beautypg.com

Users and authentication, Users and – Fortinet FortiGate 100 User Manual

Page 173

background image

FortiGate-100 Installation and Configuration Guide Version 2.50 MR2

FortiGate-100 Installation and Configuration Guide

173

Users and authentication

FortiGate units support user authentication to the FortiGate user database, to a
RADIUS server, and to an LDAP server. You can add user names to the FortiGate
user database and then add a password to allow the user to authenticate using the
internal database. You can also add the names of RADIUS and LDAP servers. You
can select RADIUS to allow the user to authenticate using the selected RADIUS
server or LDAP to allow the user to authenticate using the selected LDAP server. You
can disable a user name so that the user cannot authenticate.

To enable authentication, you must add user names to one or more user groups. You
can also add RADIUS servers and LDAP servers to user groups. You can then select
a user group when you require authentication.

You can select user groups to require authentication for:

• any firewall policy with Action set to ACCEPT
• IPSec dialup user phase 1 configurations
• XAuth functionality for Phase 1 IPSec VPN configurations
• PPTP
• L2TP

When a user enters a user name and password, the FortiGate unit searches the
internal user database for a matching user name. If Disable is selected for that user
name, the user cannot authenticate and the connection is dropped. If Password is
selected for that user and the password matches, the connection is allowed. If the
password does not match, the connection is dropped.

If RADIUS is selected and RADIUS support is configured and the user name and
password match a user name and password on the RADIUS server, the connection is
allowed. If the user name and password do not match a user name and password on
the RADIUS server, the connection is dropped.

If LDAP is selected and LDAP support is configured and the user name and password
match a user name and password on the LDAP server, the connection is allowed. If
the user name and password do not match a user name and password on the LDAP
server, the connection is dropped.

If the user group contains user names, RADIUS servers, and LDAP servers, the
FortiGate unit checks them in the order in which they have been added to the user
group.