FortiGate-400 Installation and Configuration Guide Version 2.50 MR2

Users and authentication

FortiGate units support user authentication to the FortiGate user database, to a RADIUS server, and to an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database. You can also add the names of RADIUS and LDAP servers. You can select RADIUS to allow the user to authenticate using the selected RADIUS server or LDAP to allow the user to authenticate using the selected LDAP server. You can disable a user name so that the user cannot authenticate.

To enable authentication, you must add user names to one or more user groups. You can also add RADIUS servers and LDAP servers to user groups. You can then select a user group when you require authentication.

You can select user groups to require authentication for:

• any firewall policy with Action set to ACCEPT

• IPSec dialup user phase 1 configurations

• XAuth functionality for Phase 1 IPSec VPN configurations

• PPTP

• L2TP

When a user enters a user name and password, the FortiGate unit searches the internal user database for a matching user name. If Disable is selected for that user name, the user cannot authenticate and the connection is dropped. If Password is selected for that user and the password matches, the connection is allowed. If the password does not match, the connection is dropped.

If RADIUS is selected and RADIUS support is configured and the user name and password match a user name and password on the RADIUS server, the connection is allowed. If the user name and password do not match a user name and password on the RADIUS server, the connection is dropped.

If LDAP is selected and LDAP support is configured and the user name and password match a user name and password on the LDAP server, the connection is allowed. If the user name and password do not match a user name and password on the LDAP server, the connection is dropped.

If the user group contains user names, RADIUS servers, and LDAP servers, the FortiGate unit checks them in the order in which they have been added to the user group.


This chapter describes:

Setting authentication timeout

Adding user names and configuring authentication

Configuring RADIUS support

Configuring LDAP support

Configuring user groups

Setting authentication timeout

To set authentication timeout:

1 Go to System > Config > Options.

2 Set Auth Timeout to control how long authenticated firewall connections can remain idle before users must authenticate again to get access through the firewall.

The default authentication timeout is 15 minutes. This is an idle timeout, not a fixed session lifetime: a session that keeps passing traffic is never forced to re-authenticate, so the value bounds how long an unattended but already authenticated session can be reused.

Adding user names and configuring authentication

Use the following procedures to add user names and configure authentication.

This section describes:

Adding user names and configuring authentication

Deleting user names from the internal database

Adding user names and configuring authentication

1 Go to User > Local.

2 Select New to add a new user name.

3 Enter the user name.

The user name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

4 Select one of the following authentication configurations:

Disable: Prevent this user from authenticating.

Password: Enter the password that this user must use to authenticate. The password should be at least six characters long. The password can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. Six characters is the minimum the unit accepts, not a recommendation; with this 64-symbol alphabet a six-character password has only about 2^36 possibilities, so choose considerably longer ones.

LDAP: Require the user to authenticate to an LDAP server. Select the name of the LDAP server to which the user must authenticate. You can only select an LDAP server that has been added to the FortiGate LDAP configuration. See “Configuring LDAP support”.

Radius: Require the user to authenticate to a RADIUS server. Select the name of the RADIUS server to which the user must authenticate. You can only select a RADIUS server that has been added to the FortiGate RADIUS configuration. See “Configuring RADIUS support”.

5 Select Try other servers if connect to selected server fails if you have selected Radius and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration.

6 Select OK.

Figure 17: Adding a user name

Deleting user names from the internal database

You cannot delete user names that have been added to user groups. Remove user names from user groups before deleting them.

1 Go to User > Local.

2 Select Delete User for the user name to delete.

3 Select OK.

Note: Deleting the user name deletes the authentication configured for the user.


Configuring RADIUS support

If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication.

This section describes:

Adding RADIUS servers

Deleting RADIUS servers

Adding RADIUS servers

To configure the FortiGate unit for RADIUS authentication:

1 Go to User > RADIUS.

2 Select New to add a new RADIUS server.

3 Enter the name of the RADIUS server.

You can enter any name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

4 Enter the domain name or IP address of the RADIUS server.

5 Enter the RADIUS server secret.

The secret must match the one configured on the RADIUS server for this FortiGate unit as a client. It is the only thing protecting user passwords carried in RADIUS requests, so use a long random value and do not reuse it across clients.

6 Select OK.

Figure 18: Example RADIUS configuration
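Step 5's shared secret is what keeps user passwords from crossing the network in the clear. The manual does not show the packets the FortiGate unit sends, so the following is an added example and not Fortinet code: it builds an RFC 2865 Access-Request the way any RADIUS client must, hides the User-Password attribute under MD5(secret + Request Authenticator) as section 5.2 of that RFC specifies, and then performs the server-side recovery so the round trip can be checked. The secret `testing123`, the user `alice`, the NAS address and the fixed authenticator used in `demo()` are constructed values for the demonstration; a real client must draw a fresh random authenticator for every request.

```python
import hashlib
import ipaddress
import os
import struct
from typing import List, Optional, Tuple

# RADIUS packet code and attribute types from RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR the NUL-padded password, 16 bytes at a time, with
    MD5(secret + previous block). The first 'previous block' is the Request
    Authenticator from the packet header, so every request gets a fresh keystream."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # chaining: the next keystream depends on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, i.e. what the server does on receipt. Trailing
    NULs are padding (FortiGate passwords cannot contain NUL, so none are lost)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One attribute TLV: type, total length (including the 2-byte header), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, user_name: bytes, password: bytes, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request carrying User-Name, hidden User-Password and NAS-IP-Address."""
    if authenticator is None:
        authenticator = os.urandom(16)  # must be unpredictable and unique per request
    attrs = (attribute(ATTR_USER_NAME, user_name)
             + attribute(ATTR_USER_PASSWORD, hide_user_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    return header + attrs


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs after the 20-byte header, refusing inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def demo() -> bytes:
    """Constructed round trip: client hides the password, server recovers it."""
    auth = bytes(range(16))  # fixed only so the example is reproducible
    pkt = build_access_request(7, b"alice", b"alice-pw", b"testing123", "192.168.1.99", auth)
    hidden = dict(parse_attributes(pkt))[ATTR_USER_PASSWORD]
    return reveal_user_password(hidden, b"testing123", auth)
```

The hiding is a keyed XOR, not encryption: anyone who can capture the request and guess the secret recovers the password, and a reused authenticator under the same secret produces the same first keystream block, so two hidden passwords can be XORed against each other. That is why the secret should be long and random and why the path between the FortiGate unit and the RADIUS server belongs on a trusted segment.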


Deleting RADIUS servers

You cannot delete RADIUS servers that have been added to user groups.

1 Go to User > RADIUS.

2 Select Delete beside the RADIUS server name that you want to delete.

3 Select OK.


Configuring LDAP support

If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit.

The FortiGate unit supports LDAP protocol functionality defined in RFC 2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3.

FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers.

FortiGate LDAP support does not supply information to the user about why authentication failed.

LDAP user authentication is supported for PPTP, L2TP, IPSec VPN and firewall authentication. With PPTP, L2TP, and IPSec VPN, PAP (Password Authentication Protocol) is supported and CHAP (Challenge-Handshake Authentication Protocol) is not: the FortiGate unit verifies an LDAP user by sending the supplied password to the LDAP server, and a CHAP exchange never gives the FortiGate unit that password.

This section describes:

Adding LDAP servers

Deleting LDAP servers

Adding LDAP servers

To configure the FortiGate unit for LDAP authentication:

1 Go to User > LDAP.

2 Select New to add a new LDAP server.

3 Enter the name of the LDAP server.

You can enter any name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

4 Enter the domain name or IP address of the LDAP server.

5 Enter the port used to communicate with the LDAP server.

By default LDAP uses port 389. This guide describes no TLS option for the LDAP connection, so treat the path from the FortiGate unit to the LDAP server as carrying user names and passwords in the clear and keep it on a trusted network.

6 Enter the common name identifier for the LDAP server.

The common name identifier for most LDAP servers is cn. However some servers use other common name identifiers such as uid.

7 Enter the distinguished name used to look up entries on the LDAP server.

Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server.

For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com where ou is organization unit and dc is domain component.

You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units: ou=accounts,ou=marketing,dc=fortinet,dc=com

8 Select OK.

Figure 19: Example LDAP configuration
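Steps 6 and 7 together determine the entry the FortiGate unit asks the server to verify. The following is an added example, not FortiGate code, of how the common name identifier, the user name and the base distinguished name compose into a user DN, and of why the user-name character rule from Adding user names and configuring authentication matters: the allowed set (0-9, A-Z, a-z, - and _) contains none of the characters that carry meaning inside a DN, so a user name can never add or alter an RDN. The composition `<cnid>=<user>,<base DN>` and the parse of the base DN into (attribute, value) pairs are this example's own assumptions about the format; the `ou=marketing,dc=fortinet,dc=com` values come from the manual.

```python
import re
from typing import List, Tuple

# User names the FortiGate unit accepts: 0-9, A-Z, a-z, '-' and '_'.
USER_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")

# Characters that carry structure inside a DN (RFC 4514). The FortiGate user-name
# rule excludes every one of them, so a user name cannot change the shape of the
# DN it is spliced into.
DN_SPECIAL = frozenset(',+"\\<>;=')


def is_valid_user_name(user_name: str) -> bool:
    """True only for the character set the FortiGate unit allows (whole string)."""
    return USER_NAME_RE.fullmatch(user_name) is not None


def parse_base_dn(base_dn: str) -> List[Tuple[str, str]]:
    """Split a base DN such as ou=accounts,ou=marketing,dc=fortinet,dc=com into ordered
    (attribute, value) pairs. Order is significant and an attribute such as ou may
    appear more than once. Assumption of this example: RDN values containing
    DN-special characters are rejected rather than escaped."""
    rdns = []
    for rdn in base_dn.split(","):
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {rdn!r} in base DN {base_dn!r}")
        if DN_SPECIAL & set(value):
            raise ValueError(f"RDN value {value!r} would need DN escaping")
        rdns.append((attr, value))
    return rdns


def build_user_dn(cn_identifier: str, user_name: str, base_dn: str) -> str:
    """Assumed composition <cnid>=<user>,<base DN>, for example
    cn=alice,ou=marketing,dc=fortinet,dc=com. Both parts are validated before
    joining so that exactly one new RDN is prepended and nothing else changes."""
    if not is_valid_user_name(user_name):
        raise ValueError(f"user name {user_name!r} contains characters the FortiGate unit does not allow")
    if not is_valid_user_name(cn_identifier):  # cn, uid, sAMAccountName are all plain tokens
        raise ValueError(f"bad common name identifier {cn_identifier!r}")
    parse_base_dn(base_dn)  # raises on a malformed base DN
    return f"{cn_identifier}={user_name},{base_dn}"
```

A user name such as `alice,ou=admins` would, if accepted, turn into a DN under a different organizational unit; the validator rejects it before the string is ever built, which is the practical effect of the manual's character restriction.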

Deleting LDAP servers

You cannot delete LDAP servers that have been added to user groups.

1 Go to User > LDAP.

2 Select Delete beside the LDAP server name that you want to delete.

3 Select OK.


Configuring user groups

To enable authentication, you must add user names, RADIUS servers and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for:

• Policies that require authentication. Only users in the selected user group, or users that can authenticate with the RADIUS or LDAP servers added to the user group, can authenticate with these policies.

• IPSec VPN Phase 1 configurations for dialup users. Only users in the selected user group can authenticate to use the VPN tunnel.

• XAuth for IPSec VPN Phase 1 configurations. Only users in the selected user group can be authenticated using XAuth.

• The FortiGate PPTP configuration. Only users in the selected user group can use PPTP.

• The FortiGate L2TP configuration. Only users in the selected user group can use L2TP.

When you add user names, RADIUS servers, and LDAP servers to a user group the order in which they are added affects the order in which the FortiGate unit checks for authentication. If user names are first, then the FortiGate unit checks for a match with these local users. If a match is not found, the FortiGate unit checks the RADIUS or LDAP server. If a RADIUS or LDAP server is added first, the FortiGate unit checks the server and then the local users. Order is therefore part of the access decision: a local user whose setting is Disable is refused only if the FortiGate unit reaches that local entry before a server that still holds an account under the same user name.

If the user group contains users, RADIUS servers, and LDAP servers, the FortiGate unit checks them in the order in which they have been added to the user group.
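The ordering rule above determines which member answers for a given user name and whether any later member is consulted at all. The following is an added model of that rule, not FortiGate code; it covers the local-user Disable, Password, Radius and LDAP settings, the Try other servers option, and servers added to the group directly. The user names, server names and the credential tables inside the stand-in servers are constructed. Where the manual does not say what happens after a server member rejects or cannot be reached, the model assumes the check moves on to the next member; the local-user cases follow the text exactly (a matching local user decides the outcome, and a wrong password or a disabled user drops the connection without consulting anything further).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LocalUser:
    name: str
    auth: str                          # "disable", "password", "radius" or "ldap"
    password: Optional[str] = None     # used when auth == "password"
    server: Optional[str] = None       # server name when auth is "radius" or "ldap"
    try_other_servers: bool = False    # the Try other servers option (Radius only)


@dataclass
class RemoteServer:
    name: str
    kind: str                          # "radius" or "ldap"
    accounts: Dict[str, str]           # constructed stand-in for the server's user store
    reachable: bool = True


def ask_server(server: RemoteServer, user_name: str, password: str) -> Optional[bool]:
    """None means the server could not be contacted; otherwise its verdict."""
    if not server.reachable:
        return None
    return server.accounts.get(user_name) == password


def check_via_user_server(user: LocalUser, servers: Dict[str, RemoteServer],
                          user_name: str, password: str) -> bool:
    """Local user whose setting points at a server; fall back to other RADIUS
    servers only when Try other servers is set and the chosen one is unreachable."""
    verdict = ask_server(servers[user.server], user_name, password)
    if verdict is None and user.auth == "radius" and user.try_other_servers:
        for other in servers.values():
            if other.kind == "radius" and other.name != user.server:
                verdict = ask_server(other, user_name, password)
                if verdict is not None:
                    break
    return verdict is True


def authenticate(group: List[Tuple[str, str]], user_name: str, password: str,
                 local_users: Dict[str, LocalUser],
                 servers: Dict[str, RemoteServer]) -> Tuple[bool, str]:
    """Walk the group's members in the order they were added and stop at the first
    member that decides the outcome. Returns (allowed, reason)."""
    for kind, name in group:
        if kind == "user":
            user = local_users.get(name)
            if user is None or name != user_name:
                continue
            if user.auth == "disable":
                return False, f"user {name} is disabled"
            if user.auth == "password":
                ok = user.password == password
                return ok, f"local password {'matched' if ok else 'mismatch'}"
            ok = check_via_user_server(user, servers, user_name, password)
            return ok, f"{user.auth} server {user.server} {'accepted' if ok else 'rejected'}"
        # kind is "radius" or "ldap": a server added to the group directly (assumption:
        # a rejection or unreachable server lets the check move on to the next member).
        if ask_server(servers[name], user_name, password):
            return True, f"{kind} server {name} accepted"
    return False, "no group member authenticated the user"


# Constructed configuration for the demonstration.
LOCAL_USERS = {
    "alice": LocalUser("alice", "password", password="alice-pw"),
    "bob": LocalUser("bob", "disable"),
    "dave": LocalUser("dave", "radius", server="rad2", try_other_servers=True),
    "erin": LocalUser("erin", "radius", server="rad2"),
}
SERVERS = {
    "rad1": RemoteServer("rad1", "radius", {"alice": "stale-pw", "bob": "bob-pw", "dave": "dave-pw"}),
    "rad2": RemoteServer("rad2", "radius", {}, reachable=False),
    "ldap1": RemoteServer("ldap1", "ldap", {"carol": "carol-pw"}),
}
GROUP_USERS_FIRST = [("user", "alice"), ("user", "bob"), ("user", "dave"), ("user", "erin"),
                     ("radius", "rad1"), ("ldap", "ldap1")]
GROUP_SERVER_FIRST = [("radius", "rad1"), ("user", "alice"), ("user", "bob")]
```

`GROUP_SERVER_FIRST` is the case to watch: with `rad1` ahead of the local entries, `bob` logs in with the password `rad1` still holds even though the local user is set to Disable, and `alice` logs in with a stale server password that no longer matches her local one. Put local entries first if you want Disable and local passwords to be authoritative.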

This section describes:

Adding user groups

Deleting user groups

Adding user groups

Use the following procedure to add user groups to the FortiGate configuration. You can add user names, RADIUS servers, and LDAP servers to user groups.

To add a user group:

1 Go to User > User Group.

2 Select New to add a new user group.

Figure 20: Adding a user group

3 Enter a Group Name to identify the user group.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

4 To add users to the user group, select a user from the Available Users list and select the right arrow to add the name to the Members list.

5 To add a RADIUS server to the user group, select a RADIUS server from the Available Users list and select the right arrow to add the RADIUS server to the Members list.

6 To add an LDAP server to the user group, select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list.

7 To remove users, RADIUS servers, or LDAP servers from the user group, select a user, RADIUS server, or LDAP server from the Members list and select the left arrow to remove the name, RADIUS server, or LDAP server from the group.

8 Select OK.

Deleting user groups

You cannot delete user groups that have been selected in a policy, a dialup user phase1 configuration, or in a PPTP or L2TP configuration.

To delete a user group:

1 Go to User > User Group.

2 Select Delete beside the user group that you want to delete.

3 Select OK.
