Checking user authentication policies
In FortiWeb, users and organized into groups. Groups are part of authentication policies. If several users have authentication problems, it is possible someone changed authentication policy or user group memberships. If a user is legitimately having an authentication policy, you need to find out where the problem lies.
To troubleshoot user access
1. In the web UI, go to User > User Group > User Group and examine each group to locate the name of the problem user.
2. Note the user group to which the affected users belong, especially if multiple affected users are part of one group. If the user is not a group member, there is no access.
3. Go to Application Delivery > Authentication Policy > Authentication Rule and determine which rule contains the problem user group. If the user group is not part of a rule, there is no access.
4. Go to Application Delivery > Authentication Policy > Authentication Policy and locate the policy that contains the rule governing the problem user group. If the rule is not part of a policy, there is no access.
5. Go to Policy > Web Protection Profile > Inline Protection Profile and determine which profile contains the related authentication policy. If the policy is not part of a profile, there is no access.
6. Make sure that inline protection profile is included in the server policy that applies to the server the user is trying to access. If the profile is not part of the server policy, there is no access.
Authentication involves user groups, authentication rules and policy, inline protection policy, and finally, server policy. If a user is not in a user group used in the policy for a specific server, the user will have no access.