beautypg.com

Directory service servers – Fortinet FortiGate v3.0 MR7 User Manual

Page 27

background image

Authentication servers

Directory Service servers

FortiOS v3.0 MR7 User Authentication User Guide
01-30007-0347-20080828

27

To remove a TACACS+ server from the FortiGate unit configuration - CLI

config user tacacs+

delete

end

Directory Service servers

Windows Active Directory (AD) and Novell edirectory provide central
authentication services by storing information about network resources across a
domain (a logical group of computers running versions of an operating system) in
a central directory database. On networks that use Directory Service servers for
authentication, FortiGate units can transparently authenticate users without
asking them for their user name and password. Each person who uses computers
within a domain receives his or her own unique account/user name. This account
can be assigned access to resources within the domain. In a domain, the directory
resides on computers that are configured as domain controllers. A domain
controller is a server that manages all security-related features that affect the
user/domain interactions, security centralization, and administrative functions.

FortiGate units use firewall policies to control access to resources based on user
groups configured in the policies. Each FortiGate user group is associated with
one or more Directory Service user groups. When a user logs in to the Windows
or Novell domain, a Fortinet Server Authentication Extension (FSAE) sends the
FortiGate unit the user’s IP address and the names of the Directory Service user
groups to which the user belongs.

The FSAE has two components that you must install on your network:

The domain controller (DC) agent must be installed on every domain controller
to monitor user logons and send information about them to the collector agent.

The collector agent must be installed on at least one domain controller to send
the information received from the DC agents to the FortiGate unit.

The FortiGate unit uses this information to maintain a copy of the domain
controller user group database. Because the domain controller authenticates
users, the FortiGate unit does not perform authentication. It recognizes group
members by their IP address.

You must install the Fortinet Server Authentication Extensions (FSAE) on the
network domain controllers, and configure the FortiGate unit to retrieve
information from the Directory Service server.

Authentication Type

The supported authentication method. TACACS+ authentication
methods include: Auto, ASCII, PAP, CHAP, and MSCHAP.

Delete icon

Delete this TACACS+ server.

Edit icon

Edit this TACACS+ server.

See also other documents in the category Fortinet Hardware: