Fortinet v3.0 MR7 manual Directory Service servers

Models: v3.0 MR7

Authentication servers

Directory Service servers

Authentication Type    The supported authentication method. TACACS+ authentication methods include: Auto, ASCII, PAP, CHAP, and MSCHAP.

Delete icon            Delete this TACACS+ server.

Edit icon              Edit this TACACS+ server.

To remove a TACACS+ server from the FortiGate unit configuration - CLI

config user tacacs+
    delete <server_name>
end

Directory Service servers

Windows Active Directory (AD) and Novell eDirectory provide central authentication services by storing information about network resources across a domain (a logical group of computers running versions of an operating system) in a central directory database. On networks that use Directory Service servers for authentication, FortiGate units can transparently authenticate users without asking them for their user name and password. Each person who uses computers within a domain receives his or her own unique account/user name, and this account can be assigned access to resources within the domain. In a domain, the directory resides on computers that are configured as domain controllers. A domain controller is a server that manages all security-related features that affect user/domain interactions, security centralization, and administrative functions.

FortiGate units use firewall policies to control access to resources based on user groups configured in the policies. Each FortiGate user group is associated with one or more Directory Service user groups. When a user logs in to the Windows or Novell domain, a Fortinet Server Authentication Extension (FSAE) sends the FortiGate unit the user’s IP address and the names of the Directory Service user groups to which the user belongs.

The FSAE has two components that you must install on your network:

The domain controller (DC) agent must be installed on every domain controller to monitor user logons and send information about them to the collector agent.

The collector agent must be installed on at least one domain controller to send the information received from the DC agents to the FortiGate unit.

The FortiGate unit uses this information to maintain a copy of the domain controller user group database. Because the domain controller authenticates users, the FortiGate unit does not perform authentication. It recognizes group members by their IP address.

You must install the Fortinet Server Authentication Extensions (FSAE) on the network domain controllers, and configure the FortiGate unit to retrieve information from the Directory Service server.
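The following is an added illustration, not code from the manual or from Fortinet: it models the flow described above (DC agent reports a logon, the collector agent forwards the user's IP address and Directory Service groups, and the FortiGate unit matches firewall policies by the FortiGate user groups those Directory Service groups map to). All user names, group names, IP addresses and policy names are constructed for the example.

```python
from typing import Dict, Set

# Constructed sample data (not from the manual): AD groups reported per user at logon.
AD_GROUPS_BY_USER: Dict[str, Set[str]] = {
    "alice": {"CN=Engineering,DC=example,DC=com", "CN=Domain Users,DC=example,DC=com"},
    "bob": {"CN=Domain Users,DC=example,DC=com"},
}

# FortiGate user groups, each associated with one or more Directory Service groups.
FORTIGATE_GROUPS: Dict[str, Set[str]] = {
    "eng_fsae": {"CN=Engineering,DC=example,DC=com"},
    "all_staff": {"CN=Domain Users,DC=example,DC=com"},
}

# Hypothetical firewall policies keyed by destination and allowed FortiGate user groups.
POLICIES = [
    {"name": "allow_git", "dst": "git.internal", "groups": {"eng_fsae"}},
    {"name": "allow_intranet", "dst": "intranet", "groups": {"all_staff"}},
]


class FortiGate:
    """Holds the copy of the domain controller's user-group data, keyed by IP address.
    The unit never authenticates anyone itself; the domain controller already did."""

    def __init__(self) -> None:
        self.ip_groups: Dict[str, Set[str]] = {}
        self.ip_user: Dict[str, str] = {}

    def receive_logon(self, ip: str, user: str, ds_groups: Set[str]) -> None:
        # Identity is keyed by IP: a later logon from the same address replaces the entry.
        self.ip_groups[ip] = set(ds_groups)
        self.ip_user[ip] = user

    def fortigate_groups_for(self, ip: str) -> Set[str]:
        ds = self.ip_groups.get(ip, set())
        return {fg for fg, members in FORTIGATE_GROUPS.items() if members & ds}

    def policy_allows(self, src_ip: str, dst: str):
        """Return the name of the first matching policy, or None (no transparent auth)."""
        fg = self.fortigate_groups_for(src_ip)
        for p in POLICIES:
            if p["dst"] == dst and p["groups"] & fg:
                return p["name"]
        return None


class CollectorAgent:
    """Receives logon events from DC agents and forwards (ip, user, groups) to the FortiGate."""

    def __init__(self, fortigate: FortiGate) -> None:
        self.fortigate = fortigate

    def dc_agent_logon(self, dc: str, user: str, ip: str) -> None:
        self.fortigate.receive_logon(ip, user, AD_GROUPS_BY_USER.get(user, set()))
```

An IP address with no logon record on the FortiGate unit matches no group, so the policy lookup returns None; the same address reported for a different user inherits that user's groups, which is why the manual stresses that members are recognised by IP address.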

FortiOS v3.0 MR7 User Authentication User Guide


01-30007-0347-20080828

27
