Fortinet v3.0 MR7 manual Configuring authentication of VPN peers and clients, Go to VPN Pptp

Page 55


Configuring authenticated access	VPN authentication

Note: The SSL protocol requires that the FortiGate unit identify itself whenever a web browser accesses the web portal login page through an HTTPS link. If you would like to configure the FortiGate unit to identify itself using a CA-issued server certificate instead of the factory-installed self-signed certificate, select the name of the signed server certificate from the Server Certificate list on the SSL-VPN Settings page when you enable strong authentication for SSL VPN users. The server certificate must be installed before you can select it from the list. For more information about server certificates, see the FortiGate

Certificate Management User Guide.

To enable strong authentication for an SSL VPN

1Go to VPN > SSL > Config.

2Select Require Client Certificate, and then select Apply.

3Go to Firewall > Policy.

4Select the Edit icon in the row that corresponds to the firewall policy for traffic generated by holders of the group certificate.

5Select SSL Client Certificate Restrictive.

6Select OK.

For information about how to create user accounts and user groups, see the FortiGate Administration Guide. For detailed information about configuring SSL VPNs, see the FortiGate SSL VPN User Guide.

Configuring authentication of VPN peers and clients

After the required server or group certificates and CA root certificates have been installed on the VPN peers and clients, the peers and clients identify themselves using those certificates when prompted by the FortiGate unit. The FortiGate unit provides its public key to the remote peer or client so that the remote peer or client can send encrypted messages to the FortiGate unit. Conversely, the remote peer or client provides its public key to the FortiGate unit, which uses the key to encrypt messages destined for the remote peer or client.

Configuring authentication of PPTP VPN users/user groups

To configure authentication for a PPTP VPN - web-based manager

1Configure the users who are permitted to use this VPN. Create a user group and add them to it.

For more information, see “Users/peers and user groups” on page 33.

2Go to VPN > PPTP.

Figure 27: PPTP VPN Range settings

3Select Enable PPTP.

FortiOS v3.0 MR7 User Authentication User Guide
01-30007-0347-20080828	55

Image 55

Contents E R G U I D E Trademarks FortiOS v3.0 MR7 User Authentication User GuideContents Creating local users Creating peer users Configuring authenticated accessUsers/peers and user groups IndexIntroduction About authenticationWeb-based user authentication User’s view of authenticationVPN client-based authentication See Creating local users on See Creating peer users on FortiGate administrator’s view of authenticationSee Configuring user groups on Authentication serversUser groups Public Key Infrastructure PKI authenticationPeers UsersVPN tunnels Authentication timeoutAbout this document Firewall policiesFortiGate documentation Name field, type adminTypographic conventions Related documentation FortiGate Administration GuideFortiAnalyzer documentation FortiManager documentationFortiClient documentation FortiMail documentationComments on Fortinet technical documentation Customer service and technical supportFortinet Tools and Documentation CD Fortinet Knowledge CenterRadius servers Authentication serversRadius attributes sent in Radius accounting message Configuring the FortiGate unit to use a Radius serverPrimary Server Secret Primary Server Name/IPGroup Edit icon Edit a Radius server configurationLdap servers Ldapsearch -x objectclass= Configuring the FortiGate unit to use an Ldap server Identifier PasswordServer Port Common NameCertificate To configure the FortiGate unit for Ldap authentication CLIEdit ProtocolLdap server Distinguished Name Query tree Using the Query iconAscii TACACS+ serversServer Key Authentication TypeDirectory Service servers Fsae Collector IP Create NewDomain GroupsFsae Collector IP/Name Port Directory Service server configuration NameCLI Example Directory Service server list Directory Service servers Users/peers Users/peers and user groupsCreating local users User type AuthenticationTo create a local user web-based manager Go to User Local Delete icon Edit icon To view a list of all local users, go to User LocalTo create a local user CLI Creating peer users To remove a user from the FortiGate unit configuration CLIDelete icon To view a list of PKI peer users, go to User PKI Authenticating peer userSubject Remove PKI peer user To create a peer user for PKI authentication CLIUser groups Directory Service user groupsFirewall user groups Protection profiles SSL VPN user groupsSelect Create New and enter the following information Configuring user groupsFirewall FortiGuard Web Configuring Directory Service user groupsTo create a firewall user group CLI MembersAvailable Users/Groups or Available Members Configuring SSL VPN user groupsGroup Name Configuring Peer user groupsViewing a list of user groups To create a peer group CLIConfig user group delete groupname End User groups Telnet Authentication timeoutAuthentication protocols Enter the Idle Timeout value seconds Select ApplyAuthentication Settings Firewall policy authenticationGo to Firewall Policy Configuring authentication for a firewall policyAuthentication is an Advanced firewall option To configure authentication for a firewall policyFirewall Policy Move To Firewall policy orderSource Interface Configuring authenticated access to the InternetZone Go to VPN SSL VPN authenticationConfiguring authentication of SSL VPN users Select Enable SSL-VPN and enter information as followsEncryption Key Algorithm Default RC4128Server Certificate Require Client CertificateTo configure authentication for an SSL VPN CLI Select Require Client Certificate, and then select Apply Configuring authentication of VPN peers and clientsConfiguring authentication of Pptp VPN users/user groups Select Enable PptpTo configure authentication for an L2TP VPN CLI Configuring authentication of L2TP VPN users/user groupsConfiguring authentication of remote IPSec VPN users To configure authentication for a Pptp VPN CLIOnly users with passwords on the FortiGate unit To configure user group authentication for dialup IPSec CLIRemote Gateway IPSec configuration for dialup users Configuring XAuth authenticationServer Type To configure authentication for a dialup IPSec VPN CLIRemote Gateway Authentication Method XAuthVPN authentication Index 01-30007-0347-20080731 MS-CHAP VSA