Hi,

I am wondering whether it would be possible to set up the following IP-based authentication mechanism on the FortiGate (v7.2):

1. I want users to visit a login website which is served on the external interface of the FortiGate.
2. After login, they should be authenticated based on IP address for some time and be allowed to access some systems behind the internal interface.

To this end, I configured the authentication settings under "User & Authentication" -> "Authentication Settings" as follows:

• Authentication scheme is set to a form-based authentication scheme using a local user database.
• Captive portal type is set to IP.
• Captive portal is enabled and set to 10.0.0.2.
• Protocol support for HTTP is enabled.

The external interface has 10.0.0.2 configured as its secondary IP address.

Now I would expect that http://10.0.0.2 serves a login page, but for some reason it does not. (I can see in the packet sniffer that the packets arrive at the FortiGate.)

Am I misunderstanding how form-based authentication is supposed to work? What would I need to do to achieve the desired workflow?

Thanks a lot in advance.