Wurstsalat
New Contributor III

Authentication Ruleset, where is the decision which will be used?

Hi there,

For example, I have this (after upgrading 5.4 to 5.6):

    edit "auth-rule4pol7"
        set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
        set ip-based disable
        set active-auth-method "auth-sch4pol7"
    next
    edit "auth-rule4pol3"
        set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
        set ip-based disable
        set active-auth-method "auth-sch4pol3"

So basically both have the same criteria... so both may fit. Now I have looked at my previous explicit proxy rules; there it is not mentioned which authentication rule will be used. So how do I prioritise one authentication rule over another? Or how do I say this proxy policy should use this rule, like it was in 5.4?

 

Hope someone can help

1 Solution
Fishbone_FTNT

Hi Wurstsalat, rules are evaluated top-down. So the first will match it all. The second is just a leftover from the upgrade process.

EDIT: You are basically selecting which authentication to use based on the source IP address in the rule. Once a rule is matched, the authentication scheme specified in it will be used.

 

Fishbone)(

smithproxy hacker - www.smithproxy.org

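The top-down, first-match evaluation described in the answer above can be checked offline against an exported rule list. This is an added example, not part of the original thread and not Fortinet code; it assumes `srcaddr` is the only match criterion and that address objects are compared by name only, and `parse_rules`, `first_match` and `shadowed_rules` are hypothetical helper names.

```python
import shlex

# Constructed sample: the two rules from the question, in their original order.
SAMPLE_CONFIG = '''
edit "auth-rule4pol7"
    set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
    set ip-based disable
    set active-auth-method "auth-sch4pol7"
next
edit "auth-rule4pol3"
    set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
    set ip-based disable
    set active-auth-method "auth-sch4pol3"
next
'''

def parse_rules(text):
    """Parse edit/set/next blocks into an ordered list of rule dicts."""
    rules, current = [], None
    for line in text.splitlines():
        tokens = shlex.split(line)  # handles the quoted object names
        if not tokens:
            continue
        if tokens[0] == "edit":
            current = {"name": tokens[1]}
            rules.append(current)
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
    return rules

def first_match(rules, src_object):
    """Top-down evaluation: (rule, scheme) of the first rule listing src_object."""
    for rule in rules:
        if src_object in rule.get("srcaddr", []):
            return rule["name"], rule.get("active-auth-method", [None])[0]
    return None

def shadowed_rules(rules):
    """(shadowed, shadowing) pairs; assumption: objects are compared by name only."""
    pairs = []
    for i, later in enumerate(rules):
        src = set(later.get("srcaddr", []))
        for earlier in rules[:i]:
            if src and src <= set(earlier.get("srcaddr", [])):
                pairs.append((later["name"], earlier["name"]))
                break
    return pairs
```

On the sample, every source object resolves to `auth-rule4pol7`, and `auth-rule4pol3` is reported as shadowed, matching the "leftover from the upgrade" description.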

11 Replies
Wurstsalat
New Contributor III

Nope, you are talking about forms-based authentication... If you use NTLM/Kerberos authentication there is no need for the user to enter any credentials after domain logon at the computer; this works with most browsers such as Firefox (configuration required), Chrome-based, Internet Explorer and Edge. This works for explicit proxy as follows:

- Client sends unauthenticated request
- Explicit proxy replies with HTTP 407
- Client automatically sends authentication information
- Depending on the proxy rules, client gets access

 

Anyway this was never the question ;)

MarioRuisi
New Contributor

Hi guys,

Is there a way to build a rule with no authentication?

I have built up explicit proxy in 5.6.7 with FSSO authentication. Anyway, there are some systems which are not members of our domain which need access to the internet.

For some reason I do not have the possibility to set up an authentication scheme/rule for no authentication.

Can someone help me?

Best regards

Mario
