
FortiGate User Authentication Version 1 Guide, page 6, 01-28007-0233-20050825

Introduction: The FortiGate administrator’s view of authentication

VPN client-based authentication

VPNs provide remote clients with access to a private network for a variety of 
services: web browsing, email, file shares and so on. A client program such as 
FortiClient negotiates the connection to the VPN and manages the user 
authentication challenge from the FortiGate unit. 

FortiClient can store the user name and password for a VPN as part of the 
configuration for the VPN connection and pass them to the FortiGate unit as 
needed. Or, FortiClient can request the user name and password from the user 
when the FortiGate unit requests them. 

User access expires after a period of inactivity, the authentication timeout, which the 
administrator configures. The default is five minutes. The user must then 
authenticate again.

The FortiGate administrator’s view of authentication

Authentication is based on user groups. You configure authentication parameters 
for firewall policies and VPN tunnels to permit access only to members of 
particular user groups. A member of a user group can be:

• a user whose user name and password are stored on the FortiGate unit
• a user whose name is stored on the FortiGate unit and whose password is 
stored on an external authentication server
• an external authentication server with a database that contains the user name 
and password of each person who is permitted access

You need to set up authentication in the following order:

1 If external authentication is needed, configure the required servers. 
• See “Configuring the FortiGate unit to use a RADIUS server” on page 9.
• See “Configuring the FortiGate unit to use an LDAP server” on page 12.
• See “Configuring the FortiGate unit to use an Active Directory server” on 
page 13.

2 Configure local user identities. For each user, you can choose whether the 
FortiGate unit or an external authentication server verifies the password. 
• See “Defining local users” on page 15.

3 Create user groups. Add local users to each user group as appropriate. You can also add an 
authentication server to a user group. In this case, all users in the server’s 
database can authenticate.
• See “Defining user groups” on page 17.

4 Configure firewall policies and VPN tunnels that require authenticated access.
See “Configuring authentication for a firewall policy” on page 20.
See “Authenticating PPTP and L2TP VPN users” on page 22.
See “Authenticating remote IPSec VPN users using dialup groups” on page 23.

Note: In firmware releases prior to version 2.80 MR6, the authentication timeout period is 
elapsed time, not inactive time.
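The four-step order above, written out as one FortiOS CLI script. This is an added example, not a script from the guide or from Fortinet: the server name, user names, passwords, address and profile name are constructed, and the commands marked “assumed” in the comments (set server, set secret, set type radius, set radius-server, set groups, set auth-timeout) are this example’s assumptions about the CLI of the firmware the guide covers; the other command forms are the ones the guide itself shows.

```fortios
# Added example (not from the guide): the setup order in FortiOS CLI.
# Lines starting with # are comments and are ignored by the CLI.

# Step 1: external authentication server (a RADIUS server here).
# "set server" and "set secret" are assumed keyword names.
config user radius
    edit "rad-hq"                                  # constructed server name
        set server 192.0.2.10                      # constructed documentation address
        set secret "shared-secret-placeholder"     # replace with the real shared secret
    end

# Step 2: local user identities.
# alice: password verified by the FortiGate unit itself (form shown in the guide).
# bob: name stored on the unit, password verified by the RADIUS server;
#      "set type radius" and "set radius-server" are assumed keyword names.
config user local
    edit "alice"
        set type password
        set passwd "alice-local-password"          # constructed
    next
    edit "bob"
        set type radius
        set radius-server "rad-hq"
    end

# Step 3: user group (form shown in the guide). Individual users are members
# here; the server itself could be a member instead, in which case every
# account in its database can authenticate.
config user group
    edit "staff"
        set member alice bob
        set profile "default-profile"              # constructed protection profile name
    end

# Step 4: a firewall policy that grants access only to members of "staff".
# "set groups" is an assumed keyword name.
config firewall policy
    edit 1
        set srcintf internal
        set dstintf external
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set groups "staff"
    end

# Authentication timeout in minutes; counted as idle time from 2.80 MR6 on,
# as elapsed time before that. "set auth-timeout" is an assumed keyword name.
config system global
    set auth-timeout 5
end
```

Order matters: the RADIUS server must exist before bob’s user entry refers to it, and the group must exist before the firewall policy refers to it, which is exactly the sequence the steps prescribe.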
