beautypg.com

Authentication servers – Fortinet FortiGate v3.0 MR7 User Manual

Page 8

background image

FortiOS v3.0 MR7 User Authentication User Guide

8

01-30007-0347-20080828

FortiGate administrator’s view of authentication

Introduction

3

Create user groups.

Add local/peer user members to each user group as appropriate. You can also
add an authentication server to a user group. In this case, all users in the server’s
database can authenticate. You can only configure peer user groups through the
CLI.

See

“Configuring user groups” on page 41

.

4

Configure firewall policies and VPN tunnels that require authenticated access.

See

“Configuring authentication for a firewall policy” on page 49

.

See

“Configuring authentication of PPTP VPN users/user groups” on page 55

.

See

“Configuring authentication of remote IPSec VPN users” on page 56

.

See

“Configuring XAuth authentication” on page 58

.

Authentication servers

The FortiGate unit can store user names and passwords and use them to
authenticate users. In an enterprise environment, it might be more convenient to
use the same system that provides authentication for local area network access,
email and other services. Users who access the corporate network from home or
while traveling could use the same user name and password that they use at the
office.

You can configure the FortiGate unit to work with remote or external authentication
servers in two different ways:

Add the authentication server to a user group.

Anyone in the server’s database is a member of the user group. This is a
simple way to provide access to the corporate VPN for all employees, for
example. You do not need to configure individual users on the FortiGate unit.

or

Specify the authentication server instead of a password when you configure
the individual user identity on the FortiGate unit.

The user name must exist on both the FortiGate unit and authentication server.
User names that exist only on the authentication server cannot authenticate on
the FortiGate unit. This method enables you to provide access only to selected
employees, for example.

If you want to use remote or external authentication servers, you must configure
them before you configure users and user groups. See

“RADIUS servers” on

page 15

,

“LDAP servers” on page 19

,

“TACACS+ servers” on page 25

, and

“Directory Service servers” on page 27

.

Note: You cannot combine these two uses of an authentication server in the same user
group. If you add the server to the user group, adding individual users with authentication to
that server is redundant.