Identifi: What is the easiest way to authenticate users in Active Directory using NAC?

  • Question
  • Updated 12 months ago
  • Answered
Hello, everybody,

at the moment I have 120 APs and about 12000 users. The employees' SSID has a beautiful authorization web form on the Fortigate firewall; users use their Active Directory credentials and everything works fine, except I can't see the AD accounts of wifi users in Netsight. This makes me very sad(

But I have an installation of mighty NAC!

Is there a step-by-step guide on how to configure NAC to authorize AD users using a web form?

Could you please share it!

Many thanks in advance, 

Ilya

Ilya Semenov

Posted 12 months ago


Diederik Kuijper

Why not use RADIUS auth?

Ilya Semenov

Hi,
what do you mean?

For sure, I could authorize users over Microsoft NPS. But these are enterprise customers; they need a beautiful web page, not just two input strings for login/password.

Diederik Kuijper

Why's that even a requirement? By utilizing RADIUS auth you can skip the auth webpage; users simply put in their AD credentials for connecting to the SSID. You then have the users available in Identifi/NetSight, and if you enable FSSO polling on the Fortigate you automatically authenticate users for the firewall as well.

I did this to alleviate double sign-ins.

http://cookbook.fortinet.com/fsso-polling-mode/

Ronald Dvorak, Embassador

You'd use the AD and ExtremeControl could query the user accounts via LDAP.

Could you post a screenshot of the current web login page that is used - I'd like to see how beautiful it is :-)

Ilya Semenov

It's in Russian, Ron, are you sure?) I'll ask the customer for permission on Monday.

It would be great if someone posted a link to a guide that would help me configure the web login page in NAC)

Ronald Dvorak, Embassador

Could you explain a bit more about the deployment?
What is the security on the WLAN service - is it open/none or WPA PSK or ECP?

Ilya Semenov

Hi, Ronald, 

sure!

This is an open SSID without authorization. When a user connects to the SSID, he tries to reach any Internet resource and gets to the Fortigate FG-600, where he is asked for his AD credentials (on the beautiful HTTPS login web page).

That is it!

James A, Embassador

You'd want to set up an Authenticated Registration portal in NAC. I couldn't find a step-by-step guide but the manual has everything you need. Is the current SSID using PSK?

Ilya Semenov

Hi, James,

it is an open SSID. I'll try to play with NAC without a guide(

Thanks!

Pala, Zdenek, Employee

In the NAC portal, choose Authenticated Registration. You need to configure AAA to your AD (RADIUS or LDAP). It should be quite straightforward.

Good luck.

Z.

Ilya Semenov

Hello, Pala,

Unfortunately, I can't find the "Authenticated registrations" menu. I have Netsight 7.

Where could it be located?

Matthew Hum

Authenticated Registration would be in the portal configurations, in choosing what kind of portal features you are looking for.