Fortinet FortiGate User Manual

USER GUIDE
FortiGate User Authentication Version 1
www.fortinet.com
FortiGate User Authentication Guide
Version 1 25 August 2005 01-28007-0233-20050825
© Copyright 2005 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Introduction ........................................................................................ 5
The user’s view of authentication.................................................................... 5
Web-based user authentication .................................................................... 5
VPN client-based authentication ................................................................... 6
The FortiGate administrator’s view of authentication.................................... 6
Authentication servers................................................................................... 7
Users............................................................................................................. 7
User groups................................................................................................... 7
Authentication timeout................................................................................... 8
Firewall policies............................................................................................. 8
VPN tunnels .................................................................................................. 8
Authentication servers ...................................................................... 9
RADIUS Servers................................................................................................. 9
Understanding your RADIUS server ............................................................. 9
Configuring the FortiGate unit to use a RADIUS server................................ 9
LDAP Servers................................................................................................... 10
Understanding your LDAP server ............................................................... 11
Configuring the FortiGate unit to use an LDAP server................................ 12
Active Directory servers ................................................................................. 13
Understanding your Active Directory server................................................ 13
Configuring the FortiGate unit to use an Active Directory server ................ 13
Users and user groups.................................................................... 15
Users................................................................................................................. 15
Defining local users..................................................................................... 15
User groups...................................................................................................... 17
Protection profiles ....................................................................................... 17
Defining user groups ................................................................................... 17
Configuring authenticated access ................................................. 19
Authentication timeout.................................................................................... 19
Firewall policy authentication ........................................................................ 19
Configuring authentication for a firewall policy............................................ 20
Configuring authenticated access to the Internet........................................ 20
Firewall policy order .................................................................................... 21
VPN authentication.......................................................................................... 21
Authenticating PPTP and L2TP VPN users ................................................ 22
Authenticating remote IPSec VPN users using dialup groups .................... 23
Enabling XAuth authentication for dialup IPSec VPN clients ...................... 24
Introduction
On a FortiGate unit, you can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of the user groups that is allowed access. The user then must correctly enter a user name and password to prove his or her identity. This is called authentication.
You can configure authentication for:
• any firewall policy with Action set to ACCEPT
• PPTP and L2TP VPNs
• a dialup IPSec VPN set up as an XAUTH server (Phase 1)
• a dialup IPSec VPN that accepts user group authentication as a peer ID
This document does not describe certificate-based VPN authentication. For information about this type of authentication, see the FortiGate VPN Guide.
The user’s view of authentication
The user sees a request for authentication when trying to access the protected resource. The way in which the request is presented depends on the method of access to that resource: firewall policies usually control browsing access to an external network, so the request appears in the web browser; VPN authentication usually controls remote access to a private network, so the VPN client handles the request.
Web-based user authentication
Firewall policies usually control browsing access to an external network that provides connection to the Internet. In this case, the FortiGate unit requests authentication through the web browser.
The user types a user name and password and then selects OK. If the credentials are incorrect, the FortiGate unit redisplays the authentication screen with blank fields so that the user can try again. When the user enters valid credentials, the FortiGate unit displays a success message.
At this point, the user selects OK and can then access the required resource. Access lasts until the authentication timeout that the FortiGate administrator configures expires; the user must then authenticate again.
VPN client-based authentication
VPNs provide remote clients with access to a private network for a variety of services: web browsing, email, file shares and so on. A client program such as FortiClient negotiates the connection to the VPN and manages the user authentication challenge from the FortiGate unit.
FortiClient can store the user name and password for a VPN as part of the configuration for the VPN connection and pass them to the FortiGate unit as needed, or it can prompt the user for them when the FortiGate unit requests them. Storing the credentials is convenient, but anyone who can use that FortiClient configuration can then connect as that user, so prompting is the safer choice on shared or unmanaged computers.
User access expires after a period of inactivity called the authentication timeout, which the administrator configures. The default is five minutes. The user must then authenticate again.
Note: In firmware releases prior to version 2.80 MR6, the authentication timeout period is elapsed time, not inactive time.
The FortiGate administrator’s view of authentication
Authentication is based on user groups. You configure authentication parameters for firewall policies and VPN tunnels to permit access only to members of particular user groups. A member of a user group can be:
• a user whose user name and password are stored on the FortiGate unit
• a user whose name is stored on the FortiGate unit and whose password is stored on an external authentication server
• an external authentication server with a database that contains the user name and password of each person who is permitted access
You need to set up authentication in the following order:
1 If external authentication is needed, configure the required servers.
•See “Configuring the FortiGate unit to use a RADIUS server” on page 9.
•See “Configuring the FortiGate unit to use an LDAP server” on page 12.
•See “Configuring the FortiGate unit to use an Active Directory server” on page 13.
2 Configure local user identities. For each user, you can choose whether the FortiGate unit or an external authentication server verifies the password.
•See “Defining local users” on page 15.
3 Create user groups. Add local users to each user group as appropriate. You can also add an authentication server to a user group. In this case, all users in the server’s database can authenticate.
•See “Defining user groups” on page 17.
4 Configure firewall policies and VPN tunnels that require authenticated access.
•See “Configuring authentication for a firewall policy” on page 20.
•See “Authenticating PPTP and L2TP VPN users” on page 22.
•See “Authenticating remote IPSec VPN users using dialup groups” on page 23.
•See “Enabling XAuth authentication for dialup IPSec VPN clients” on page 24.
Authentication servers
The FortiGate unit can store user names and passwords and use them to authenticate users. In an enterprise environment, it might be more convenient to use the same system that provides authentication for local area network access, email and other services. Users who access the corporate network from home or while traveling could use the same user name and password that they use at the office.
You can configure the FortiGate unit to work with external authentication servers in two different ways:
• Add the authentication server to a user group. Anyone in the server’s database is a member of the user group. This is a simple way to provide access to the corporate VPN for all employees, for example. You do not need to configure individual users on the FortiGate unit. Because the FortiGate unit admits every account the server accepts, the server’s user database, not the FortiGate unit, then decides who can reach the resource.
• Specify the authentication server instead of a password when you configure the individual user identity on the FortiGate unit. The user name must exist on both the FortiGate unit and the authentication server; user names that exist only on the authentication server cannot authenticate on the FortiGate unit. This method enables you to provide access only to selected employees, for example.
You cannot combine these two uses of an authentication server in the same user group. If you add the server to the user group, adding individual users that authenticate to that server is redundant.
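As an added example that is not part of the original guide, the following FortiOS CLI fragment carries out the four setup steps listed above and shows both ways of using an authentication server described in this section: a group whose only member is the RADIUS server, and a group of locally defined users, one of whom has the server verify the password. The server address, shared secret, user, group, interface and protection profile names are assumed. The keywords follow the FortiOS CLI of later releases and may differ in the 2.80 firmware this guide covers, so check them against the CLI Reference for your firmware before use.

```fortios
# Added example with assumed names and addresses; not configuration from the guide.
# Step 1: the external authentication server (assumed RADIUS host 192.0.2.10).
config user radius
    edit "corp-radius"
        set server "192.0.2.10"
        set secret "replace-with-a-long-random-shared-secret"
    next
end
# Step 2: local user identities. "alice" is verified by the RADIUS server and
# so must also exist in its database; "bob" has a password stored on the unit.
config user local
    edit "alice"
        set type radius
        set radius-server "corp-radius"
    next
    edit "bob"
        set type password
        set passwd "replace-with-bobs-password"
    next
end
# Step 3: user groups. "selected-staff" admits only the two named users.
# "all-employees" admits anyone the RADIUS server accepts, so the server's
# database decides membership. Do not mix the two styles in one group.
config user group
    edit "selected-staff"
        set member "alice" "bob"
        set profile "strict"
    next
    edit "all-employees"
        set member "corp-radius"
        set profile "strict"
    next
end
# Step 4: an Internal to External policy that requires authentication.
# The group's protection profile ("strict") applies, not the policy's own.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ANY"
        set action accept
        set groups "selected-staff"
    next
end
```

To open the same policy to every account the RADIUS server accepts, set groups to "all-employees" instead; a firewall policy may name several groups, whereas a VPN tunnel is limited to one, as the next sections describe.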
Users
If you want to use external authentication servers, you must configure them before you configure users and user groups.
You define user identities in the User > Local page of the web-based manager. Although it is simpler to define passwords locally, when there are many users the administrative effort to maintain the database is considerable. Users cannot change their own passwords on the FortiGate unit. When an external authentication server is part of an enterprise network authentication system, users can change their own passwords, so a password that has been exposed can be replaced promptly.
User groups
A user group can contain individual users and authentication servers. A user or authentication server can belong to more than one group.
Authentication is group based. Firewall policies can allow multiple groups access, but authentication for a VPN allows access to only one group. These considerations affect how you define the groups for your organization. Usually you need a user group for each VPN. For firewall policies, you can create user groups that reflect how you manage network privileges in your organization. For example, you might create a user group for each department, or create user groups based on functions such as customer support or account manager.
You select a protection profile for each User Group. Protection profiles determine the level of web filtering, antivirus protection and spam filtering applied to traffic controlled by the firewall policy to which members of this user group authenticate. For more information about protection profiles, see the FortiGate Administration Guide.
Authentication timeout
An authenticated connection expires when it has been idle for a length of time that you specify. There is a single authentication timeout value that applies to every case. The choice of timeout duration is a balance between security and user convenience. The default is five minutes. For information about setting the authentication timeout, see “Authentication timeout” on page 19.
Note: In firmware releases prior to version 2.80 MR6, the authentication timeout period is elapsed time, not inactive time.
Firewall policies
Access control is defined in the firewall policy that provides access to the network resource. For example, access to the Internet through the external interface from workstations on the internal network is made possible by an Internal to External firewall policy.
Firewall policies apply web filtering, antivirus protection and spam filtering to the traffic they control according to a protection profile. When a firewall policy requires authentication, its own protection profile option is disabled and the user group’s protection profile applies instead.
For more information about firewall policies and protection profiles, see the Firewall chapter of the FortiGate Administration Guide.
VPN tunnels
When you configure a PPTP or L2TP VPN, you choose one user group to be permitted access. For IPSec VPNs, you can use authentication by user group or XAUTH authentication using an external authentication server as an alternative to authentication by peer ID.
For more information about VPNs, see the FortiGate VPN Guide.