Description
This article explains the difference of behavior between active and passive authentication.
FortiGate has two types of authentication which are dedicated to different protocols:
Active: LDAP, Radius, TACACS+
Passive: FSSO, RSSO
They have different behaviors depending on policies.
Scope
This article explains the differences of behavior between active and passive authentication, when policies can match the traffic. It is not going to explain each method.
Solution
For active authentication, all policies must have: enable authentication for the policy that could match the traffic or enable a captive portal on the ingress interface for the traffic. If this not happen, the traffic is matching the policy without authentication
For Passive authentication, if it can be successfully obtain user details, the traffic will do match with the first policy that find because the user is already authenticated.
Examples:
1) Active authentication
This article explains the difference of behavior between active and passive authentication.
FortiGate has two types of authentication which are dedicated to different protocols:
Active: LDAP, Radius, TACACS+
Passive: FSSO, RSSO
They have different behaviors depending on policies.
Scope
This article explains the differences of behavior between active and passive authentication, when policies can match the traffic. It is not going to explain each method.
Solution
For active authentication, all policies must have: enable authentication for the policy that could match the traffic or enable a captive portal on the ingress interface for the traffic. If this not happen, the traffic is matching the policy without authentication
For Passive authentication, if it can be successfully obtain user details, the traffic will do match with the first policy that find because the user is already authenticated.
Examples:
1) Active authentication
Because the guest group is still not authenticated, it will not match with the policy with the ID=15, the traffic will go out for the policy with the ID=16 (because it is not necessary to authenticate). The user is not going to be asked for authentication.
If passive authentication is used, the traffic with the users that belongs to the Guest-group will match the policy with the ID=15 even if the policy with ID=16 does not have authentication enabled because the user is already authenticated.
Related Articles
Wireless client load balancing
Technical Note: How FortiGate can block Duolingo in different ways. Blocks web application.
