Fortinet v3.0 MR7 manual Authentication servers, See Configuring user groups on

Page 8

FortiGate administrator’s view of authentication

Introduction

3Create user groups.

Add local/peer user members to each user group as appropriate. You can also add an authentication server to a user group. In this case, all users in the server’s database can authenticate. You can only configure peer user groups through the CLI.

• See “Configuring user groups” on page 41.

4Configure firewall policies and VPN tunnels that require authenticated access. See “Configuring authentication for a firewall policy” on page 49.

See “Configuring authentication of PPTP VPN users/user groups” on page 55. See “Configuring authentication of remote IPSec VPN users” on page 56. See “Configuring XAuth authentication” on page 58.

Authentication servers

The FortiGate unit can store user names and passwords and use them to authenticate users. In an enterprise environment, it might be more convenient to use the same system that provides authentication for local area network access, email and other services. Users who access the corporate network from home or while traveling could use the same user name and password that they use at the office.

You can configure the FortiGate unit to work with remote or external authentication servers in two different ways:

Add the authentication server to a user group.

Anyone in the server’s database is a member of the user group. This is a simple way to provide access to the corporate VPN for all employees, for example. You do not need to configure individual users on the FortiGate unit.

or

Specify the authentication server instead of a password when you configure the individual user identity on the FortiGate unit.

The user name must exist on both the FortiGate unit and authentication server. User names that exist only on the authentication server cannot authenticate on the FortiGate unit. This method enables you to provide access only to selected employees, for example.

Note: You cannot combine these two uses of an authentication server in the same user group. If you add the server to the user group, adding individual users with authentication to that server is redundant.

If you want to use remote or external authentication servers, you must configure them before you configure users and user groups. See “RADIUS servers” on page 15, “LDAP servers” on page 19, “TACACS+ servers” on page 25, and “Directory Service servers” on page 27.

 

FortiOS v3.0 MR7 User Authentication User Guide

8

01-30007-0347-20080828

Image 8
Contents E R G U I D E FortiOS v3.0 MR7 User Authentication User Guide TrademarksContents Configuring authenticated access Users/peers and user groupsIndex Creating local users Creating peer usersAbout authentication IntroductionVPN client-based authentication User’s view of authenticationWeb-based user authentication FortiGate administrator’s view of authentication See Creating local users on See Creating peer users onAuthentication servers See Configuring user groups onPublic Key Infrastructure PKI authentication PeersUsers User groupsAuthentication timeout About this documentFirewall policies VPN tunnelsTypographic conventions Name field, type adminFortiGate documentation FortiGate Administration Guide Related documentationFortiManager documentation FortiClient documentationFortiMail documentation FortiAnalyzer documentationCustomer service and technical support Fortinet Tools and Documentation CDFortinet Knowledge Center Comments on Fortinet technical documentationAuthentication servers Radius serversConfiguring the FortiGate unit to use a Radius server Radius attributes sent in Radius accounting messagePrimary Server Name/IP Primary Server SecretEdit icon Edit a Radius server configuration GroupLdap servers Ldapsearch -x objectclass= Configuring the FortiGate unit to use an Ldap server Password Server PortCommon Name IdentifierTo configure the FortiGate unit for Ldap authentication CLI EditProtocol CertificateUsing the Query icon Ldap server Distinguished Name Query treeTACACS+ servers AsciiAuthentication Type Server KeyDirectory Service servers Create New DomainGroups Fsae Collector IPDirectory Service server configuration Name Fsae Collector IP/Name PortCLI Example Directory Service server list Directory Service servers Users/peers and user groups Users/peersTo create a local user web-based manager Go to User Local User type AuthenticationCreating local users To create a local user CLI To view a list of all local users, go to User LocalDelete icon Edit icon Delete icon To remove a user from the FortiGate unit configuration CLICreating peer users Subject Authenticating peer userTo view a list of PKI peer users, go to User PKI To create a peer user for PKI authentication CLI Remove PKI peer userFirewall user groups Directory Service user groupsUser groups SSL VPN user groups Protection profilesFirewall Configuring user groupsSelect Create New and enter the following information Configuring Directory Service user groups To create a firewall user group CLIMembers FortiGuard WebConfiguring SSL VPN user groups Available Users/Groups or Available MembersConfiguring Peer user groups Viewing a list of user groupsTo create a peer group CLI Group NameConfig user group delete groupname End User groups Authentication timeout Authentication protocolsEnter the Idle Timeout value seconds Select Apply TelnetFirewall policy authentication Authentication SettingsConfiguring authentication for a firewall policy Authentication is an Advanced firewall optionTo configure authentication for a firewall policy Go to Firewall PolicyFirewall policy order Firewall Policy Move ToZone Configuring authenticated access to the InternetSource Interface VPN authentication Configuring authentication of SSL VPN usersSelect Enable SSL-VPN and enter information as follows Go to VPN SSLDefault RC4128 Server CertificateRequire Client Certificate Encryption Key AlgorithmTo configure authentication for an SSL VPN CLI Configuring authentication of VPN peers and clients Configuring authentication of Pptp VPN users/user groupsSelect Enable Pptp Select Require Client Certificate, and then select ApplyConfiguring authentication of L2TP VPN users/user groups Configuring authentication of remote IPSec VPN usersTo configure authentication for a Pptp VPN CLI To configure authentication for an L2TP VPN CLIRemote Gateway To configure user group authentication for dialup IPSec CLIOnly users with passwords on the FortiGate unit Configuring XAuth authentication IPSec configuration for dialup usersTo configure authentication for a dialup IPSec VPN CLI Remote Gateway Authentication MethodXAuth Server TypeVPN authentication Index 01-30007-0347-20080731 MS-CHAP VSA