Options - Fortinet FortiGate Series Administration Manual

User

Options

FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/ • Feedback
To dynamically assign IP addresses for PPTP VPN users
For PPTP VPN you can use a RADIUS server to assign IP addresses for PPTP users by
adding the RADIUS server that can assign IP addresses to a firewall user group. Then
configure PPTP VPN to use this user group.
1 Go to User > User Group and create a new user group or edit a firewall user group.
2 Set Type to Firewall.
3 Add the RADIUS server that assigns IP addresses to the Members list and save the
Firewall user group.
4 Connect to the FortiGate CLI and enter the following command to enable PPTP,
configure assigning IP addresses with a user group, and add the user group containing
the RADIUS server to the PPTP VPN configuration.
config vpn pptp
set status enable
set ip-mode usrgrp
set usrgrp <user_group>
set sip <address>
set eip <address>
end
You can define setting options for user authentication, including authentication timeout,
supported protocols, and authentication certificates.
Authentication timeout controls how long an authenticated firewall connection can be idle
before the user must authenticate again.
When user authentication is enabled on a firewall policy, the authentication challenge is
normally issued for any of the four protocols (depending on the connection protocol):
• HTTP (can also be set to redirect to HTTPS)
• HTTPS
• FTP
• Telnet.
The selections made in the Protocol Support list of the Authentication Settings screen
control which protocols support the authentication challenge. Users must connect with a
supported protocol first so they can subsequently connect with other protocols. If HTTPS
is selected as a method of protocol support, it allows the user to authenticate with a
customized Local certificate.
When you enable user authentication on a firewall policy, the firewall policy user will be
challenged to authenticate. For user ID and password authentication, users must provide
their user names and passwords. For certificate authentication (HTTPS or HTTP
redirected to HTTPS only), you can install customized certificates on the FortiGate unit
and the users can also have customized certificates installed on their browsers.
Otherwise, users will see a warning message and have to accept a default FortiGate
certificate.
Note: When you use certificate authentication, if you do not specify any certificate when
you create the firewall policy, the global settings will be used. If you specify a certificate, the
per-policy setting will overwrite the global setting. For information about how to use
certificate authentication, see FortiGate Certificate Management User
Options
Guide.
675