Authentication Servers; Users; User Groups - Fortinet FortiGate User Manual

User authentication
Introduction

Authentication servers

Users

User groups

FortiGate User Authentication Version 1 Guide
01-28007-0233-20050825
See "Enabling XAuth authentication for dialup IPSec VPN clients" on page 24.
The FortiGate unit can store user names and passwords and use them to authenticate users. In an enterprise environment, it might be more convenient to use the same system that provides authentication for local area network access, email and other services. Users who access the corporate network from home or while traveling could use the same user name and password that they use at the office.

You can configure the FortiGate unit to work with external authentication servers in two different ways:

Add the authentication server to a user group. Anyone in the server's database is a member of the user group. This is a simple way to provide access to the corporate VPN for all employees, for example. You do not need to configure individual users on the FortiGate unit.

or

Specify the authentication server instead of a password when you configure the individual user identity on the FortiGate unit. The user name must exist on both the FortiGate unit and authentication server. User names that exist only on the authentication server cannot authenticate on the FortiGate unit. This method enables you to provide access only to selected employees, for example.

You cannot combine these two uses of an authentication server in the same user group. If you add the server to the user group, adding individual users with authentication to that server is redundant.

If you want to use external authentication servers, you must configure them before you configure users and user groups.
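The two methods above expressed as FortiOS CLI configuration. This is an added example, not text from the guide; the guide documents the web-based manager, and the CLI command names and keywords here are assumed from later FortiOS releases, so check them against the CLI reference for your firmware. All server names, addresses, secrets and user names are placeholders.

```text
# Added example (assumed FortiOS CLI syntax, not from this guide).
# Step 1: define the external RADIUS server first, before any user or group
# refers to it. Address and shared secret are placeholders.
config user radius
    edit "corp-radius"
        set server "192.0.2.10"
        set secret "REPLACE-WITH-SHARED-SECRET"
    next
end

# Method A: the server itself is the group member.
# Anyone the server can authenticate belongs to the group; no local user
# entries are needed on the FortiGate unit.
config user group
    edit "all-employees-vpn"
        set member "corp-radius"
    next
end

# Method B: local user identities whose password check is delegated to the
# server ("type radius" instead of a local password). Only the named users
# can authenticate, and each name must also exist on the RADIUS server.
config user local
    edit "alice"
        set type radius
        set radius-server "corp-radius"
    next
    edit "bob"
        set type radius
        set radius-server "corp-radius"
    next
end

# A second group lists the individual users, not the server. Do not add
# "corp-radius" to this group as well: the individual entries would then
# be redundant, and the group would admit everyone in the server database.
config user group
    edit "support-staff"
        set member "alice" "bob"
    next
end
```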
You define user identities in the User > Local page of the web-based manager. Although it is simpler to define passwords locally, when there are many users the administrative effort to maintain the database is considerable. Users cannot change their own passwords on the FortiGate unit. When an external authentication server is part of an enterprise network authentication system, users can change their own passwords. Frequent changing of passwords is a good security practice.

A user group can contain individual users and authentication servers. A user or authentication server can belong to more than one group.

Authentication is group based. Firewall policies can allow multiple groups access, but authentication for a VPN allows access to only one group. These considerations affect how you define the groups for your organization. Usually you need a user group for each VPN. For firewall policies, you can create user groups that reflect how you manage network privileges in your organization. For example, you might create a user group for each department or create user groups based on functions such as customer support or account manager.
The FortiGate administrator's view of authentication
