
Fortigate administrator’s view of authentication – Fortinet FortiGate v3.0 MR7 User Manual

Page 7


Introduction


FortiOS v3.0 MR7 User Authentication User Guide
01-30007-0347-20080828


FortiClient can store the user name and password for a VPN as part of the
configuration for that VPN connection and pass them to the FortiGate unit as
needed. Alternatively, FortiClient can prompt the user for the user name and
password at the moment the FortiGate unit requests them.

SSL VPN is a form of VPN that can be used with a standard web browser. There
are two modes of SSL VPN operation (supported in NAT/Route mode only):

• web-only mode, for thin remote clients equipped with a web browser only

• tunnel mode, for remote computers that run a variety of client and server
applications.

FortiGate administrator’s view of authentication

Authentication is based on user groups. You configure authentication parameters
for firewall policies and VPN tunnels to permit access only to members of
particular user groups. A member of a user group can be:

• a user whose user name and password are stored on the FortiGate unit

• a user whose name is stored on the FortiGate unit and whose password is
stored on a remote or external authentication server

• a remote or external authentication server with a database that contains the
user name and password of each person who is permitted access

1 If remote or external authentication is needed, configure the required servers.
See “Configuring the FortiGate unit to use a RADIUS server” on page 16,
“Configuring the FortiGate unit to use an LDAP server” on page 21, and
“Configuring the FortiGate unit to use a Directory Service server” on page 28.

2 Configure local and peer (PKI) user identities (see “Public Key Infrastructure
(PKI) authentication” on page 9). For each local user, you can choose whether the
FortiGate unit or a remote authentication server verifies the password. Peer
members can be included in user groups for use in firewall policies.
See “Creating local users” on page 34 and “Creating peer users” on page 36.
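The two steps above, worked through as an added FortiOS CLI example. This is not
configuration from the guide itself: the server addresses, object names, the
shared secret and the certificate subject are placeholders, and the exact keyword
set should be checked against the CLI Reference for the 3.0 MR7 build in use (in
particular whether a peer user is accepted directly by `set member` in
`config user group`, which is assumed here). It creates one member of each kind
the text lists: a local user whose password the FortiGate unit verifies, a local
user whose password a RADIUS server verifies, and a RADIUS server added as a
member in its own right.

```fortios
# Step 1: remote authentication servers (only needed for the second and third
# member kinds). Placeholder addresses and secret.
config user radius
    edit "radius-corp"
        set server "10.0.0.5"
        set secret "replace-with-shared-secret"
    next
end
config user ldap
    edit "ldap-corp"
        set server "10.0.0.6"
        set cnid "cn"
        set dn "ou=people,dc=example,dc=com"
        set type simple
    next
end

# Step 2a: local users. "alice" is verified by the FortiGate unit itself;
# "bob" exists locally by name only and his password is checked by RADIUS.
config user local
    edit "alice"
        set type password
        set passwd "replace-with-strong-password"
        set status enable
    next
    edit "bob"
        set type radius
        set radius-server "radius-corp"
        set status enable
    next
end

# Step 2b: a peer (PKI) user, identified by certificate subject and issuing CA.
# "CA_Cert_1" is a placeholder for a CA certificate already imported on the unit.
config user peer
    edit "carol-cert"
        set ca "CA_Cert_1"
        set subject "CN=carol"
    next
end

# Group used by firewall policies and VPN tunnels. Listing "radius-corp" as a
# member admits any account that server authenticates, so the server's user
# database, not this list, defines who gets in. Adding the peer directly is the
# assumption flagged above.
config user group
    edit "vpn-users"
        set member "alice" "bob" "radius-corp" "carol-cert"
    next
end
```

Note the difference in blast radius between the members: removing "alice" or
"bob" revokes one person, whereas "radius-corp" delegates the whole admission
decision to the RADIUS administrator, which is why the guide describes it as a
separate kind of group member.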

Note: After a defined period of user inactivity on the VPN connection (the idle
timeout, set by the FortiGate administrator), the user’s access expires. The
default is 1500 seconds (25 minutes). To regain access to the resource, the user
must authenticate again.