Fortinet v3.0 MR7 manual Users/peers and user groups

Page 33

 

 

Users/peers and user groups

Users/peers

Users/peers and user groups

FortiGate authentication controls system access by user group. First you configure users/peers, then you create user groups and add users/peers to them.

Configure local user accounts. For each user, you can choose whether the password is verified by the FortiGate unit, by a RADIUS server, by an LDAP server, or by a TACACS+ server. See “Creating local users” on page 34.

Configure your FortiGate unit to authenticate users by using your RADIUS, LDAP, or TACACS+ servers. See “Configuring the FortiGate unit to use a RADIUS server” on page 16, “Configuring the FortiGate unit to use an LDAP server” on page 21, and “Configuring the FortiGate unit to use a TACACS+ authentication server” on page 25.

Configure access to the FortiGate unit if you use a Directory Service server for authentication. See “Configuring the FortiGate unit to use a Directory Service server” on page 28.

Configure for certificate-based authentication for administrative access (HTTPS web-based manager), IPSec, SSL-VPN, and web-based firewall authentication.

For each network resource that requires authentication, you specify which user groups are permitted access to the network. There are three types of user groups: Firewall, Directory Service, and SSL VPN. See “Configuring user groups” on page 41 and “Configuring Directory Service user groups” on page 42.

This section describes:

Users/peers

User groups

Users/peers

A user is a user/peer account configured on the FortiGate unit and/or on a remote or external authentication server. Users can access resources that require authentication only if they are members of an allowed user group.

Table 2: How the FortiGate unit authenticates different types of users

User type

Authentication

Local user with password

The user name and password must match a user account

stored on the FortiGate unit

stored on the FortiGate unit.

Local user with password

The user name must match a user account stored on the

stored on an authentication

FortiGate unit and the user name and password must

server

match a user account stored on the authentication server

 

associated with that user.

FortiOS v3.0 MR7 User Authentication User Guide

01-30007-0347-20080828

33

Page 32 Page 34
Image 33
Page 32 Page 34
Contents E R G U I D E Trademarks FortiOS v3.0 MR7 User Authentication User GuideContents Users/peers and user groups Configuring authenticated accessIndex Creating local users Creating peer usersIntroduction About authenticationUser’s view of authentication Web-based user authenticationVPN client-based authentication See Creating local users on See Creating peer users on FortiGate administrator’s view of authenticationSee Configuring user groups on Authentication serversPeers Public Key Infrastructure PKI authenticationUsers User groupsAbout this document Authentication timeoutFirewall policies VPN tunnelsName field, type admin FortiGate documentationTypographic conventions Related documentation FortiGate Administration GuideFortiClient documentation FortiManager documentationFortiMail documentation FortiAnalyzer documentationFortinet Tools and Documentation CD Customer service and technical supportFortinet Knowledge Center Comments on Fortinet technical documentationRadius servers Authentication serversRadius attributes sent in Radius accounting message Configuring the FortiGate unit to use a Radius serverPrimary Server Secret Primary Server Name/IPGroup Edit icon Edit a Radius server configurationLdap servers Ldapsearch -x objectclass= Configuring the FortiGate unit to use an Ldap server Server Port PasswordCommon Name IdentifierEdit To configure the FortiGate unit for Ldap authentication CLIProtocol CertificateLdap server Distinguished Name Query tree Using the Query iconAscii TACACS+ serversServer Key Authentication TypeDirectory Service servers Domain Create NewGroups Fsae Collector IPFsae Collector IP/Name Port Directory Service server configuration NameCLI Example Directory Service server list Directory Service servers Users/peers Users/peers and user groupsUser type Authentication Creating local usersTo create a local user web-based manager Go to User Local To view a list of all local users, go to User Local Delete icon Edit iconTo create a local user CLI To remove a user from the FortiGate unit configuration CLI Creating peer usersDelete icon Authenticating peer user To view a list of PKI peer users, go to User PKISubject Remove PKI peer user To create a peer user for PKI authentication CLIDirectory Service user groups User groupsFirewall user groups Protection profiles SSL VPN user groupsConfiguring user groups Select Create New and enter the following informationFirewall To create a firewall user group CLI Configuring Directory Service user groupsMembers FortiGuard WebAvailable Users/Groups or Available Members Configuring SSL VPN user groupsViewing a list of user groups Configuring Peer user groupsTo create a peer group CLI Group NameConfig user group delete groupname End User groups Authentication protocols Authentication timeoutEnter the Idle Timeout value seconds Select Apply TelnetAuthentication Settings Firewall policy authenticationAuthentication is an Advanced firewall option Configuring authentication for a firewall policyTo configure authentication for a firewall policy Go to Firewall PolicyFirewall Policy Move To Firewall policy orderConfiguring authenticated access to the Internet Source InterfaceZone Configuring authentication of SSL VPN users VPN authenticationSelect Enable SSL-VPN and enter information as follows Go to VPN SSLServer Certificate Default RC4128Require Client Certificate Encryption Key AlgorithmTo configure authentication for an SSL VPN CLI Configuring authentication of Pptp VPN users/user groups Configuring authentication of VPN peers and clientsSelect Enable Pptp Select Require Client Certificate, and then select ApplyConfiguring authentication of remote IPSec VPN users Configuring authentication of L2TP VPN users/user groupsTo configure authentication for a Pptp VPN CLI To configure authentication for an L2TP VPN CLITo configure user group authentication for dialup IPSec CLI Only users with passwords on the FortiGate unitRemote Gateway IPSec configuration for dialup users Configuring XAuth authenticationRemote Gateway Authentication Method To configure authentication for a dialup IPSec VPN CLIXAuth Server TypeVPN authentication Index 01-30007-0347-20080731 MS-CHAP VSA
Top Page Image Contents