Fortinet FortiGate User Manual

User authentication
U S E R G U I D E
FortiGate User Authentication
Version 1
www.fortinet.com

Summary of Contents for Fortinet FortiGate

  • Page 1 U S E R G U I D E FortiGate User Authentication Version 1 www.fortinet.com...
  • Page 2 Version 1 25 August 2005 01-28007-0233-20050825 © Copyright 2005 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
  • Page 3: Table Of Contents

    Configuring the FortiGate unit to use an LDAP server ........ 12
    Active Directory servers ................. 13
    Understanding your Active Directory server .......... 13
    Configuring the FortiGate unit to use an Active Directory server .... 13
    Users and user groups .............. 15
    Users ......................... 15
    Defining local users ..................
  • Page 4 Table of Contents FortiGate User Authentication Version 1 Guide 01-28007-0233-20050825...
  • Page 5: Introduction

    The user’s view of authentication Introduction On a FortiGate unit, you can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of the user groups that is allowed access.
  • Page 6: Vpn Client-Based Authentication

    • a user whose user name and password are stored on the FortiGate unit
    • a user whose name is stored on the FortiGate unit and whose password is stored on an external authentication server
    • an external authentication server with a database that contains the user name...
  • Page 7: Authentication Servers

    “Enabling XAuth authentication for dialup IPSec VPN clients” on page Authentication servers The FortiGate unit can store user names and passwords and use them to authenticate users. In an enterprise environment, it might be more convenient to use the same system that provides authentication for local area network access, email and other services.
  • Page 8: Authentication Timeout

    You select a protection profile for each User Group. Protection profiles determine the level of web filtering, antivirus protection and spam filtering applied to traffic controlled by the firewall policy to which members of this user group authenticate. For more information about protection profiles, see the FortiGate Administration Guide. Authentication timeout An authenticated connection expires when it has been idle for a length of time that you specify.
  • Page 9: Authentication Servers

    See the documentation provided with your RADIUS server for configuration details. Configuring the FortiGate unit to use a RADIUS server On the FortiGate unit, the default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645, you can either •...
  • Page 10: Ldap Servers

    LDAP Servers Authentication servers To configure the FortiGate unit, you need to know the server’s domain name or IP address and its shared secret key. To configure the FortiGate unit for RADIUS authentication - web-based manager Go to User > RADIUS.
  • Page 11: Understanding Your Ldap Server

    You need to determine the levels of the hierarchy from the top to the level that contains the identifier you want to use. This defines the DN that the FortiGate unit uses to search the LDAP database. Frequently used distinguished name elements include: •...
  • Page 12: Configuring The Fortigate Unit To Use An Ldap Server

    After you determine the common name and distinguished name identifiers and the domain name or IP address of the LDAP server, you can configure the server on the FortiGate unit. To configure the FortiGate unit for LDAP authentication - web-based manager Go to User > LDAP.
  • Page 13: Active Directory Servers

    Configuring the FortiGate unit to use an Active Directory server You can configure the FortiGate unit to access the Active Directory server using either distinguished name or UPN. To configure the FortiGate unit for Active Directory server authentication Go to User >...
  • Page 14 Go to User > LDAP. Select Delete beside the server name that you want to delete. Select OK.
    To remove an Active Directory server from the FortiGate unit configuration -
        config user ldap
            delete <name>
  • Page 15: Users And User Groups

    Users A user is a user account configured on the FortiGate unit and/or on an external authentication server. Users can access resources that require authentication only if they are members of an allowed user group.
  • Page 16
                <user_name>
                    set type password
                    set passwd <user_password>
            config user local
                edit <user_name>
                    set type ldap
                    set ldap_server <server_name>
            config user local
                edit <user_name>
                    set type radius
                    set radius_server <server_name>
  • Page 17: User Groups

    But when a firewall policy requires authentication, its own protection profile is disabled and the user group protection profile applies. For more information about protection profiles, see “Protection profile” in the Firewall chapter of the FortiGate Administration Guide for your unit.
  • Page 18 User groups Users and user groups To define a group - CLI
            config user group
                edit <group_name>
                    set member <user1> <user2> ... <usern>
                    set profile <profile_name>
  • Page 19: Configuring Authenticated Access

    Enter the Auth Timeout value (minutes). Select Apply. Firewall policy authentication Firewall policies control traffic between FortiGate interfaces, both physical interfaces and VLAN subinterfaces. Without authentication, a firewall policy enables access from one network to another for all users on the source network.
  • Page 20: Configuring Authentication For A Firewall Policy

    Select Create New and create a new policy or select Edit on an existing policy. From the Action list, select ACCEPT. Configure the other firewall policy parameters as appropriate. For information about firewall policies, see the Firewall chapter of the FortiGate Administration Guide. Select Advanced.
  • Page 21: Firewall Policy Order

    IPSec VPN that uses XAUTH authentication (Phase 1) This document does not describe the use of certificates for VPN authentication. See the FortiGate VPN Guide for information on this type of authentication.
  • Page 22: Authenticating Pptp And L2Tp Vpn Users

    Enter Starting IP and Ending IP addresses. This defines the range of addresses assigned to VPN clients. Select the user group that is to have access to this VPN. The FortiGate unit authenticates members of this user group. Select Apply.
  • Page 23: Authenticating Remote Ipsec Vpn Users Using Dialup Groups

    VPN authentication Authenticating remote IPSec VPN users using dialup groups An IPSec VPN on a FortiGate unit can authenticate remote users through a dialup group instead of using peer IDs. For information about authentication using peer IDs and peer groups, see “Enabling VPN peer identification” in the FortiGate VPN Guide.
  • Page 24: Enabling Xauth Authentication For Dialup Ipsec Vpn Clients

    VPN authentication Configuring authenticated access Parameters specific to setting up the VPN itself are not shown here. For detailed information, see the “Configuring IPSec VPNs” chapter of the FortiGate VPN Guide. Enabling XAuth authentication for dialup IPSec VPN clients XAuth can be used in addition to or in place of IPSec phase 1 peer options to provide access security through an LDAP or RADIUS authentication server.
  • Page 25 Use CHAP whenever possible. Use PAP with all implementations of LDAP and with other authentication servers that do not support CHAP, including some implementations of Microsoft RADIUS. Use MIXED with the Fortinet Remote VPN Client and where the authentication server supports CHAP but the XAuth client does not.
  • Page 26 VPN authentication Configuring authenticated access
