FortiGate-4000 Installation and Configuration Guide Version 2.50
Page 227

Users and authentication

FortiGate units can authenticate users against the FortiGate user database, a RADIUS
server, or an LDAP server. You can add user names to the FortiGate user database
and assign each one a password so that the user authenticates against the internal
database. You can also add the names of RADIUS and LDAP servers and, for a given user
name, select RADIUS or LDAP so that the user authenticates against the selected
RADIUS or LDAP server instead of the internal database. You can disable a user name
so that the user cannot authenticate at all.

To enable authentication, you must add user names to one or more user groups. You
can also add RADIUS servers and LDAP servers to user groups. You can then select
a user group when you require authentication.

You can select user groups to require authentication for:

• any firewall policy with Action set to ACCEPT
• IPSec dialup user phase 1 configurations
• XAuth functionality for phase 1 IPSec VPN configurations
• PPTP
• L2TP

When a user enters a user name and password, the FortiGate unit searches the
internal user database for a matching user name. If Disable is selected for that user
name, the user cannot authenticate and the connection is dropped. If Password is
selected for that user name and the password matches, the connection is allowed. If the
password does not match, the connection is dropped.

If RADIUS is selected and RADIUS support is configured and the user name and
password match a user name and password on the RADIUS server, the connection is
allowed. If the user name and password do not match a user name and password on
the RADIUS server, the connection is dropped.

If LDAP is selected and LDAP support is configured and the user name and password
match a user name and password on the LDAP server, the connection is allowed. If
the user name and password do not match a user name and password on the LDAP
server, the connection is dropped.

If the user group contains user names, RADIUS servers, and LDAP servers, the
FortiGate unit checks them in the order in which they have been added to the user
group.
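The paragraphs above describe an ordered evaluation of group members rather than a single lookup, and the order has security consequences: a Disable entry only protects a user name if it is consulted before a server that still knows that user. The following Python model is an added example, not Fortinet code, and it makes explicit the reading of the text it assumes: members are consulted in the order they were added; a local entry decides (allow or drop) for its own user name; a RADIUS or LDAP server either accepts the credentials or has no opinion, in which case the next member is consulted; and if no member accepts, the connection is dropped. The host names, user names and passwords are constructed for the example.

```python
"""Model of the user-group authentication order described in this section.

Added illustration, not Fortinet code.  Assumptions: members are consulted in
the order they were added; a local entry decides (allow or drop) for its own
user name; a RADIUS or LDAP server either accepts the credentials or has no
opinion, in which case the next member is consulted; if no member accepts, the
connection is dropped.  Host names and passwords below are constructed.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _same(a: str, b: str) -> bool:
    # Constant-time comparison; plaintext only because this is a model.
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class LocalUser:
    """Internal user database entry.  password=None models 'Disable'."""
    name: str
    password: Optional[str] = None

    @property
    def label(self) -> str:
        return f"local user {self.name}"

    def decide(self, name: str, password: str) -> Optional[bool]:
        if self.name != name:
            return None                           # entry is for another user
        if self.password is None:
            return False                          # Disable selected: drop
        return _same(self.password, password)     # wrong password also drops


@dataclass
class RemoteServer:
    """RADIUS or LDAP server; `accounts` is a constructed stand-in directory."""
    kind: str                                     # "RADIUS" or "LDAP"
    host: str                                     # hypothetical host name
    accounts: Dict[str, str]

    @property
    def label(self) -> str:
        return f"{self.kind} {self.host}"

    def decide(self, name: str, password: str) -> Optional[bool]:
        stored = self.accounts.get(name)
        if stored is not None and _same(stored, password):
            return True
        return None                               # no match here; next member


@dataclass
class UserGroup:
    name: str
    members: List[object] = field(default_factory=list)

    def add(self, member) -> "UserGroup":
        self.members.append(member)               # order of addition = check order
        return self


def authenticate(group: UserGroup, name: str, password: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a user name/password against a group."""
    for member in group.members:
        verdict = member.decide(name, password)
        if verdict is True:
            return True, f"accepted by {member.label}"
        if verdict is False:
            return False, f"dropped by {member.label}"
    return False, "dropped: no member accepted the credentials"


# Constructed sample data (not real credentials or hosts).
RADIUS = RemoteServer("RADIUS", "radius.example.internal",
                      {"bob": "bob-pass", "dave": "dave-pass"})
LDAP = RemoteServer("LDAP", "ldap.example.internal", {"erin": "erin-pass"})

# Local entries added before the servers: the disabled entry for dave wins.
LOCAL_FIRST = (UserGroup("vpn_users")
               .add(LocalUser("alice", "alice-pass"))
               .add(LocalUser("dave"))           # Disable selected
               .add(RADIUS)
               .add(LDAP))

# RADIUS added first: dave's Disable entry is never reached.
RADIUS_FIRST = (UserGroup("vpn_users_alt")
                .add(RADIUS)
                .add(LocalUser("dave")))

if __name__ == "__main__":
    for grp, user, pw in [(LOCAL_FIRST, "alice", "alice-pass"),
                          (LOCAL_FIRST, "dave", "dave-pass"),
                          (LOCAL_FIRST, "erin", "erin-pass"),
                          (RADIUS_FIRST, "dave", "dave-pass")]:
        print(grp.name, user, authenticate(grp, user, pw))
```

The two groups contain the same kind of members; only the order differs, and dave is dropped in one and accepted in the other. When a user must be locked out, check every group that user name can reach, not just the entry in the internal database.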