Directory Service - Fortinet FortiGate Series Administration Manual

Directory Service

Directory Service
662
• MS-CHAP (Microsoft challenge-handshake authentication protocol v1)
Microsoft-specific version of CHAP.
The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.
To add a new TACACS+ server, go to User > Remote > TACACS+, select Create New,
and enter or select the following:
Figure 410: TACACS+ server configuration
Name Enter the name of the TACACS+ server.
Server Name/IP Enter the server domain name or IP address of the TACACS+ server.
Server Key Enter the key to access the TACACS+ server. The server key should be a
maximum of 16 characters in length.
Authentication Type Select the authentication type to use for the TACACS+ server. Selection
includes: Auto, ASCII, PAP, CHAP, and MSCHAP. Auto authenticates using
PAP, MSCHAP, and CHAP (in that order).
Windows Active Directory (AD) and Novell eDirectory provide central authentication
services by storing information about network resources across a domain (a logical group
of computers running versions of an operating system) in a central directory database.
Each person who uses computers within a domain receives his or her own unique
account/user name. This account can be assigned access to resources within the domain.
In a domain, the directory resides on computers that are configured as domain controllers.
A domain controller is a server that manages all security-related features that affect the
user/domain interactions, security centralization, and administrative functions.
FortiGate units use firewall policies to control access to resources based on user groups
configured in the policies. Each FortiGate user group is associated with one or more
Directory Service user groups. When a user logs in to the Windows or Novell domain, a
Fortinet Server Authentication Extension (FSAE) sends the FortiGate unit the user's IP
address and the names of the Directory Service user groups to which the user belongs.
The FSAE has two components that you must install on your network:
• The domain controller (DC) agent must be installed on every domain controller to
monitor user logins and send information about them to the collector agent.
• The collector agent must be installed on at least one domain controller to send the
information received from the DC agents to the FortiGate unit.
The FortiGate unit uses this information to maintain a copy of the domain controller user
group database. Because the domain controller authenticates users, the FortiGate unit
does not perform authentication. It recognizes group members by their IP address.
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
User
• Feedback