AD Authentication IP Based

Hi,
I have multiple subnets, some on the LAN and some on the DMZ, and I want to require authentication for people logging in from DMZ networks but not authenticate users logging in from LAN networks.
So, in other words, I want authentication based on IP networks. Is it possible?

Thanks,

Comments

  • Sure.
    Have 2 sets of policies: those from the trusted subnet(s), and those from the DMZ,
    which would need to be From: an AD authentication group name for DMZ users.

    1 option is to use SSO, which will do automated authentication of users, including those on the DMZ, to your AD. (you could add the trusted subnet(s) to the SSO exclusion list if you really don't want the trusted users to be auto-authenticated using SSO).
    Otherwise your DMZ users would need to manually authenticate to the firewall.
    Then you have 2 choices:

  • Thanks Bruce, it worked perfectly.
    I have a minor follow-up issue: one of my DMZ networks is a WiFi network, and authentication is working, but I have no idea why Huawei phones are not getting redirected to the Auth page (all other phones are working perfectly).
    Did anybody face this previously?

  • To force a user on a WiFi device to authenticate:

    See this section:
    Automatically Redirect Users to the Authentication Portal
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/global_auth_settings_c.html

    and - add a 3rd HTTP & HTTPS policy, with:
    From: wifi-subnet To: Any, set to Denied
    Make sure that these are just below the current 2 HTTP & HTTPS policies.

    Then test the Huawei phones
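A small model of the policy ordering that the two answers above describe, added here as an illustration; it is not code from the original thread or from WatchGuard. The subnet addresses, policy names and the group name "DMZ-Users" are constructed assumptions. It shows why the LAN policy needs no authentication, why the DMZ allow policy must match on the AD group rather than the subnet, and why the catch-all deny for the WiFi subnet has to sit below the two allow policies: placed above them, it would deny even users who have already authenticated.

```python
"""First-match firewall policy model (added example, not WatchGuard code).

Assumptions (constructed for this example):
  - 10.0.0.0/24      trusted LAN subnet
  - 192.168.50.0/24  DMZ WiFi subnet
  - "DMZ-Users"      the AD authentication group used as a policy source
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

TRUSTED_LAN = ip_network("10.0.0.0/24")    # constructed
DMZ_WIFI = ip_network("192.168.50.0/24")   # constructed
DMZ_GROUP = "group:DMZ-Users"              # constructed AD group source


@dataclass(frozen=True)
class Policy:
    name: str
    sources: tuple   # ip_network objects and/or "group:<name>" strings
    action: str      # "allow" or "deny"


# Order matters: the firewall applies the first policy whose From: matches.
POLICIES = (
    Policy("HTTP-LAN", (TRUSTED_LAN,), "allow"),             # no auth needed
    Policy("HTTP-DMZ-Authenticated", (DMZ_GROUP,), "allow"),  # From: AD group
    Policy("HTTP-DMZ-Deny", (DMZ_WIFI,), "deny"),             # the added 3rd policy
)

# The misordered variant an admin might produce by accident: deny on top.
MISORDERED = (POLICIES[2], POLICIES[0], POLICIES[1])


def matches(policy: Policy, src_ip: str, auth_group: Optional[str]) -> bool:
    """A source entry matches either by subnet or by authenticated group."""
    addr = ip_address(src_ip)
    for src in policy.sources:
        if isinstance(src, str):
            # Group sources match the authenticated user, not the address.
            if auth_group is not None and src == "group:" + auth_group:
                return True
        elif addr in src:
            return True
    return False


def evaluate(src_ip: str, auth_group: Optional[str] = None,
             policies=POLICIES) -> Tuple[str, str]:
    """Return (action, policy name) for the first matching policy.

    Traffic that matches nothing is denied by the implicit default.
    """
    for policy in policies:
        if matches(policy, src_ip, auth_group):
            return policy.action, policy.name
    return "deny", "<implicit default>"


def gets_portal_redirect(src_ip: str, auth_group: Optional[str] = None,
                         policies=POLICIES) -> bool:
    """Model of the global 'Automatically Redirect Users to the Authentication
    Portal' setting: an unauthenticated client whose HTTP traffic is denied is
    sent to the portal instead of simply being dropped."""
    action, _ = evaluate(src_ip, auth_group, policies)
    return auth_group is None and action == "deny"


if __name__ == "__main__":
    for ip, group in [("10.0.0.5", None), ("192.168.50.20", None),
                      ("192.168.50.20", "DMZ-Users")]:
        print(ip, group, evaluate(ip, group), gets_portal_redirect(ip, group))
    # With the deny policy on top, even an authenticated DMZ user is denied.
    print("misordered:", evaluate("192.168.50.20", "DMZ-Users", MISORDERED))
```

Running the script shows the LAN host allowed without authentication, the unauthenticated WiFi phone denied and flagged for the portal redirect, and the same phone allowed once its user is in the DMZ group; the misordered list denies the authenticated user, which is the failure the "just below the current 2 HTTP & HTTPS policies" instruction prevents.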
