Channel: Fortinet Cookbook

User and device authentication


In this recipe, you will provide different network access for staff members based on full-time or part-time status. Wireless access will be allowed for users with laptops but denied for tablets and mobile phones.

In this recipe, a WiFi network has already been configured that is in the same subnet as the wired LAN. For more information, see Setting up a WiFi bridge with a FortiAP.

Find this recipe for other FortiOS versions
5.2 | 5.4

1. Creating two user groups and adding users

Go to User & Device > User Groups.

Create the user group full-time.

 

Create a second user group, part-time.

 

Go to User & Device > User Definition.

Create two new users with the Users/Group Creation Wizard (mlennox and ccraven, for example). Add one user to the full-time group and the other to the part-time group.


Both user names now appear in the user list.

List of new users created 

2. Creating a schedule for part-time staff

Go to Policy & Objects > Schedules and create a new recurring schedule.

Set an appropriate schedule. In order to get results later, do not select the current day of the week.

Create part-time schedule

The default always schedule will be used for full-time staff.

3. Creating a policy for full-time staff

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the local network interface. Select Source and set Address to all and User to the full-time group. Set Outgoing Interface to your Internet-facing interface, and make sure Schedule is set to always.

Turn on NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

Enable logging

4. Creating a policy for part-time staff that enforces the schedule

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the local network interface. Select Source and set Address to all and User to the part-time group. Set Outgoing Interface to your Internet-facing interface, and set Schedule to use the part-time schedule.

Turn on NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

Enable logging

View the policy list. Right-click anywhere in the part-time policy row and select Edit in CLI from the dropdown menu.

Enter the commands shown into the CLI Console. Close the console when done.

This ensures that access for part-time users is revoked on days not on schedule, even if their current session began when access was allowed.

5. Creating a policy that denies mobile traffic

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the local network interface. Select Source and set Address to all and Device to Mobile Devices (a default custom device group that includes tablets and mobile phones). Set Outgoing Interface to your Internet-facing interface and Action to DENY.

Leave Log Violation Traffic turned on.

Policy to deny mobile device access 

Go to Policy & Objects > IPv4 Policy and view policies By Sequence.

The deny mobile traffic policy must be above the other Internet access policies. To move a policy, select any area in the far-left column of the policy and drag it to where you want it.

6. Results

Browse the Internet using a computer. You will be prompted to enter authentication credentials.

Log in using the mlennox account. You will be able to access the Internet at any time.

Go to Monitor > Firewall User Monitor. Highlight mlennox and select De-authenticate. Your connection will be dropped.

Attempt to browse the Internet again. This time, log in using the ccraven account. After entering login credentials, you will not be able to access the Internet because you are attempting access on a day that is not on ccraven's schedule.

Attempts to connect to the Internet with any mobile device accessing the WiFi configured for this recipe will also be denied.

Go to FortiView > Sources and select the 5 minutes view. You can see that mobile and part-time user traffic is blocked and that the full-time user traffic is allowed.
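The same checks from the CLI console, as an added example that is not part of the recipe. These are standard FortiOS diagnostic commands; the command descriptions are mine, and the policy IDs referenced in the comments assume the numbering used when the policies were created (1 for the deny policy).

```fortios
# Added example (not from the original recipe).

# Confirm the policy order: the deny-mobile policy must be listed first.
show firewall policy

# List currently authenticated firewall users. mlennox appears after logging
# in; ccraven gets no entry outside the part-time schedule window.
diagnose firewall auth list

# Equivalent of De-authenticate in Monitor > Firewall User Monitor, except
# that without a filter this drops every authenticated user, not just one.
diagnose firewall auth clear

# Show which devices the FortiGate has identified on the LAN and the type it
# assigned to each, which is what the Mobile Devices group matches on.
diagnose user device list

# Review traffic logs (category 0 is traffic) to see the allowed full-time
# sessions and the denied part-time and mobile sessions.
execute log filter category 0
execute log display
```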

For further reading, check out Users and user groups in the FortiOS 5.4 Handbook.

Using a device group will automatically enable device identification on the local network interface. Device identification works by passively fingerprinting the client (for example DHCP options, HTTP user agent and MAC address vendor), and a user who controls the device can change those values, so treat the mobile deny policy as enforcement for cooperative users rather than as a hard security boundary.

If the site you try to access uses HTTP Strict Transport Security (HSTS), you won't get the prompt for authentication credentials, because the browser insists on HTTPS for that site and will not accept the FortiGate's redirect to the login page. Be sure to go to a site that does not use HSTS; a plain HTTP site works best.

Once you authenticate, you can then go to any website that is not blocked by any filters your network has in place.

The post User and device authentication appeared first on Fortinet Cookbook.