I have accomplished this in the past by creating an authentication policy that references an LDAP group and putting it under my FSSO policy.
I have that. If I set source users to the FSSO group on my outbound wan1 policy, it will let authenticated users (by FSSO) out. Those who aren't on a machine that authenticates to AD it doesn't let out. It just stops them with an untrusted certificate warning. Firefox and Chrome will not let them add an exception as they would normally do. It just says the site is untrusted.
So maybe I am missing a step to get the authentication working.
Hmm, can you try accessing a non-HTTPS site to force authentication and see what happens?
FortiOS 5 definitely has some issues with showing block or authentication pages over HTTPS. They claim to have addressed this in 5.2.
What OS are you running?
5.2.4, see screenshot.
For a non-HTTPS site it just spins until there is a connection timeout. No login page from the 100D.
So just so we're clear:
IPv4 policy with an FSSO group listed as source user. SSL certificate inspection enabled. FSSO is working, as I can look at the monitor and see all of the users from AD being listed as authenticated. I can also enable the source user to be only the initial group (all the employees minus myself) and they can still access the internet, however I cannot. So I would assume I would get the login box to put in my domain\username and password to authenticate.
On one instance I was able to get a pop-up window. I entered a username and password and then it tried to take me to the FortiGate authentication page again. The username and password were not accepted.
Since then, while playing around, if I create a user from an AD user and then specify that user on a policy, I can get a FortiGate authentication page. However, the username and password are never accepted. Anyone know why?