Technical Tip: User based policy not working
Description
This article describes that authentication prompt is not showing when policy is having user configured.
Scope
FortiGate
Solution
Policy is configured with the user however authentication prompt is not received to the user
This can happen due to two reasons:
- Traffic does not match the configured policy.
- There is a policy configured to allow the traffic without any authentication.
If there is a policy without authentication, the firewall will first select the policy without authentication configured to allow the traffic, though the policy with authentication is on top.
In the above picture policy 12 is configured with the user however traffic will always flow from the policy 11 as there is no user is configured in it.
To force authentication to happen even if there is a fall-through policy (policy 11) configured, you can configure the "auth-on-demand" setting to "always" under "config user setting". The default setting is "implicitly" and that allows the fall-through to the policy with no authentication.
config user setting
set auth-on-demand <always | implicitly>
always <----- Always trigger firewall authentication on demand.
implicitly <----- Implicitly trigger firewall authentication on demand.
always <----- Always trigger firewall authentication on demand.
implicitly <----- Implicitly trigger firewall authentication on demand.
With this set to always, any authentication policies above open (no authentication) policies will take precedence and force users to authenticate.