Created on 12-19-2022 06:52 AM Edited on 07-28-2025 11:03 AM
Description | This article explains how to configure user-based policies for LAN users within FortiGate. |
Scope | FortiGate. |
Solution |
This article assumes an example configuration, where the WAN IP is 41.1.12.112/32 and the Internal IP is 172.16.3.0/24.
Create Users.
First, create the necessary users to assign bandwidth caps to. Local, LDAP and RADIUS users can also be used.
Create Firewall Policy.
By default, traffic will pass through the FortiGate with an IP-based policy. Authentication on demand can only be configured through the CLI:
config user setting
    set auth-on-demand always
end
After running this command, traffic will use the authentication policy and each user will receive an authentication prompt.
The always value will always trigger firewall authentication on demand. The implicitly value (the default option) will implicitly trigger firewall authentication on demand.
If configured correctly, network users trying to connect to the Wi-Fi or LAN will be prompted for authentication.
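The following is an added example, not part of the original article or any Fortinet tooling: a Python check over a configuration backup that reports the auth-on-demand value and lists firewall policies with no users or groups, which are the IP-based policies mentioned above. The sample configuration, the group name LAN-Users and the interface names internal and wan1 are constructed assumptions.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from the article).
# Group name "LAN-Users" and interfaces "internal"/"wan1" are assumptions.
SAMPLE_CONFIG = """\
config user setting
    set auth-on-demand always
end
config firewall policy
    edit 1
        set name "LAN-users-to-WAN"
        set srcintf "internal"
        set dstintf "wan1"
        set groups "LAN-Users"
    next
    edit 2
        set name "LAN-any-to-WAN"
        set srcintf "internal"
        set dstintf "wan1"
    next
end
"""

def _section(config, header):
    """Return the body of a top-level 'config <header>' ... 'end' block."""
    m = re.search(rf"^config {re.escape(header)}\n(.*?)^end$", config, re.S | re.M)
    return m.group(1) if m else ""

def auth_on_demand(config):
    """Value of auth-on-demand; 'implicitly' is the default when it is not set."""
    m = re.search(r"^\s*set auth-on-demand (\S+)", _section(config, "user setting"), re.M)
    return m.group(1) if m else "implicitly"

def policies_without_identity(config):
    """IDs of firewall policies that match on IP only (no users or groups)."""
    ids = []
    body = _section(config, "firewall policy")
    for pid, entry in re.findall(r"^\s*edit (\d+)\n(.*?)^\s*next$", body, re.S | re.M):
        if not re.search(r"^\s*set (groups|users) ", entry, re.M):
            ids.append(int(pid))
    return ids

def audit(config):
    """Summarise the two settings that decide whether users are prompted."""
    return {"auth_on_demand": auth_on_demand(config),
            "ip_only_policies": policies_without_identity(config)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Policies listed under ip_only_policies are worth reviewing when user-based control is the goal, since they identify traffic by address rather than by authenticated user.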
Related article: Technical Tip: How to configure FortiGate Captive Portal via FortiAuthenticator |