CLI Reference

system replacemsg auth

FortiOS uses the text of the authentication replacement messages for the various user authentication HTML pages that are displayed when a user is required to authenticate because a firewall policy requires firewall users to authenticate.

These pages are used for authentication using HTTP and HTTPS. Authentication replacement messages are HTML messages. You cannot customize the firewall authentication messages for FTP and Telnet.

The authentication login page and the authentication disclaimer include replacement tags and controls not found on other replacement messages.

Users see the authentication login page when they use a VPN or a firewall policy that requires authentication. You can customize this page in the same way as you modify other replacement messages.

Administrators see the authentication disclaimer page when logging into the FortiGate web-based manager or CLI. The disclaimer page makes a statement about usage policy to which the user must agree before the FortiGate unit permits access. You should change only the disclaimer text itself, not the HTML form code.

There are some unique requirements for these replacement messages:

  • The login page must be an HTML page containing a form with ACTION="/" and METHOD="POST"
  • The form must contain the following hidden controls:
    • <INPUT TYPE="hidden" NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%">
    • <INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">
    • <INPUT TYPE="hidden" NAME="%%REDIRID%%" VALUE="%%PROTURI%%">
  • The form must contain the following visible controls:
    • <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
    • <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>

These are HTML messages with HTTP headers.

config system replacemsg auth
    edit {msg-type}
    # Replacement messages.
        set msg-type {string}   Message type. size[28]
        set buffer {string}   Message string. size[32768]
        set header {none | http | 8bit}   Header flag.
                none  No header type.
                http  HTTP
                8bit  8 bit.
        set format {none | text | html | wml}   Format flag.
                none  No format type.
                text  Text format.
                html  HTML format.
                wml   WML format
    next
end

Additional information

The following section is for those options that require additional explanation.

buffer <message>

Type a new replacement message to replace the current replacement message. Maximum length 32,768 characters.

auth message types

auth-challenge-page

This HTML page is displayed if firewall users are required to answer a question to complete authentication. The page displays the question and includes a field in which to type the answer. This feature is supported by RADIUS and uses the generic RADIUS challenge-access auth response. Usually, challenge-access responses contain a Reply-Message attribute that contains a message for the user (for example, “Please enter new PIN”). This message is displayed on the login challenge page. The user enters a response that is sent back to the RADIUS server to be verified.

The login challenge page is most often used with an RSA RADIUS server for RSA SecurID authentication. The login challenge appears when the server needs the user to enter a new PIN. You can customize the replacement message to ask the user for a SecurID PIN.

This page uses the %%QUESTION%% tag.

auth-disclaimer[1|2|3]

Prompts the user to accept the displayed disclaimer when leaving the protected network.

The web-based manager refers to this as User Authentication Disclaimer, and it is enabled with a firewall policy that also includes at least one identity-based policy. When a firewall user attempts to browse a network through the FortiGate unit using HTTP or HTTPS this disclaimer page is displayed.

The additional pages (auth-disclaimer2 and auth-disclaimer3) are appended to the first, seamlessly extending the length of the disclaimer beyond a single message buffer.

auth-keepalive-page

The HTML page displayed when firewall authentication keepalive is enabled. Keepalive is enabled using the following CLI command:

config system global
    set auth-keepalive enable
end

Authentication keepalive keeps authenticated firewall sessions from ending when the authentication timeout ends. In the web-based manager, go to User > Options to set the Authentication Timeout.

This page includes %%TIMEOUT%%.

auth-login-failed-page

The HTML page displayed if firewall users enter an incorrect user name and password combination.

This page includes %%FAILED_MESSAGE%%, %%USERNAMEID%%, and %%PASSWORDID%% tags.

auth-login-page

The authentication HTML page displayed when firewall users who are required to authenticate connect through the FortiGate unit using HTTP or HTTPS.

Prompts the user for their username and password to log in.

This page includes %%USERNAMEID%% and %%PASSWORDID%% tags.

auth-reject-page

Displayed when the disclaimer page replacement message does not redirect the user to a redirect URL, or when the firewall policy does not include a redirect URL. When a firewall user selects the button on the disclaimer page to decline access through the FortiGate unit, this declined-disclaimer page is displayed.

auth-token-login-page

The authentication HTML page displayed when firewall users who are required to use two-factor authentication connect through the FortiGate unit using HTTP or HTTPS.

Prompts the user for their username, password and two-factor authentication credentials.

This page includes %%USERNAMEID%%, %%PASSWORDID%%, and %%TOKENCODE%% tags.

auth-token-login-failed-page

The HTML page displayed if firewall users performing two-factor authentication enter incorrect credentials.

This page includes %%USERNAMEID%%, %%PASSWORDID%%, %%TOKENCODE%%, and %%EXTRAINFO%% tags.

Replacement message tags

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

%%AUTH_REDIR_URL%%

Link to open a new window (optional).

%%AUTH_LOGOUT%%

Immediately close the connection policy.

%%EXTRAINFO%%

Provide extra help on two-factor authentication.

%%FAILED_MESSAGE%%

Message displayed on failed login page after user login fails.

%%KEEPALIVEURL%%

URL the keepalive page connects to that keeps the connection policy alive. Connects every %%TIMEOUT%% seconds.

%%QUESTION%%

The default login and rejected login pages use this text immediately preceding the username and password fields. The default challenge page uses this as the challenge question. These are treated as two different variables by the server. If you want to use different text, replace %%QUESTION%% with the text that you prefer.

%%TIMEOUT%%

Configured number of seconds between %%KEEPALIVEURL%% connections.

%%TOKENCODE%%

The FortiToken authentication code. Used for two-factor authentication.

%%USERNAMEID%%

Username of the user logging in. This tag is used on the login and failed login pages.

%%PASSWORDID%%

Password of the user logging in. This tag is used on the challenge, login and failed login pages.

Requirements for login page

The authentication login page is linked to FortiGate functionality and you must construct it according to the following guidelines to ensure that it will work.

  • The login page must be an HTML page containing a form with ACTION="/" and METHOD="POST"
  • The form must contain the following hidden controls:
    • <INPUT TYPE="hidden" NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%">
    • <INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">
    • <INPUT TYPE="hidden" NAME="%%REDIRID%%" VALUE="%%PROTURI%%">
  • The form must contain the following visible controls:
    • <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
    • <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>
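Because a custom login page that violates these guidelines will not work once it is loaded with `set buffer`, it is worth checking the buffer offline first. The following Python validator is an added example, not Fortinet code: it parses an HTML buffer, looks for the form with ACTION="/" and METHOD="POST", checks the 32,768-character limit from `set buffer`, and reports every required hidden or visible control that is missing or carries the wrong TYPE or VALUE. The sample pages embedded below are constructed for illustration and are not the FortiOS default templates.

```python
"""Check a custom FortiOS auth-login-page buffer against the documented requirements.

Added example; uses only the Python standard library.
"""
from html.parser import HTMLParser

MAX_BUFFER = 32768  # size[32768] limit of `set buffer`

# Hidden controls: NAME tag -> VALUE tag that must accompany it.
REQUIRED_HIDDEN = {
    "%%MAGICID%%": "%%MAGICVAL%%",
    "%%STATEID%%": "%%STATEVAL%%",
    "%%REDIRID%%": "%%PROTURI%%",
}
# Visible controls: NAME tag -> required TYPE.
REQUIRED_VISIBLE = {
    "%%USERNAMEID%%": "text",
    "%%PASSWORDID%%": "password",
}


class _FormCollector(HTMLParser):
    """Collects every <form> and the <input> elements nested inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag and attribute names.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                "action": a.get("action"),
                "method": a.get("method", "").upper(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def validate_login_page(buffer: str) -> list:
    """Return a list of problems; an empty list means the buffer meets the guidelines."""
    problems = []
    if len(buffer) > MAX_BUFFER:
        problems.append(f"buffer is {len(buffer)} characters; maximum is {MAX_BUFFER}")

    parser = _FormCollector()
    parser.feed(buffer)
    parser.close()

    # The login form must post back to "/" so FortiOS receives the credentials.
    forms = [f for f in parser.forms if f["action"] == "/" and f["method"] == "POST"]
    if not forms:
        problems.append('no <form> with ACTION="/" and METHOD="POST"')
        return problems

    inputs = {i["name"]: i for i in forms[0]["inputs"] if i.get("name")}
    for name, value in REQUIRED_HIDDEN.items():
        ctrl = inputs.get(name)
        if ctrl is None or ctrl.get("type", "").lower() != "hidden":
            problems.append(f"missing hidden control {name}")
        elif ctrl.get("value") != value:
            problems.append(f'{name} must carry VALUE="{value}"')
    for name, typ in REQUIRED_VISIBLE.items():
        ctrl = inputs.get(name)
        if ctrl is None or ctrl.get("type", "").lower() != typ:
            problems.append(f'missing <INPUT TYPE="{typ}" NAME="{name}">')
    return problems


# Constructed sample login page that satisfies every requirement above.
GOOD_PAGE = """<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>%%QUESTION%%</H4>
<FORM ACTION="/" METHOD="POST">
<INPUT TYPE="hidden" NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%">
<INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">
<INPUT TYPE="hidden" NAME="%%REDIRID%%" VALUE="%%PROTURI%%">
Username: <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25><BR>
Password: <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25><BR>
<INPUT TYPE="submit" VALUE="Continue">
</FORM></BODY></HTML>"""

# Constructed broken variants: wrong METHOD, and a missing state control.
BAD_METHOD_PAGE = GOOD_PAGE.replace('METHOD="POST"', 'METHOD="GET"')
BAD_MISSING_STATE_PAGE = GOOD_PAGE.replace(
    '<INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">\n', "")

if __name__ == "__main__":
    for label, page in [("good", GOOD_PAGE), ("bad-method", BAD_METHOD_PAGE),
                        ("bad-missing-state", BAD_MISSING_STATE_PAGE)]:
        print(label, validate_login_page(page) or "OK")
```

Run the script as-is to see the three verdicts, or import `validate_login_page` and feed it the buffer you intend to load; the check is against the form structure only, so the page's own text, styling and any of the other replacement tags can be changed freely.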
