
FortiOS v3.0 MR7 User Authentication User Guide

54

01-30007-0347-20080828

VPN authentication

Configuring authenticated access

To configure authentication for an SSL VPN - CLI

    config vpn ssl settings
        set algorithm
        set auth-timeout
        set dns-server1
        set dns-server2
        set idle-timeout
        set portal-heading
        set reqclientcert
        set route-source-interface
        set servercert
        set sslv2
        set sslv3
        set sslvpn-enable
        set tunnel-endip
        set tunnel-startip
        set url-obscuration
        set wins-server1
        set wins-server2
    end

The tunnel-endip and tunnel-startip keywords are required for tunnel-mode access only. All other keywords are optional.

When you configure the timeout settings, setting the authentication timeout (auth-timeout) to 0 means the remote client is never forced to re-authenticate unless it logs out. To take full advantage of this setting, idle-timeout must also be set to 0, so that the client is not logged out when the maximum idle time is reached. If idle-timeout is not 0 (infinite), the system logs the client out when that limit is reached, regardless of the auth-timeout setting. Note that with both values at 0 a session stays valid until the user logs out, so an unattended or compromised client session remains usable indefinitely; keep at least idle-timeout at a finite value unless that behaviour is intended.
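As an added example (not code from the Fortinet guide), the following Python script parses a `config vpn ssl settings` block as it appears in a FortiGate configuration export and flags the weak combinations this page describes: SSLv2 or SSLv3 enabled, client certificates not required, both timeouts set to 0, and a tunnel-mode configuration that is missing the tunnel address range. The two configuration samples are constructed for the example; the `enable`/`disable` value syntax and the timeouts in seconds are assumed from the FortiOS 3.0 CLI (the page lists only the keywords), and the function names are the example's own.

```python
"""Audit a FortiOS 3.0 'config vpn ssl settings' block for weak settings.

Added example, not Fortinet's code.  Assumes the FortiOS 3.0 CLI form
'set <keyword> <value>' with enable/disable flags and timeouts in seconds.
"""
import re

# Constructed sample export, not taken from a real unit: every timeout is
# disabled, legacy SSL versions are on, no client certificate is required,
# and the tunnel address range is missing.
WEAK_CONFIG = """\
config vpn ssl settings
    set sslvpn-enable enable
    set sslv2 enable
    set sslv3 enable
    set reqclientcert disable
    set auth-timeout 0
    set idle-timeout 0
    set portal-heading "Remote access"
end
"""

# Constructed hardened counterpart: obsolete SSL versions off, client
# certificate required, finite timeouts, tunnel range present.
HARDENED_CONFIG = """\
config vpn ssl settings
    set sslvpn-enable enable
    set sslv2 disable
    set sslv3 disable
    set reqclientcert enable
    set auth-timeout 28800
    set idle-timeout 300
    set portal-heading "Remote access"
    set tunnel-startip 10.10.10.1
    set tunnel-endip 10.10.10.254
end
"""

SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")


def parse_ssl_settings(config_text):
    """Return {keyword: value} from the 'config vpn ssl settings' block only.

    Values keep their raw text (quotes included); other config blocks are ignored.
    """
    settings = {}
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ssl settings":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block:
            m = SET_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip()
    return settings


def _as_seconds(value):
    """Parse a timeout value; None when the keyword is absent or not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def audit_ssl_settings(settings, tunnel_mode=True):
    """Return a list of (keyword, finding) tuples for weak or missing settings.

    Keywords absent from the block take the unit's defaults, which this audit
    cannot see, so it flags explicit values only, except for reqclientcert and
    the tunnel range, which should be set explicitly.
    """
    findings = []
    if settings.get("sslvpn-enable") != "enable":
        return [("sslvpn-enable", "SSL VPN is not enabled; nothing to audit")]
    # SSLv2 and SSLv3 are obsolete protocol versions with known weaknesses.
    for proto in ("sslv2", "sslv3"):
        if settings.get(proto) == "enable":
            findings.append((proto, f"{proto} is enabled; disable it"))
    if settings.get("reqclientcert") != "enable":
        findings.append(("reqclientcert",
                         "client certificate not required; the password is the only factor"))
    auth = _as_seconds(settings.get("auth-timeout"))
    idle = _as_seconds(settings.get("idle-timeout"))
    if auth == 0 and idle == 0:
        # Both infinite: the session lives until the user logs out.
        findings.append(("auth-timeout",
                         "auth-timeout 0 with idle-timeout 0: session never expires"))
    elif idle == 0:
        findings.append(("idle-timeout", "idle-timeout 0: idle sessions are never closed"))
    if tunnel_mode:
        for kw in ("tunnel-startip", "tunnel-endip"):
            if kw not in settings:
                findings.append((kw, f"{kw} is required for tunnel-mode access"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for kw, msg in audit_ssl_settings(parse_ssl_settings(cfg)) or [("-", "no findings")]:
            print(f"  {kw}: {msg}")
```

Run it against a saved `show vpn ssl settings` export to see which of the page's optional keywords a unit relies on defaults for; pass `tunnel_mode=False` for a web-mode-only portal, where the tunnel range is not required.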

Strong authentication verifies the identities of networked users, clients, and servers with more than a password. It combines something the user knows (a user name and password) with something the user has (a client-side certificate): the certificate's private key never leaves the client, and the TLS handshake proves possession of it without transmitting it over the internet. Strong authentication can be configured for SSL VPN user groups using X.509 (version 1 or 3) digital certificates.

Configuring strong authentication of SSL VPN users/user groups

You can use strong authentication to verify the identities of SSL VPN user group members. The accounts for individual users, and the user groups containing those users, have to be created before configuring strong authentication, and a firewall encryption policy has to be created to permit access by that user group. To enable strong authentication for an SSL VPN user group:

1. Obtain a signed group certificate from a CA and load the signed group certificate into the web browser used by each user. Follow the browser documentation to load the certificates.

2. Install the root certificate and the CRL from the issuing CA on the FortiGate unit.

3. Configure strong authentication for the group of users having a copy of the group certificate.

Because every member of the group presents the same certificate, the certificate identifies the group rather than the individual user; the user name and password remain the only per-user factor, and revoking the group certificate (or one member's copy of its private key leaking) affects the whole group. Keep the CRL on the FortiGate unit current so that a revoked certificate is actually rejected.