VPN authentication, Go to VPN SSL | Fortinet v3.0 MR7 specification

VPN authentication

Configuring authenticated access

VPN authentication

All VPN configurations require users to authenticate. Authentication based on user groups applies to:

•SSL VPNs

•PPTP and L2TP VPNs

•an IPSec VPN that authenticates users using dialup groups

•a dialup IPSec VPN that uses XAUTH authentication (Phase 1)

This document does not describe the use of certificates for VPN authentication. See the FortiGate IPSec VPN User Guide and the FortiGate Certificate Management User Guide for information on this type of authentication.

You must create user accounts and user groups before performing the procedures in this section. If you create a user group for dialup IPSec clients or peers that have unique peer IDs, their user accounts must be stored locally on the FortiGate unit. You cannot authenticate these types of users using a RADIUS or LDAP server.

Configuring authentication of SSL VPN users

To configure authentication for an SSL VPN - web-based manager

1Configure the users who are permitted to use this VPN. Create a user group and add them to it.

For more information, see “Users/peers and user groups” on page 33.

2Go to VPN > SSL.

3Select Enable SSL-VPN and enter information as follows:

Figure 26: SSL VPN Settings

Enable SSL VPN	Select to enable SSL VPN connections.
Tunnel IP Range	Specify the range of IP addresses reserved for tunnel-
	mode SSL VPN clients. Type the starting and ending
	address that defines the range of reserved IP
	addresses.

FortiOS v3.0 MR7 User Authentication User Guide

52	01-30007-0347-20080828

Image 52

Fortinet v3.0 MR7 manual VPN authentication, Configuring authentication of SSL VPN users, Go to VPN SSL, Tunnel IP Range

Contents

E R G U I D E FortiOS v3.0 MR7 User Authentication User Guide Trademarks Contents Configuring authenticated access Users/peers and user groupsIndex Creating local users Creating peer users About authentication Introduction Web-based user authentication User’s view of authenticationVPN client-based authentication FortiGate administrator’s view of authentication See Creating local users on See Creating peer users on Authentication servers See Configuring user groups on Public Key Infrastructure PKI authentication PeersUsers User groups Authentication timeout About this documentFirewall policies VPN tunnels FortiGate documentation Name field, type adminTypographic conventions FortiGate Administration Guide Related documentation FortiManager documentation FortiClient documentationFortiMail documentation FortiAnalyzer documentation Customer service and technical support Fortinet Tools and Documentation CDFortinet Knowledge Center Comments on Fortinet technical documentation Authentication servers Radius servers Configuring the FortiGate unit to use a Radius server Radius attributes sent in Radius accounting message Primary Server Name/IP Primary Server Secret Edit icon Edit a Radius server configuration Group Ldap servers Ldapsearch -x objectclass= Configuring the FortiGate unit to use an Ldap server Password Server PortCommon Name Identifier To configure the FortiGate unit for Ldap authentication CLI EditProtocol Certificate Using the Query icon Ldap server Distinguished Name Query tree TACACS+ servers Ascii Authentication Type Server Key Directory Service servers Create New DomainGroups Fsae Collector IP Directory Service server configuration Name Fsae Collector IP/Name Port CLI Example Directory Service server list Directory Service servers Users/peers and user groups Users/peers Creating local users User type AuthenticationTo create a local user web-based manager Go to User Local Delete icon Edit icon To view a list of all local users, go to User LocalTo create a local user CLI Creating peer users To remove a user from the FortiGate unit configuration CLIDelete icon To view a list of PKI peer users, go to User PKI Authenticating peer userSubject To create a peer user for PKI authentication CLI Remove PKI peer user User groups Directory Service user groupsFirewall user groups SSL VPN user groups Protection profiles Select Create New and enter the following information Configuring user groupsFirewall Configuring Directory Service user groups To create a firewall user group CLIMembers FortiGuard Web Configuring SSL VPN user groups Available Users/Groups or Available Members Configuring Peer user groups Viewing a list of user groupsTo create a peer group CLI Group Name Config user group delete groupname End User groups Authentication timeout Authentication protocolsEnter the Idle Timeout value seconds Select Apply Telnet Firewall policy authentication Authentication Settings Configuring authentication for a firewall policy Authentication is an Advanced firewall optionTo configure authentication for a firewall policy Go to Firewall Policy Firewall policy order Firewall Policy Move To Source Interface Configuring authenticated access to the InternetZone VPN authentication Configuring authentication of SSL VPN usersSelect Enable SSL-VPN and enter information as follows Go to VPN SSL Default RC4128 Server CertificateRequire Client Certificate Encryption Key Algorithm To configure authentication for an SSL VPN CLI Configuring authentication of VPN peers and clients Configuring authentication of Pptp VPN users/user groupsSelect Enable Pptp Select Require Client Certificate, and then select Apply Configuring authentication of L2TP VPN users/user groups Configuring authentication of remote IPSec VPN usersTo configure authentication for a Pptp VPN CLI To configure authentication for an L2TP VPN CLI Only users with passwords on the FortiGate unit To configure user group authentication for dialup IPSec CLIRemote Gateway Configuring XAuth authentication IPSec configuration for dialup users To configure authentication for a dialup IPSec VPN CLI Remote Gateway Authentication MethodXAuth Server Type VPN authentication Index 01-30007-0347-20080731 MS-CHAP VSA