Remote Gateway Authentication Method, XAuth | Fortinet v3.0 MR7


Configuring authenticated access	VPN authentication

Name	Name for group of dialup users using the VPN for authentication
	through RADIUS or LDAP servers.

Remote Gateway

Authentication

Method

List of the types of remote gateways for VPN. Select Dialup User.

List of authentication methods available for users. Select Preshared Key.

3Select Advanced to reveal additional parameters and enter the following information.

XAuth	Select Enable as Server.
Server Type	Select PAP, CHAP, or AUTO. Use CHAP whenever possible. Use
	PAP with all implementations of LDAP and with other
	authentication servers that do not support CHAP, including some
	implementations of Microsoft RADIUS. Use AUTO with the
	Fortinet Remote VPN Client and where the authentication server
	supports CHAP but the XAuth client does not.
User Group	List of available user groups. Select the user group that is to have
	access to the VPN. The list of user groups does not include any
	group that has members whose password is stored on the
	FortiGate unit.

4Configure other VPN gateway parameters as needed.

5Select OK.

For more information about XAUTH configuration, see the

FortiGate IPSec VPN User Guide.

To configure authentication for a dialup IPSec VPN - CLI

config vpn ipsec phase1 edit <gateway_name>

set peertype dialup set xauthtype pap

set authusrgrp <user_group_name> end

Parameters specific to setting up the VPN itself are not shown here. For detailed information about configuring an IPSec VPN, see the

FortiGate IPSec VPN User Guide.

FortiOS v3.0 MR7 User Authentication User Guide
01-30007-0347-20080828	59

Image 59

Fortinet v3.0 MR7 To configure authentication for a dialup IPSec VPN CLI, Remote Gateway Authentication Method, XAuth

Contents

E R G U I D E Trademarks FortiOS v3.0 MR7 User Authentication User Guide Contents Creating local users Creating peer users Configuring authenticated accessUsers/peers and user groups Index Introduction About authentication VPN client-based authentication User’s view of authenticationWeb-based user authentication See Creating local users on See Creating peer users on FortiGate administrator’s view of authentication See Configuring user groups on Authentication servers User groups Public Key Infrastructure PKI authenticationPeers Users VPN tunnels Authentication timeoutAbout this document Firewall policies Typographic conventions Name field, type adminFortiGate documentation Related documentation FortiGate Administration Guide FortiAnalyzer documentation FortiManager documentationFortiClient documentation FortiMail documentation Comments on Fortinet technical documentation Customer service and technical supportFortinet Tools and Documentation CD Fortinet Knowledge Center Radius servers Authentication servers Radius attributes sent in Radius accounting message Configuring the FortiGate unit to use a Radius server Primary Server Secret Primary Server Name/IP Group Edit icon Edit a Radius server configuration Ldap servers Ldapsearch -x objectclass= Configuring the FortiGate unit to use an Ldap server Identifier PasswordServer Port Common Name Certificate To configure the FortiGate unit for Ldap authentication CLIEdit Protocol Ldap server Distinguished Name Query tree Using the Query icon Ascii TACACS+ servers Server Key Authentication Type Directory Service servers Fsae Collector IP Create NewDomain Groups Fsae Collector IP/Name Port Directory Service server configuration Name CLI Example Directory Service server list Directory Service servers Users/peers Users/peers and user groups To create a local user web-based manager Go to User Local User type AuthenticationCreating local users To create a local user CLI To view a list of all local users, go to User LocalDelete icon Edit icon Delete icon To remove a user from the FortiGate unit configuration CLICreating peer users Subject Authenticating peer userTo view a list of PKI peer users, go to User PKI Remove PKI peer user To create a peer user for PKI authentication CLI Firewall user groups Directory Service user groupsUser groups Protection profiles SSL VPN user groups Firewall Configuring user groupsSelect Create New and enter the following information FortiGuard Web Configuring Directory Service user groupsTo create a firewall user group CLI Members Available Users/Groups or Available Members Configuring SSL VPN user groups Group Name Configuring Peer user groupsViewing a list of user groups To create a peer group CLI Config user group delete groupname End User groups Telnet Authentication timeoutAuthentication protocols Enter the Idle Timeout value seconds Select Apply Authentication Settings Firewall policy authentication Go to Firewall Policy Configuring authentication for a firewall policyAuthentication is an Advanced firewall option To configure authentication for a firewall policy Firewall Policy Move To Firewall policy order Zone Configuring authenticated access to the InternetSource Interface Go to VPN SSL VPN authenticationConfiguring authentication of SSL VPN users Select Enable SSL-VPN and enter information as follows Encryption Key Algorithm Default RC4128Server Certificate Require Client Certificate To configure authentication for an SSL VPN CLI Select Require Client Certificate, and then select Apply Configuring authentication of VPN peers and clientsConfiguring authentication of Pptp VPN users/user groups Select Enable Pptp To configure authentication for an L2TP VPN CLI Configuring authentication of L2TP VPN users/user groupsConfiguring authentication of remote IPSec VPN users To configure authentication for a Pptp VPN CLI Remote Gateway To configure user group authentication for dialup IPSec CLIOnly users with passwords on the FortiGate unit IPSec configuration for dialup users Configuring XAuth authentication Server Type To configure authentication for a dialup IPSec VPN CLIRemote Gateway Authentication Method XAuth VPN authentication Index 01-30007-0347-20080731 MS-CHAP VSA