Users/peers and user groups

User groups

A user group is a list of user/peer identities. An identity can be:

a local user account (user name/password) stored on the FortiGate unit

a local user account with the password stored on a RADIUS, LDAP, or TACACS+ server

a peer user account with a digital client authentication certificate stored on the FortiGate unit

a RADIUS, LDAP, or TACACS+ server (all identities on the server can authenticate)

a user group defined on a Directory Service server.

Firewall policies and some types of VPN configurations allow access to user groups, not to individual users.

Each user group belongs to one of three types: Firewall, Directory Service or SSL VPN. For information about each type, see “Firewall user groups” on page 39, “Directory Service user groups” on page 39, and “SSL VPN user groups” on page 40. For information on configuring each type of user group, see “Configuring user groups” on page 41.

In most cases, the FortiGate unit authenticates users by requesting their user name and password. The FortiGate unit checks local user accounts first. If a match is not found, the FortiGate unit checks the RADIUS, LDAP, or TACACS+ servers that belong to the user group. Authentication succeeds when a matching user name and password are found.

Firewall user groups

A firewall user group provides access to a firewall policy that requires authentication and lists the user group as one of the allowed groups. The FortiGate unit requests the group member’s user name and password when the user attempts to access the resource that the policy protects.

You can also authenticate a user by certificate if you have selected this method. For more information, see “Adding authentication to firewall policies” on page 286.

A firewall user group can also provide access to an IPSec VPN for dialup users. In this case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option. The user’s VPN client is configured with the user name as peer ID and the password as pre-shared key. The user can connect successfully to the IPSec VPN only if the user name is a member of the allowed user group and the password matches the one stored on the FortiGate unit.

Note: A user group cannot be a dialup group if any member is authenticated using a RADIUS or LDAP server.
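The lookup order described above (local accounts first, then the RADIUS, LDAP or TACACS+ servers that are members of the group) and the dialup-group rule in the note can be modelled in a few lines. The following Python is an added illustration, not FortiOS code: the class and function names (LocalUser, RemoteServer, UserGroup, build_sample_group, build_dialup_group) are invented, the remote servers are simulated with in-memory dictionaries rather than real RADIUS/LDAP/TACACS+ traffic, and it assumes that a "match" means user name and password together, so a local account with a non-matching password does not stop the remote lookup. All credentials are constructed sample values.

```python
"""Model of FortiGate user-group authentication order (added example, not
FortiOS code): local accounts are checked first, then each RADIUS/LDAP/
TACACS+ server that belongs to the group. Remote servers are simulated."""
from dataclasses import dataclass, field
import hmac


@dataclass
class LocalUser:
    name: str
    password: str          # constructed sample credential


@dataclass
class RemoteServer:
    """Stand-in for a RADIUS, LDAP or TACACS+ server: every account it holds
    can authenticate (the dictionary replaces the real server)."""
    name: str
    protocol: str          # "RADIUS", "LDAP" or "TACACS+"
    accounts: dict = field(default_factory=dict)

    def check(self, username, password):
        stored = self.accounts.get(username)
        # constant-time compare, as a real password check should use
        return stored is not None and hmac.compare_digest(stored, password)


@dataclass
class UserGroup:
    name: str
    members: list = field(default_factory=list)   # LocalUser / RemoteServer

    def authenticate(self, username, password):
        """Return a label for the member that accepted the credentials, or
        None. Assumption: a 'match' means user name AND password, so a local
        account with the wrong password does not end the lookup."""
        # 1. local user accounts stored on the unit are checked first
        for m in self.members:
            if isinstance(m, LocalUser) and m.name == username:
                if hmac.compare_digest(m.password, password):
                    return f"local:{m.name}"
        # 2. then the remote servers that belong to the group, in order
        for m in self.members:
            if isinstance(m, RemoteServer) and m.check(username, password):
                return f"{m.protocol}:{m.name}"
        return None

    def can_be_dialup_group(self):
        """Rule from the note: not a dialup group if any member is
        authenticated by a RADIUS or LDAP server."""
        return not any(isinstance(m, RemoteServer)
                       and m.protocol in ("RADIUS", "LDAP")
                       for m in self.members)

    def dialup_peer_accepted(self, peer_id, preshared_key):
        """IPSec dialup check: peer ID is the user name and the pre-shared
        key is the password, both matched against a local account."""
        if not self.can_be_dialup_group():
            return False
        for m in self.members:
            if isinstance(m, LocalUser) and m.name == peer_id:
                return hmac.compare_digest(m.password, preshared_key)
        return False


def build_sample_group():
    """Constructed sample data: one local account plus one RADIUS server."""
    radius = RemoteServer("rad1", "RADIUS",
                          {"bob": "bobpass", "alice": "remote-alice"})
    return UserGroup("sales", [LocalUser("alice", "alice-local"), radius])


def build_dialup_group():
    """Constructed sample data: local members only, so dialup is allowed."""
    return UserGroup("dialup", [LocalUser("carol", "carol-psk")])


if __name__ == "__main__":
    g = build_sample_group()
    for user, pw in [("alice", "alice-local"), ("bob", "bobpass"),
                     ("bob", "wrong")]:
        print(f"{user!r} -> {g.authenticate(user, pw)}")
    print("sales can be dialup group:", g.can_be_dialup_group())
    print("dialup group accepts carol:",
          build_dialup_group().dialup_peer_accepted("carol", "carol-psk"))
```

Running the block shows alice accepted by the local account, bob accepted by the simulated RADIUS server, the wrong password rejected, and the mixed group refused as a dialup group because it contains a RADIUS member.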

Directory Service user groups

On a network, you can configure the FortiGate unit to allow access to members of Directory Service server user groups who have been authenticated on the network. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network domain controllers.

FortiOS v3.0 MR7 User Authentication User Guide

01-30007-0347-20080828

39
