Fortinet v3.0 MR7 manual Directory Service servers

Page 27


Authentication servers


Authentication Type

The supported authentication method. TACACS+ authentication methods include: Auto, ASCII, PAP, CHAP, and MSCHAP.

Delete icon

Delete this TACACS+ server.

Edit icon

Edit this TACACS+ server.

To remove a TACACS+ server from the FortiGate unit configuration - CLI

config user tacacs+
    delete <server_name>
end

Directory Service servers

Windows Active Directory (AD) and Novell eDirectory provide central authentication services by storing information about network resources across a domain (a logical group of computers that share one directory database) in a central directory. On networks that use Directory Service servers for authentication, FortiGate units can transparently authenticate users without prompting them for a user name and password. Each person who uses computers within a domain receives a unique account (user name), which can be granted access to resources within the domain. In a domain, the directory resides on computers that are configured as domain controllers. A domain controller is a server that manages all security-related features affecting user/domain interactions, centralizes security, and performs administrative functions.

FortiGate units use firewall policies to control access to resources based on user groups configured in the policies. Each FortiGate user group is associated with one or more Directory Service user groups. When a user logs in to the Windows or Novell domain, a Fortinet Server Authentication Extension (FSAE) sends the FortiGate unit the user’s IP address and the names of the Directory Service user groups to which the user belongs.

The FSAE has two components that you must install on your network:

The domain controller (DC) agent must be installed on every domain controller to monitor user logons and send information about them to the collector agent.

The collector agent must be installed on at least one domain controller to send the information received from the DC agents to the FortiGate unit.

The FortiGate unit uses this information to maintain a copy of the domain controller's user group database. Because the domain controller has already authenticated the user, the FortiGate unit performs no authentication of its own: it recognizes group members by their IP address. Every packet from a known IP address is therefore attributed to the user who last logged on from that address, so a workstation shared by several users, or a NAT device that hides several hosts behind one address, can cause one user's group membership to be applied to other people's traffic.

You must install the Fortinet Server Authentication Extension (FSAE) on the network domain controllers, and configure the FortiGate unit to retrieve information from the Directory Service server.
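The following Python model illustrates the flow described above: the collector agent forwards a logon event (IP address, user name, Directory Service group names), the FortiGate keeps a table keyed by IP address, maps the Directory Service groups to its own user groups, and matches firewall policies on that basis. It is an added example, not Fortinet code and not the FSAE wire format; the group names, policy names, addresses and the shape of the logon record are all assumptions. It also walks through the shared-address case, where a second logon from the same IP address replaces the first user's entry.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed mapping of FortiGate user groups to Directory Service groups,
# i.e. what an administrator would configure under User > User Group.
# All names here are assumptions made for the example.
GROUP_MAP: Dict[str, Set[str]] = {
    "FW_Sales": {"EXAMPLE/Sales"},
    "FW_Engineering": {"EXAMPLE/Engineering", "EXAMPLE/DevOps"},
}


@dataclass(frozen=True)
class LogonEvent:
    """One logon record as the collector agent forwards it.
    Assumed shape: the real FSAE message format is not on this page."""
    ip: str
    user: str
    groups: FrozenSet[str]  # Directory Service group names


@dataclass(frozen=True)
class FirewallPolicy:
    name: str
    src_net: ipaddress.IPv4Network
    user_group: Optional[str]  # FortiGate user group, or None for "any user"
    action: str


class FsaeUserTable:
    """The FortiGate's copy of the logon database, keyed by IP address."""

    def __init__(self, group_map: Dict[str, Set[str]]) -> None:
        self.group_map = group_map
        self.by_ip: Dict[str, LogonEvent] = {}

    def logon(self, ev: LogonEvent) -> None:
        # Keyed by IP: a later logon from the same address replaces the
        # earlier one. This is the shared-workstation / NAT caveat.
        self.by_ip[ev.ip] = ev

    def logoff(self, ip: str) -> None:
        self.by_ip.pop(ip, None)

    def fortigate_groups(self, ip: str) -> Set[str]:
        """FortiGate user groups whose Directory Service members include
        at least one group the user logged on at this IP belongs to."""
        ev = self.by_ip.get(ip)
        if ev is None:
            return set()
        return {fg for fg, ds in self.group_map.items() if ds & ev.groups}

    def evaluate(self, policies: List[FirewallPolicy],
                 src_ip: str) -> Tuple[Optional[str], str]:
        """First-match policy lookup; no match means implicit deny."""
        addr = ipaddress.IPv4Address(src_ip)
        fgroups = self.fortigate_groups(src_ip)
        for p in policies:
            if addr not in p.src_net:
                continue
            if p.user_group is None or p.user_group in fgroups:
                return p.name, p.action
        return None, "deny"


POLICIES = [
    FirewallPolicy("sales_to_crm", ipaddress.IPv4Network("10.1.1.0/24"),
                   "FW_Sales", "accept"),
    FirewallPolicy("eng_to_git", ipaddress.IPv4Network("10.1.1.0/24"),
                   "FW_Engineering", "accept"),
]


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    table = FsaeUserTable(GROUP_MAP)
    results: Dict[str, Tuple[Optional[str], str]] = {}
    # alice logs on; the DC agent sees the logon and the collector agent
    # forwards her IP address and group names to the FortiGate.
    table.logon(LogonEvent("10.1.1.20", "alice", frozenset({"EXAMPLE/Sales"})))
    results["alice"] = table.evaluate(POLICIES, "10.1.1.20")
    # A host nobody has logged on to matches no identity-based policy.
    results["unknown_host"] = table.evaluate(POLICIES, "10.1.1.99")
    # bob logs on from the same address (shared workstation, or several
    # hosts behind one NAT address): alice's entry is replaced, and any
    # traffic from 10.1.1.20, including hers, is now treated as bob's.
    table.logon(LogonEvent("10.1.1.20", "bob", frozenset({"EXAMPLE/DevOps"})))
    results["after_bob"] = table.evaluate(POLICIES, "10.1.1.20")
    # After logoff the address is anonymous again and falls to implicit deny.
    table.logoff("10.1.1.20")
    results["after_logoff"] = table.evaluate(POLICIES, "10.1.1.20")
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(case, decision)
```

The table is keyed on the IP address alone, exactly as the text describes, which is why the "after_bob" case flips from the Sales policy to the Engineering policy without alice ever logging off: the FortiGate cannot tell her traffic from bob's once both share an address.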

FortiOS v3.0 MR7 User Authentication User Guide

01-30007-0347-20080828
