User and device authentication


In this recipe, you will provide different network access for staff members based on full-time or part-time status. Wireless access will be allowed for users with laptops but denied for tablets and mobile phones.

In this recipe, a WiFi network has already been configured that is in the same subnet as the wired LAN. For more information, see Setting up a WiFi bridge with a FortiAP.

Find this recipe for other FortiOS versions
5.2 | 5.4

1. Creating two user groups and adding users

Go to User & Device > User Groups.

Create the user group full-time.

 

Create a second user group, part-time.

 

Go to User & Device > User Definition.

Create two new users with the Users/Group Creation Wizard (mlennox and ccraven, for example). Add one user to the full-time group and the other to the part-time group.


Both user names now appear in the user list.


 

2. Creating a schedule for part-time staff

Go to Policy & Objects > Schedules and create a new recurring schedule.

Set an appropriate schedule for part-time hours. So that the enforcement can be verified in the Results section, do not include the current day of the week in the schedule.

Create part-time schedule

The default always schedule will be used for full-time staff.

3. Creating a policy for full-time staff

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the local network interface. Select Source and set Address to all and User to the full-time group. Set Outgoing Interface to your Internet-facing interface, and make sure Schedule is set to always.

Turn on NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

Enable logging

4. Creating a policy for part-time staff that enforces the schedule

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the local network interface. Select Source and set Address to all and User to the part-time group. Set Outgoing Interface to your Internet-facing interface, and set Schedule to use the part-time schedule.

Turn on NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

Enable logging

View the policy list. Right-click anywhere in the part-time policy row and select Edit in CLI from the dropdown menu.

Note that the policy ID column is not shown by default. You must add that column if you wish to see it but it is not necessary in order to complete this recipe.

 

In the CLI Console, enter the command set schedule-timeout enable, as shown. The other commands already in the console were generated by the previous step, which opens the policy for editing.

Close the console when done.

This ensures that access for part-time users (policy ID 3 in this example) is revoked on days that are not on the schedule, even for sessions that began while access was allowed. Without it, a session established during scheduled hours stays open after the schedule expires.

5. Creating a policy that denies mobile traffic

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the local network interface. Select Source and set Address to all and Device to Mobile Devices (a default custom device group that includes tablets and mobile phones). Set Outgoing Interface to your Internet-facing interface, and set Action to DENY.

Leave Log Violation Traffic turned on.

Policy to deny mobile device access 

Go to Policy & Objects > IPv4 Policy and view policies By Sequence.

The deny mobile traffic policy must be above the other Internet access policies, because policies are evaluated top-down and the first match is applied; if a mobile device reached the full-time or part-time accept policy first, its user could authenticate and be allowed through. To move a policy, select any area in the far-left column of the policy and drag it to where you want it.
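The same configuration as steps 1 to 5, entered from the FortiOS CLI instead of the GUI. This is an added example and is not part of the original recipe. The interface names (internal, wan1), the policy IDs 1 to 3, the placeholder passwords and the Monday-to-Wednesday 09:00-17:00 schedule are assumptions to replace with your own values; the device group name "Mobile Devices" is taken from the GUI label in step 5 (confirm the CLI name with show user device-group). Lines beginning with # are commentary; drop them if your console rejects them.

```fortios
# Added example (not from the original recipe). Assumptions: LAN interface
# "internal", Internet interface "wan1", policy IDs 1-3 unused, placeholder
# passwords, Mon-Wed 09:00-17:00 as the part-time schedule.

config user local
    edit "mlennox"
        set type password
        set passwd "Replace-Me-1"
    next
    edit "ccraven"
        set type password
        set passwd "Replace-Me-2"
    next
end

config user group
    edit "full-time"
        set member "mlennox"
    next
    edit "part-time"
        set member "ccraven"
    next
end

# Leave out the day you will test on, so the part-time denial is visible.
config firewall schedule recurring
    edit "part-time"
        set day monday tuesday wednesday
        set start 09:00
        set end 17:00
    next
end

config firewall policy
    # Deny mobile devices. Created first so it sits above the accept
    # policies; FortiOS evaluates policies top-down and stops at the first
    # match. "Mobile Devices" is the GUI name of the default device group.
    edit 1
        set name "deny-mobile"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set devices "Mobile Devices"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Full-time staff: credentials required, no time restriction.
    edit 2
        set name "full-time"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "full-time"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # Part-time staff: credentials required and the schedule is enforced.
    # schedule-timeout ends sessions still open when the schedule expires.
    edit 3
        set name "part-time"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "part-time"
        set action accept
        set schedule "part-time"
        set schedule-timeout enable
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# If the deny policy was created after existing accept policies, move it up:
#   config firewall policy
#       move 1 before 2
#   end

# Checks for the Results section (run outside config mode):
#   diagnose firewall auth list    # users currently authenticated
#   diagnose firewall auth clear   # de-authenticate all users (the GUI step does one)
#   diagnose user device list      # devices detected on the LAN interface
```

Because policies 1 to 3 are created in order on an otherwise empty policy table, the deny policy is already first in sequence; on a unit with existing policies, use the move command shown in the comments, then confirm the order in Policy & Objects > IPv4 Policy, By Sequence.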

 

6. Results

Browse the Internet using a computer. You will be prompted to enter authentication credentials.

Log in using the mlennox account. You will be able to access the Internet at any time.

Go to Monitor > Firewall User Monitor. Highlight mlennox and select De-authenticate. Your connection will be dropped.

Attempt to browse the Internet again. This time, log in using the ccraven account. After entering login credentials, you will not be able to access the Internet because you are attempting access on a day that is not on ccraven's schedule.

Attempts to connect to the Internet with any mobile device accessing the WiFi configured for this recipe will also be denied.

Go to FortiView > Sources and select the 5 minutes view. You can see that mobile and part-time user traffic is blocked and that full-time user traffic is allowed.

For further reading, check out Users and user groups in the FortiOS 5.4 Handbook.

Judith Haney

Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2014. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).

Notes

Using a device group in a policy (step 5) automatically enables device identification on the local network interface. Device identification is passive fingerprinting (MAC address vendor, DHCP and HTTP User-Agent details, and similar), all of which the user controls on their own device, so treat the mobile-device deny policy as a usability control rather than a hard security boundary; the user-group policies, which require credentials, are the enforced control.

If the site you try to access uses HTTP Strict Transport Security (HSTS), you won't get the prompt for authentication credentials: the FortiGate redirects to its login page by intercepting the connection, and on an HSTS site the browser will not accept the FortiGate's certificate for that redirect. Test with a site that does not use HSTS.

Once you authenticate, you can go to any website that is not blocked by other filters your network has in place.

  • Peter

    Great article. I have implemented something similar to this for a client. All users on a network must login via the Fortigate to access the internet.
    The problem that I am facing is that unless someone has logged in to access the internet on a workstation, Windows Updates do not work. Is there a way to allow certain URLs to bypass the requirement for authentication?
    Adding a bunch of FQDN addresses does not work since Windows updates use wildcard URLs based on the following MS tech article:

    https://technet.microsoft.com/en-us/library/bb693717.aspx

    I have tried to add a policy below my identity-based policy that has a web filter that allows the Microsoft URLs and blocks all others. Unfortunately, as soon as I enable this policy the identity policy does not prompt users for authentication for the non-MS URLs.