luky
New Contributor

Fortigate local user authentication

Hello,

I followed this KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-user-authentication/ta-p/190084

My goal was to authenticate "website-admin" users for our backend webservers so that they can do more than a normal guest visitor could do. The difference I wanted was 2 firewall policies, one for guests and one for authenticated users, where for example IPS+WAF rules were more strict for guests than for authenticated users.

My problem is that when enabling Captive Portal I could authenticate with my backend user and traffic hit the right policy, but guests who MUST NOT authenticate also had to authenticate, which is not possible for them because they should not have any credentials.

How can I hide the auth page and only auth users who want to be authenticated? All others should be able to access all the webservers regularly.

mpeddalla
Staff

Hello @luky,

Thank you for contacting the Fortinet Forum portal.

You can create a rule below the suggested user group in the article, and in the destination give the web server address to which you want to allow access.

Additionally, in Step 2 there is the option to choose "Restricted to groups" and choose the group of users whom you want to access.

Best regards,

Manasa.

 

luky
New Contributor

Okay, but under Network -> Interfaces on the WAN interface I cannot choose Captive Portal because the "Security Mode" option is missing, but it somehow works in CLI. Could it be that if the interface is on DHCP, Captive Portal is invisible?

Also, the problem is that guests should be able to go to my websites without authenticating on FortiGate. How can I accomplish this? Is there a solution without this "Captive Portal" method? I just want FortiGate to recognize admins vs. visitors by logging in to FortiGate so that traffic goes the other direction; otherwise, if not logged in, the user shouldn't notice that such a mechanism is there at all. There should be no prompt for visitors.

mpeddalla

Hello @luky,

As confirmed by a colleague, @salmas, there are limitations for using a captive portal on interfaces. Please refer to the article below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Captive-Portal-Authentication-Network-Inte...

 

Thanks,

Manasa.

 

salmas
Staff

Hello @luky,

You can't see the security mode option for interface roles "wan" and "dmz". The security mode option is only available under the GUI for LAN and undefined interface roles.

 


Best Regards,

salmas
