Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Akmostafa
New Contributor III

Created on ‎04-30-2023 03:10 AM

FortiNAC local captive portal authentication

Hello Guys, 

I wan to enforce web user authentication against Fortinac local database.

I have added a Fortiswitch working in standalone mode.

I did set both registration and authentication to enforce.

created a local user and set role to "test-role"

added the switch port to the forced registration and forced authentication and role based access group.

manually registered my laptop to the "test-role"

created an authentication policy matching on a user-host profile matching on :

where: any

who what by group : any

who what by attribute : host [role:test-role]

 

Then a network access policy matching on the following profile:

where: any

who what by group : any

who what by attribute : host [role:test-role]  user [role:test-role]

 

Results:

I am successfully switched to the authentication vlan got the correct ip address, redirected to the authentication portal but when I enter my local credentials: I get the following on the portal:

 

authentication failed, please try again.

 

Labels:
906
0 Kudos
5 REPLIES 5
ebilcari
Staff
Staff

Created on ‎05-01-2023 01:32 AM

You can check on Portal> Portal Configuration> Global [Settings] for the option "Standard User Login Type" that will handle the registration part. For guest solution only the self registration is commonly used, no authentication is needed.

 

If you still need the Authentication step you have to add a configuration for the policy where this user hits and choose Local as authentication method:

auth local.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
888
0 Kudos
Akmostafa
New Contributor III

Created on ‎05-01-2023 12:22 PM

Hi Ebilcari,

I have already done the authentication policy part. Actually I am only transited to the authentication VLAN after I did this step.

Verified the standard user login to be local in the poral configuration and also in the authentication configuration applied to the auth policy.

 

868
0 Kudos
Akmostafa
New Contributor III

Created on ‎05-02-2023 04:52 AM

auth-config.pnghost policy-auth.pnghost policy-network access.pnghost profile.pngmodel config.pngnetwork access-config.pngnetwork access-host prof.png

846
0 Kudos
ebilcari
Staff
Staff
In response to Akmostafa

Created on ‎05-02-2023 05:36 AM

more information can be checked using the CLI while enabling this debug:

> nacdebug -name DirectoryAuthentication true
> logs
> tf output.master

if the output is overwhelming you can add the grep command [| grep username]

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
842
0 Kudos
ndumaj
Staff
Staff

Created on ‎05-02-2023 09:01 AM

Hi Akmostafa,
Dont forget to disable debug using following command:

>nacdebug -name DirectoryAuthentication false

 BR

- Happy to help, hit like and accept the solution -
834
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.