Fortinet v3.0 MR7 manual TACACS+ servers, Ascii


Authentication servers

TACACS+ servers


In recent years, remote network access has shifted from terminal access to LAN access. Users are now connecting to their corporate network (using notebooks or home PCs) with computers that utilize complete network connections. Remote node technology allows users the same level of access to the corporate network resources as they would have if they were physically in the office. When users connect to their corporate network remotely, they do so through a remote access server. As remote access technology has evolved, the need for network access security has become increasingly important.

Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a username and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user. The default TCP port for a TACACS+ server is 49. You can only change the default port of the TACACS+ server using the CLI.

There are several different authentication protocols that TACACS+ can use during the authentication process:

ASCII

Machine-independent technique that uses representations of English characters. Requires user to type a user name and password that are sent in clear text (unencrypted) and matched with an entry in the user database stored in ASCII format.

PAP (password authentication protocol)

Used to authenticate PPP connections. Transmits passwords and other user information in clear text.

CHAP (challenge-handshake authentication protocol)

Provides the same functionality as PAP, but is more secure as it does not send the password and other user information over the network to the security server.

MS-CHAP (Microsoft challenge-handshake authentication protocol v1)

Microsoft-specific version of CHAP.

The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.
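The following Python sketch is an added illustration, not part of the Fortinet guide. It contrasts what a TACACS+ client places in the authentication data field for PAP and for CHAP, using the field layouts from RFC 8907 and the CHAP digest from RFC 1994. The password, PPP id and challenge are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac


def pap_data(password: str) -> bytes:
    """PAP: the data field carries the password itself."""
    return password.encode()


def chap_data(ppp_id: int, challenge: bytes, password: str) -> bytes:
    """CHAP: data = PPP id (1 byte) || challenge || MD5(id || password || challenge)."""
    ident = bytes([ppp_id])
    response = hashlib.md5(ident + password.encode() + challenge).digest()
    return ident + challenge + response


def server_verify_chap(data: bytes, stored_password: str) -> bool:
    """Server side: split the field and recompute the digest from the stored password."""
    if len(data) < 1 + 1 + 16:  # id + at least one challenge byte + 16-byte MD5
        return False
    ident, challenge, response = data[:1], data[1:-16], data[-16:]
    expected = hashlib.md5(ident + stored_password.encode() + challenge).digest()
    return hmac.compare_digest(expected, response)


def password_visible(data: bytes, password: str) -> bool:
    """True if the password bytes appear verbatim in the data field."""
    return password.encode() in data


if __name__ == "__main__":
    password = "correct-horse-42"   # constructed sample value
    challenge = bytes(range(16))    # constructed; a real challenge must be random
    pap = pap_data(password)
    chap = chap_data(7, challenge, password)
    print("PAP  field exposes password:", password_visible(pap, password))
    print("CHAP field exposes password:", password_visible(chap, password))
    print("CHAP verifies on server:    ", server_verify_chap(chap, password))
```

CHAP keeps the password out of the data field, but the server must hold a copy of the password it can read in order to recompute the digest.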

Configuring the FortiGate unit to use a TACACS+ authentication server

The maximum number of remote TACACS+ servers that can be configured for authentication is 10.

To configure the FortiGate unit for TACACS+ authentication - web-based manager

1 Go to User > Remote > TACACS+ and select Create New.

2 Enter the following information, and select OK.

FortiOS v3.0 MR7 User Authentication User Guide

 

01-30007-0347-20080828
