Add files via upload
phaupt authored Feb 22, 2023
1 parent 24ecdfa commit 80f7a44
Showing 1 changed file with 40 additions and 45 deletions.
85 changes: 40 additions & 45 deletions samples/production-v1.2-noRedis.env.sample
Expand Up @@ -269,48 +269,43 @@ CustomerConfigs__0__FortigateBehaviour__FailAuthIfGroupUnknown=false
# CustomerConfigs__2__*
# etc.

********************************************************************************************
OPTIONAL: FortigateBehaviour
********************************************************************************************

...
"FortigateBehaviour": {
"VendorSpecificAttributeTriggerValue": "root",
"UserGroupSearchFilter": "(&(objectClass=groupOfNames)({0}))",
"FortinetLdapUserGroupMap": [
{
"ForitnetGroupName": "gu-rad_msrl_sslvpn1",
"LdapGroupDn": "ldap-group-dn-admin"
},
{
"ForitnetGroupName": "gu-rad_msrl_sslvpn2",
"LdapGroupDn": "ldap-group-dn-user"
}
],
"FortinetAccessProfile": "none",
"DefaultFortinetGroupName": "no-group-found",
"FailAuthIfGroupUnknown": false
}
...

The FortigateBehaviour's JSON section in the above example is OPTIONAL.
- Enabling/disabling the feature: The described behaviour is implicitly activated if the attribute "Fortinet-Vdom-Name = root" (via Vendor-Specific Attributes) is set in the Access-Request Packet
- Procedure with activated Fortigate behaviour:
- After reading out the user from LDAP, additionally read out all user groups by means of "UserGroupSearchFilter" (Config)
- Match the user groups against "FortinetLdapUserGroupMap" (Config) and read out the mapped Fortigate group. The FIRST matching group is taken!
- The following cases are then distinguished in the radius response:
- Fortigate group found: Enrich Access-Accept with the following (Vendor-Specific) attributes:
=> Fortinet-Vdom-Name = "root" (taken from Access-Request)
=> Fortinet-Group-Name = {{ matching Fortigate group }}
=> Fortinet-Access-Profile = {{ "FortinetAccessProfile" (Config) }}
- Fortigate group not found:
-> If "FailAuthIfGroupUnknown = true": Access-Reject with corresponding error
-> If "FailAuthIfGroupUnknown = false": Enrich Access-Accept with the following attributes:
=> Fortinet-Vdom-Name = "root" (taken from Access-Request)
=> Fortinet-Group-Name = {{ "DefaultFortinetGroupName" (Config) }}"
=> Fortinet Access Profile = {{ "FortinetAccessProfile" (Config) }}"

Additional Infos:
- https://www.rfc-editor.org/rfc/rfc2865#section-5.26
- Possible query to get all user groups: (&(objectCategory=group){0})
- https://www.fortinetguru.com/2016/06/authentication-servers/4/
############################################################################################
# OPTIONAL: FortigateBehaviour
############################################################################################
#
# ...
# "FortigateBehaviour": {
# "VendorSpecificAttributeTriggerValue": "root",
# "UserGroupSearchFilter": "(&(objectClass=groupOfNames)({0}))",
# "FortinetLdapUserGroupMap": [
# {
# "ForitnetGroupName": "gu-rad_msrl_sslvpn1",
# "LdapGroupDn": "ldap-group-dn-admin"
# },
# {
# "ForitnetGroupName": "gu-rad_msrl_sslvpn2",
# "LdapGroupDn": "ldap-group-dn-user"
# }
# ],
# "FortinetAccessProfile": "none",
# "DefaultFortinetGroupName": "no-group-found",
# "FailAuthIfGroupUnknown": false
# }
# ...

# The FortigateBehaviour's JSON section in the above example is OPTIONAL.
# - Enabling/disabling the feature: The described behaviour is implicitly activated if the attribute "Fortinet-Vdom-Name = root" (via Vendor-Specific Attributes) is set in the Access-Request Packet
# - Procedure with activated Fortigate behaviour:
# - After reading out the user from LDAP, additionally read out all user groups by means of "UserGroupSearchFilter" (Config)
# - Match the user groups against "FortinetLdapUserGroupMap" (Config) and read out the mapped Fortigate group. The FIRST matching group is taken!
# - The following cases are then distinguished in the radius response:
# - Fortigate group found: Enrich Access-Accept with the following (Vendor-Specific) attributes:
# => Fortinet-Vdom-Name = "root" (taken from Access-Request)
# => Fortinet-Group-Name = {{ matching Fortigate group }}
# => Fortinet-Access-Profile = {{ "FortinetAccessProfile" (Config) }}
# - Fortigate group not found:
# -> If "FailAuthIfGroupUnknown = true": Access-Reject with corresponding error
# -> If "FailAuthIfGroupUnknown = false": Enrich Access-Accept with the following attributes:
# => Fortinet-Vdom-Name = "root" (taken from Access-Request)
# => Fortinet-Group-Name = {{ "DefaultFortinetGroupName" (Config) }}"
# => Fortinet Access Profile = {{ "FortinetAccessProfile" (Config) }}"
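Review bot: the `Additional Infos` block (the RFC 2865 section 5.26 link, the `(&(objectCategory=group){0})` group-query hint and the fortinetguru link) is dropped from the end of this hunk instead of being commented out like the rest of the section; suggest re-adding it as `#` lines after the `Fortinet Access Profile` line so the sample keeps pointing operators at the Vendor-Specific Attribute spec behind this feature. Two smaller points in the same block: the lines `# => Fortinet-Group-Name = {{ "DefaultFortinetGroupName" (Config) }}"` and `# => Fortinet Access Profile = {{ "FortinetAccessProfile" (Config) }}"` carry a stray trailing `"`, and the second should read `Fortinet-Access-Profile` to match the attribute name used in the group-found case a few lines up. Also worth confirming that `ForitnetGroupName` in the `FortinetLdapUserGroupMap` entries is the key the config binder actually expects (it is spelled differently from every other `Fortinet*` key in the sample); if it is a typo in the sample, an operator copying it verbatim would get map entries that never match, and with `FailAuthIfGroupUnknown=false` every authenticated user would silently be handed the `DefaultFortinetGroupName` instead of their intended Fortigate group.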
