papapuff
New Member
July 27, 2017
Question

ask - Set authentication user for connect LAN/internet

  • July 27, 2017
  • 1 reply
  • 8716 views

hi there,

need advice here.

I have FG 60D,

can I set:

1. user authentication. Whenever a device wants to connect to our network, it will require user authentication.

2. restrict some devices by hardware ID, either MAC address or something else.

if those are possible, kindly give a reference where I can find a "how to".

if I'm correct, I can set authentication based on IP.

thanks.

    1 reply

    xsilver_FTNT
    Staff
    August 1, 2017

    Hi papapuff,

    ad 1. Yes, how about captive portal or 802.1x? So whenever some other device connects through FGT, the user will be prompted to authenticate.

    ad 2. Yes, how about having the DHCP server assign IP addresses statically to known MACs (MAC-IP pair). So you will always have a known MAC and device behind the IP. Be aware that a MAC can be forged. From this point of view it would need a bit more. Think about device-based identity, but in FGT it is passive fingerprinting only, so it might be inaccurate. Then you can harden the access even more via SSOMA, a client app, standalone or part of FortiClient, reporting its presence to FAC and then being reported to FGT as a well-known client via FSSO.

    For more info have a look at http://KB.fortinet.com , http://Docs.fortinet.com or http://cookbook.fortinet.com/

    Best regards,

    Tomas

    papapuff (Author)
    New Member
    September 27, 2017

    hi there,

    sorry to blow up this post again.

    1. I searched for creating an access list based on MAC address, but couldn't find it.

    any help?

    I want to restrict the unknown ones, so they can't connect to our LAN.

    2. also, if I use a managed switch, and users connect to the LAN via that switch, can FortiGate detect the user's MAC address?

    3. can I create a log for every device connected to FortiGate (MAC, device name, when, traffic data)?

    if so, where can I find the log?

    Thanks.

    Sudarsan_Babu
    New Member
    September 27, 2017

    1. I searched for creating an access list based on MAC address, but couldn't find it. any help? I want to restrict the unknown ones, so they can't connect to our LAN.

    Firmware version: 5.2

    http://cookbook.fortinet.com/user-device-authentication/

    Firmware version: 5.4

    http://cookbook.fortinet.com/user-device-authentication-54-video/

    2. also, if I use a managed switch, and users connect to the LAN via that switch, can FortiGate detect the user's MAC address?

    a.) Yes, if you are using the DHCP server in FortiGate you can see the MAC address & device identification (CPU usage may be high).

    b.) If you are using DHCP from a Windows server then you can check the logs from the firewall (FortiCloud or syslog).

    3. can I create a log for every device connected to FortiGate (MAC, device name, when, traffic data)? if so, where can I find the log?

    Yes. You can check in FortiCloud or FortiAnalyzer.

    Device Name: you can check the device list under the User & Device option. You can also see the MAC address in the device list.

    MAC: from the DHCP server ---> depends on firmware version: 5.2 (under the Network option), 5.4 (under Monitor).
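Tomas's reply suggests static DHCP MAC-IP pairs and warns that a MAC can be forged, and Sudarsan's reply points at the DHCP and firewall logs as the place to see which MAC got which IP. The following is an added example, not code from the thread or from Fortinet: it audits exported DHCP lease log lines (constructed here in the key=value style FortiGate logs use; field names such as `mac`, `ip`, `hostname` and `dhcp_msg` are assumptions for this example) against a reservation table, flagging MACs that are not in the table and known MACs that show up on an IP other than their reserved one.

```python
import re

# Matches key=value pairs where the value may be double-quoted (FortiGate style).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Reservation table: the "known MAC -> IP" pairs a static DHCP setup would hold.
# Constructed sample data; the MACs and IPs are not from the thread.
RESERVATIONS = {
    "00:11:22:33:44:55": "192.168.1.10",
    "00:11:22:33:44:66": "192.168.1.11",
}

# Constructed sample log lines mimicking FortiGate DHCP Ack events (not real captures).
SAMPLE_LOG = """\
date=2017-09-27 time=08:01:10 type="event" subtype="system" logdesc="DHCP Ack log" dhcp_msg="Ack" mac="00:11:22:33:44:55" ip=192.168.1.10 hostname="lab-pc-01"
date=2017-09-27 time=08:02:30 type="event" subtype="system" logdesc="DHCP Ack log" dhcp_msg="Ack" mac="00:11:22:33:44:66" ip=192.168.1.11 hostname="lab-pc-02"
date=2017-09-27 time=08:05:00 type="event" subtype="system" logdesc="DHCP Ack log" dhcp_msg="Ack" mac="DE:AD:BE:EF:00:01" ip=192.168.1.57 hostname="unknown-phone"
date=2017-09-27 time=08:07:45 type="event" subtype="system" logdesc="DHCP Ack log" dhcp_msg="Ack" mac="00:11:22:33:44:55" ip=192.168.1.99 hostname="lab-pc-01"
"""


def parse_fortigate_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def audit_dhcp_log(log_text, reservations):
    """Return (kind, mac, ip, hostname) tuples for every DHCP Ack that needs a look.

    kind is "unknown_mac" when the MAC is not in the reservation table, and
    "ip_mismatch" when a known MAC was handed an IP other than its reserved one
    (a lease outside the table is one visible symptom of a cloned or mistyped MAC).
    """
    findings = []
    for raw in log_text.splitlines():
        f = parse_fortigate_line(raw)
        if f.get("dhcp_msg") != "Ack" or "mac" not in f or "ip" not in f:
            continue  # only completed leases carry a MAC-IP pair worth checking
        mac = f["mac"].lower()  # normalise case so table lookups are consistent
        host = f.get("hostname", "")
        if mac not in reservations:
            findings.append(("unknown_mac", mac, f["ip"], host))
        elif reservations[mac] != f["ip"]:
            findings.append(("ip_mismatch", mac, f["ip"], host))
    return findings


if __name__ == "__main__":
    for kind, mac, ip, host in audit_dhcp_log(SAMPLE_LOG, RESERVATIONS):
        print(f"{kind:12} mac={mac} ip={ip} host={host}")
```

The same parser works on lines forwarded by syslog; only the reservation table and the field names need to match what your own FortiGate actually emits.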