Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jaures
New Contributor

Prompt LAN's Guest users to enter username/pwd for web access

Hello all,

I have a Fortigate 200D with user identity firewall policies. User groups are using remote groups in Active Directory for authentication.

I need to enable non-domain users (guests) to be prompted for username/pwd when they try to access the internet.

AAA server is configured on the Fortigate for remote authentication of guest accounts.

I created a firewall policy with "Guest_Users" as Source User. This policy is placed at the bottom of the rules from LAN ---> WAN1,with the appropriate UTM features.

However, non-domain users are not getting any prompt when trying to browse; they are simply blocked (by rule 0).

Am I missing anything?

Regards,

Jaures.

Dave_Hall
Honored Contributor

Can you post a screenshot (sans any identifiable IPs) showing your firewall policy list, including the column headers? Something like the following:

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Jaures
New Contributor

Hello Dave,

please see attached.

Seq #2 is a temporary rule. The Fortigate is already in a production environment, so I had to do that for all users to access the internet for now. I do the testing for the other policies after working hours.

Seq #10 is the Guest_Users policy.

Seq #11 is a general web access policy for all domain users to access specific web sites only.

Regards,

Jaures.

Jaures
New Contributor

Hello Dave,

Note also that NAT is disabled on all policies because the Fortigate is behind an edge router that is performing the NAT.

When testing my policies, I disable seq #2 and enable seq #10 and #11.

Regards,

Jaures.

Jaures
New Contributor

Hello Dave,

I figured out how to enable the login prompt page for non-domain users. I made that policy the last one on the list, from LAN to WAN1... Now non-domain users are prompted for credentials before they can browse.

I want to use remote servers (AAA server) for user authentication. I created a RADIUS server on the Fortigate and the test is successful. When users use their Active Directory credentials, authentication fails. But when they use a local account I created on the Fortigate, authentication is successful.

Any idea on this, please?

Regards,

Jaures.

Jaures
New Contributor

Hello All,

Remote authentication using the AAA server is working now: users are prompted for username/password before browsing. I had to change the conditions/constraints on the Windows NPS server.

Thank you Dave, for your help.

Jaures.
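For readers landing on this thread later, here is an added FortiOS CLI sketch of the configuration the thread converges on (RADIUS server on the FortiGate, a remote user group, and a LAN-to-WAN1 identity policy placed last so that unauthenticated guests get the login prompt). It is not the original poster's configuration and not taken from Fortinet documentation. The interface names lan/wan1, the server name NPS-RADIUS, the RADIUS server address 192.0.2.10, the policy ID 10 and the profile names are assumptions; replace them with your own. The NPS-side network policy changes the poster mentions are outside this example.

```fortios
# Added example (not the poster's config). Names, IDs and the 192.0.2.10
# address are assumed placeholders.

# 1. RADIUS server object pointing at the Windows NPS box.
#    auth-type "auto" lets the FortiGate try the methods it supports;
#    the NPS network policy must allow whichever one succeeds (PAP/CHAP/
#    MS-CHAPv2), otherwise only local FortiGate users will authenticate.
config user radius
    edit "NPS-RADIUS"
        set server "192.0.2.10"
        set secret <shared-secret>
        set auth-type auto
    next
end

# 2. User group whose member is the remote RADIUS server, so any account
#    NPS accepts lands in Guest_Users.
config user group
    edit "Guest_Users"
        set group-type firewall
        set member "NPS-RADIUS"
    next
end

# 3. Identity policy for guests. Keep it as the LAST LAN->WAN1 policy:
#    FortiOS only shows the authentication prompt when this is the first
#    policy matching the unauthenticated traffic and no later non-identity
#    policy would pass the same traffic anyway. NAT stays disabled because
#    the edge router performs NAT, as in the thread.
config firewall policy
    edit 10
        set name "Guest_Web_Access"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set groups "Guest_Users"
        set utm-status enable
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat disable
    next
end

# 4. Checks from the CLI before testing with a browser:
#    - verify the FortiGate<->NPS exchange for an AD account directly
#      (replace scheme/user/password as needed):
#        diagnose test authserver radius NPS-RADIUS mschap2 jdoe <password>
#    - list sessions that have passed the prompt, and clear them to
#      re-test the prompt on the same client:
#        diagnose firewall auth list
#        diagnose firewall auth clear
```

The HTTP prompt only appears for cleartext web traffic unless HTTPS redirection/captive-portal settings are enabled under `config user setting`, so test the first request with a plain http:// site.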
