Configuring authenticated access
FortiGate User Authentication Version 1 Guide
01-28007-0233-20050825
5. Set Source Address and Destination Address to all.
6. From the Schedule list, select always.
7. From the Service list, select DNS.
8. From the Action list, select ACCEPT.
9. Select OK.
10. In the Policy list, select Move To for the DNS policy and move it so that it precedes the policy that provides access to the Internet.
The FortiGate unit performs authentication only on requests to access HTTP,
HTTPS, FTP and Telnet. Once the user is authenticated, the user can access
other services if the firewall policy permits.
Firewall policy order
The firewall policies that you create must be correctly placed in the policy list to be
effective. The firewall evaluates a connection request by checking the policy list
from the top down, looking for the first policy that matches the source and
destination addresses of the packet. Keep these rules in mind:
• More specific policies must be placed above more general ones.
• Any policy that requires authentication must be placed above any similar policy
that does not.
• If a user fails authentication, the firewall drops the request and does not check
for a match with any of the remaining policies.
• If you create a policy that requires authentication for HTTP access to the
Internet, you must precede this policy with a policy for unauthenticated access
to the appropriate DNS server.
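To make the ordering rules concrete, here is an added Python model (not from the guide or from Fortinet) of the top-down, first-match evaluation described above, with a check for the two rules on authentication policies; it also reproduces the DNS policy from step 10. The Policy class, its field names, the verdict strings and the sample addresses are constructed for this example.

```python
from dataclasses import dataclass

# Per the guide, authentication is performed only for these services; a request for any
# other service that hits an authentication policy before the user is authenticated
# cannot be challenged, so this model treats it as dropped.
AUTH_SERVICES = {"HTTP", "HTTPS", "FTP", "TELNET"}

@dataclass
class Policy:
    name: str
    src: str           # "all" or a named source address (constructed model)
    dst: str
    service: str       # "ANY" or one service name
    action: str        # "ACCEPT" or "DENY"
    auth_required: bool = False

def evaluate(policies, src, dst, service, authenticated):
    """Top-down, first-match evaluation as the guide describes. Returns (policy, verdict)."""
    for p in policies:
        if p.src not in ("all", src) or p.dst not in ("all", dst):
            continue
        if p.service not in ("ANY", service):
            continue
        if p.auth_required and not authenticated:
            # Absent/failed authentication ends evaluation: later policies are not checked.
            return p.name, "AUTH_REQUIRED" if service in AUTH_SERVICES else "DROP"
        return p.name, p.action
    return None, "DROP"  # no match: implicit deny

def order_warnings(policies):
    """Flag orderings that break the two rules given for authentication policies."""
    warnings = []
    for i, p in enumerate(policies):
        if not p.auth_required:
            continue
        above = policies[:i]
        for q in above:  # a similar unauthenticated policy above it matches first
            if (not q.auth_required and q.src == p.src and q.dst == p.dst
                    and q.service in ("ANY", p.service)):
                warnings.append(f"{q.name} shadows {p.name}: authentication is never enforced")
        if p.service in ("ANY", "HTTP") and not any(
                not q.auth_required and q.action == "ACCEPT" and q.service in ("ANY", "DNS")
                for q in above):
            warnings.append(f"{p.name}: no unauthenticated DNS policy precedes it")
    return warnings

# Constructed sample: the authenticated Internet policy and the open DNS policy from the steps.
INTERNET = Policy("internet-auth", "all", "all", "ANY", "ACCEPT", auth_required=True)
DNS = Policy("dns-open", "all", "all", "DNS", "ACCEPT")
BEFORE_MOVE = [INTERNET, DNS]   # DNS policy created last, so it starts below the Internet policy
AFTER_MOVE = [DNS, INTERNET]    # after "Move To": DNS precedes the Internet policy
```

With BEFORE_MOVE an unauthenticated client's DNS lookup matches the Internet policy first and is dropped, so the user never reaches the HTTP login prompt; AFTER_MOVE lets DNS through and only challenges the HTTP request.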
To change the position of a policy in the policy list
1. Go to Firewall > Policy.
2. If necessary, expand the list to view your policies.
3. Select the Move To icon beside the policy you want to move.
4. Select the position for the policy.
5. Select OK.
VPN authentication
All VPN configurations require users to authenticate. Authentication based on
user groups applies to:
• PPTP and L2TP VPNs
• an IPSec VPN that authenticates users using dialup groups
• a dialup IPSec VPN that uses XAUTH authentication (Phase 1)
This document does not describe the use of certificates for VPN authentication.
See the FortiGate VPN Guide for information on this type of authentication.