User and device authentication


In this example, user authentication and device authentication provide different access for staff members based on whether they are full-time or part-time employees, while denying all traffic from mobile phones.


1. Defining two users and two user groups

Go to User & Device > User > User Definitions.

Create two new users (in the example, dprince and rmontoya).

 

Both user definitions now appear in the user list.

 

Go to User & Device > User > User Groups.

Create the user group full-time and add user dprince.

 

Create a second user group, part-time, and add user rmontoya.

 

2. Creating a schedule for part-time staff

Go to Policy & Objects > Objects > Schedules and create a new recurring schedule.

Set an appropriate schedule. In order to get results later, do not select the current day of the week.

 

3. Defining a device group for mobile phones

Go to User & Device > Device > Device Groups and create a new group.

Add the various types of mobile phones as Members.

 

4. Creating a policy for full-time staff

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to the local network interface, Source User(s) to the full-time group, Outgoing Interface to your Internet-facing interface, and ensure that Schedule is set to always.

Turn on NAT.

 

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

 

5. Creating a policy for part-time staff that enforces the schedule

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to the local network interface, Source User(s) to the part-time group, Outgoing Interface to your Internet-facing interface, and set Schedule to use the part-time schedule.

Turn on NAT.

 

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

 

View the policy list. Click on the title row and select ID from the dropdown menu, then select Apply. Take note of the ID number that has been given to the part-time policy.

 

Go to System > Dashboard > Status and enter the following command into the CLI Console, using the ID number of the part-time policy.

This will ensure that part-time users will have their access revoked during days they are not scheduled, even if their current session began when access was allowed.

config firewall policy
  edit 2
    set schedule-timeout enable
  next
end

6. Creating a policy that denies mobile traffic

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to the local network interface, Source Device to Mobile Devices (a default device group that includes tablets and mobile phones), Outgoing Interface to your Internet-facing interface, and set Action to DENY.

Leave Log Violation Traffic turned on.

 

In order for this policy to be used, it must be located at the top of the policy list. Select any area in the far-left column of the policy and drag it to the top of the list.

 

7. Results

Browse the Internet using a computer. You will be prompted to enter authentication credentials.

Log in using the dprince account. You will be able to access the Internet at any time.

 

Go to User & Device > Monitor > Firewall. Highlight dprince and select De-authenticate.

Attempt to browse the Internet again. This time, log in using the rmontoya account. After authentication occurs, you will not be able to access the Internet.

 

Attempts to connect to the Internet using any mobile phone will also be denied.

 

You can view more information about the blocked and allowed sessions by going to System > FortiView > All Sessions.

 

For further reading, check out Users and user groups in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Notes

In this example, a wireless network has already been configured that is in the same subnet as the wired LAN. For information about this configuration, see Setting up a WiFi bridge with a FortiAP.

Using a device group will automatically enable device identification on the local network interface.

Sessions that were blocked when you attempted to sign in using the rmontoya account will not have a user account shown in the User column.
  • Coordenador – AB Telecomunicac

    I am having a problem with the authentication. I have a DELL laptop and the wired connection works just fine.
    My wireless connection does not load anything when in device authentication, and when in user authentication, no user authenticates. I receive a message saying that the password is wrong, even after rewriting the password and creating new users.

  • Luis A.

    Hi, I am sorry.. I followed the procedure.. However, the configuration does not work. I created two users.. the first one is an LDAP user, the second user is a local user … I created the policy with the schedule; it works well, but when the user opens his browser, he is not prompted to enter authentication credentials. I cannot see the relation between the user definition, user groups and the policy.. could you help me please.. thanks.

    • Luis A.

      Hi Victoria, help me please.
      I need to improve access security for my users,

      Greetings

  • Mohammed

    How can I export only users & devices
    instead of backing up all the settings?

  • O P Sharma

    Dear Sir,
    I want some particular users to be able to enter the network without user ID & password authentication. Please tell me the process so that I can allow a device to connect automatically without needing to enter an ID/password.

  • Paul1006

    Hey, thanks for these tips.

    I'm trying to do something like that: limit traffic between two interfaces, but I can't use a group with LDAP users.
    When the users are used in the policy everything goes well; otherwise access is denied.
    My working policy/configuration:
    FFW (local) # sh
    edit "ADuser1"
    set type ldap
    set ldap-server "ADLDAP"
    next
    edit "ADuser2"
    set type ldap
    set ldap-server "ADLDAP"
    next
    edit "ADuser3"
    set type ldap
    set ldap-server "ADLDAP"

    FFW (policy) # sh
    edit 23
    set uuid ———-
    set srcintf "Trust_Desktop"
    set dstintf "port6"
    set srcaddr "All"
    set dstaddr "All"
    set action accept
    set schedule "always"
    set service "HTTP" "HTTPS" "HTTPS_FW_GUI" "SSH" "RDP" "ALL_ICMP"
    set fsso enable
    set users "ADuser1" "ADuser1" "ADuser3"
    set nat enable

    My not-working policy/configuration (the ADusers are the same, untouched):
    FFW (group) # sh
    edit "Administrative_task"
    set member "ADuser1" "ADuser1" "ADuser3"

    FFW (policy) # sh
    edit 23
    set uuid ———-
    set srcintf "Trust_Desktop"
    set dstintf "port6"
    set srcaddr "All"
    set dstaddr "All"
    set action accept
    set schedule "always"
    set service "HTTP" "HTTPS" "HTTPS_FW_GUI" "SSH" "RDP" "ALL_ICMP"
    set fsso enable
    set groups "Administrative_task"
    set nat enable

    Thanks in advance,
    Paul

  • Ethan

    Can I ask: if I want to apply the user & password login policy to include mobile devices, can I skip creating the mobile policy rule? Thank you.

    • Judith Haney

      Yes. You can skip creating the mobile policy. Be sure that you include all devices in the policy that allows traffic.

      • Ethan

        Thank you.

  • DerRotMax

    Great article Victoria. One question, can the same be done for individual VPN users? In my case, I have an L2TP VPN set up with several users, and there is one user I wish to schedule for just work-day hours access, but not set the VPN itself to a schedule (leaving it always available to the other users). I haven’t been able to find any hints towards doing this, nor has anything I’ve tried worked.

    • Victoria Martin

      Hello,

      I’ve looked into this and unfortunately do not believe it is possible using an L2TP VPN. Since users are applied at the VPN stage, rather than in the policy, they work differently than they do for the local users in this recipe. The only way to have different schedules would be to have different VPNs, but you can only have one L2TP VPN on a FortiGate.

      If you need to set up a VPN that has a schedule for only some users, you’ll need to switch to using IPsec or SSL.

      I hope that helps!

      • DerRotMax

        Thanks so much for the reply! Yeah, I figured it was something along those lines as nothing I did policy wise had any success. I ended up just deciding to set up the Forticlient VPN in the firewall and migrate that user over to it so that they could be scheduled separately. Thanks for the confirmation though.

        • Victoria Martin

          You’re welcome. I’m glad you managed to get things set up in a way that works for you!

  • Admin

    Can I know the web sites that devices have visited? Or can FortiGate record this history?
    Thanks.

    • Victoria Martin

      Yes, you can use the FortiView Web Sites dashboard to see what sites have been visited. If you drill down from the main page, you can also see which device was used to access the site.

  • Alex Yamil

    Victoria, me again.

    For some reason, I can’t see Authenticated firewall users on the monitor

    I use a 100D VDOM provided by my ISP.
    Ver. 5.2.3

    • Victoria Martin

      Hi again Alex,

      That is rather strange and I can’t think of any reason why authenticated users wouldn’t be showing up. If it’s a problem, I’d recommend getting in touch with Fortinet Support, so they can look into your particular set-up and see what’s happening. You can find the contact information for your area at https://support.fortinet.com.