I’ve blogged on using the SSL VPN to renew passwords if they expire before using LDAPS, but I have not blogged on doing this through Radius authentication.
One awesome aspect of this is that by default, the max LDAP servers you can configure on a Fortigate is 10 – so if you have a lot of different domains – as I do with one client – you might be pushed to go to Fortiauthenticator for the ability to have more, or use dual factor. Using Radius to authenticate can help remedy this issue because you can authenticate as many domains as you like behind 1 radius server. You can also have that server allow users to change their password if it expires, or if you set the policy in AD to make the user change their password.
To authenticate many different groups through radius for the SSL VPN you have to configure a vendor specific option. I wrote an entry not long ago on how to do this found here – https://travelingpacket.com/2016/01/26/fortigate-radius-group-authentication/ That was written for 5.2 but same stuff applies to 5.4 and 5.6 .
Once NPS is setup, the Radius server is created on the FGT, User groups are created on the FGT and of course SSL VPN policies are good to – you can modify the server in CLI and set the options to allow passwords to be change if expired.
In this case my server is called Presrv04 – The below is the setup for that server
Then we need to modify the options in CLI
Next I changed my account to force me to change my password at next login – check this out.
There we go! once I change my password to something that meets the complexity requirements of my organization it will allow me directly into the VPN – and change my password.
SNTP is used to synchronize time from a switch (HP in this case) with any time server. SNTP is actually fully compatible with NTP so life is easy in that respect . SNTP is a scaled down version off NTP. There are a few difference between the protocols – some being simplicity in how the time is synchronized between server and client, and processing of server failures.
I had to configure SNTP on a few HP Procurves (2500, 3800, 2900, 2500) of all makes and models today and thought it would be good to document/share. I was setting SNTP on the switch to synchronize time with an AD controller within the network for timestamps in logs, etc.
On the 2530 Code is as follows:
config t
sntp server priority 1 10.44.130.10 — Sets the server priority, and the server IP/NAME
sntp unicast — changes from Broadcast to Unicast.
timesync sntp — Sets timesync to use SNTP instead of NTP or other options.
On some older HP firmwares/switches I found that the priority command was not avaliable.
After these changes you can check the time with the “show time” command, and dig deeper with “Show sntp” commands.
Fortigate traffic shaping is awesome, lots of options and it all works really well. Going from 5.2 to 5.4/5.6 is quite different due to the creation of policies changing from within the firewall policy, to their own section. Either way, they all work great.
I did notice at least in 5.4 that the option to change how a policy is used do not seem to be in the GUI. Previously there were two options – “Per Policy”, and “all policies using this shaper”. Selecting “all policies using this shaper” would have all policies using that shaper object to share the guaranteed or Max bandwidth settings between all policies using that shaper. Selecting “Per Policy” allows you to dedicate those same settings to each policy referencing the shaper object.
Which gets to my point, in 5.2 you had the options below. Notice the options about how to apply the shaper.
In 5.4.5 at least notice that they are gone. Of course, if you upgraded from 5.2 the options are there.
So as with everything that does not show up in the GUI – you know it is in CLI. So I dropped down to CLI to check if the settings are still there. By editing the shaper, and using the “get” command I could see all settings and their values the policy had to offer. As I thought the option “Per-Policy” is there with the default settings of disabled. So by default, all Shaper policies have settings shared between different traffic policies referencing that shaper.
So in this case, I want to give the same percentage of bandwidth to each of the traffic shaper policies referencing my shaper object. So I will modify that option.
Now, in the GUI lets check that policy again –
Awesome, now we have the actual options to change.
I had the need today to setup DHCP on a Brocade 7450 Switch. I had never done this before, but very straight forward. Thought I would document how to/options if anyone ever needs it.
DHCP pool to create – TX-POOL, scope 192.168.6.0/24
config t
ip dhcp-server pool TX-POOL dhcp-default-router 192.168.6.1 dns-server 192.168.1.183 excluded-address 192.168.6.1 192.168.6.10 lease 1 0 0 network 192.168.6.0 255.255.255.0 deploy
Notice the “Deploy” option – this puts everything into motion. Lots more options available like Domain-name, Options, lease times, etc.
To make sure everything is working you have some great show commands:
There we go! once I change my password to something that meets the complexity requirements of my organization it will allow me directly into the VPN – and change my password.
Recent Comments