Support Forum
damianhlozano
Contributor

Use local users for less restrictions

Hello team!!!


I have a local group "UsersLevel1" in the FGT with many members.

I have 2 different web filter and application control profiles, one for level 1 (less restrictions) and one for level 2 (more restrictions).

What I am trying to accomplish is the following:

- When a user tries to access the Internet, the FGT asks him for a username and password

- If the user enters valid credentials for the "UsersLevel1" group, he can navigate with the level 1 security profiles

- If the user does not enter any credentials, he can navigate with the level 2 security profiles

If this is not possible, we would like to do the following:

- When a user tries to access the Internet, the FGT asks him for a username and password

- If the user enters credentials for the "UsersLevel1" group, he can navigate with the level 1 security profiles

- If the user enters credentials for the "UsersLevel2" group, he can navigate with the level 2 security profiles

Is this possible?

When I enable "Security mode: Captive Portal" on the LAN interface, if I create a rule with local users on it, it seems that you cannot just skip entering credentials; the FGT will stop looking for matching rules after this rule with local users.

Later I will configure the FGT to synchronize with AD, but we wanted to do this for devices which cannot join AD.

Thanks in advance.

Regards,

Damián


3 REPLIES
gfleming
Staff

Put your level 1 policies at the top of your policy table. These rules will take precedence. Then, put level 2 policies below with user group UsersLevel2 attached to them. Now, if anyone tries to access anything that requires level 2, they will be authenticated for UsersLevel2 credentials.

Cheers,
Graham
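The policy ordering described above, written out as a FortiOS CLI configuration. This is an added example, not Graham's or Fortinet's own config; the interface names (internal, wan1), the member usernames, the policy names and the web filter / application control profile names are assumptions and must be replaced with your own.

```fortios
# Added example (not from the thread). Interface, user, policy and profile names are assumed.
config user group
    edit "UsersLevel1"
        set member "alice" "bob"        # existing local users (assumed names)
    next
    edit "UsersLevel2"
        set member "carol"              # existing local user (assumed name)
    next
end

config firewall policy
    # Level 1 (less restrictions): must sit above the level 2 policy
    edit 1
        set name "Internet-Level1"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "UsersLevel1"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "level1-webfilter"
        set application-list "level1-appcontrol"
        set logtraffic all
        set nat enable
    next
    # Level 2 (more restrictions): same match criteria, different group and profiles
    edit 2
        set name "Internet-Level2"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "UsersLevel2"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "level2-webfilter"
        set application-list "level2-appcontrol"
        set logtraffic all
        set nat enable
    next
    # Policies are matched top-down; keep level 1 above level 2
    move 2 after 1
end
```

After a user logs in, `diagnose firewall auth list` shows which user and group the session was authenticated under, which is the quickest way to confirm that a UsersLevel2 member landed on policy 2 rather than policy 1.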
damianhlozano
Contributor

Ok, thanks.

Just tested and worked

So, the first option I wrote is not possible, but the second one is possible and worked for me.


Regards,

Damián

gfleming

Just thinking now, Option 1 could be possible using Explicit Proxy. You could configure two different proxy policies, one for LEVEL1 and one for LEVEL2. When using the proxy, if both proxy policies have a user group defined in the source then authentication can occur for the respective access.

Unauthenticated users can access the internet using non-proxy config.


https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/300428/explicit-web-proxy

Cheers,
Graham