Akmostafa
New Contributor III

FortiNAC local captive portal authentication

Hello Guys, 

I want to enforce web user authentication against the FortiNAC local database.

I have added a FortiSwitch working in standalone mode.

I did set both registration and authentication to enforce.

Created a local user and set its role to "test-role".

Added the switch port to the forced registration and forced authentication and role based access group.

Manually registered my laptop to the "test-role".

Created an authentication policy matching on a user-host profile matching on:

where: any

who what by group : any

who what by attribute : host [role:test-role]

 

Then a network access policy matching on the following profile:

where: any

who what by group : any

who what by attribute : host [role:test-role]  user [role:test-role]

 

Results:

I am successfully switched to the authentication VLAN, get the correct IP address and am redirected to the authentication portal, but when I enter my local credentials I get the following on the portal:

authentication failed, please try again.

ebilcari
Staff

You can check under Portal > Portal Configuration > Global [Settings] for the option "Standard User Login Type", which will handle the registration part. For a guest solution, only self-registration is commonly used; no authentication is needed.

If you still need the Authentication step, you have to add a configuration for the policy that this user hits and choose Local as the authentication method:

[Screenshot: auth local.PNG]

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Akmostafa
New Contributor III

Hi Ebilcari,

I have already done the authentication policy part. Actually, I am only moved to the authentication VLAN after I did this step.

Verified the standard user login to be local in the portal configuration and also in the authentication configuration applied to the auth policy.

Akmostafa
New Contributor III

[Attached screenshots: auth-config.png, host policy-auth.png, host policy-network access.png, host profile.png, model config.png, network access-config.png, network access-host prof.png]

ebilcari

More information can be checked using the CLI while enabling this debug:

> nacdebug -name DirectoryAuthentication true
> logs
> tf output.master

If the output is overwhelming, you can add the grep command [| grep username]

- Emirjon
ndumaj
Staff
Staff

Hi Akmostafa,
Don't forget to disable debug using the following command:

>nacdebug -name DirectoryAuthentication false

 BR

- Happy to help, hit like and accept the solution -