Configuring authenticated access

Authentication in Captive Portals

Network interfaces, including WiFi interfaces, can perform authentication at the interface level using a captive portal — an HTML form that requests the user’s name and password. A captive portal is useful where all users connecting to the network interface must authenticate. Optionally, on a WiFi interface, the captive portal can be combined with a terms of service disclaimer to which the user must agree before gaining access. For more information, see Captive portals on page 514.

Once successfully authenticated, the user’s session passes to the firewall.

 

Authentication in security policies

Security policies control traffic between FortiGate interfaces, both physical interfaces and VLAN subinterfaces. The firewall tries to match the session’s user or group identity, device type, destination, and other attributes to a security policy. When a match is found, the user connects to the requested destination. If no security policy matches, the user is denied access.

A user who has not already been authenticated by a captive portal, FSSO, or RSSO can match only policies where no user or user group is specified. If no such policy exists, the firewall requests authentication. If the user can authenticate and the session can then be matched to a policy, the user connects to the requested destination; otherwise, the user is denied access.
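The matching rules above can be modelled in a few lines. The following Python is an added illustration, not FortiGate code: it evaluates a session top-down against a constructed policy table, lets an unauthenticated session match only policies without a user or group, returns "authenticate" when the only candidate policy needs an identity, and shows the same session re-matching after a captive-portal login supplies one. Policy names, interfaces, users and groups are invented for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    src_intf: str
    dst_intf: str
    action: str                             # "accept" or "deny"
    users: FrozenSet[str] = frozenset()     # empty users and groups: no identity required
    groups: FrozenSet[str] = frozenset()

    def requires_identity(self) -> bool:
        return bool(self.users or self.groups)


@dataclass(frozen=True)
class Session:
    src_intf: str
    dst_intf: str
    user: Optional[str] = None              # None: no captive portal, FSSO or RSSO identity yet
    groups: FrozenSet[str] = frozenset()


def evaluate(session: Session, policies: List[Policy]) -> Tuple[str, Optional[str]]:
    """Match a session against the policy list in order (first match wins).

    Returns ("accept" | "deny", policy name) on a match,
    ("authenticate", None) when the only candidate policies require an identity
    the session does not have, and ("deny", None) when nothing matches at all
    (the implicit deny).
    """
    identity_candidate = False
    for p in policies:
        if (p.src_intf, p.dst_intf) != (session.src_intf, session.dst_intf):
            continue
        if not p.requires_identity():
            return p.action, p.name          # unauthenticated sessions may match this
        if session.user is None:
            identity_candidate = True       # would match once the user authenticates
            continue
        if session.user in p.users or session.groups & p.groups:
            return p.action, p.name
    if identity_candidate:
        return "authenticate", None
    return "deny", None


def login(session: Session, user: str, groups: Iterable[str]) -> Session:
    """Model a successful captive-portal login: the same flow now carries an identity."""
    return Session(session.src_intf, session.dst_intf, user, frozenset(groups))


def example_policies() -> List[Policy]:
    # Constructed policy table for the example (hypothetical names and interfaces).
    return [
        Policy("staff-internet", "internal", "wan1", "accept", groups=frozenset({"staff"})),
        Policy("lan-to-dmz", "internal", "dmz", "accept"),
    ]


if __name__ == "__main__":
    table = example_policies()
    anon = Session("internal", "wan1")
    print(evaluate(anon, table))                               # ('authenticate', None)
    print(evaluate(login(anon, "alice", {"staff"}), table))    # ('accept', 'staff-internet')
    print(evaluate(login(anon, "bob", {"contractors"}), table))  # ('deny', None)
```

The "authenticate" result is where the firewall would present the login prompt; after `login()` the same session is evaluated again with its identity, and a user who authenticates but belongs to no matching group still falls through to the implicit deny.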

This section includes:

  • Enabling authentication protocols
  • Authentication replacement messages
  • Access to the Internet
  • Configuring authentication security policies
  • Identity-based policy
  • NTLM authentication
  • Certificate authentication
  • Restricting number of concurrent user logons

 

Enabling authentication protocols

Users can authenticate using FTP, HTTP, HTTPS, and Telnet, but each of these protocols must be enabled before it can be used. Another option is to redirect any attempt to authenticate over HTTP to a more secure channel that uses HTTPS, so that users are moved to a secure connection before they enter their credentials.

 

To enable support for authentication protocols – web-based manager:

1. Go to User & Device > Authentication > Settings.

2. Select one or more of HTTP, HTTPS, FTP, Telnet, or Redirect HTTP Challenge to a Secure Channel (HTTPS).

Only selected protocols will be available for use in authentication.

3. Select the Certificate to use, for example Fortinet_Factory.

4. Select Apply.
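A practitioner reviewing these settings usually wants to know which of the enabled protocols carry the login credentials unprotected: FTP and Telnet have no encrypted variant, and HTTP is only safe when the challenge is redirected to HTTPS. The following Python is an added example, not a Fortinet tool: it reads the `config user setting` block from a FortiOS configuration export and reports those conditions. The two embedded configurations are constructed samples; the key names `auth-type`, `auth-secure-http` and `auth-cert` are the CLI counterparts of the web-based manager fields above, and the defaults assumed for absent keys are labelled as assumptions in the code.

```python
from typing import Dict, List, Tuple

# Constructed sample export with every protocol enabled and no HTTPS redirect.
WEAK_CONFIG = """\
config user setting
    set auth-type ftp http https telnet
    set auth-cert "Fortinet_Factory"
    set auth-secure-http disable
    set auth-timeout 5
end
config system global
    set hostname "fw-lab"
end
"""

# Constructed sample export after hardening: HTTP challenges are redirected to HTTPS.
HARDENED_CONFIG = """\
config user setting
    set auth-type http https
    set auth-cert "Fortinet_Factory"
    set auth-secure-http enable
end
"""

# Protocols with no encrypted variant: the prompt and the password cross the network in the clear.
CLEARTEXT_PROTOCOLS = {"ftp", "telnet"}


def parse_user_setting(config_text: str) -> Dict[str, List[str]]:
    """Return the 'set' entries of the 'config user setting' block as key -> values."""
    settings: Dict[str, List[str]] = {}
    inside = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user setting":
            inside = True
        elif inside and line == "end":
            break
        elif inside and line.startswith("set "):
            key, *values = line[4:].split()
            settings[key] = [v.strip('"') for v in values]
    return settings


def audit_auth_protocols(config_text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the firewall authentication protocols."""
    s = parse_user_setting(config_text)
    findings: List[Tuple[str, str]] = []
    enabled = set(s.get("auth-type", []))
    if not enabled:
        # An absent key means the device default applies; the export does not say which.
        findings.append(("info", "auth-type not set explicitly; device default applies"))
    for proto in sorted(enabled & CLEARTEXT_PROTOCOLS):
        findings.append(("high", f"{proto} authentication enabled: credentials sent in cleartext"))
    # Assumption: an absent auth-secure-http is treated as "disable".
    redirect = s.get("auth-secure-http", ["disable"])[0] == "enable"
    if "http" in enabled and not redirect:
        findings.append(("high", "http authentication enabled without redirect to HTTPS"))
    if "https" in enabled or redirect:
        cert = s.get("auth-cert", [""])[0]
        if cert == "Fortinet_Factory":
            # The factory certificate is not issued by a CA that clients trust by default.
            findings.append(("low", "HTTPS login page uses the factory certificate; "
                                    "clients will warn unless it is imported or replaced"))
    return findings


def high_findings(config_text: str) -> List[str]:
    """Convenience view: only the cleartext-credential findings."""
    return [msg for sev, msg in audit_auth_protocols(config_text) if sev == "high"]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for sev, msg in audit_auth_protocols(cfg):
            print(f"  [{sev}] {msg}")
```

Run against a real `show full-configuration` export, the same function flags any unit still accepting FTP or Telnet logins, or HTTP logins without the redirect selected in step 2; the low-severity certificate note corresponds to keeping the Fortinet_Factory certificate chosen in step 3.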

 
