
AD integration with xg firewall

Dear all,

I have installed STAS and integrated AD with the XG 310.

Then I imported all the users from AD into the XG 310.

And I created a firewall rule to allow internet access from LAN to WAN and enabled "Match known users" and "Captive portal for unknown users".

However, whenever my AD users log in to their domain account and browse the internet, they are redirected to the captive portal.

It asks them to enter a username and password, and only then can they browse the internet.


I would like to ask if my configuration is correct, because I thought that once a user is authenticated via AD (SSO) he should be able to browse the internet directly.

However, this is not the case with the above configuration. I must be missing something in the configuration.


Thanking you all in advance.



  • Aside from STAS, if it is just for web browsing you could use NTLM authentication, which will fall back to captive portal if it fails.

    STAS authenticates your computer regardless of traffic.

    NTLM is a web traffic authentication method, though after authentication the user is applied to all traffic types from that IP.


    Under Authentication > Services, make sure that the Firewall Authentication Methods include your server.

    Under Administration > Device Access, turn on NTLM for the zones you want to enable.

  • This brings me to a question I just had in my lab. If I configure AD SSO using NTLM, my users on my XG Firewall (which are synchronized from Active Directory) look like the following: benutzername.

    Users coming from NTLM look like benutzername@mydomain.local. XG Firewall does not recognize that benutzername and benutzername@mydomain.local are the same user.

    Is there any known workaround for this? In the UTM's world we had to join the firewall to the Active Directory, so it knows that this user belongs to its domain. In XG we do not have the possibility to join the firewall to AD, if I'm right?

  • Hello,

    Did you add the AD server under ... Configure -> Authentication -> Services?


    Here you can set the priority of the login server.

  • Thanks for this input. Yes, I had already set the precedence of Active Directory under "Firewall Authentication Methods" to the top. It didn't change the behavior.

  • HuberChristian said:

    Users coming from NTLM look like benutzername@mydomain.local. XG Firewall does not recognize that benutzername and benutzername@mydomain.local are the same user.

    Is this just a logging/reporting problem, or are you not getting the correct firewall rule or web policy applied?

    AFAIK, the rules should be applied correctly regardless of how the naming looks.


    Under Authentication \ Users do you have one user or two?

  • Michael Dunn said:
    Under Authentication \ Users do you have one user or two?

    I have two users. The one from the AD, and the one created by NTLM.
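A small helper, added here and not taken from the thread or from Sophos, showing one way to treat the two name forms discussed above (the AD-synced `benutzername` and the NTLM `benutzername@mydomain.local`) as a single identity when correlating firewall and web log entries. The realm names and the sample records are constructed; a name from a realm that is not listed is deliberately kept distinct.

```python
"""Normalise the user-name forms seen in this thread (AD-synced 'benutzername'
vs NTLM 'benutzername@mydomain.local') to one key so that log entries from both
authentication sources can be correlated. Constructed example, not Sophos code."""
from typing import Optional

# Realms treated as the same identity space (constructed sample values).
KNOWN_REALMS = {"mydomain.local", "mydomain"}


def canonical_user(name: str, default_realm: str = "mydomain.local") -> Optional[str]:
    """Return 'user@realm' in lower case, or None if the realm is unknown.

    Accepts a bare sAMAccountName ('benutzername'), a UPN
    ('benutzername@mydomain.local') and the down-level form
    ('MYDOMAIN\\benutzername'). A UPN whose realm is not in KNOWN_REALMS is
    NOT merged: an account from another realm must stay a separate identity.
    """
    name = name.strip()
    if not name:
        return None
    if "\\" in name:                       # DOMAIN\user
        realm, _, user = name.partition("\\")
    elif "@" in name:                      # user@realm
        user, _, realm = name.rpartition("@")
    else:                                  # bare account name: assume default realm
        user, realm = name, default_realm
    user, realm = user.lower(), realm.lower()
    if not user or realm not in KNOWN_REALMS:
        return None
    return f"{user}@{default_realm.lower()}"


def same_user(a: str, b: str) -> bool:
    """True only when both names resolve to the same canonical identity."""
    ca, cb = canonical_user(a), canonical_user(b)
    return ca is not None and ca == cb


# Constructed log-style records from the two auth sources named in the thread.
SAMPLE = [("stas", "benutzername"), ("ntlm", "benutzername@mydomain.local"),
          ("ntlm", "MYDOMAIN\\Benutzername"), ("ntlm", "benutzername@other.example")]


def distinct_identities(records) -> dict:
    """Group records by canonical identity; unknown realms are collected under None."""
    groups: dict = {}
    for source, raw in records:
        groups.setdefault(canonical_user(raw), []).append((source, raw))
    return groups
```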