User groups, Firewall user groups, Directory service user groups – Fortinet FortiGate v3.0 MR7 User Manual

Users/peers and user groups

FortiOS v3.0 MR7 User Authentication User Guide
01-30007-0347-20080828

User groups

A user group is a list of user/peer identities. An identity can be:

• a local user account (user name/password) stored on the FortiGate unit
• a local user account with the password stored on a RADIUS, LDAP, or TACACS+ server
• a peer user account with a digital client authentication certificate stored on the FortiGate unit
• a RADIUS, LDAP, or TACACS+ server (all identities on the server can authenticate)
• a user group defined on a Directory Service server.

Firewall policies and some types of VPN configurations allow access to user
groups, not to individual users.

Each user group belongs to one of three types: Firewall, Directory Service or SSL VPN. For information about each type, see “Firewall user groups” on page 39, “Directory Service user groups” on page 39, and “SSL VPN user groups” on page 40. For information on configuring each type of user group, see “Configuring user groups” on page 41.

In most cases, the FortiGate unit authenticates users by requesting their user
name and password. The FortiGate unit checks local user accounts first. If a
match is not found, the FortiGate unit checks the RADIUS, LDAP, or TACACS+
servers that belong to the user group. Authentication succeeds when a matching
user name and password are found.

Firewall user groups

A firewall user group provides access to a firewall policy that requires
authentication and lists the user group as one of the allowed groups. The
FortiGate unit requests the group member’s user name and password when the
user attempts to access the resource that the policy protects.

You can also authenticate a user by certificate if you have selected this method. For more information, see “Adding authentication to firewall policies” on page 286.

A firewall user group can also provide access to an IPSec VPN for dialup users. In
this case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup
group peer option. The user’s VPN client is configured with the user name as peer
ID and the password as pre-shared key. The user can connect successfully to the
IPSec VPN only if the user name is a member of the allowed user group and the
password matches the one stored on the FortiGate unit.

Directory Service user groups

You can configure the FortiGate unit to allow access to members of Directory Service server user groups who have already been authenticated on the network, without prompting them again for credentials. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network domain controllers.

Note: A user group cannot be a dialup group if any member is authenticated using a RADIUS or LDAP server, because the FortiGate unit must hold the member’s password locally to use it as the pre-shared key.
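The following Python model, added here and not part of the Fortinet guide or FortiOS itself, encodes the two rules this page states: the order in which a user group is searched during authentication (local user accounts first, then the RADIUS/LDAP/TACACS+ servers that belong to the group), and the restriction that an IPSec dialup group may contain only locally authenticated members, since the peer ID is the user name and the pre-shared key is the password stored on the FortiGate unit. The class names, the `accounts` dictionary standing in for a remote server’s user database, and the user names and passwords are all constructed for the example; the guide’s note names RADIUS and LDAP, and treating a TACACS+-backed member the same way is an assumption.

```python
"""Model of FortiGate user-group authentication order and the dialup-group
restriction. Added example; not Fortinet code. All data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union


@dataclass
class RemoteServer:
    """A RADIUS, LDAP or TACACS+ server. `accounts` is a constructed stand-in
    for the server's own user database so the example runs offline."""
    name: str
    kind: str                      # "radius", "ldap" or "tacacs+"
    accounts: Dict[str, str] = field(default_factory=dict)

    def check(self, username: str, password: str) -> bool:
        return self.accounts.get(username) == password


@dataclass
class LocalUser:
    """A local user account. Either the password is stored on the FortiGate
    unit (`password` set) or it is verified by a remote server (`server` set)."""
    name: str
    password: Optional[str] = None
    server: Optional[RemoteServer] = None


Member = Union[LocalUser, RemoteServer]


@dataclass
class UserGroup:
    name: str
    members: List[Member] = field(default_factory=list)


def authenticate(group: UserGroup, username: str, password: str) -> Optional[str]:
    """Return a label for the identity that matched, or None.

    Local user accounts in the group are checked first. Only if no local
    account matches are the servers that belong to the group queried."""
    for m in group.members:
        if isinstance(m, LocalUser) and m.name == username:
            if m.server is None:
                if m.password == password:
                    return f"local:{m.name}"
            elif m.server.check(username, password):
                return f"local:{m.name}@{m.server.name}"
    for m in group.members:
        if isinstance(m, RemoteServer) and m.check(username, password):
            return f"{m.kind}:{m.name}"
    return None


def dialup_group_problems(group: UserGroup) -> List[str]:
    """Members that disqualify the group from use as an IPSec dialup group.

    The FortiGate unit must hold the pre-shared key (the user's password)
    itself, so a server entry, or a local account whose password lives on a
    server, makes the group unusable as a dialup group. (Assumption: a
    TACACS+-backed member is treated like a RADIUS/LDAP-backed one.)"""
    problems = []
    for m in group.members:
        if isinstance(m, RemoteServer):
            problems.append(f"server member {m.name}")
        elif m.server is not None:
            problems.append(f"{m.name} authenticated via {m.server.name}")
    return problems


def dialup_accept(group: UserGroup, peer_id: str, psk: str) -> bool:
    """'Accept peer ID in dialup group': the peer ID is the user name and the
    pre-shared key is the password stored locally on the FortiGate unit."""
    if dialup_group_problems(group):
        return False
    for m in group.members:
        if isinstance(m, LocalUser) and m.name == peer_id and m.server is None:
            return m.password == psk
    return False


# Constructed sample data.
RAD = RemoteServer("rad1", "radius", accounts={"bob": "bobpw", "carol": "carolpw"})
ALICE = LocalUser("alice", password="localpw")   # password on the FortiGate unit
CAROL = LocalUser("carol", server=RAD)           # local account, password on RADIUS
FW_GROUP = UserGroup("fw_users", [ALICE, CAROL, RAD])
DIALUP_GROUP = UserGroup("dialup_users", [ALICE, LocalUser("dave", password="davepw")])

if __name__ == "__main__":
    for user, pw in [("alice", "localpw"), ("carol", "carolpw"), ("bob", "bobpw"), ("bob", "x")]:
        print(f"{user}/{pw}: {authenticate(FW_GROUP, user, pw)}")
    print("fw_users dialup problems:", dialup_group_problems(FW_GROUP))
    print("dialup_users accepts alice:", dialup_accept(DIALUP_GROUP, "alice", "localpw"))
```

The `authenticate` function falls through to the group’s servers when a local account of the same name exists but the password does not match, which is what “if a match is not found” on this page implies; if you rely on a local account to override a server-side one, confirm that behaviour on your own unit rather than assuming it.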