luky
New Member
August 3, 2024
Question

Fortigate local user authentication


Hello,

I followed this KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-user-authentication/ta-p/190084

My goal was to authenticate "website-admin" users for our backend webservers so that they can do more than a normal guest visitor could do. The difference I wanted was two firewall policies, one for guests and one for authenticated users, where for example the IPS+WAF rules are stricter for guests than for authenticated users.

My problem is that when enabling Captive Portal I could authenticate with my backend user and traffic hit the right policy, but guests who MUST NOT authenticate also had to authenticate, which is not possible for them because they should not have any credentials.

How can I hide the auth page and only authenticate users who want to be authenticated? All others should be able to access all the webservers regularly.

2 replies

mpeddalla
Staff
August 3, 2024

Hello @luky,

Thank you for contacting the Fortinet Forum portal.

You can create a rule below the one with the suggested user group in the article, and in the destination give the web server address to which you want to allow access.

Additionally, in Step 2 there is the option to choose "Restricted to groups" and choose the group of users whom you want to access.


Best regards,

Manasa.


If you feel the above steps helped resolve the issue, mark the reply as solved so that other customers can get it easily while searching for similar scenarios.
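The two-policy layout this reply describes, written out as an added FortiOS CLI example (it is not from the thread or from Fortinet documentation). Interface names wan1/dmz, the address object "webservers", the user group "website-admins", the IPS sensors and WAF profiles "relaxed"/"strict", and the policy IDs are all assumed; the `auth-on-demand` setting under `config user setting` and its behaviour are also stated from memory and should be checked against the CLI reference for your FortiOS version.

```fortios
# Added example, not Fortinet's own configuration. Assumed objects:
# interfaces wan1/dmz, address "webservers", group "website-admins",
# IPS sensors and WAF profiles named "relaxed" and "strict".

config firewall policy
    # 1. Identity-based policy: only matches traffic from a user who is
    #    already authenticated as a member of "website-admins".
    edit 10
        set name "webservers-admins"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "webservers"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "website-admins"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "relaxed"
        set waf-profile "relaxed"
        set logtraffic all
    next
    # 2. Guest policy with the same source/destination but no group:
    #    unauthenticated visitors land here with the stricter profiles.
    edit 11
        set name "webservers-guests"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "webservers"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "strict"
        set waf-profile "strict"
        set logtraffic all
    next
    # Policy order, not the ID, decides matching: the group policy must
    # sit above the guest policy.
    move 10 before 11
end

# 3. Assumed setting: with "implicitly" the FortiGate is expected to
#    prompt only when no lower policy would otherwise permit the
#    traffic, so guests matching policy 11 see no login page.
config user setting
    set auth-on-demand implicitly
end
```

The security point of the layout is that the stricter IPS/WAF profiles are the fall-through default, so a visitor who never authenticates gets the hardened path and only an authenticated group member reaches the relaxed one; confirm with a test client from each side, and check `diagnose firewall auth list` for the authenticated session, before relying on the prompt-free behaviour.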

luky (Author)
New Member
August 3, 2024

Okay, but under Network -> Interfaces on the WAN interface I cannot choose Captive Portal because the "Security Mode" option is missing, yet it somehow works in the CLI. Could it be that the Captive Portal option is invisible if the interface is on DHCP?

Also, the problem is that guests should be able to go to my websites without authenticating on the FortiGate. How do I accomplish this? Is there a solution without this "Captive Portal" method? I just want the FortiGate to recognize admins vs. visitors by logging in to the FortiGate, so that their traffic goes a different way; otherwise, a user who is not logged in should not notice that such a mechanism exists at all. There should be no prompt for visitors.

mpeddalla
Staff
August 3, 2024

Hello @luky,

As confirmed by my colleague @salmas, there are limitations on using a captive portal on interfaces; please refer to the article below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Captive-Portal-Authentication-Network-Interface/ta-p/211018

Thanks,

Manasa.


salmas
Staff
August 3, 2024

Hello @luky,

You can't see the Security Mode option for the interface roles "wan" and "dmz". The Security Mode option is only available in the GUI for the LAN and undefined interface roles.

Best Regards,

salmas