Configuring Directory Service user groups | Fortinet v3.0 MR7

User groups

Users/peers and user groups

Members	The list of Local users, RADIUS servers, LDAP servers,
	TACACS+ servers, Directory Service users/user groups, or PKI
	users that belong to the user group. To remove a member, select
	the name and then select the Left Arrow.
FortiGuard Web	Available only if Type is Firewall or Directory Service.
Filtering Override	Select the Expand Arrow to configure Web Filtering override
	capabilities for this group.

3Select OK.

To create a firewall user group - CLI

config user group edit <group_name>

set group-type <grp_type>

set member <user1> <user2> ... <usern> set profile <profile_name>

end

For more specific user group CLI commands, see the Fortinet CLI Guide.

Configuring Directory Service user groups

On a network, you can configure the FortiGate unit to allow access to members of Directory Service server user groups who have been authenticated on the network. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network domain controllers.

Note: You cannot use Directory Service user groups directly in FortiGate firewall policies. You must add Directory Service groups to FortiGate user groups. A Directory Service group should belong to only one FortiGate user group. If you assign it to multiple FortiGate user groups, the FortiGate unit recognizes only the last user group assignment.

A Directory Service user group provides access to a firewall policy that requires Directory Service type authentication and lists the user group as one of the allowed groups. The members of the user group are Directory Service users or groups that you select from a list that the FortiGate unit receives from the Directory Service servers that you have configured.

Note: A Directory Service user group cannot have SSL VPN access.

To create an Directory Service user group

1Go to User > User Group.

2Select Create New, enter the following information, and select OK.

	FortiOS v3.0 MR7 User Authentication User Guide
42	01-30007-0347-20080828

Image 42

Fortinet v3.0 MR7 Configuring Directory Service user groups, To create a firewall user group CLI, Members, FortiGuard Web

Contents

E R G U I D E FortiOS v3.0 MR7 User Authentication User Guide Trademarks Contents Index Configuring authenticated accessUsers/peers and user groups Creating local users Creating peer users About authentication Introduction User’s view of authentication Web-based user authenticationVPN client-based authentication FortiGate administrator’s view of authentication See Creating local users on See Creating peer users on Authentication servers See Configuring user groups on Users Public Key Infrastructure PKI authenticationPeers User groups Firewall policies Authentication timeoutAbout this document VPN tunnels Name field, type admin FortiGate documentationTypographic conventions FortiGate Administration Guide Related documentation FortiMail documentation FortiManager documentationFortiClient documentation FortiAnalyzer documentation Fortinet Knowledge Center Customer service and technical supportFortinet Tools and Documentation CD Comments on Fortinet technical documentation Authentication servers Radius servers Configuring the FortiGate unit to use a Radius server Radius attributes sent in Radius accounting message Primary Server Name/IP Primary Server Secret Edit icon Edit a Radius server configuration Group Ldap servers Ldapsearch -x objectclass= Configuring the FortiGate unit to use an Ldap server Common Name PasswordServer Port Identifier Protocol To configure the FortiGate unit for Ldap authentication CLIEdit Certificate Using the Query icon Ldap server Distinguished Name Query tree TACACS+ servers Ascii Authentication Type Server Key Directory Service servers Groups Create NewDomain Fsae Collector IP Directory Service server configuration Name Fsae Collector IP/Name Port CLI Example Directory Service server list Directory Service servers Users/peers and user groups Users/peers User type Authentication Creating local usersTo create a local user web-based manager Go to User Local To view a list of all local users, go to User Local Delete icon Edit iconTo create a local user CLI To remove a user from the FortiGate unit configuration CLI Creating peer usersDelete icon Authenticating peer user To view a list of PKI peer users, go to User PKISubject To create a peer user for PKI authentication CLI Remove PKI peer user Directory Service user groups User groupsFirewall user groups SSL VPN user groups Protection profiles Configuring user groups Select Create New and enter the following informationFirewall Members Configuring Directory Service user groupsTo create a firewall user group CLI FortiGuard Web Configuring SSL VPN user groups Available Users/Groups or Available Members To create a peer group CLI Configuring Peer user groupsViewing a list of user groups Group Name Config user group delete groupname End User groups Enter the Idle Timeout value seconds Select Apply Authentication timeoutAuthentication protocols Telnet Firewall policy authentication Authentication Settings To configure authentication for a firewall policy Configuring authentication for a firewall policyAuthentication is an Advanced firewall option Go to Firewall Policy Firewall policy order Firewall Policy Move To Configuring authenticated access to the Internet Source InterfaceZone Select Enable SSL-VPN and enter information as follows VPN authenticationConfiguring authentication of SSL VPN users Go to VPN SSL Require Client Certificate Default RC4128Server Certificate Encryption Key Algorithm To configure authentication for an SSL VPN CLI Select Enable Pptp Configuring authentication of VPN peers and clientsConfiguring authentication of Pptp VPN users/user groups Select Require Client Certificate, and then select Apply To configure authentication for a Pptp VPN CLI Configuring authentication of L2TP VPN users/user groupsConfiguring authentication of remote IPSec VPN users To configure authentication for an L2TP VPN CLI To configure user group authentication for dialup IPSec CLI Only users with passwords on the FortiGate unitRemote Gateway Configuring XAuth authentication IPSec configuration for dialup users XAuth To configure authentication for a dialup IPSec VPN CLIRemote Gateway Authentication Method Server Type VPN authentication Index 01-30007-0347-20080731 MS-CHAP VSA