User and device authentication

In this recipe, you will provide different network access for staff members based on full-time or part-time status. Wireless access will be allowed for users with laptops but denied for tablets and mobile phones.

In this recipe, a WiFi network has already been configured that is in the same subnet as the wired LAN. For more information, see Setting up a WiFi Bridge with a FortiAP.

1. Creating two user groups and adding users

Go to User & Device > User Groups.

Create the user group full-time.

Create a second user group, part-time.

Go to User & Device > User Definition.

Create two new users with the Users/Group Creation Wizard (mlennox and ccraven, for example). Add one user to the full-time group and the other to the part-time group.

Both user names now appear in the user list.

2. Creating a schedule for part-time staff

Go to Policy & Objects > Schedules and create a new recurring schedule.

Set an appropriate schedule. In order to get results later, do not select the current day of the week.

The default always schedule will be used for full-time staff.

3. Creating a policy for full-time staff

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the local network interface. Select Source and set Address to all and User to the full-time group. Set Outgoing Interface to your Internet-facing interface, and make sure Schedule is set to always.

Turn on NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

4. Creating a policy for part-time staff that enforces the schedule

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the local network interface. Select Source and set Address to all and User to the part-time group. Set Outgoing Interface to your Internet-facing interface, and set Schedule to use the part-time schedule.

Turn on NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

View the policy list. Right-click anywhere in the part-time policy row and select Edit in CLI from the dropdown menu.

Note that the policy ID column is not shown by default. You must add that column if you wish to see it, but it is not necessary in order to complete this recipe.

Enter the command set schedule-timeout enable into the CLI Console, as shown. The other commands appear as a result of the previous step.

Close the console when done.

This ensures that access for part-time users (under policy ID 3) is revoked on days not on schedule, even if their current session began when access was allowed.

5. Creating a policy that denies mobile traffic

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the local network interface. Select Source and set Address to all and Device to Mobile Devices (a default custom device group that includes tablets and mobile phones; using a device group will automatically enable device identification on the local network interface), Outgoing Interface to your Internet-facing interface, and set Action to DENY.

Leave Log Violation Traffic turned on.

Go to Policy & Objects > IPv4 Policy and view policies By Sequence.

The deny mobile traffic policy must be above the other Internet access policies. To move a policy, select any area in the far-left column of the policy and drag it to where you want it.
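The schedule and the three policies from steps 2 through 5, written out as an added FortiOS CLI example rather than the cookbook's own configuration (user and group creation from step 1 is omitted). The interface names lan and wan1, the schedule name part-time-hours and its hours, the policy IDs 2 and 4, and the set devices keyword for selecting the Mobile Devices group are assumptions; policy ID 3 matches the recipe.

```fortios
config firewall schedule recurring
    edit "part-time-hours"
        set day monday tuesday wednesday thursday
        set start 08:00
        set end 18:00
    next
end
config firewall policy
    edit 2
        set comments "full-time access; lan/wan1 and ID 2 are assumed values"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "full-time"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 3
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "part-time"
        set action accept
        set schedule "part-time-hours"
        set schedule-timeout enable
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 4
        set comments "deny mobile; 'set devices' keyword is assumed for this release"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set devices "Mobile Devices"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    move 4 before 2
end
```

The move command at the end places the deny policy above both access policies, which is what the By Sequence ordering in step 5 requires; set schedule-timeout enable on policy 3 is what terminates an already-authenticated part-time session when the schedule expires.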

6. Results

Browse the Internet using a computer. You will be prompted to enter authentication credentials. If the site you try to access uses HTTP Strict Transport Security (HSTS), you won’t get the prompt for authentication credentials. Be sure to go to a site that does not use HSTS. Once you authenticate, you can then go to any website that is not blocked by any filters your network has in place.

Log in using the mlennox account. You will be able to access the Internet at any time.

Go to Monitor > Firewall User Monitor. Highlight mlennox and select De-authenticate. Your connection will be dropped.

Attempt to browse the Internet again. This time, log in using the ccraven account. After entering login credentials, you will not be able to access the Internet because you are attempting access on a day that is not on ccraven's schedule.

Attempts to connect to the Internet with any mobile device accessing the WiFi configured for this recipe will also be denied.

Go to FortiView > Sources and select the 5 minutes view. You can see that mobile and part-time user traffic is blocked and that full-time user traffic is allowed.

For further reading, check out Users and user groups in the FortiOS 5.4 Handbook.
