative access to the FortiGate

Filed under: fortinet — drak @ 11:00 AM

After securing Internet access in the last post, this time we will explore some options to improve the security of access to the firewall, as well as integration with the Domain Controller (AD W2K8 R2) to simplify access for administrators.

Today's goal is to have administrative access to the firewall use the same credentials the user already has in the LDAP directory (Active Directory). To get there, the first step is to create the LDAP server:


config user ldap                                        # User & Device:Authentication:LDAP Servers
    edit "baldur"
        set server "10.0.1.10"
        set cnid "cn"
        set dn "DC=ad,DC=deadpackets,DC=com"             # dn for ad.deadpackets.com
        set type regular
        set username "_svcFGT"                          # User with read rights in AD
        set password D3@dPacket$!#
    next
end

Once configured, you can test it using the “Test” button in the GUI or via the CLI with the syntax below:

FortiGate-VM64 # diag test authserver ldap baldur _svcFGT D3@dPacket$!#
authenticate '_svcFGT' against 'baldur' succeeded!
Group membership(s) - CN=Domain Users,CN=Users,DC=ad,DC=deadpackets,DC=com

OK, the connection to AD is validated! Next we create the group on the FGT that references the AD group that should have access: we want only users in the “Information Technology” group to have administrative access to the firewall.

config user group                                       # User & Device:User:User Groups
    edit "Information Technology-FW"
        set member "baldur"
            config match
                edit 1
                    set server-name "baldur"
                    set group-name "CN=Information Technology,OU=HQ,DC=ad,DC=deadpackets,DC=com"
                next
            end
    next
end

Finally, all that is left is to create an administrator user that references the remote IT group.

config system admin                                     # System:Admin:Administrators
    edit "IT"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "Information Technology-FW"
    next
end

Now we test. One user in the administration group is John Wayne, who, naturally, tried to log in with his username ‘jwayne’ and… failed.

Back to debugging; we test with that same user via the CLI:

FortiGate-VM64 # diag test authserver ldap baldur jwayne D3@dPacket$!#
authenticate 'jwayne' against 'baldur' failed!

Reviewing the LDAP server configuration, we notice that the lookup uses the ‘cn’ attribute; using ADSI Edit in AD we check what value that attribute holds for the user jwayne.

[Screenshot adsi_cn: ADSI Edit showing the cn attribute of user jwayne]

So, since the cn holds the user's name in the form ‘John Wayne’, that must be the value used; we test again:

FortiGate-VM64 # diag test authserver ldap baldur 'John Wayne' D3@dPacket$!#
authenticate 'John Wayne' against 'baldur' succeeded!
Group membership(s) - CN=Information Technology,OU=HQ,DC=ad,DC=deadpackets,DC=com
                      CN=Domain Users,CN=Users,DC=ad,DC=deadpackets,DC=com

Success! But this is not how we want our users to log in; we want to use the username in its “short” form. Which attribute holds that value?

Back to ADSI Edit; going through the various attributes available we find the ideal one:

[Screenshot adsi_sAMAccountName: ADSI Edit showing the sAMAccountName attribute of user jwayne]

So, to get the expected behaviour, we must change the attribute used for the LDAP lookup.

config user ldap
    edit "baldur"
        set cnid "sAMAccountName"
    next
end
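The two settings this post tunes, the attribute named by cnid (which decides whether ‘jwayne’ or ‘John Wayne’ matches) and the group-name match configured under config user group, can be replayed in a small simulation. The Python below is an added example, not FortiOS code or anything from this blog: DIRECTORY is a constructed stand-in for the AD entries seen in ADSI Edit, and its bind_password field only stands in for the bind check (AD never exposes passwords this way). It also escapes the typed username as RFC 4515 requires before placing it in a filter, which is a good habit for any code that builds LDAP queries.

```python
# Added example, not FortiOS code: simulates the SEARCH -> USERBIND -> group
# match sequence with the 'cnid' attribute as the variable. DIRECTORY is
# constructed to mirror the lab domain ad.deadpackets.com.

IT_GROUP = "CN=Information Technology,OU=HQ,DC=ad,DC=deadpackets,DC=com"

DIRECTORY = [
    {
        "dn": "CN=John Wayne,OU=HQ,DC=ad,DC=deadpackets,DC=com",
        "cn": "John Wayne",
        "sAMAccountName": "jwayne",
        "memberOf": [IT_GROUP],
        "bind_password": "pw-jwayne",   # constructed stand-in for the bind check
    },
    {
        "dn": "CN=Harrison Ford,OU=HQ,DC=ad,DC=deadpackets,DC=com",
        "cn": "Harrison Ford",
        "sAMAccountName": "hford",
        "memberOf": ["CN=Sales,OU=HQ,DC=ad,DC=deadpackets,DC=com"],
        "bind_password": "pw-hford",    # constructed stand-in for the bind check
    },
]


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that are special inside an LDAP
    filter, so a typed username cannot change the shape of the query."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_filter(cnid, username):
    """The search the firewall issues is '<cnid>=<username>' under the
    configured 'dn' (compare the debug line 'filter:sAMAccountName=jwayne')."""
    return "(%s=%s)" % (cnid, escape_filter_value(username))


def search_dn(cnid, username):
    """SEARCH stage: DNs whose <cnid> attribute equals the typed name.
    cn and sAMAccountName are matched case-insensitively in AD."""
    return [e["dn"] for e in DIRECTORY
            if e.get(cnid, "").lower() == username.lower()]


def check_admin_access(cnid, username, password, required_group):
    """Replays the three stages visible in the fnbamd debug output:
    SEARCH for candidate DNs, USERBIND with each DN until one accepts the
    password, then the memberOf check against the required AD group."""
    candidates = search_dn(cnid, username)
    if not candidates:
        return "no_such_user"           # filter matched nothing
    for dn in candidates:               # 'Trying DN 1', 'Trying DN 2', ...
        entry = next(e for e in DIRECTORY if e["dn"] == dn)
        if entry["bind_password"] == password:
            break
    else:
        return "invalid_password"       # 'No more DN left' -> Auth denied
    if required_group not in entry["memberOf"]:
        return "not_in_group"           # 'Failed group matching'
    return "allowed"                    # 'Passed group matching'


if __name__ == "__main__":
    for cnid, user in (("cn", "jwayne"), ("cn", "John Wayne"),
                       ("sAMAccountName", "jwayne")):
        print(build_filter(cnid, user), "->", search_dn(cnid, user))
    print(check_admin_access("sAMAccountName", "hford", "pw-hford", IT_GROUP))
```

With cnid set to cn the filter (cn=jwayne) resolves no DN, which is exactly the first failure in the post; with sAMAccountName it resolves the same DN that cn=John Wayne did, and the group check then separates jwayne (allowed) from hford (authenticated but not in the group).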

We repeat the test:

FortiGate-VM64 # diag test authserver ldap baldur jwayne D3@dPacket$!#
authenticate 'jwayne' against 'baldur' succeeded!
Group membership(s) - CN=Information Technology,OU=HQ,DC=ad,DC=deadpackets,DC=com
                      CN=Domain Users,CN=Users,DC=ad,DC=deadpackets,DC=com

and success 🙂

Finally, let's look at the authentication process for a user in the “Information Technology” group, and then at the login attempt and failure of a user outside that group.

First we look at the login process of the authorized user, jwayne:

diag debug ena
diag debug reset
diag debug app fnbamd -1
diag debug ena

# At this point user jwayne logs in through the web interface

fnbamd_fsm.c[1391] handle_req-Rcvd auth req 51 for jwayne in Information Technology-FW opt=16385 prot=9
fnbamd_auth.c[232] radius_start-Didn't find radius servers (0)
fnbamd_auth.c[588] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_ldap.c[866] resolve_ldap_FQDN-Resolved address 10.0.1.10, result 10.0.1.10
fnbamd_ldap.c[352] start_search_dn-base:'DC=ad,DC=deadpackets,DC=com' filter:sAMAccountName=jwayne

fnbamd_ldap.c[1594] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 51
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 51
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 51
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 51
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 51
fnbamd_ldap.c[386] get_all_dn-Found DN 1:CN=John Wayne,OU=HQ,DC=ad,DC=deadpackets,DC=com

fnbamd_ldap.c[400] get_all_dn-Found 1 DN's
fnbamd_ldap.c[434] start_next_dn_bind-Trying DN 1:CN=John Wayne,OU=HQ,DC=ad,DC=deadpackets,DC=com
fnbamd_ldap.c[1642] fnbamd_ldap_get_result-Going to USERBIND state
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 51
fnbamd_ldap.c[640] start_multi_attribute_lookup-Adding attr 'memberOf'
fnbamd_ldap.c[661] start_multi_attribute_lookup-base:'CN=John Wayne,OU=HQ,DC=ad,DC=deadpackets,DC=com' filter:cn=*

fnbamd_ldap.c[1698] fnbamd_ldap_get_result-Entering CHKUSERATTRS state
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 51
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 51
fnbamd_ldap.c[789] get_member_of_groups-Get the memberOf groups.
fnbamd_ldap.c[699] check_primary_group-starting check...
fnbamd_ldap.c[706] check_primary_group-primary group id = 513
fnbamd_ldap.c[720] check_primary_group-number of sub auths 5
fnbamd_ldap.c[739] check_primary_group-base:'DC=ad,DC=deadpackets,DC=com' filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\94\9f\a2\23\e8\75\97\81\7f\ad\3c\86\01\02\00\00))

fnbamd_ldap.c[815] get_member_of_groups- attr='memberOf', found 1 values
fnbamd_ldap.c[827] get_member_of_groups-val[0]='CN=Information Technology,OU=HQ,DC=ad,DC=deadpackets,DC=com'
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 51
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 51
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 51
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 51
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 51
fnbamd_ldap.c[771] get_primary_groups-primary group: CN=Domain Users,CN=Users,DC=ad,DC=deadpackets,DC=com
fnbamd_ldap.c[1529] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1834] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[2044] fnbamd_auth_poll_ldap-Result for ldap svr 10.0.1.10 is SUCCESS
fnbamd_auth.c[2061] fnbamd_auth_poll_ldap-Passed group matching
fnbamd_comm.c[146] fnbamd_comm_send_result-Sending result 0 for req 51
fnbamd_fsm.c[311] destroy_auth_session-delete session 51

From the debug output we can clearly see that the user belongs to the “Information Technology” group and that the group check succeeded.

Now a cheeky user tries to access the firewall; since he is not in the authorized group, we expect access to be refused. Let's check:

Debug output when the user hford (who belongs to the “Sales” group) tries to access the firewall:

fnbamd_fsm.c[1391] handle_req-Rcvd auth req 53 for hford in Information Technology-FW opt=16385 prot=9
fnbamd_auth.c[232] radius_start-Didn't find radius servers (0)
fnbamd_auth.c[588] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_ldap.c[866] resolve_ldap_FQDN-Resolved address 10.0.1.10, result 10.0.1.10
fnbamd_ldap.c[352] start_search_dn-base:'DC=ad,DC=deadpackets,DC=com' filter:sAMAccountName=hford

fnbamd_ldap.c[1594] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 53
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 53
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 53
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 53
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 53
fnbamd_ldap.c[386] get_all_dn-Found DN 1:CN=Harrison Ford,OU=HQ,DC=ad,DC=deadpackets,DC=com

fnbamd_ldap.c[400] get_all_dn-Found 1 DN's
fnbamd_ldap.c[434] start_next_dn_bind-Trying DN 1:CN=Harrison Ford,OU=HQ,DC=ad,DC=deadpackets,DC=com
fnbamd_ldap.c[1642] fnbamd_ldap_get_result-Going to USERBIND state
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 53
fnbamd_ldap.c[640] start_multi_attribute_lookup-Adding attr 'memberOf'
fnbamd_ldap.c[661] start_multi_attribute_lookup-base:'CN=Harrison Ford,OU=HQ,DC=ad,DC=deadpackets,DC=com' filter:cn=*

fnbamd_ldap.c[1698] fnbamd_ldap_get_result-Entering CHKUSERATTRS state
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 53
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 53
fnbamd_ldap.c[789] get_member_of_groups-Get the memberOf groups.
fnbamd_ldap.c[699] check_primary_group-starting check...
fnbamd_ldap.c[706] check_primary_group-primary group id = 513
fnbamd_ldap.c[720] check_primary_group-number of sub auths 5
fnbamd_ldap.c[739] check_primary_group-base:'DC=ad,DC=deadpackets,DC=com' filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\94\9f\a2\23\e8\75\97\81\7f\ad\3c\86\01\02\00\00))

fnbamd_ldap.c[815] get_member_of_groups- attr='memberOf', found 1 values
fnbamd_ldap.c[827] get_member_of_groups-val[0]='CN=Sales,OU=HQ,DC=ad,DC=deadpackets,DC=com'
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 53
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 53
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 53
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 53
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 53
fnbamd_ldap.c[771] get_primary_groups-primary group: CN=Domain Users,CN=Users,DC=ad,DC=deadpackets,DC=com
fnbamd_ldap.c[1529] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1834] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[2044] fnbamd_auth_poll_ldap-Result for ldap svr 10.0.1.10 is SUCCESS
fnbamd_auth.c[2056] fnbamd_auth_poll_ldap-Failed group matching
fnbamd_comm.c[146] fnbamd_comm_send_result-Sending result 1 for req 53
fnbamd_fsm.c[311] destroy_auth_session-delete session 53

We can see that although the lookup succeeded (the username and password were correct), access was not granted because the group check failed, as expected.

Finally, let's see what the debug output looks like when the user gets the password wrong:

fnbamd_fsm.c[1391] handle_req-Rcvd auth req 83 for hford in Information Technology-FW opt=16385 prot=9
fnbamd_auth.c[232] radius_start-Didn't find radius servers (0)
fnbamd_auth.c[588] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_ldap.c[866] resolve_ldap_FQDN-Resolved address 10.0.1.10, result 10.0.1.10
fnbamd_ldap.c[352] start_search_dn-base:'DC=ad,DC=deadpackets,DC=com' filter:sAMAccountName=hford

fnbamd_ldap.c[1594] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 83
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 83
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 83
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 83
fnbamd_ldap.c[1490] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 83
fnbamd_ldap.c[386] get_all_dn-Found DN 1:CN=Harrison Ford,OU=HQ,DC=ad,DC=deadpackets,DC=com

fnbamd_ldap.c[400] get_all_dn-Found 1 DN's
fnbamd_ldap.c[434] start_next_dn_bind-Trying DN 1:CN=Harrison Ford,OU=HQ,DC=ad,DC=deadpackets,DC=com
fnbamd_ldap.c[1642] fnbamd_ldap_get_result-Going to USERBIND state
fnbamd_fsm.c[1885] auth_ldap_result-Continue pending for req 83
fnbamd_ldap.c[418] start_next_dn_bind-No more DN left
fnbamd_ldap.c[1851] fnbamd_ldap_get_result-Auth denied
fnbamd_auth.c[2038] fnbamd_auth_poll_ldap-Result for ldap svr 10.0.1.10 is denied
fnbamd_comm.c[146] fnbamd_comm_send_result-Sending result 1 for req 83
fnbamd_fsm.c[311] destroy_auth_session-delete session 83

diag debug disable                                       # Don't forget to disable debugging
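The three traces above differ in only a handful of lines: the LDAP result (SUCCESS or denied), whether group matching passed or failed, and the result code sent back. The following Python is an added example, not FortiOS or Fortinet code, that parses a fnbamd debug capture into one record per request id and classifies each request as allowed, not in the group, or bind failed. SAMPLE_DEBUG is a constructed excerpt of the post's three traces trimmed to the lines the parser keys on; the regular expressions assume the message formats shown in this post and may need adjusting for other FortiOS builds.

```python
import re
from dataclasses import dataclass, field

# Added example, not FortiOS code: reduce 'diag debug app fnbamd -1' output to
# one outcome per request. Constructed excerpt of the three traces in the post.
SAMPLE_DEBUG = """\
fnbamd_fsm.c[1391] handle_req-Rcvd auth req 51 for jwayne in Information Technology-FW opt=16385 prot=9
fnbamd_ldap.c[352] start_search_dn-base:'DC=ad,DC=deadpackets,DC=com' filter:sAMAccountName=jwayne
fnbamd_ldap.c[386] get_all_dn-Found DN 1:CN=John Wayne,OU=HQ,DC=ad,DC=deadpackets,DC=com
fnbamd_ldap.c[827] get_member_of_groups-val[0]='CN=Information Technology,OU=HQ,DC=ad,DC=deadpackets,DC=com'
fnbamd_ldap.c[771] get_primary_groups-primary group: CN=Domain Users,CN=Users,DC=ad,DC=deadpackets,DC=com
fnbamd_auth.c[2044] fnbamd_auth_poll_ldap-Result for ldap svr 10.0.1.10 is SUCCESS
fnbamd_auth.c[2061] fnbamd_auth_poll_ldap-Passed group matching
fnbamd_comm.c[146] fnbamd_comm_send_result-Sending result 0 for req 51
fnbamd_fsm.c[1391] handle_req-Rcvd auth req 53 for hford in Information Technology-FW opt=16385 prot=9
fnbamd_ldap.c[386] get_all_dn-Found DN 1:CN=Harrison Ford,OU=HQ,DC=ad,DC=deadpackets,DC=com
fnbamd_ldap.c[827] get_member_of_groups-val[0]='CN=Sales,OU=HQ,DC=ad,DC=deadpackets,DC=com'
fnbamd_ldap.c[771] get_primary_groups-primary group: CN=Domain Users,CN=Users,DC=ad,DC=deadpackets,DC=com
fnbamd_auth.c[2044] fnbamd_auth_poll_ldap-Result for ldap svr 10.0.1.10 is SUCCESS
fnbamd_auth.c[2056] fnbamd_auth_poll_ldap-Failed group matching
fnbamd_comm.c[146] fnbamd_comm_send_result-Sending result 1 for req 53
fnbamd_fsm.c[1391] handle_req-Rcvd auth req 83 for hford in Information Technology-FW opt=16385 prot=9
fnbamd_ldap.c[386] get_all_dn-Found DN 1:CN=Harrison Ford,OU=HQ,DC=ad,DC=deadpackets,DC=com
fnbamd_ldap.c[418] start_next_dn_bind-No more DN left
fnbamd_auth.c[2038] fnbamd_auth_poll_ldap-Result for ldap svr 10.0.1.10 is denied
fnbamd_comm.c[146] fnbamd_comm_send_result-Sending result 1 for req 83
"""

# Message formats as they appear in this post (assumed stable for this build).
RX_REQ = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in (.+?) opt=")
RX_DN = re.compile(r"get_all_dn-Found DN \d+:(.+)$")
RX_MEMBER = re.compile(r"get_member_of_groups-val\[\d+\]='(.+)'$")
RX_PRIMARY = re.compile(r"get_primary_groups-primary group: (.+)$")
RX_RESULT = re.compile(r"fnbamd_auth_poll_ldap-Result for ldap svr \S+ is (\w+)")
RX_MATCH = re.compile(r"fnbamd_auth_poll_ldap-(Passed|Failed) group matching")
RX_SENT = re.compile(r"fnbamd_comm_send_result-Sending result (\d+) for req \d+")


@dataclass
class AuthAttempt:
    req: str
    user: str
    fw_group: str                 # FortiGate user group named in the request
    dn: str = ""                  # DN resolved in the SEARCH state
    groups: list = field(default_factory=list)   # memberOf values + primary group
    ldap_result: str = ""         # SUCCESS / denied
    group_match: str = ""         # Passed / Failed
    sent_result: str = ""         # 0 = access granted, 1 = refused

    def outcome(self):
        """The three cases the post walks through."""
        if self.ldap_result == "denied":
            return "bind_failed"        # no DN accepted the password
        if self.ldap_result == "SUCCESS" and self.group_match == "Failed":
            return "not_in_group"       # valid credentials, wrong AD group
        if self.ldap_result == "SUCCESS" and self.group_match == "Passed":
            return "allowed"
        return "incomplete"             # capture cut off mid-request


def parse_fnbamd(text):
    """Split a debug capture into AuthAttempt objects keyed by request id."""
    attempts, current = {}, None
    for line in text.splitlines():
        m = RX_REQ.search(line)
        if m:                           # a new request starts a new record
            current = AuthAttempt(req=m.group(1), user=m.group(2), fw_group=m.group(3))
            attempts[current.req] = current
            continue
        if current is None:             # lines before the first request
            continue
        for rx, attr in ((RX_DN, "dn"), (RX_RESULT, "ldap_result"),
                         (RX_MATCH, "group_match"), (RX_SENT, "sent_result")):
            m = rx.search(line)
            if m:
                setattr(current, attr, m.group(1))
        m = RX_MEMBER.search(line) or RX_PRIMARY.search(line)
        if m:
            current.groups.append(m.group(1))
    return attempts


if __name__ == "__main__":
    for req, a in sorted(parse_fnbamd(SAMPLE_DEBUG).items()):
        print(req, a.user, a.outcome(), a.groups)
```

The useful distinction for an operator is between bind_failed (the password was wrong, so only the DN search ran) and not_in_group (the bind succeeded, meaning the credentials were valid but the user is not in the AD group referenced by the FortiGate group); the latter is the case to watch, since the account is real but was never meant to reach the firewall.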

Besides the debug output, we can also look at the audit logs generated by the logon events.

FortiGate-VM64 # exec log filter category ?
<category>    Category name, press enter for options.

FortiGate-VM64 # exec log filter category
Available categories:
11: utm-netscan
10: utm-application control
 9: utm-dlp
 8: utm-voip
 6: content
 5: utm-spam
 4: utm-ips
 3: utm-webfilter
 2: utm-virus
 1: event
 0: traffic

FortiGate-VM64 # exec log filter category 1

FortiGate-VM64 # exec log display                        # Log & Report:Event Log:System
4408 logs found.
10 logs returned.

1: date=2014-06-28 time=14:08:21 logid=0100040704 type=event subtype=system level=notice vd="root" action="perf-stats" cpu=0 mem=34 totalsession=3 msg="Performance statistics"

2: date=2014-06-28 time=14:05:17 logid=0100032001 type=event subtype=system level=information vd="root" user="jwayne" ui=https(172.16.86.1) action=login status=success reason=none profile="super_admin" msg="Administrator jwayne logged in successfully from https(172.16.86.1)"

3: date=2014-06-28 time=14:03:21 logid=0100040704 type=event subtype=system level=notice vd="root" action="perf-stats" cpu=0 mem=30 totalsession=3 msg="Performance statistics"

4: date=2014-06-28 time=14:00:13 logid=0100032002 type=event subtype=system level=alert vd="root" user="hford" ui=https(172.16.86.1) action=login status=failed reason="passwd_invalid" msg="Administrator hford login failed from https(172.16.86.1) because of invalid password"

5: date=2014-06-28 time=13:59:00 logid=0103026003 type=event subtype=router level=information vd="root" interface="port3" total=101 used=1 msg="DHCP statistics"

6: date=2014-06-28 time=13:58:20 logid=0100040704 type=event subtype=system level=notice vd="root" action="perf-stats" cpu=0 mem=29 totalsession=63 msg="Performance statistics"

7: date=2014-06-28 time=13:57:36 logid=0100032002 type=event subtype=system level=alert vd="root" user="hford" ui=https(172.16.86.1) action=login status=failed reason="passwd_invalid" msg="Administrator hford login failed from https(172.16.86.1) because of invalid password"

8: date=2014-06-28 time=13:53:21 logid=0100040704 type=event subtype=system level=notice vd="root" action="perf-stats" cpu=0 mem=31 totalsession=18 msg="Performance statistics"

9: date=2014-06-28 time=13:51:49 logid=0100032003 type=event subtype=system level=information vd="root" user="jwayne" ui=https(172.16.86.1) action=logout status=success duration=5 reason=exit msg="Administrator jwayne logged out from https(172.16.86.1)"

10: date=2014-06-28 time=13:51:44 logid=0100032001 type=event subtype=system level=information vd="root" user="jwayne" ui=https(172.16.86.1) action=login status=success reason=none profile="super_admin" msg="Administrator jwayne logged in successfully from https(172.16.86.1)"
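The event log above is where this setup pays off operationally: every administrator login now carries a named user, a source, and a reason. The Python below is an added example, not FortiOS or Fortinet code, that parses the key=value format shown by exec log display and reports bursts of failed administrator logins per user and source. SAMPLE_LOG is a constructed subset of the post's own output (the perf-stats and DHCP entries are omitted); the threshold and time window are illustrative choices, not FortiOS defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not FortiOS code. Constructed subset of the post's
# 'exec log display' output: the admin login/logout entries only.
SAMPLE_LOG = """\
2: date=2014-06-28 time=14:05:17 logid=0100032001 type=event subtype=system level=information vd="root" user="jwayne" ui=https(172.16.86.1) action=login status=success reason=none profile="super_admin" msg="Administrator jwayne logged in successfully from https(172.16.86.1)"
4: date=2014-06-28 time=14:00:13 logid=0100032002 type=event subtype=system level=alert vd="root" user="hford" ui=https(172.16.86.1) action=login status=failed reason="passwd_invalid" msg="Administrator hford login failed from https(172.16.86.1) because of invalid password"
7: date=2014-06-28 time=13:57:36 logid=0100032002 type=event subtype=system level=alert vd="root" user="hford" ui=https(172.16.86.1) action=login status=failed reason="passwd_invalid" msg="Administrator hford login failed from https(172.16.86.1) because of invalid password"
9: date=2014-06-28 time=13:51:49 logid=0100032003 type=event subtype=system level=information vd="root" user="jwayne" ui=https(172.16.86.1) action=logout status=success duration=5 reason=exit msg="Administrator jwayne logged out from https(172.16.86.1)"
10: date=2014-06-28 time=13:51:44 logid=0100032001 type=event subtype=system level=information vd="root" user="jwayne" ui=https(172.16.86.1) action=login status=success reason=none profile="super_admin" msg="Administrator jwayne logged in successfully from https(172.16.86.1)"
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Turn one FortiOS log line into a dict, adding 'ts' and 'src' fields."""
    line = re.sub(r"^\d+:\s*", "", line.strip())     # drop the 'N: ' display index
    rec = {k: (q if q else u) for k, q, u in KV_RE.findall(line)}
    if "date" in rec and "time" in rec:
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    m = re.search(r"\((.+)\)", rec.get("ui", ""))    # ui=https(172.16.86.1) -> 172.16.86.1
    rec["src"] = m.group(1) if m else ""
    return rec


def parse_log(text):
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]


def admin_login_events(records):
    """Administrator login attempts (both outcomes) from an event log."""
    return [r for r in records if r.get("type") == "event" and r.get("action") == "login"]


def successful_admin_logins(records):
    """(user, source, access profile) for every successful admin login."""
    return [(r["user"], r["src"], r.get("profile", ""))
            for r in admin_login_events(records) if r.get("status") == "success"]


def failed_login_bursts(records, threshold=2, window=timedelta(minutes=10)):
    """Report (user, source, count) whenever at least `threshold` failed admin
    logins from the same user and source fall inside one `window`."""
    buckets = defaultdict(list)
    for r in admin_login_events(records):
        if r.get("status") == "failed":
            buckets[(r["user"], r["src"])].append(r["ts"])
    bursts = []
    for (user, src), times in buckets.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if t - t0 <= window)
                   for i, t0 in enumerate(times))
        if best >= threshold:
            bursts.append((user, src, best))
    return bursts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("successful:", successful_admin_logins(recs))
    print("bursts:", failed_login_bursts(recs))
```

On the sample, hford's two invalid-password failures from 172.16.86.1 fall within three minutes of each other and are reported as one burst, while jwayne's two successful logins appear with the super_admin profile they were granted; feeding the same parser a syslog export of the event category gives the same view across the whole retention period.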

Very good. We now have unique identification of every administrator, and when one of them leaves or new people join the team, all we have to do is add or remove the respective users in the “Information Technology” group in AD.

Furthermore, the LDAP server we configured can also be reused when we start configuring group-based Webfilter policies.


1 Comment »

  1. […] Now we go back to the configuration on the FGT; the LDAP Server is expected to already be configured according to this post: LDAP authentication for administrative access to the FortiGate. […]

    Pingback by Internet access using SSO, multiple groups and SSL Inspection | Dead Packets — 24/09/2014 @ 6:10 AM | Reply

