Authentication servers

LDAP servers

Protocol
    Select a secure LDAP protocol to use for authentication. Depending on your selection, the value in Server Port will change to the default port for the selected protocol. Available only if Secure Connection is selected.
    LDAPS: port 636
    STARTTLS: port 389

Certificate
    Select a certificate to use for authentication from the list. The certificate list comes from CA certificates at System > Certificates > CA Certificates.

To configure the FortiGate unit for LDAP authentication - CLI

    config user ldap
        edit <server_name>
            set cnid <common_name_identifier>
            set dn <distinguished_name>
            set port <port_number>
            set server <domain>
            set type <auth_type>
            set username <ldap_username>
            set password <ldap_passwd>
            set group <group>
            set filter <group_filter>
            set secure <auth_port>
            set ca-cert <cert_name>
    end
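As an added defensive check (example code, not from the FortiOS guide): a small Python audit that parses a `config user ldap` dump in the shape shown above and flags servers that bind without a secure protocol, use a secure protocol without a CA certificate, or run TLS on a non-default port. The `disable`/`starttls`/`ldaps` values for `secure` and the `next` keyword between entries are assumed from the FortiOS CLI and are not stated on this page; the sample dump is constructed.

```python
import shlex

# Assumption (not in the guide): 'set secure' takes disable/starttls/ldaps; default ports are the guide's.
DEFAULT_PORT = {"ldaps": 636, "starttls": 389, "disable": 389}

def parse_user_ldap(config_text):
    """Return {server_name: {setting: value}} from a 'config user ldap' dump."""
    servers, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = shlex.split(line)[1]
            servers[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)
            servers[current][parts[1]] = " ".join(parts[2:])
        elif line in ("next", "end"):
            current = None
    return servers

def audit_ldap_server(name, settings):
    """Findings for one server: cleartext bind, missing CA cert, non-default TLS port."""
    findings = []
    secure = settings.get("secure", "disable")
    port = int(settings.get("port", DEFAULT_PORT[secure]))
    if secure == "disable":
        user = settings.get("username", "<anonymous>")
        findings.append(f"{name}: bind password for '{user}' sent in cleartext (secure disabled)")
    elif "ca-cert" not in settings:
        findings.append(f"{name}: secure={secure} but no ca-cert, server certificate not validated")
    if secure != "disable" and port != DEFAULT_PORT[secure]:
        findings.append(f"{name}: {secure} on non-default port {port}")
    return findings

def audit_config(config_text):
    return [f for name, s in parse_user_ldap(config_text).items() for f in audit_ldap_server(name, s)]

# Constructed sample dump: one cleartext server, one STARTTLS server without a CA certificate.
SAMPLE_CONFIG = """\
config user ldap
    edit "ldap-plain"
        set server "10.0.0.5"
        set username "cn=binduser,dc=example,dc=com"
        set password "s3cret"
    next
    edit "ldap-starttls"
        set server "ldap.example.com"
        set secure starttls
    next
end
"""
```

Running `audit_config(SAMPLE_CONFIG)` yields one finding per sample server; a server with `set secure ldaps`, `set port 636` and a `ca-cert` produces none.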

To remove an LDAP server from the FortiGate unit configuration - web-based manager

Note: You cannot remove an LDAP server that belongs to a user group. Remove it from the user group first.

1 Go to User > LDAP.

2 Select the Delete icon beside the name of the LDAP server that you want to remove.

3 Select OK.

Figure 4: Delete LDAP server (screenshot of the LDAP server list showing the Delete and Edit icons)

Create New
    Add a new LDAP server. The maximum number is 10.

Name
    The name that identifies the LDAP server on the FortiGate unit.

Server Name/IP
    The domain name or IP address of the LDAP server.

Port
    The TCP port used to communicate with the LDAP server.

FortiOS v3.0 MR7 User Authentication User Guide    01-30007-0347-20080828    23
