tshaw
New Contributor

Authenticate Through Browser to Use Internet

Newbie here (sorry)!

I have searched through this site and could not find what I'm looking for, and hope you can help.

 

Background:

I have a FortiGate 1000D running firmware v5.2.11,build754 (GA) in a K-12 school district with 5,000 students with one-to-one devices.  I also have a VM with FortiAuthenticator.

 

Issue:

I would like to configure my FortiGate to the following.

When a user logs into their device and opens up a web browser they are presented a login screen.  Once they login and authenticate to my Active Directory, they are then allowed or denied access for a set time frame.

 

Thank you in advance for all your help!

 

Troy

gsarica
Contributor

Haven't used them yet myself but in theory a captive portal should work. You can configure the LAN interface to use a captive portal based on authentication off a group you create that's tied to your AD server. More info here:

 

http://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-authentication-52/CaptivePortals....

 

As for the time schedule, you'd have to configure that in your actual policy.

tshaw
New Contributor

gsarica,

 

Thank you for the quick response, I will look into this.

rwpatterson
Valued Contributor III

Welcome to the forums.

 

The FSSO/FSAE software will authenticate the users behind the scenes without their manual intervention. If you enable NTLM authentication, the browser window can pop up and allow the user to enter their credentials (I believe). IE automatically used NTLM (last time I checked many years back) and may not present the window either.

 

My two cents

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
Esteemed Contributor III

The tricky part here is probably not the captive portal or FSSO but the time quota. Look at, for instance, Application Control with a quota (detect any application to trigger quota). Haven't had to solve this myself yet.

 

FSSO works like this: the FSSO software client will be installed on the DC and will supply the login status to the FGT. So there is no need to re-authenticate in a browser window, regardless of the browser used. Same for any other application, especially one which doesn't offer interactive input (e.g., ssh).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
a_acampa

ede_pfau wrote:

The tricky part here is probably not the captive portal or FSSO but the time quota. Look at, for instance, Application Control with a quota (detect any application to trigger quota). Haven't had to solve this myself yet.

 

FSSO works like this: the FSSO software client will be installed on the DC and will supply the login status to the FGT. So there is no need to re-authenticate in a browser window, regardless of the browser used. Same for any other application, especially one which doesn't offer interactive input (e.g., ssh).

I agree with you.

The time quota feature is needed to achieve this objective.

 

He speaks about students (thousands) and Active Directory authentication; from my experience, in this case the students don't have a PC in the domain, so FSSO doesn't work because the first authentication of the user is not logged to AD.

 

I think the correct match is a captive portal on the LAN interface and a time quota.

For the captive portal he needs to use an LDAP server (the AD) as the authentication source, and in the action column of the security profile he has to use "Monitor" instead of "Allow" so he can log info about sessions, duration, etc.

 

Regards

Adrea
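
Added example, not posted by anyone in this thread: the FortiOS CLI shape of the setup Adrea describes, a captive portal on the LAN interface backed by an LDAP server pointed at AD, with a login timeout standing in for the "set time frame". The DC address, base DN, bind account, group and interface names are assumed placeholders; LDAPS is used so passwords typed into the portal are not relayed to the DC in clear text.

```fortios
# Added example, not from the thread: captive portal on the LAN interface
# authenticating against AD over LDAPS. Addresses, DNs and names are placeholders.
config user ldap
    edit "AD-LDAP"
        set server "10.10.0.10"
        # LDAPS, so portal passwords never cross the LAN in clear text
        set port 636
        set secure ldaps
        # students sign in with their plain AD username
        set cnid "sAMAccountName"
        set dn "dc=school,dc=local"
        set type regular
        # a dedicated, low-privilege bind account; never a domain admin
        set username "cn=fgt-bind,cn=Users,dc=school,dc=local"
        set password "REPLACE-WITH-BIND-PASSWORD"
    next
end
config user group
    edit "students"
        set member "AD-LDAP"
    next
end
config user setting
    # how long one portal login stays valid, in minutes (the "set time frame")
    set auth-timeout 480
    # serve the portal login page over HTTPS
    set auth-secure-http enable
end
config system interface
    edit "internal"
        set security-mode captive-portal
        set security-groups "students"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # only sessions authenticated as a group member match this policy
        set groups "students"
        set logtraffic all
        set nat enable
    next
end
```

auth-timeout only bounds how long a single login lasts; it is not the per-day usage quota the thread discusses, which needs the quota feature Ede points at on top of this.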

 
