Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

PeterBailesh
New Contributor

Created on ‎08-20-2016 03:26 AM

Age-group based web/content filter – Guests

Age-group based web/content filter – Guests

 

I have an interesting client requirement where we have to capture the guest’s age along with username/password in captive portal and serve the webcontent based on their age.

I have got both Cisco ISE and ClearPass guest servers. I have got Cisco WLCs in the setup.

I have got both Fortigate(webfilter) and Cisco ASA. How to implement this solution to serve content based on guest’s age?

I can only category based filter in fortigate.

 

Thanks,

 

 

Labels:
728
0 Kudos
1 Solution
FredPoca
New Contributor
In response to PeterBailesh

Created on ‎06-09-2017 03:07 AM

If you can have your RADIUS server return the age in the Fortinet-Group-Name attribute, that would make things very simple.

 

Once that's done just create user groups on the Fortigate that match on your radius server + group name and apply those groups to policy.

 

I.e., User age is 19, RADIUS server returns Fortinet-Group-Name attribute "Age19".  On the Fortigate, create a group called "UserAge19", match remote users on RADIUS Server with group name "Age19".  Then create firewall policies that use the correct source IP range (or "any") and the "UserAge19" group.

 

There are ways to make user groups look at other RADIUS attributes in CI instead of just Fortinet-Group-Name (I think it's the "class" setting under "config user radius \ edit \ set class "blah"), but the default is Fortinet-Group-Name.

View solution in original post

726
0 Kudos
3 REPLIES 3
aterekhov_FTNT
Staff
Staff

Created on ‎08-21-2016 12:08 AM

Hi Rajesh,

 

this age information - is it stored somewhere on the webpages?

In other words, where should it come from?

726
0 Kudos
PeterBailesh
New Contributor
In response to aterekhov_FTNT

Created on ‎08-21-2016 12:49 AM

Age information is stored in the radius servers. I can return them as user catagory. 

726
0 Kudos
FredPoca
New Contributor
In response to PeterBailesh

Created on ‎06-09-2017 03:07 AM

If you can have your RADIUS server return the age in the Fortinet-Group-Name attribute, that would make things very simple.

 

Once that's done just create user groups on the Fortigate that match on your radius server + group name and apply those groups to policy.

 

I.e., User age is 19, RADIUS server returns Fortinet-Group-Name attribute "Age19".  On the Fortigate, create a group called "UserAge19", match remote users on RADIUS Server with group name "Age19".  Then create firewall policies that use the correct source IP range (or "any") and the "UserAge19" group.

 

There are ways to make user groups look at other RADIUS attributes in CI instead of just Fortinet-Group-Name (I think it's the "class" setting under "config user radius \ edit \ set class "blah"), but the default is Fortinet-Group-Name.

727
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.