Fortinet v3.0 MR7 manual Primary Server Name/IP, Primary Server Secret


Authentication servers

RADIUS servers

Change the FortiGate unit default RADIUS port to 1645 using the CLI:

config system global
    set radius_port 1645
end

To configure the FortiGate unit for RADIUS authentication - web-based manager

1 Go to User > Remote > RADIUS and select Create New.

2 Enter the following information, and select OK.

Figure 1: Configure FortiGate unit for RADIUS authentication

Name Enter the name that is used to identify the RADIUS server on the FortiGate unit.

Primary Server Name/IP Enter the domain name or IP address of the primary RADIUS server.

Primary Server Secret Enter the RADIUS server secret key for the primary RADIUS server.

Secondary Server Name/IP Enter the domain name or IP address of the secondary RADIUS server, if you have one.

Secondary Server Secret Enter the RADIUS server secret key for the secondary RADIUS server.

Authentication Scheme Select Use Default Authentication Scheme to authenticate with the default method. The default authentication scheme uses PAP, MS-CHAP-V2, and CHAP, in that order.

Select Specify Authentication Protocol to override the default authentication method, and choose the protocol from the list: MS-CHAP-V2, MS-CHAP, CHAP, or PAP, depending on what your RADIUS server needs.

NAS IP/Called Station ID Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiGate interface uses to communicate with the RADIUS server will be applied.

Include in every User Group Select to have the RADIUS server automatically included in all user groups.

FortiOS v3.0 MR7 User Authentication User Guide

 

01-30007-0347-20080828
