FortiGate
evejar (Staff)
Article Id 192967

Description


This article explains the difference in behavior between active and passive authentication. FortiGate has two types of authentication, each tied to different protocols:

  • Active: LDAP, Radius, TACACS+ and SAML.
  • Passive: FSSO, RSSO.


They behave differently depending on how the firewall policies are configured.


Scope

FortiGate.


Solution


For active authentication, every policy that could match the traffic must have authentication enabled, or a captive portal must be enabled on the ingress interface for that traffic. If this is not the case, the traffic matches the first policy without authentication and the user is never prompted.

For passive authentication, if FortiGate can successfully obtain the user details (for example from FSSO), the traffic matches the first policy that fits, including an identity-based policy, because the user is already authenticated before the policy lookup.

Examples:

Active authentication:

[Image: 1221_policy.png]
Because the guest group is not yet authenticated, the traffic does not match the policy with ID=15; it goes out through the policy with ID=16, which requires no authentication. The user is not asked to authenticate.

[Image: 1221_policy.png]
If passive authentication is used, traffic from users that belong to the guest group matches the policy with ID=15, even though the policy with ID=16 has no authentication enabled, because the user is already authenticated.
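The policy walk described in both examples, written out as a simplified model. This is an added illustration, not Fortinet's code and not the actual FortiOS algorithm; the policy table (IDs 15 and 16, group "guest"), the `lookup` function and the `captive_portal` flag are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Policy:
    policy_id: int
    groups: tuple = ()  # empty: no authentication enabled on the policy


# Constructed table mirroring the screenshots: ID 15 needs "guest", ID 16 does not.
POLICIES = (Policy(15, ("guest",)), Policy(16))


def lookup(policies: Sequence[Policy], auth_mode: str,
           user_groups: Sequence[str] = (),
           captive_portal: bool = False) -> tuple[Optional[int], bool]:
    """Return (matched policy ID or None, True if the user was prompted).

    Simplified model of the behaviour in the article, not the FortiOS code.
    auth_mode "active": LDAP/RADIUS/TACACS+/SAML, identity unknown at lookup.
    auth_mode "passive": FSSO/RSSO, user_groups already known before lookup.
    captive_portal: active mode with a captive portal on the ingress interface,
    so the user is prompted before the policy walk and user_groups is then known.
    """
    if auth_mode not in ("active", "passive"):
        raise ValueError(f"unknown auth mode: {auth_mode}")
    identity_known = auth_mode == "passive" or captive_portal
    prompted = auth_mode == "active" and captive_portal
    if identity_known:
        known = set(user_groups)
        for pol in policies:
            # First policy that fits: no groups required, or one of ours.
            if not pol.groups or known & set(pol.groups):
                return pol.policy_id, prompted
        return None, prompted  # implicit deny
    first_identity_policy = None
    for pol in policies:
        if not pol.groups:
            # Fall-through: a later policy needs no auth, so no prompt is shown.
            return pol.policy_id, False
        if first_identity_policy is None:
            first_identity_policy = pol.policy_id
    if first_identity_policy is not None:
        # Only identity policies could match: the user is asked to log in.
        return first_identity_policy, True
    return None, False
```

With the two-policy table, active mode silently falls through to ID 16, passive mode lands a guest user on ID 15, and removing ID 16 (or adding a captive portal) is what makes active mode actually prompt.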

 
