
Thursday, May 21, 2015

Fortigate Captive Portal with exempt



Configure Fortigate captive portal:

Go to User & Device -> User Definition

Click Create New

Configure user account

Go to User & Device -> User Groups

Click Create New

Configure captive-portal group (for example CP_GROUP)



Go to System -> Network -> Interfaces

Create new interface (according to your topology)

Fill in the required information (addressing mode, IP address, DHCP etc.)

Select Captive Portal under Security Mode

Select the User Groups (CP_GROUP)

Click OK



Now go to Policy & Objects -> Policy -> IPv4 

Click Create New

Create the firewall policy according to your needs

Click OK

 
Now you have a network with captive portal authentication.

Now let's say we want all iPhones to be exempt from the captive portal when using this network. For that we have to use the CLI to enable the exempt option on the firewall policy:

FWG # config firewall policy
FWG (policy) # edit 12
FWG (12) # set captive-portal-exempt enable
FWG (12) # end

The policy ID (12 here) is the ID of the IPv4 policy we created above for this network.

Now return to the web GUI, go to System -> Network -> Interfaces -> LAB (my CP network) and click Edit

Click the '+' sign next to the Exempt List and choose iPhone (or any other type of device, user or group) that you want to free from captive portal authentication.

Click OK



This exemption can be used for many different requirements, such as time-management clocks, printers, digital signage etc., which cannot authenticate through the captive portal.





Wednesday, May 20, 2015

Capture VLAN tags on Wireshark



Only with certain NICs can you capture the VLAN ID and the rest of the 802.1Q information. In the following post I will show the necessary steps, on Microsoft Windows, to capture this information using an Intel NIC.

The 802.1Q tags get stripped from the frames by the driver; however, a registry change makes the driver keep the tags so they can be seen in the capture.

The registry key value depends on the NIC driver:

Adapter Driver                            | Registry Value
------------------------------------------|-------------------
e1g, e1e, e1y                             | MonitorModeEnabled
e1c, e1d, e1k, e1q, e1r, ixe, ixn, ixt    | MonitorMode

My NIC model is an 82567LM Gigabit card. In order to find the adapter driver go to:

Start->Control Panel->Network and Sharing Center

Click on Change adapter settings on the left

Right-click on the relevant NIC and choose Properties

Click Configure

Choose the Driver tab

Click on Driver Details


In the following window you can see that my NIC driver type is e1y, so for this NIC I have to use the MonitorModeEnabled registry value.

Now open the registry editor (Start->Run->regedit) and go to:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

Find your NIC's subkey by looking at its DriverDesc value:


Here, in my case, it was 007. Right-click on this folder and choose New -> DWORD (32-bit) Value:



Value name: MonitorModeEnabled
Value data: 1 (Hexadecimal)


The value can be either:

0 - Disabled (Do not store bad packets, Do not store CRCs, Strip 802.1Q vlan tags) 

1 - Enabled (Store bad packets. Store CRCs. Do not strip 802.1Q vlan tags)

Now reboot your machine for the changes to take effect, then start Wireshark and start capturing tagged frames!
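As an added example that is not part of the original post (and not Intel's code), the following PowerShell script performs the same registry change from an elevated prompt: it finds the adapter instance under the network-adapter class key by its DriverDesc, creates the DWORD, and lists the current setting of every adapter so the change can be verified before and after the reboot. It assumes HKLM\SYSTEM\CurrentControlSet (which on a running system resolves to the active control set, ControlSet001 in the post), and it takes the DriverDesc substring and the value name (MonitorModeEnabled or MonitorMode, per the table above) as parameters, because the script cannot tell by itself which driver family the adapter uses.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
# Assumption: CurrentControlSet is used instead of the post's ControlSet001;
# on a running system it is a link to the active control set.
$ClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

function Get-NicDriverSubkey {
    param([Parameter(Mandatory)][string]$DriverDescMatch)

    # Only the four-digit instance subkeys (0000, 0001, ...) describe adapters;
    # the class key also contains a Properties subkey that must be skipped.
    Get-ChildItem -Path $ClassKey -ErrorAction Stop |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            if ($props.DriverDesc -like "*$DriverDescMatch*") { $_ }
        }
}

function Show-NicMonitorMode {
    # List every adapter instance with its current MonitorMode* values
    # (blank when the value has not been created), for verification.
    Get-ChildItem -Path $ClassKey |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Instance           = $_.PSChildName
                DriverDesc         = $p.DriverDesc
                MonitorModeEnabled = $p.MonitorModeEnabled
                MonitorMode        = $p.MonitorMode
            }
        } | Format-Table -AutoSize
}

function Enable-NicVlanTagCapture {
    param(
        [Parameter(Mandatory)][string]$DriverDescMatch,
        # Value name depends on the driver family (see the table in the post):
        # e1g/e1e/e1y -> MonitorModeEnabled, e1c/e1d/e1k/e1q/e1r/ixe/ixn/ixt -> MonitorMode
        [Parameter(Mandatory)][ValidateSet('MonitorModeEnabled', 'MonitorMode')]
        [string]$ValueName
    )

    $keys = @(Get-NicDriverSubkey -DriverDescMatch $DriverDescMatch)
    if ($keys.Count -ne 1) {
        throw "Expected exactly one adapter matching '$DriverDescMatch', found $($keys.Count). Refine the match."
    }

    # DWORD 1 = store bad packets, store CRCs, do not strip 802.1Q VLAN tags.
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $keys[0].PSPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

    $desc = (Get-ItemProperty -Path $keys[0].PSPath).DriverDesc
    Write-Host "Set $ValueName=1 on instance $($keys[0].PSChildName) ($desc). Reboot for the driver to pick it up."
}

# Usage: the 82567LM in the post uses the e1y driver, hence MonitorModeEnabled.
# Enable-NicVlanTagCapture -DriverDescMatch '82567LM' -ValueName 'MonitorModeEnabled'
# Show-NicMonitorMode
```

The script refuses to write when the DriverDesc substring matches zero or several instances, so a loosely chosen substring (for example "Intel") cannot silently flip the setting on the wrong adapter; run Show-NicMonitorMode first to see the exact descriptions present on the machine.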

Resources:
http://www.intel.com/support/network/sb/CS-005897.htm
http://dot1x.blogspot.co.il/2010/03/sniffing-dot1q-tags-with-wireshark.html
 

Tuesday, May 19, 2015

Fortigate password recovery/reset

 Notes:
  • Works for all models
  • Only after hard power cycle
  • Only during first 15-30 seconds
  • Only via hardware console port

Steps:
  1. Connect to device using console
  2. Reboot the device
  3. Login with username: maintainer
  4. Password: bcpb+<DEVICE_SERIAL> for example: bcpbFG140P2G14500013
  5. Take note that after the reboot you have only 15 seconds to login

Output sample:

FortiGate-140D-POE (18:47-05.30.2013)
Ver:04000028
Serial number:FG140P2G14500013
RAM activation
CPU(00:000106ca bfebfbff): MP initialization
CPU(01:000106ca bfebfbff): MP initialization
CPU(02:000106ca bfebfbff): MP initialization
CPU(03:000106ca bfebfbff): MP initialization
Total RAM: 4096MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Boot up, boot device capacity: 1910MB.
Press any key to display configuration menu...
......

Reading boot image 1481398 bytes.
Initializing firewall...
System is starting...


FGT login: maintainer
Password: ********************
Welcome !

FGT#
FGT# execute factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n)y

System is resetting to factory default...


The system is going down NOW !!

For security reasons, the maintainer account can be disabled in the following manner:
config sys global
set admin-maintainer disable
end