Fortinet FortiGate v3.0 MR7 User Manual
User authentication
USER GUIDE
FortiOS v3.0 MR7
User Authentication User Guide
www.fortinet.com
Summary of Contents for Fortinet FortiGate v3.0 MR7

  • Page 1 USER GUIDE FortiOS v3.0 MR7 User Authentication User Guide www.fortinet.com...
  • Page 2 FortiOS v3.0 MR7 User Authentication User Guide 28 Aug 2008 01-30007-0347-20080828 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
  • Page 3: Table Of Contents

    FortiManager documentation ... 13 FortiClient documentation ... 13 FortiMail documentation ... 13 FortiAnalyzer documentation ... 13 Fortinet Tools and Documentation CD ... 14 Fortinet Knowledge Center ... 14 Comments on Fortinet technical documentation ... 14 Customer service and technical support ... 14 FortiGate authentication servers...
  • Page 4 Users/peers and user groups ... 31 Configuring authenticated access ... 43 Index... 57 Users/peers ... 31 Creating local users ... 32 Creating peer users ... 34 User groups ... 37 Firewall user groups... 37 Directory Service user groups... 37 SSL VPN user groups... 38 Protection profiles ...
  • Page 5: Introduction

    This section introduces you to the authentication process from the user's and the administrator's perspective, and provides supplementary information about Fortinet publications. Note: This document does not describe certificate-based VPN authentication. For information about this type of authentication, see the...
  • Page 6: User's View Of Authentication

    User’s view of authentication Web-based user authentication VPN client-based authentication The user sees a request for authentication when they try to access a protected resource. The way in which the request is presented to the user depends on the method of access to that resource.
  • Page 7: FortiGate Administrator's View Of Authentication

    Introduction FortiClient can store the user name and password for a VPN as part of the configuration for the VPN connection and pass them to the FortiGate unit as needed. Or, FortiClient can request the user name and password from the user when the FortiGate unit requests them.
  • Page 8: Authentication Servers

    FortiGate administrator’s view of authentication Authentication servers Create user groups. Add local/peer user members to each user group as appropriate. You can also add an authentication server to a user group. In this case, all users in the server’s database can authenticate. You can only configure peer user groups through the CLI.
  • Page 9: Public Key Infrastructure (PKI) Authentication

    Introduction Public Key Infrastructure (PKI) authentication A Public Key Infrastructure (PKI) is a comprehensive system of policies, processes, and technologies working together to enable users of the Internet to exchange information in a secure and confidential manner. PKIs are based on the use of cryptography - the scrambling of information by a mathematical formula and a virtual key so that it can only be decoded by an authorized party using a related key.
  • Page 10: Authentication Timeout

    About this document Authentication timeout Firewall policies VPN tunnels About this document Document conventions An authenticated connection expires when it has been idle for a length of time that you specify. The authentication timeout value set in User > Authentication > Authentication applies to every user of the system.
  • Page 11: Typographic Conventions

    File content Menu commands Program output Variables FortiGate documentation The most up-to-date publications and previous releases of Fortinet product documentation are available from the The following • FortiGate QuickStart Guide Provides basic information about connecting and installing a FortiGate unit.
  • Page 12: Related Documentation

    • FortiGate VLANs and VDOMs User Guide Describes how to configure VLANs and VDOMS in both NAT/Route and Transparent mode. Includes detailed examples. Additional information about Fortinet products is available from the following related documentation. Introduction Center, the FortiGate Log FortiOS v3.0 MR7 User Authentication User Guide...
  • Page 13: FortiManager Documentation

    Introduction FortiManager documentation • FortiManager QuickStart Guide Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings. • FortiManager System Administration Guide Describes how to use the FortiManager System to manage FortiGate devices. • FortiManager System online help Provides a searchable version of the Administration Guide in HTML format.
  • Page 14: Fortinet Tools And Documentation CD

    Customer service and technical support All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation see the Technical Documentation web site.
  • Page 15: FortiGate Authentication Servers

    Table 1 lists the attributes that are sent in the RADIUS accounting message:
    1. Acct-Session-ID
    2. User Name
    3. NAS-Identifier (FGT hostname)
    4. Framed-IP-Address (IP address assigned to the client)
    5. Fortinet-VSA (IP address client is connecting from)
    6. Acct-Input-Octets
    7. Acct-Output-Octets
  • Page 16: Configuring The FortiGate Unit To Use A RADIUS Server

    PPTP/L2TP (in PPP) SSL-VPN In order to support vendor-specific attributes (VSA), the RADIUS server requires a dictionary to define what the VSAs are. Fortinet’s dictionary is configured this way:
    Fortinet’s VSA’s
    VENDOR fortinet 12356
    BEGIN-VENDOR fortinet
    ATTRIBUTE Fortinet-Group-Name 1 string
    ...
  • Page 17 Authentication servers • Change the FortiGate unit default RADIUS port to 1645 using the CLI: config system global To configure the FortiGate unit for RADIUS authentication - web-based manager Go to User > Remote > RADIUS and select Create New. Enter the following information, and select OK.
  • Page 18 RADIUS servers To configure the FortiGate unit for RADIUS authentication - CLI
    config user radius
      edit <server_name>
        set all-usergroup {enable | disable}
        set auth-type <authentication_protocol>
        set nas-ip <nas_ip_called_id>
        set radius-port <radius_port_id>
        set secondary-server <secondary_ip_address>
        set secondary-secret <secondary_password>
        set server <primary_ip_address>
        set secret <primary_password>
        ...
  • Page 19: LDAP Servers

    Authentication servers To remove a RADIUS server from the FortiGate unit configuration - CLI config user radius LDAP servers Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers.
  • Page 20 LDAP servers FortiGate LDAP does not support proprietary functionality, such as notification of password expiration, which is available from some LDAP servers. FortiGate LDAP does not supply information to the user about why authentication failed. To configure your FortiGate unit to work with an LDAP server, you need to understand the organization of the information on the server.
  • Page 21: Configuring The FortiGate Unit To Use An LDAP Server

    Authentication servers The output is lengthy, but the information you need is in the first few lines:
    version: 2
    # filter: (objectclass=*)
    # requesting: ALL
    dn: dc=example,dc=com
    dc: example
    objectClass: top
    objectClass: domain

    dn: ou=People,dc=example,dc=com
    ou: People
    objectClass: top
    objectClass: organizationalUnit

    dn: uid=auser,ou=People,dc=example,dc=com
    uid: auser
    cn: Alex User
    ...
  • Page 22 LDAP servers Figure 3: Configure FortiGate unit for LDAP authentication Name Enter the name that identifies the LDAP server on the FortiGate unit. Server Name/IP Enter the domain name or IP address of the LDAP server. Server Port Enter the TCP port used to communicate with the LDAP server. By default, LDAP uses port 389.
  • Page 23 Authentication servers Protocol Certificate To configure the FortiGate unit for LDAP authentication - CLI config user ldap To remove an LDAP server from the FortiGate unit configuration - web-based manager Note: You cannot remove an LDAP server that belongs to a user group. Remove it from the user group first.
  • Page 24: Using The Query Icon

    LDAP servers Common Name The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers Identifier such as uid. Distinguished The distinguished name used to look up entries on the LDAP servers use.
  • Page 25: TACACS+ Servers

    Authentication servers TACACS+ servers In recent years, remote network access has shifted from terminal access to LAN access. Users are now connecting to their corporate network (using notebooks or home PCs) with computers that utilize complete network connections. Remote node technology allows users the same level of access to the corporate network resources as they would have if they were physically in the office.
  • Page 26 TACACS+ servers Figure 6: TACACS+ server configuration Name Enter the name of the TACACS+ server. Server Name/IP Enter the server domain name or IP address of the TACACS+ server. Server Key Enter the key to access the TACACS+ server. Authentication Type Select the authentication type to use for the TACACS+ server.
  • Page 27: Directory Service Servers

    Directory Service user groups. When a user logs in to the Windows or Novell domain, a Fortinet Server Authentication Extension (FSAE) sends the FortiGate unit the user’s IP address and the names of the Directory Service user groups to which the user belongs.
  • Page 28: Configuring The FortiGate Unit To Use A Directory Service Server

    Directory Service servers Configuring the FortiGate unit to use a Directory Service server To view the list of Directory Service servers, go to User > Directory Service. Figure 8: Example Directory Service server list Server Expand Arrow (Directory Service server) Domain and groups Create New Add a new Directory Service server.
  • Page 29 Authentication servers For more information about FSAE, see the To configure the FortiGate unit for Directory Service authentication - web-based manager Go to User > Directory Service and select Create New. Enter the following information, and select OK. Figure 9: Directory Service server configuration Name FSAE Collector IP/Name...
  • Page 30 Directory Service servers To remove a Directory Service server from the FortiGate unit configuration - web-based manager Note: You cannot remove a Directory Service server that belongs to a user group. Remove it from the user group first. Go to User > Directory Service. Select the Delete icon beside the name of the Directory Service server that you want to remove.
  • Page 31 Authentication servers Figure 11: Example Directory Service server list Server Expand Arrow (Directory Service server) Domain and groups Create New Name FSAE Collector IP Delete icon Edit icon Add User/Group Edit Users/Group Add a new Directory Service server.
  • Page 33: Creating Local Users

    Users/peers and user groups Users/peers and user groups FortiGate authentication controls system access by user group. First you configure users/peers, then you create user groups and add users/peers to them. • Configure local user accounts. For each user, you can choose whether the password is verified by the FortiGate unit, by a RADIUS server, by an LDAP server, or by a TACACS+ server.
  • Page 34: Creating Local Users

    Users/peers Creating local users User type Authentication Authentication server user Any user with an identity on the authentication server can authenticate on the FortiGate unit by providing a user name and password that match a user identity stored on the authentication server.
  • Page 35 Users/peers and user groups User Name Disable Password LDAP RADIUS TACACS+ To view a list of all local users, go to User > Local. Figure 13: Local user list Create New User Name Type Delete icon Edit icon To create a local user - CLI config user local...
  • Page 36: Creating Peer Users

    Users/peers Creating peer users
    config user local
      edit <user_name>
        set type ldap
        set ldap_server <server_name>
    config user local
      edit <user_name>
        set type radius
        set radius_server <server_name>
    config user local
      edit <user_name>
        set type tacacs+
        set tacacs+_server <server_name>
    To remove a user from the FortiGate unit configuration - web-based manager Note: You cannot remove a user that belongs to a user group that is part of a firewall policy.
  • Page 37 Users/peers and user groups • a peer user name • the text from the subject field of the certificate of the authenticating peer user, or the CA certificate used to authenticate the peer user. You can configure a peer user with no values for the subject and certificate fields. This user behaves like a user account or policy that is disabled.
  • Page 38 Users/peers Delete icon Delete this PKI peer user. Note: The delete icon is not available if the peer user belongs to a user group. Edit icon Edit this PKI peer user. To create a peer user for PKI authentication - CLI config user peer edit <peer name>...
  • Page 39: User Groups

    On a network, you can configure the FortiGate unit to allow access to members of Directory Service server user groups who have been authenticated on the network. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network domain controllers.
  • Page 40: SSL VPN User Groups

    User groups SSL VPN user groups Protection profiles Note: You cannot use Directory Service user groups directly in FortiGate firewall policies. You must add Directory Service groups to FortiGate user groups. A Directory Service group should belong to only one FortiGate user group. If you assign it to multiple FortiGate user groups, the FortiGate unit recognizes only the last user group assignment.
  • Page 41: Configuring User Groups

    Users/peers and user groups For more information about protection profiles, see the Guide. Configuring user groups You create a user group by typing a name, selecting users and/or authentication servers, and selecting a protection profile. To create a Firewall user group - web-based manager Go to User >...
  • Page 42: Configuring Directory Service User Groups

    On a network, you can configure the FortiGate unit to allow access to members of Directory Service server user groups who have been authenticated on the network. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network domain controllers.
  • Page 43: Configuring SSL VPN User Groups

    Users/peers and user groups Figure 19: User group configuration - Directory Service Expand Arrow Name Type Protection Profile Available Users/Groups or Available Members* Members FortiGuard Web Filtering Override SSL-VPN User Group Options Configuring SSL VPN user groups For detailed instructions about how to configure SSL VPN web-only mode or tunnel mode operation, see the...
  • Page 44: Configuring Peer User Groups

    User groups Configuring Peer user groups Peer user groups can only be configured using the CLI. Peers are digital certificate holders defined using the config user peer command. You use the peer groups you define here in the config vpn ipsec phase1 command if you specify peertype as peergrp.
  • Page 45 Users/peers and user groups To remove a user group from the FortiGate unit configuration - web-based manager Go to User > User Group. Select the Delete icon beside the name of the user group that you want to remove. Select OK. Figure 21: Remove user group Expand Arrow To remove a user group from the FortiGate unit configuration - CLI...
  • Page 47: Firewall Policy Authentication

    Configuring authenticated access Configuring authenticated access When you have configured authentication servers, users, and user groups, you are ready to configure firewall policies and certain types of VPNs to require user authentication. This section describes: • Authentication timeout • Authentication protocols •...
  • Page 48: Firewall Policy Authentication

    Firewall policy authentication Firewall policy authentication When user authentication is enabled on a firewall policy, the authentication challenge is normally issued for any of the four protocols (dependent on the connection protocol). By making selections in the Protocol Support list, the user controls which protocols support the authentication challenge.
  • Page 49: Configuring Authentication For A Firewall Policy

    Configuring authenticated access The style of the authentication method varies by the authentication protocol. If you have selected HTTP, FTP or Telnet, user name and password-based authentication occurs: the FortiGate unit prompts network users to input their firewall user name and password. If you have selected HTTPS, certificate-based authentication (HTTPS or HTTP redirected to HTTPS only) occurs: you must install customized certificates on the FortiGate unit and on the browsers of network users, which the FortiGate unit matches.
  • Page 50: Firewall Policy Order

    Firewall policy authentication Firewall policy order One at a time, select user group names from the Available Groups list and select the right-pointing arrow button to move them to the Allowed list. All members of the groups in the Allowed list will be authenticated with this firewall policy. To use a CA certificate for authentication, in Certificate, select the certificate to use from the drop-down list.
  • Page 51: Configuring Authenticated Access To The Internet

    Configuring authenticated access The FortiGate unit performs authentication only on requests to access HTTP, HTTPS, FTP, and Telnet. Once the user is authenticated, the user can access other services if the firewall policy permits. Select the position of the DNS policy so that it precedes the policy that provides access to the Internet.
  • Page 52: VPN Authentication

    VPN authentication VPN authentication Configuring authentication of SSL VPN users All VPN configurations require users to authenticate. Authentication based on user groups applies to: • SSL VPNs • PPTP and L2TP VPNs • an IPSec VPN that authenticates users using dialup groups •...
  • Page 53 Select the signed server certificate to use for authentication purposes. If you leave the default setting (Self-Signed), the FortiGate unit offers its factory installed (self-signed) certificate from Fortinet to remote clients when they connect. If you want to enable the use of group certificates for authenticating remote clients, select the check box.
  • Page 54: Configuring Strong Authentication Of SSL VPN Users/User Groups

    VPN authentication Configuring strong authentication of SSL VPN users/user groups To configure authentication for an SSL VPN - CLI
    config vpn ssl settings
      set algorithm
      set auth-timeout
      set dns-server1
      set dns-server2
      set idle-timeout
      set portal-heading
      set reqclientcert
      set route-source-interface
      set servercert
      set sslv2
      set sslv3
      set sslvpn-enable
      ...
  • Page 55: Configuring Authentication Of Vpn Peers And Clients

    Configuring authenticated access Note: The SSL protocol requires that the FortiGate unit identify itself whenever a web browser accesses the web portal login page through an HTTPS link. If you would like to configure the FortiGate unit to identify itself using a CA-issued server certificate instead of the factory-installed self-signed certificate, select the name of the signed server certificate from the Server Certificate list on the SSL-VPN Settings page when you enable strong authentication for SSL VPN users.
  • Page 56: Configuring Authentication Of L2TP VPN Users/User Groups

    VPN authentication Enter Starting IP and Ending IP addresses. This defines the range of addresses assigned to VPN clients. Select the user group that is to have access to this VPN. The FortiGate unit authenticates members of this user group. Select Apply.
  • Page 57 Configuring authenticated access Go to VPN > IPSec > Auto Key (IKE), select Create Phase 1 and enter the following information. Figure 28: Configure VPN IPSec dialup authentication Name Remote Gateway Authentication Method Peer Options Note: The Accept peer ID in dialup group option does not support authentication of users through an authentication server.
  • Page 58: Configuring XAuth Authentication

    VPN authentication Configuring XAuth authentication Extended Authentication (XAuth) increases security by requiring additional user authentication in a separate exchange at the end of the VPN Phase 1 negotiation. The FortiGate unit challenges the user for a user name and password. It then forwards the user credentials to an external RADIUS or LDAP server for verification.
  • Page 59 CHAP, including some implementations of Microsoft RADIUS. Use AUTO with the Fortinet Remote VPN Client and where the authentication server supports CHAP but the XAuth client does not. List of available user groups. Select the user group that is to have access to the VPN.
  • Page 61: Index

    Index Index Active Directory - see Directory Service administrator authentication 7 ASCII 25 attributes RADIUS 15 authenticated access configuring 47 authenticating users FortiGate 33 with LDAP servers 34 with RADIUS servers 34 with TACACS+ servers 34 authentication 54 about 5 access to DNS server 51 certificate 54 firewall policy 48, 49...
  • Page 62 Knowledge Center 14 product documentation 12 technical support 14 Fortinet documentation 11 commenting on 14 Fortinet Knowledge Center 14 Fortinet Server Authentication Extension - see FSAE FSAE 27 collector agent 27 components 27 domain controller 27 hierarchy LDAP servers 20...
  • Page 63 Index list order changing 50 firewall policy 50 local users configuring 34 creating 34 deleting from FortiGate configuration 36 removing from FortiGate configuration 36 viewing list of 35 MS-CHAP 25 Novell edirectory - see Directory Service PAP 25 peer user groups configuring 44 creating 44 peer users 33, 36...
  • Page 64 timeout authentication 10 tunnel mode SSL VPN IP range 52 types of user groups 39 types of users 33 Typographic conventions 11 user authentication IPSec VPN dialup users 56 L2TP VPN 56 PPTP VPN 55 protocols 47 SSL VPN 52 timeout 47 XAuth 58 user groups 39...