User and device authentication

In this example, user authentication and device authentication provide different access for staff members based on whether they are full-time or part-time employees, while denying all traffic from mobile phones.

1. Defining two users and two user groups

Go to User & Device > User > User Definitions.

Create two new users (in the example, dprince and rmontoya).

Both user definitions now appear in the user list.

Go to User & Device > User > User Groups.

Create the user group full-time and add user dprince.

Create a second user group, part-time, and add user rmontoya.

2. Creating a schedule for part-time staff

Go to Policy & Objects > Objects > Schedules and create a new recurring schedule.

Set an appropriate schedule. So that the schedule's effect can be seen in the Results section, do not include the current day of the week.

3. Defining a device group for mobile phones

Go to User & Device > Device > Device Groups and create a new group.

Add the various types of mobile phones as Members.

4. Creating a policy for full-time staff

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to the local network interface, Source User(s) to the full-time group, Outgoing Interface to your Internet-facing interface, and ensure that Schedule is set to always.

Turn on NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

5. Creating a policy for part-time staff that enforces the schedule

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to the local network interface, Source User(s) to the part-time group, Outgoing Interface to your Internet-facing interface, and set Schedule to use the part-time schedule.

Turn on NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

View the policy list. Click on the title row and select ID from the dropdown menu, then select Apply. Take note of the ID number that has been given to the part-time policy.

Go to System > Dashboard > Status and enter the following command into the CLI Console, using the ID number of the part-time policy.

This will ensure that part-time users will have their access revoked during days they are not scheduled, even if their current session began when access was allowed.

config firewall policy
  # replace 2 with the ID number of the part-time policy
  edit 2
    set schedule-timeout enable
  next
end

6. Creating a policy that denies mobile traffic

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to the local network interface, Source Device to Mobile Devices (a default device group that includes tablets and mobile phones), Outgoing Interface to your Internet-facing interface, and set Action to DENY.

Leave Log Violation Traffic turned on.

In order for this policy to be used, it must be located at the top of the policy list. Select any area in the far-left column of the policy and drag it to the top of the list.

7. Results

Browse the Internet using a computer. You will be prompted to enter authentication credentials.

Log in using the dprince account. You will be able to access the Internet at any time.

Go to User & Device > Monitor > Firewall. Highlight dprince and select De-authenticate.

Attempt to browse the Internet again. This time, log in using the rmontoya account. After authentication occurs, you will not be able to access the Internet.

Attempts to connect to the Internet using any mobile phone will also be denied.

You can view more information about the blocked and allowed sessions by going to System > FortiView > All Sessions.

For further reading, check out Users and user groups in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

In this example, a wireless network has already been configured that is in the same subnet as the wired LAN. For information about this configuration, see Setting up a WiFi bridge with a FortiAP.

Using a device group will automatically enable device identification on the local network interface.

Sessions that were blocked when you attempted to sign in using the rmontoya account will not have a user account shown in the User column.