authenticated and non authenticated users in one subnet

Question

am i correct in assuming that if i have mix of authenticated and non authenticated users in the same subnet and if want to to provide part of the authenticated users and all non authenticated users access i can't?

i would create one policy for the subnet with one of the authenticated user groups and one policy for the non authenticated users. then due to the fall through mechanism of user based authenticated to group i didn't want to have access falls to the generic policy and is allowed by that.

xsilver_FTNT · Answer

Hello.pay attention that policy check design has changed between FortiOS 5.0 (more like 4.3) and 5.2/5.4 style.In 5.2/5.4 there is implicit fall through and if you have same IP headers, then this non-identity policy will be chosen regardless of it's position and there might be no authentication at all.See FortiOS 5.2.0 (init release) Release Notes , page 13, "Firewall policy changes after upgrading to FortiOS v5.2.0 build 0589" However, there is many scenarios how you can achieve authenticated and non authenticated users inside same subnet.It all depends on chosen authentication and how many users are in both groups. If you have just few of users unable to perform authentication, all has static or DHCP static IP, then you can just make explicit policy for the list of those IP to skip authentication. There could be MAC address based lock on assigned IP to enhance security and prevent IP hijack etc. Or authentication can be SSO based (automatic) for those normaly authenticated, with NTLM fallback so those non-MS-domain user will be prompted to authenticate. Fallback could be to any other auth type like RADIUS or LDAP.I'd suggest to visit docs.fortinet.com and check User Authentication admin guide on FortiOS section. Kind regards,Tomas

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded