Fortinet Managing FortiGate SSL VPN auth-timeout and idle timeout for optimized user authentication


VPN authentication

Configuring authenticated access

To configure authentication for an SSL VPN - CLI

config vpn ssl settings
    set algorithm
    set auth-timeout
    set dns-server1
    set dns-server2
    set idle-timeout
    set portal-heading
    set reqclientcert
    set route-source-interface
    set servercert
    set sslv2
    set sslv3
    set sslvpn-enable
    set tunnel-endip
    set tunnel-startip
    set url-obscuration
    set wins-server1
    set wins-server2
end

The tunnel-endip and tunnel-startip keywords are required for tunnel-mode access only. All other keywords are optional.

When you configure the timeout settings, if you set the authentication timeout (auth-timeout) to 0, the remote client does not have to re-authenticate unless they log out of the system. To take full advantage of this setting, idle-timeout must also be set to 0, so that the client is not timed out when the maximum idle time is reached. If idle-timeout is not set to the infinite value (0), the system logs the client out when that limit is reached, regardless of the auth-timeout setting.
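An added audit script, not from the guide, that parses a FortiOS-style config vpn ssl settings block and flags the timeout combination described above, together with the sslv2/sslv3 and reqclientcert keywords from the list. The sample block and its values are constructed; the enable/disable and plain-seconds value forms are assumed.

```python
import re

# Constructed sample block; keywords are from the guide, values are assumed.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set algorithm default
    set auth-timeout 0
    set idle-timeout 0
    set reqclientcert disable
    set sslv2 enable
    set sslv3 enable
    set sslvpn-enable enable
    set tunnel-startip 10.0.0.10
    set tunnel-endip 10.0.0.20
end
"""

def parse_ssl_settings(text):
    """Return {keyword: value} for the 'set' lines inside config vpn ssl settings."""
    settings = {}
    inside = False
    for line in text.splitlines():
        line = line.strip()
        if line == "config vpn ssl settings":
            inside = True
            continue
        if inside and line == "end":
            break
        m = re.match(r"set (\S+) (.+)", line)
        if inside and m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit_ssl_settings(settings):
    """Flag settings that weaken SSL VPN session lifetime or transport security."""
    findings = []
    auth = settings.get("auth-timeout")
    idle = settings.get("idle-timeout")
    if auth == "0" and idle == "0":
        findings.append("sessions never expire: auth-timeout 0 and idle-timeout 0")
    elif auth == "0":
        findings.append("auth-timeout 0: session is bounded only by idle-timeout %s" % idle)
    for proto in ("sslv2", "sslv3"):
        if settings.get(proto) == "enable":
            findings.append("legacy protocol %s enabled" % proto)
    if settings.get("reqclientcert") != "enable":
        findings.append("client certificate not required (no strong authentication)")
    if bool(settings.get("tunnel-startip")) != bool(settings.get("tunnel-endip")):
        findings.append("tunnel mode needs both tunnel-startip and tunnel-endip")
    return findings
```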

Strong authentication is a form of computer security in which the identities of networked users, clients, and servers are verified without transmitting passwords over the internet. To verify a user’s identity, strong authentication combines something the user knows (a user name and password) with something the user has (a client-side certificate). Strong authentication can be configured for SSL VPN user groups using X.509 (version 1 or 3) digital certificates.

Configuring strong authentication of SSL VPN users/user groups

You can use strong authentication to verify the identities of SSL VPN user group members. The accounts for individual users, and the user groups containing those users, must be created before configuring strong authentication, and a firewall encryption policy must be created to permit access by that user group. To enable strong authentication for an SSL VPN user group:

Obtain a signed group certificate from a CA and load the signed group certificate into the web browser used by each user. Follow the browser documentation to load the certificates.

Install the root certificate and the CRL from the issuing CA on the FortiGate unit.

Configure strong authentication for the group of users having a copy of the group certificate.


FortiOS v3.0 MR7 User Authentication User Guide

54

01-30007-0347-20080828
