Chapter 3 Authentication for FortiOS 5.0 : Configuring authenticated access : Authentication in security policies : Authentication replacement messages
  
Authentication replacement messages
A replacement message is the body of a web page that carries a message such as a blocked-website notice, a file-too-large notice, a disclaimer, or even a login page for authentication. The user is presented with this message instead of the blocked content.
Authentication replacement messages are the prompts a user sees during the security authentication process, such as the login page, the disclaimer page, and the login success or failure pages. These differ from most replacement messages because they are interactive, requiring the user to enter information, instead of simply informing the user of some event as other replacement messages do.
Replacement messages have a system-wide default configuration, a per-VDOM configuration, and disclaimers can be customized for multiple security policies within a VDOM.
These replacement messages are used for authentication using HTTP and HTTPS. Authentication replacement messages are HTML messages. You cannot customize the security authentication messages for FTP and Telnet.
The authentication login page and the authentication disclaimer include replacement tags and controls not found on other replacement messages.
More information about replacement messages can be found in the config system replacemsg section of the FortiOS CLI Reference.
 
Table 21: List of authentication replacement messages
Replacement message name (CLI name)
Description
Login challenge page
(auth-challenge-page)
This HTML page is displayed if security users are required to answer a question to complete authentication. The page displays the question and includes a field in which to type the answer. This feature is supported by RADIUS and uses the generic RADIUS challenge-access auth response. Usually, challenge-access responses contain a Reply-Message attribute that contains a message for the user (for example, “Please enter new PIN”). This message is displayed on the login challenge page. The user enters a response that is sent back to the RADIUS server to be verified.
The Login challenge page is most often used with an RSA RADIUS server for RSA SecurID authentication. The login challenge appears when the server needs the user to enter a new PIN. You can customize the replacement message to ask the user for a SecurID PIN.
This page uses the %%QUESTION%% tag.
Disclaimer page
(auth-disclaimer-page-1)
(auth-disclaimer-page-2)
(auth-disclaimer-page-3)
Prompts the user to accept the displayed disclaimer when leaving the protected network.
The web-based manager refers to this as User Authentication Disclaimer, and it is enabled with a security policy that also includes at least one identity-based policy. When a security user attempts to browse a network through the FortiGate unit using HTTP or HTTPS, this disclaimer page is displayed.
The extra pages seamlessly extend the size of the page from 8 192 characters to 16 384 and 24 576 characters respectively. When configuring the disclaimer page in the web-based manager this is shown by its size being 24 576 characters.
Email token page
(auth-email-token-page)
The page prompting a user to enter their email token. See “Email”.
FortiToken page
(auth-fortitoken-page)
The page prompting a user to enter their FortiToken code. See “FortiToken”.
Keepalive page
(auth-keepalive-page)
The HTML page displayed when security authentication keepalive is enabled using the following CLI command:
config system global
set auth-keepalive enable
end
Authentication keepalive keeps authenticated firewall sessions from ending when the authentication timeout ends. In the web-based manager, go to User & Device > Authentication > Settings to set the Authentication Timeout.
This page includes %%TIMEOUT%%.
Login failed page
(auth-login-failed-page)
The Disclaimer page replacement message does not redirect the user to a redirect URL, or the security policy does not include a redirect URL. When a user selects the button on the disclaimer page to decline access through the FortiGate unit, the Declined disclaimer page is displayed.
Login page
(auth-login-page)
The authentication HTML page displayed when users who are required to authenticate connect through the FortiGate unit using HTTP or HTTPS.
Prompts the user for their username and password to log in.
This page includes %%USERNAMEID%% and %%PASSWORDID%% tags.
Declined disclaimer page
(auth-reject-page)
The page displayed if a user declines the disclaimer page. See “Disclaimer”.
SMS Token page
(auth-sms-token-page)
The page prompting a user to enter their SMS token. See “SMS”.
Success message
(auth-success-msg)
The page displayed when a user successfully authenticates. Prompts user to attempt their connection again (as the first was interrupted for authentication).
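The tags and size limits listed in Table 21 are easy to get wrong when a login, keepalive, challenge or disclaimer page is customized, so the following added example (not Fortinet's code, and not the FortiGate's default templates) checks a candidate HTML body before it is loaded: it reports which documented tags are missing for the named page and whether the body fits the 8 192-character buffer, and it splits a long disclaimer across the three auth-disclaimer-page buffers. The assumption that a disclaimer is a plain character split across page-1, page-2 and page-3 is taken from the table's statement that the extra pages extend the page to 16 384 and 24 576 characters; the sample HTML is constructed for the test.

```python
import re

# Tags each authentication page must carry, as documented in Table 21.
# Pages with no documented tag are not listed and require nothing.
REQUIRED_TAGS = {
    "auth-challenge-page": {"%%QUESTION%%"},
    "auth-keepalive-page": {"%%TIMEOUT%%"},
    "auth-login-page": {"%%USERNAMEID%%", "%%PASSWORDID%%"},
}

PAGE_SIZE = 8192  # characters in one replacement message buffer
# The disclaimer chains three buffers: 8192, 16384, 24576 characters in total.
DISCLAIMER_PAGES = ("auth-disclaimer-page-1",
                    "auth-disclaimer-page-2",
                    "auth-disclaimer-page-3")

TAG_RE = re.compile(r"%%[A-Z_]+%%")


def check_message(name, html):
    """Return (missing_tags, fits): documented tags absent from html, and
    whether html fits the buffer for this page name."""
    present = set(TAG_RE.findall(html))
    missing = sorted(REQUIRED_TAGS.get(name, set()) - present)
    # Only the first disclaimer page may spill into pages 2 and 3.
    if name == DISCLAIMER_PAGES[0]:
        limit = PAGE_SIZE * len(DISCLAIMER_PAGES)
    else:
        limit = PAGE_SIZE
    return missing, len(html) <= limit


def split_disclaimer(html):
    """Assumed mechanism: cut a long disclaimer into consecutive 8192-character
    chunks, one per auth-disclaimer-page buffer. Returns {page_name: chunk}."""
    if len(html) > PAGE_SIZE * len(DISCLAIMER_PAGES):
        raise ValueError("disclaimer exceeds 24576 characters")
    chunks = [html[i:i + PAGE_SIZE] for i in range(0, len(html), PAGE_SIZE)]
    return dict(zip(DISCLAIMER_PAGES, chunks))


# Constructed sample login body; not the FortiGate default template.
SAMPLE_LOGIN = ("<form method='post'><input name='%%USERNAMEID%%'>"
                "<input type='password' name='%%PASSWORDID%%'></form>")

if __name__ == "__main__":
    print(check_message("auth-login-page", SAMPLE_LOGIN))
    print({k: len(v) for k, v in split_disclaimer("x" * 20000).items()})
```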