Created on 11-14-2019 06:56 AM Edited on 10-22-2024 01:47 AM By Anthony_E
Description
This article describes how, from FortiOS 6.2 onwards, users can configure the FortiGate to force authentication to always take place where it is required.
From FortiOS 5.2 onwards, the implicit fall-through feature means that if there are firewall policies without authentication below the policy list, user traffic will always match those lower policies, even when active authentication policies are present at the top.
Scope
FortiGate.
Solution
Note:
Setting auth-on-demand to 'always' will cause problems with passive authentication on FortiOS (RSSO, FSSO). In this scenario, the FortiGate will not allow authentication to fall through to other passive authentication policies.
To check whether or not auth-on-demand is responsible for FSSO authentication failing, the following diagnostics can be run on the CLI:
diag debug flow filter clear
diag debug flow filter addr <client-ip-address>
diag debug flow show ip enable
diag debug flow show function enable
diag debug console time enable
diag debug enable
diag debug flow
Test with any traffic flow from the <client-ip-address> device that would match an FSSO policy, and check whether the following debug message is seen:
id=65308 trace_id=13286 func=__iprope_user_identity_check line=1894 msg="ret-stop"
If a line containing both 'func=__iprope_user_identity_check' and 'msg="ret-stop"' is visible, then auth-on-demand is preventing passive authentication from working as expected. To allow FSSO traffic to work as expected, set 'auth-on-demand' to 'implicitly'.
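Once the debug flow output has been captured to a file, the check above can be automated. The following Python script is an added example and is not part of the Fortinet article: it splits each debug flow line into its key=value fields, groups the lines by trace_id, and reports the traces in which __iprope_user_identity_check ended with ret-stop. The debug output embedded in the script is constructed sample data, not real captured output, and the trace_id and line values in it are made up.

```python
import re
from collections import defaultdict

# Constructed sample of 'diag debug flow' output (not real captured data).
# trace_id 13286 shows the signature the article describes (ret-stop from the
# user identity check); trace_id 13287 shows a flow that continued normally.
SAMPLE_DEBUG_OUTPUT = """\
id=65308 trace_id=13286 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:51234->203.0.113.10:443) from port1."
id=65308 trace_id=13286 func=init_ip_session_common line=5810 msg="allocate a new session-00001234"
id=65308 trace_id=13286 func=__iprope_user_identity_check line=1894 msg="ret-stop"
id=65308 trace_id=13287 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 10.0.0.6:51235->203.0.113.10:443) from port1."
id=65308 trace_id=13287 func=__iprope_user_identity_check line=1894 msg="ret-continue"
id=65308 trace_id=13287 func=fw_forward_handler line=805 msg="Allowed by Policy-7: SNAT"
"""

# key=value or key="quoted value"; quoted values may contain spaces and '='.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the key=value fields of one debug flow line as a dict.

    A leading timestamp (from 'diag debug console time enable') contains no
    '=' and is simply skipped by the regex.
    """
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = value
    return fields


def group_by_trace(debug_output):
    """Map trace_id -> ordered list of (func, msg) tuples."""
    traces = defaultdict(list)
    for raw in debug_output.splitlines():
        f = parse_line(raw)
        if "trace_id" in f and "func" in f:
            traces[f["trace_id"]].append((f["func"], f.get("msg", "")))
    return dict(traces)


def find_auth_blocked_traces(debug_output):
    """Return sorted trace_ids where __iprope_user_identity_check returned ret-stop."""
    blocked = []
    for trace_id, steps in group_by_trace(debug_output).items():
        if ("__iprope_user_identity_check", "ret-stop") in steps:
            blocked.append(trace_id)
    return sorted(blocked)


def auth_on_demand_blocking(debug_output):
    """True if any trace shows the ret-stop signature from the article."""
    return bool(find_auth_blocked_traces(debug_output))


if __name__ == "__main__":
    hits = find_auth_blocked_traces(SAMPLE_DEBUG_OUTPUT)
    if hits:
        print("auth-on-demand is stopping passive auth in traces:", ", ".join(hits))
    else:
        print("no ret-stop from __iprope_user_identity_check found")
```

Run it against a file instead of the sample by reading the file contents and passing them to find_auth_blocked_traces(). If it reports any trace, the remedy is the one the article gives: change auth-on-demand from 'always' to 'implicitly' (in the FortiOS CLI this setting lives under config user setting, as set auth-on-demand implicitly).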
Related articles:
Technical Tip: Implicit fall-through feature for user authentication policies in 5.2
Copyright 2024 Fortinet, Inc. All Rights Reserved.