Administration Guide

Authentication policies

An authentication policy consists of one user/host profile and one authentication configuration. The user/host profile is used to determine the users and hosts to which this policy might apply. The authentication configuration assigns the treatment those users and hosts receive when they connect to the network.

The authentication configuration specifies the time in production before authentication, time offline before deauthentication, reauthentication frequency, and authentication method policy that apply to a host that requires network access.

When the authentication method option is enabled in the authentication configuration, the selected method is used instead of the default authentication method. It overrides the authentication methods selected for the portal login, the guest/contractor template, and the Persistent Agent credential configuration. For example, if the portal configuration for the user's portal has a standard user login type of LDAP, but the user matches an authentication policy whose authentication configuration is set to local, local is used instead. If the authentication method option is not enabled, the default authentication method is used.

Policies are assigned based on matching data when a host requires network access. The host/user and the connection location are compared to each authentication policy, starting with the first policy in the list. When a policy is found where the host and user data and the connection location match the selected user/host profile, that policy is assigned. Policy assignments are not permanent: hosts are re-evaluated frequently, such as when a switch is polled or the Persistent Agent contacts the server. When host and user data are re-evaluated, a different authentication policy may be selected.

Note

More than one authentication policy may match this host/user; the first match found is the one that is used.

If you create a user/host profile with Where (Location) set to Any, Who/What by Group set to Any, Who/What by Attribute left blank, and When set to Always, it matches ALL users and hosts. This is essentially a Catch All profile. If this user/host profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or host. To highlight this, policies below the policy with the Catch All profile are grayed out and have a line through their data.

The best way to use a Catch All profile is to create a general policy with that profile and place it last in the list of policies.
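As an added illustration (not from the guide and not FortiNAC's own code), the following Python models the top-down first-match assignment described above, the Catch All profile that shadows every policy below it, and the authentication method override; the class names, the host dictionary layout and the sample policy list are my own assumptions, and the sample deliberately places a Catch All policy above a specific one to show why it belongs last.

```python
from dataclasses import dataclass, field

ANY = "Any"  # the "Any" selector used by Where (Location) and Who/What by Group

@dataclass
class UserHostProfile:
    location: str = ANY                             # Where (Location)
    group: str = ANY                                # Who/What by Group
    attributes: dict = field(default_factory=dict)  # Who/What by Attribute (blank = no constraint)
    when: str = "always"                            # When ("always" or a named time window)

    def is_catch_all(self) -> bool:
        return self.location == ANY and self.group == ANY and not self.attributes and self.when == "always"

    def matches(self, host: dict) -> bool:
        return ((self.location == ANY or host.get("location") == self.location)
                and (self.group == ANY or self.group in host.get("groups", []))
                and all(host.get("attributes", {}).get(k) == v for k, v in self.attributes.items())
                and (self.when == "always" or self.when in host.get("time_windows", [])))

@dataclass
class AuthenticationPolicy:
    name: str
    profile: UserHostProfile      # the user/host profile half of the policy
    method_enabled: bool = False  # authentication configuration: "authentication method" enabled?
    method: str = ""              # authentication configuration: e.g. "local" or "LDAP"

def assign_policy(policies, host):
    # Top-down evaluation, first match wins; None if no profile matches the host/user.
    return next((p for p in policies if p.profile.matches(host)), None)

def shadowed_policies(policies):
    # Every policy below the first Catch All is never evaluated (the guide greys these out).
    for i, p in enumerate(policies):
        if p.profile.is_catch_all():
            return [q.name for q in policies[i + 1:]]
    return []

def effective_method(policy, default_method):
    # The policy's method overrides the portal/agent/template method only when it is enabled.
    return policy.method if policy is not None and policy.method_enabled else default_method

def example_policies():
    # Constructed sample (assumed, not from the guide): a Catch All mistakenly placed above "Lab hosts".
    return [
        AuthenticationPolicy("Contractors", UserHostProfile(group="Contractors"), True, "local"),
        AuthenticationPolicy("Catch All", UserHostProfile()),
        AuthenticationPolicy("Lab hosts", UserHostProfile(location="Lab"), True, "LDAP"),
    ]
```

Running `shadowed_policies(example_policies())` reports "Lab hosts" as unreachable; moving the Catch All policy to the end of the list makes that check return an empty list.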
