evejar
Staff
January 31, 2017

Technical Tip: Active and passive authentication behavior


Description


This article describes how active and passive authentication behave differently when traffic is matched against firewall policies. FortiGate supports two types of user authentication, each tied to different protocols:

  • Active: LDAP, RADIUS, TACACS+, and SAML.
  • Passive: FSSO, RSSO.


Each type behaves differently depending on how the firewall policies are configured.


Scope

 

FortiGate.


Solution


With active authentication, a user is only prompted to authenticate if every policy that could match the traffic has authentication enabled (a user or group in the policy), or a captive portal is enabled on the ingress interface for that traffic. If neither condition holds, the traffic matches the first policy that does not require authentication, and the user is never prompted.

With passive authentication, if FortiGate can obtain the user details (for example from FSSO), the traffic matches the first policy in the list that fits the user's group, because the user is already authenticated before the policy lookup takes place.

Examples:

Active authentication:

 

[Image: 1221_policy.png]

 

Because the user in the guest group has not yet authenticated, the traffic does not match policy ID 15 (which requires authentication); it is matched by policy ID 16 instead, which does not require authentication. The user is never prompted to authenticate.

 

To change this behavior with active authentication, use the following commands:

 

config user setting
    set auth-on-demand <always|implicitly>
end
 

implicitly (default) - Implicitly trigger firewall authentication on demand: an unauthenticated user is only prompted when no other policy could match the traffic without authentication. This is the default setting and the original behavior in 7.0.x, 7.2.x, 7.4.x, and 7.6.

always - Always trigger firewall authentication on demand: an unauthenticated user is prompted as soon as the traffic reaches a policy that requires authentication.

With auth-on-demand set to always, the traffic in the example above always matches policy ID 15 and the user is prompted for authentication.

This feature can be set on a per-VDOM basis.

 

[Image: 1221_policy.png]

 

If passive authentication is used, traffic from users that belong to the guest group matches policy ID 15 even though policy ID 16 does not require authentication, because the user was already identified and authenticated before the policy lookup.

 

In environments where both active and passive authentication are configured (e.g. an FSSO policy on top and an LDAP policy at the bottom), passive authentication takes precedence whenever the user has already been identified through FSSO, because that policy sits first in the policy list.
Active authentication is intended as a fallback for when passive authentication fails. It is therefore recommended to place the FSSO policy before the LDAP policy: if the login cannot be determined passively, FortiGate falls back to active authentication on the LDAP policy.
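The following is an added example, not FortiOS code or anything from the original article. It models the matching rules described above (implicit versus always auth-on-demand, an interface captive portal, passive FSSO identification, and the mixed FSSO-then-LDAP policy order) as a small Python simulation so that the outcomes for policy IDs 15 and 16 can be checked without a FortiGate. The policies, flows and group names (`guest`, `fsso_users`, `ldap_users`, policy IDs 10 and 20) are constructed for the example; the simulation assumes that every policy already matches the traffic on interface, address and service, so the only remaining criterion is the user group.

```python
"""Model of FortiGate policy matching under active vs. passive authentication.

Added example, not Fortinet code. Assumptions (not stated on the page):
- every policy already matches the traffic on interface/address/service, so
  the only remaining criterion is the user group;
- a policy with an empty group set does not require authentication;
- a captive portal on the ingress interface prompts before the policy lookup;
- passively identified users are never prompted.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    policy_id: int
    groups: frozenset = frozenset()  # empty: no authentication required


@dataclass(frozen=True)
class Flow:
    # Groups learned passively (FSSO/RSSO) before the first packet; None when
    # the source IP is not mapped to any logged-in user.
    passive_groups: Optional[frozenset] = None
    # Groups the user lands in after an active (LDAP/RADIUS/...) login prompt.
    active_groups: frozenset = frozenset()


def match(policies, flow, auth_on_demand="implicitly",
          captive_portal=False) -> Tuple[Optional[int], bool]:
    """Return (matched policy ID or None, whether the user was prompted)."""
    identity = flow.passive_groups
    prompted = False

    # Captive portal on the ingress interface: authenticate before the lookup.
    if identity is None and captive_portal:
        identity, prompted = flow.active_groups, True

    for idx, policy in enumerate(policies):
        if not policy.groups:
            return policy.policy_id, prompted  # no auth needed: first fit wins

        if identity is None:
            # Unauthenticated user hitting a policy that requires a group.
            later_without_auth = any(not p.groups for p in policies[idx + 1:])
            if auth_on_demand == "implicitly" and later_without_auth:
                continue  # default behaviour: skip to the open policy below
            identity, prompted = flow.active_groups, True  # prompt now

        if identity & policy.groups:
            return policy.policy_id, prompted

    return None, prompted  # fell through every policy: implicit deny


# Constructed scenario from the article: policy 15 requires the "guest"
# group, policy 16 requires no authentication.
POLICIES = (Policy(15, frozenset({"guest"})), Policy(16))
UNKNOWN_GUEST = Flow(active_groups=frozenset({"guest"}))
FSSO_GUEST = Flow(passive_groups=frozenset({"guest"}))

# Constructed mixed scenario: FSSO policy on top, LDAP policy below, no open
# policy after them.
MIXED = (Policy(10, frozenset({"fsso_users"})),
         Policy(20, frozenset({"ldap_users"})))
FSSO_USER = Flow(passive_groups=frozenset({"fsso_users"}))
UNKNOWN_LDAP_USER = Flow(active_groups=frozenset({"ldap_users"}))


def scenarios():
    """Outcome of each case described in the article, keyed by name."""
    return {
        "active, implicitly": match(POLICIES, UNKNOWN_GUEST),
        "active, always": match(POLICIES, UNKNOWN_GUEST, auth_on_demand="always"),
        "active, captive portal": match(POLICIES, UNKNOWN_GUEST, captive_portal=True),
        "passive, FSSO": match(POLICIES, FSSO_GUEST),
        "mixed, FSSO known": match(MIXED, FSSO_USER),
        "mixed, FSSO unknown": match(MIXED, UNKNOWN_LDAP_USER),
    }


if __name__ == "__main__":
    for name, (pid, prompted) in scenarios().items():
        print(f"{name:24} -> policy {pid}, prompted={prompted}")
```

Running the block shows the two outcomes the article contrasts: with the default `implicitly` setting the unauthenticated guest lands on policy 16 without a prompt, while `always`, a captive portal, or a passive FSSO mapping all put the same traffic on policy 15. In the mixed list the FSSO-identified user matches policy 10 silently, and a user FSSO cannot map is prompted and ends up on the LDAP policy 20, which is the fallback the recommended ordering relies on. Real FortiGate matching also evaluates interface, address, service and schedule, and FSSO groups and LDAP groups are different object types; the simulation collapses all of that into group names.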

 
