Authentication replacement messages
A replacement message is the body of a webpage that carries a notice such as a blocked-website message, a file-too-large message, a disclaimer, or even a login page for authenticating. The user is presented with this message instead of the blocked content.
Authentication replacement messages are the prompts a user sees during the security authentication process, such as the login page, the disclaimer page, and the login success or failure pages. They differ from most replacement messages because they are interactive, requiring the user to enter information, instead of simply informing the user of some event as other replacement messages do.
Replacement messages have a system-wide default configuration, a per-VDOM configuration, and disclaimers can be customized for multiple security policies within a VDOM.
These replacement messages are used for authentication using HTTP and HTTPS. Authentication replacement messages are HTML messages. You cannot customize the security authentication messages for FTP and Telnet.
The authentication login page and the authentication disclaimer include replacement tags and controls not found on other replacement messages.
More information about replacement messages can be found in the config system replacemsg section of the FortiOS CLI Reference.
 
Table 18: List of authentication replacement messages

Each entry gives the replacement message name, its CLI name in parentheses, and a description.

Login challenge page (auth-challenge-page)
    This HTML page is displayed if security users are required to answer a question to complete authentication. The page displays the question and includes a field in which to type the answer. This feature is supported by RADIUS and uses the generic RADIUS challenge-access auth response. Usually, challenge-access responses contain a Reply-Message attribute that carries a message for the user (for example, "Please enter new PIN"). This message is displayed on the login challenge page. The user enters a response that is sent back to the RADIUS server to be verified.
    The Login challenge page is most often used with an RSA RADIUS server for RSA SecurID authentication. The login challenge appears when the server needs the user to enter a new PIN. You can customize the replacement message to ask the user for a SecurID PIN.
    This page uses the %%QUESTION%% tag.

Disclaimer page (auth-disclaimer-page-1, auth-disclaimer-page-2, auth-disclaimer-page-3)
    This page prompts the user to accept the displayed disclaimer when leaving the captive portal to access Internet resources. It is displayed when the captive portal type is Authentication and Disclaimer or Disclaimer Only.
    In the CLI, the auth-disclaimer-page-2 and auth-disclaimer-page-3 pages seamlessly extend the size of the disclaimer page from 8 192 characters to 16 384 and 24 576 characters respectively. In the web-based manager this is handled automatically.

Email token page (auth-email-token-page)
    The page prompting a user to enter their email token. See "Email".

FortiToken page (auth-fortitoken-page)
    The page prompting a user to enter their FortiToken code. See "FortiToken".

Keepalive page (auth-keepalive-page)
    The HTML page displayed when security authentication keepalive is enabled using the following CLI command:
        config system global
            set auth-keepalive enable
        end
    Authentication keepalive keeps authenticated firewall sessions from ending when the authentication timeout ends. In the web-based manager, go to User & Device > Authentication > Settings to set the Authentication Timeout.
    This page includes the %%TIMEOUT%% tag.

Login failed page (auth-login-failed-page)
    The Disclaimer page replacement message does not redirect the user to a redirect URL, or the security policy does not include a redirect URL. When a user selects the button on the disclaimer page to decline access through the FortiGate unit, the Declined disclaimer page is displayed.

Login page (auth-login-page)
    The authentication HTML page displayed when users who are required to authenticate connect through the FortiGate unit using HTTP or HTTPS.
    Prompts the user for their username and password to log in.
    This page includes the %%USERNAMEID%% and %%PASSWORDID%% tags.

Declined disclaimer page (auth-reject-page)
    The page displayed if a user declines the disclaimer page. See "Disclaimer".

SMS Token page (auth-sms-token-page)
    The page prompting a user to enter their SMS token. See "SMS".

Success message (auth-success-msg)
    The page displayed when a user successfully authenticates. Prompts the user to attempt their connection again (as the first attempt was interrupted for authentication).
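As an added example (not FortiOS code or part of the original documentation), the following Python lint checks that a customized authentication page still carries the %%TAG%% placeholders the table lists, and splits an oversized disclaimer body across the three auth-disclaimer-page buffers. The tag map and the 8 192-character page size come from the table above; that the three disclaimer pages are plain sequential continuations, and that these are the only tags worth checking, are assumptions.

```python
"""Lint helpers for FortiOS authentication replacement messages.

Added example, not FortiOS code. The required-tag map and the 8192-character
page size are taken from Table 18; the sequential split across the three
disclaimer pages is an assumption about how the pages are joined.
"""
import re

# Placeholders each page must keep, per Table 18 (assumption: only these are checked).
REQUIRED_TAGS = {
    "auth-challenge-page": {"%%QUESTION%%"},
    "auth-keepalive-page": {"%%TIMEOUT%%"},
    "auth-login-page": {"%%USERNAMEID%%", "%%PASSWORDID%%"},
}

DISCLAIMER_PAGES = ("auth-disclaimer-page-1", "auth-disclaimer-page-2", "auth-disclaimer-page-3")
DISCLAIMER_PAGE_SIZE = 8192  # characters per disclaimer page buffer, per Table 18

TAG_RE = re.compile(r"%%[A-Z_]+%%")


def missing_tags(page_name, html):
    """Return the required %%TAG%% placeholders absent from a custom page body."""
    present = set(TAG_RE.findall(html))
    return sorted(REQUIRED_TAGS.get(page_name, set()) - present)


def split_disclaimer(text):
    """Split a disclaimer body across auth-disclaimer-page-1..3 in order.

    Returns {cli page name: chunk}, omitting pages that would be empty, and
    raises ValueError when the text exceeds the 24 576 characters available.
    """
    limit = DISCLAIMER_PAGE_SIZE * len(DISCLAIMER_PAGES)
    if len(text) > limit:
        raise ValueError(f"disclaimer is {len(text)} chars; maximum is {limit}")
    chunks = {}
    for i, name in enumerate(DISCLAIMER_PAGES):
        chunk = text[i * DISCLAIMER_PAGE_SIZE:(i + 1) * DISCLAIMER_PAGE_SIZE]
        if chunk:
            chunks[name] = chunk
    return chunks


# Constructed sample: a customized login page whose author dropped the password field tag.
SAMPLE_LOGIN_PAGE = (
    '<html><body><form method="post">'
    'Username: <input type="text" name="%%USERNAMEID%%">'
    '<input type="submit" value="Login"></form></body></html>'
)

if __name__ == "__main__":
    print("auth-login-page missing:", missing_tags("auth-login-page", SAMPLE_LOGIN_PAGE))
    print({k: len(v) for k, v in split_disclaimer("x" * 10000).items()})
```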