Introduction, About authentication | Fortinet v3.0 MR7 manual


Introduction	About authentication

Introduction

This section introduces you to the authentication process from the user and the administrators perspective, and provides supplementary information about Fortinet publications.

Note: This document does not describe certificate-based VPN authentication. For information about this type of authentication, see the FortiGate IPSec VPN Guide and the FortiGate Certificate Management User Guide.

The following topics are covered in this section:

•About authentication

•User’s view of authentication

•FortiGate administrator’s view of authentication

•About this document

•FortiGate documentation

•Related documentation

•Customer service and technical support

About authentication

Computer networks have, for the most part, improved worker efficiency and helped a company’s bottom line. Along with these benefits, the need has arisen for workers to be able to remotely access their corporate network, with appropriate security measures in place. In general terms, authentication is the process of attempting to verify the (digital) identity of the sender of a communication such as a log in request. The sender may be someone using a computer, the computer itself, or a computer program. A computer system should only be used by those who are authorized to do so, therefore there must be a measure in place to detect and exclude any unauthorized access.

On a FortiGate unit, you can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must:

•belong to one of the user groups that is allowed access

•correctly enter a user name and password to prove his or her identity, if asked to do so

This process is called authentication.

You can configure authentication for:

•any firewall policy with Action set to ACCEPT

•SSL VPNs

•PPTP and L2TP VPNs

•a dialup IPSec VPN set up as an XAUTH server (Phase 1)

•a dialup IPSec VPN that accepts user group authentication as a peer ID

FortiOS v3.0 MR7 User Authentication User Guide
01-30007-0347-20080828	5

Image 5

Fortinet v3.0 MR7 manual Introduction, About authentication

Contents

E R G U I D E Trademarks FortiOS v3.0 MR7 User Authentication User Guide Contents Users/peers and user groups Configuring authenticated accessIndex Creating local users Creating peer users Introduction About authentication VPN client-based authentication User’s view of authenticationWeb-based user authentication See Creating local users on See Creating peer users on FortiGate administrator’s view of authentication See Configuring user groups on Authentication servers Peers Public Key Infrastructure PKI authenticationUsers User groups About this document Authentication timeoutFirewall policies VPN tunnels Typographic conventions Name field, type adminFortiGate documentation Related documentation FortiGate Administration Guide FortiClient documentation FortiManager documentationFortiMail documentation FortiAnalyzer documentation Fortinet Tools and Documentation CD Customer service and technical supportFortinet Knowledge Center Comments on Fortinet technical documentation Radius servers Authentication servers Radius attributes sent in Radius accounting message Configuring the FortiGate unit to use a Radius server Primary Server Secret Primary Server Name/IP Group Edit icon Edit a Radius server configuration Ldap servers Ldapsearch -x objectclass= Configuring the FortiGate unit to use an Ldap server Server Port PasswordCommon Name Identifier Edit To configure the FortiGate unit for Ldap authentication CLIProtocol Certificate Ldap server Distinguished Name Query tree Using the Query icon Ascii TACACS+ servers Server Key Authentication Type Directory Service servers Domain Create NewGroups Fsae Collector IP Fsae Collector IP/Name Port Directory Service server configuration Name CLI Example Directory Service server list Directory Service servers Users/peers Users/peers and user groups To create a local user web-based manager Go to User Local User type AuthenticationCreating local users To create a local user CLI To view a list of all local users, go to User LocalDelete icon Edit icon Delete icon To remove a user from the FortiGate unit configuration CLICreating peer users Subject Authenticating peer userTo view a list of PKI peer users, go to User PKI Remove PKI peer user To create a peer user for PKI authentication CLI Firewall user groups Directory Service user groupsUser groups Protection profiles SSL VPN user groups Firewall Configuring user groupsSelect Create New and enter the following information To create a firewall user group CLI Configuring Directory Service user groupsMembers FortiGuard Web Available Users/Groups or Available Members Configuring SSL VPN user groups Viewing a list of user groups Configuring Peer user groupsTo create a peer group CLI Group Name Config user group delete groupname End User groups Authentication protocols Authentication timeoutEnter the Idle Timeout value seconds Select Apply Telnet Authentication Settings Firewall policy authentication Authentication is an Advanced firewall option Configuring authentication for a firewall policyTo configure authentication for a firewall policy Go to Firewall Policy Firewall Policy Move To Firewall policy order Zone Configuring authenticated access to the InternetSource Interface Configuring authentication of SSL VPN users VPN authenticationSelect Enable SSL-VPN and enter information as follows Go to VPN SSL Server Certificate Default RC4128Require Client Certificate Encryption Key Algorithm To configure authentication for an SSL VPN CLI Configuring authentication of Pptp VPN users/user groups Configuring authentication of VPN peers and clientsSelect Enable Pptp Select Require Client Certificate, and then select Apply Configuring authentication of remote IPSec VPN users Configuring authentication of L2TP VPN users/user groupsTo configure authentication for a Pptp VPN CLI To configure authentication for an L2TP VPN CLI Remote Gateway To configure user group authentication for dialup IPSec CLIOnly users with passwords on the FortiGate unit IPSec configuration for dialup users Configuring XAuth authentication Remote Gateway Authentication Method To configure authentication for a dialup IPSec VPN CLIXAuth Server Type VPN authentication Index 01-30007-0347-20080731 MS-CHAP VSA