Chapter 3 Authentication for FortiOS 5.0 : Configuring authenticated access : Authentication in security policies : Identity-based policy
  
Identity-based policy
An identity-based policy (IBP) performs user authentication in addition to the normal security policy duties. If the user does not authenticate, access to network resources is refused. This enforces Role Based Access Control (RBAC) to your organization’s network and resources.
Identity-based policies also support Single Sign-On operation. The user groups selected in the policy are of the Fortinet Single Sign-On (FSSO) type.
User authentication can occur over any of the supported protocols: HTTP, HTTPS, FTP, and Telnet. Which authentication method the user sees depends on which of these protocols are included in the security services group selected in the policy, and on which of those enabled protocols the network user actually uses when traffic triggers the authentication challenge.
For username and password-based authentication (HTTP, FTP, and Telnet) the FortiGate unit prompts network users to enter their username, password, and token code if two-factor authentication is selected for that user account. See “Two-factor authentication”. For certificate-based authentication, including HTTPS or HTTP redirected to HTTPS only, see “Certificate authentication”.
 
FortiManager does not support pushing identity based policies down to FortiGate units.
Enter the following CLI commands to expose the identity-based options, which remain hidden until identity-based is enabled on the policy. In the following procedure, this is policy number 7.
config firewall policy
    edit 7
        set action ACCEPT
        set identity-based enable
    next
end
With identity-based policies, once the FortiGate unit matches the source and destination addresses, it processes the identity sub-policies for the user groups and services. Because the match is decided on addresses first, any more specific security policy that shares those source and destination addresses must be placed before the identity-based policy; otherwise the identity-based policy matches first and the more specific policy is never evaluated.
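The following is an added worked example of the procedure above, written for this page and not taken from the FortiOS handbook. It shows policy 7 after identity-based is enabled, with one identity sub-policy (the block that becomes visible once identity-based is on), and a more specific non-authenticating policy 6 moved ahead of it so that the ordering rule in the previous paragraph holds. The interface names, address objects, the "Sales_Group" user group and the policy IDs are assumed values for illustration.

```text
config firewall policy
    # Policy 7: the identity-based policy. Users in Sales_Group must
    # authenticate before any HTTP or HTTPS traffic is accepted.
    edit 7
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set identity-based enable
        set nat enable
        # Sub-policies appear only after identity-based is enabled.
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "Sales_Group"
                set service "HTTP" "HTTPS"
            next
        end
    next
    # Policy 6: a more specific policy (assumed address object
    # "Update_Server") that must be matched before policy 7, because
    # policy 7's srcaddr/dstaddr of "all" would otherwise match first.
    edit 6
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Update_Server"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    # Ordering is by position, not by ID: place policy 6 above policy 7.
    move 6 before 7
end
```

Confirm the result with "show firewall policy": the identity-based-policy table is printed inside policy 7, and the policies are listed in the order in which they are evaluated, so policy 6 should precede policy 7.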
When the identity-based policy has been configured, the option to customize authentication messages is available. This allows you to change the text, style, layout, and graphics of the replacement messages associated with this firewall policy. When enabled, customizing these messages follows the same method as changing the disclaimer. See “Disclaimer”.
Two further types of authentication are available in identity-based policies:
NTLM authentication
Certificate authentication