Fortinet FortiGate 60M User Manual Download | Manualshive

Page: 9 / 26

background image

Authentication servers

RADIUS Servers

FortiGate User Authentication Version 1 Guide
01-28007-0233-20050825

9

Authentication servers

FortiGate units support the following external authentication servers:

• RADIUS
• LDAP
• Microsoft Active Directory

If you are going to use authentication servers, you must configure the servers
before you configure FortiGate users or user groups that require them. An
authentication server can provide password checking for selected FortiGate users
or it can be added as a member of a FortiGate user group.

RADIUS Servers

Remote Authentication and Dial-in User Service (RADIUS) servers provide
authentication, authorization and accounting functions. FortiGate units use the
authentication function of the RADIUS server.

Understanding your RADIUS server

Your RADIUS server listens on either port 1812 or port 1645 for authentication
requests. You must configure it to accept the FortiGate unit as a client.

The RADIUS server user database can be any combination of:

• user names and passwords defined in a configuration file
• an SQL database
• the user account names and passwords configured on the computer where the

RADIUS server is installed

The RADIUS server uses a “shared secret” key to encrypt information passed
between it and clients such as the FortiGate unit.

See the documentation provided with your RADIUS server for configuration
details.

Configuring the FortiGate unit to use a RADIUS server

On the FortiGate unit, the default port for RADIUS traffic is 1812. If your RADIUS
server is using port 1645, you can either

• Reconfigure the RADIUS server to use port 1812. See your RADIUS server

documentation for more information.

or

• Change the FortiGate unit default RADIUS port to 1645 using the the CLI:

config system global

set radius_port 1645

end

«
...
7
8
9
10
11
...
»

Summary of Contents for FortiGate 60M

Page 1: ...www fortinet com FortiGate User Authentication Version 1 U S E R G U I D E ...

Page 2: ...y purpose without prior written permission of Fortinet Inc Trademarks ABACAS APSecure FortiASIC FortiBIOS FortiBridge FortiClient FortiGate FortiGuard FortiGuard Antispam FortiGuard Antivirus FortiGuard Intrusion FortiGuard Web FortiLog FortiManager Fortinet FortiOS FortiPartner FortiProtect FortiReporter FortiResponse FortiShield FortiVoIP and FortiWiFi are trademarks of Fortinet Inc in the Unite...

Page 3: ...your LDAP server 11 Configuring the FortiGate unit to use an LDAP server 12 Active Directory servers 13 Understanding your Active Directory server 13 Configuring the FortiGate unit to use an Active Directory server 13 Users and user groups 15 Users 15 Defining local users 15 User groups 17 Protection profiles 17 Defining user groups 17 Configuring authenticated access 19 Authentication timeout 19 ...

Page 4: ...FortiGate User Authentication Version 1 Guide 4 01 28007 0233 20050825 Table of Contents ...

Page 5: ...e VPN Guide The user s view of authentication The user sees a request for authentication when trying to access the protected resource The way in which the request is presented to the user depends on the method of access to that resource VPN authentication usually controls remote access to a private network Web based user authentication Firewall policies usually control browsing access to an extern...

Page 6: ...ate unit a user whose name is stored on the Fortigate unit and whose password is stored on an external authentication server an external authentication server with a database that contains the user name and password of each person who is permitted access You need to set up authentication in the following order 1 If external authentication is needed configure the required servers See Configuring th...

Page 7: ...ou to provide access only to selected employees for example You cannot combine these two uses of an authentication server in the same user group If you add the server to the user group adding individual users with authentication to that server is redundant If you want to use external authentication servers you must configure them before you configure users and user groups Users You define user ide...

Page 8: ...l is defined in the firewall policy that provides access to the network resource For example access to the Internet through the external interface from workstations on the internal network is made possible by an Internal to External firewall policy Firewall policies apply web filtering antivirus protection and spam filtering to the traffic they control according a protection profile When a firewal...

Page 9: ...IUS server listens on either port 1812 or port 1645 for authentication requests You must configure it to accept the FortiGate unit as a client The RADIUS server user database can be any combination of user names and passwords defined in a configuration file an SQL database the user account names and passwords configured on the computer where the RADIUS server is installed The RADIUS server uses a ...

Page 10: ...figuration You cannot remove a RADIUS server that belongs to a user group Remove it from the user group first 1 Go to User RADIUS 2 Select the Delete icon beside the RADIUS server name that you want to remove 3 Select OK To remove a RADIUS server from the FortiGate unit configuration CLI config user radius delete name end LDAP Servers Lightweight Directory Access Protocol LDAP is an Internet proto...

Page 11: ...n Unit OU level just above DC The Distinguished Name DN is ou People dc example dc com In addition to the DN the FortiGate unit needs an identifier for the individual person Although the FortiGate unit GUI calls this the Common Name CN the identifier you use is not necessarily CN On some servers CN is the full name of a person It might be more convenient to use the same identifier used on the loca...

Page 12: ...ifiers and the domain name or IP address of the LDAP server you can configure the server on the FortiGate unit To configure the FortiGate unit for LDAP authentication web based manager 1 Go to User LDAP 2 Select Create New to add a new LDAP server or select the Edit icon to edit an existing configuration 3 Enter a name for the LDAP server 4 Enter the domain name or IP address of the LDAP server 5 ...

Page 13: ...istinguished name For each object there is a shortcut to the distinguished name called the User Principal Name UPN The UPN looks similar to an email address It consists of a short name like a user ID followed by an symbol followed by the server domain name auser example com for example The user enters this as the user name at the authentication prompt Configuring the FortiGate unit to use an Activ...

Page 14: ...gure Active Directory server authentication using UPN queries CLI config user ldap edit name set server ip_address end To remove an Active Directory server from the FortiGate unit configuration You cannot remove an Active Directory server that has been added to a user group Remove it from the user group first 1 Go to User LDAP 2 Select Delete beside the server name that you want to delete 3 Select...

Page 15: ...tication server that has been configured on the FortiGate unit If the user is authenticated externally the user name on the FortiGate unit must be identical to the user name on the authentication server Table 1 How the FortiGate unit authenticates different types of users User type Authentication Local user with password stored on the FortiGate unit The user name and password must match a user acc...

Page 16: ...Directory server select LDAP and select the server name To authenticate this user using a RADIUS server select RADIUS and select the server name If you want to use an authentication server you must configure access to it first See Authentication servers on page 9 5 Select OK To define a local user CLI config user local edit user_name set type password set passwd user_password end or config user lo...

Page 17: ...ation its own protection profile is disabled and the user group protection profile applies For more information about protection profiles see Protection profile in the Firewall chapter of the FortiGate Administration Guide for your unit Protection profiles do not apply to VPN connections Defining user groups You define a user group by typing a name selecting users and or authentication servers and...

Page 18: ... User Authentication Version 1 Guide 18 01 28007 0233 20050825 User groups Users and user groups To define a group CLI config user group edit group_name set member user1 user2 usern set profile profile_name end ...

Page 19: ...et the firewall user authentication timeout Auth Timeout to control how long an authenticated connection can be idle before the user must authenticate again The maximum timeout is 480 minutes 8 hours The default timeout is 15 minutes To set the authentication timeout 1 Go to System Config Options 2 Enter the Auth Timeout value minutes 3 Select Apply Firewall policy authentication Firewall policies...

Page 20: ... move them to the Allowed list All members of the groups in the Allowed list will be authenticated to use the firewall policy 9 Select OK Configuring authenticated access to the Internet A policy for accessing the Internet is similar to a policy for accessing a specific network but the destination address is set to all The destination interface is the one that connects to the Internet service prov...

Page 21: ... these rules in mind More specific policies must be placed above more general ones Any policy that requires authentication must be placed above any similar policy that does not If a user fails authentication the firewall drops the request and does not check for a match with any of the remaining policies If you create a policy that requires authentication for HTTP access to the Internet you must pr...

Page 22: ...quired 3 Select Enable PPTP or Enable L2TP 4 Enter Starting IP and Ending IP addresses This defines the range of addresses assigned to VPN clients 5 Select the user group that is to have access to this VPN The FortiGate unit authenticates members of this user group 6 Select Apply To configure authentication for a PPTP or L2TP VPN CLI config vpn pptp set eip starting_ip set sip ending_ip set status...

Page 23: ...ure user group authentication for dialup IPSec web based manager 1 Configure the dialup users who are permitted to use this VPN Create a user group and add them to it For more information see Users and user groups on page 15 2 Go to VPN IPSec Phase 1 3 Select Create New or select Edit on an existing VPN gateway 4 From the Remote Gateway list select Dialup User 5 From the Authentication method list...

Page 24: ...rough an LDAP or RADIUS authentication server You must configure dialup users as members of a user group who are externally authenticated None can have passwords stored on the FortiGate unit To configure authentication for a dialup IPSec VPN web based manager 1 Configure the users who are permitted to use this VPN Create a user group and add them to it For more information see Users and user group...

Page 25: ...e user group that is to have access to this VPN The list of user groups does not include any group that has members whose password is stored on the FortiGate unit 9 Configure other VPN gateway parameters as needed 10 Select OK For more information about XAUTH configuration see Enabling XAUTH on the FortiGate unit in the FortiGate VPN Guide To configure authentication for a dialup IPSec VPN CLI con...

Page 26: ...FortiGate User Authentication Version 1 Guide 26 01 28007 0233 20050825 VPN authentication Configuring authenticated access ...

Reviews:

No comments

Related manuals for FortiGate 60M

Brand: Keezel Pages: 27

SURFboard SVG2500

Brand: Motorola Pages: 185

Brand: IBM Pages: 40

Brand: Freedom9 Pages: 310

Brand: Billion Pages: 130

Brand: BuildingLink Pages: 20

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands