Fortinet FortiGate User Manual

USER GUIDE
FortiGate User Authentication Version 1
www.fortinet.com
FortiGate User Authentication Guide
Version 1 25 August 2005 01-28007-0233-20050825
© Copyright 2005 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Introduction ........................................................................................ 5
The user’s view of authentication.................................................................... 5
Web-based user authentication .................................................................... 5
VPN client-based authentication ................................................................... 6
The FortiGate administrator’s view of authentication.................................... 6
Authentication servers................................................................................... 7
Users............................................................................................................. 7
User groups................................................................................................... 7
Authentication timeout................................................................................... 8
Firewall policies............................................................................................. 8
VPN tunnels .................................................................................................. 8
Authentication servers ...................................................................... 9
RADIUS Servers................................................................................................. 9
Understanding your RADIUS server ............................................................. 9
Configuring the FortiGate unit to use a RADIUS server................................ 9
LDAP Servers................................................................................................... 10
Understanding your LDAP server ............................................................... 11
Configuring the FortiGate unit to use an LDAP server................................ 12
Active Directory servers ................................................................................. 13
Understanding your Active Directory server................................................ 13
Configuring the FortiGate unit to use an Active Directory server ................ 13
Users and user groups.................................................................... 15
Users................................................................................................................. 15
Defining local users..................................................................................... 15
User groups...................................................................................................... 17
Protection profiles ....................................................................................... 17
Defining user groups ................................................................................... 17
Configuring authenticated access ................................................. 19
Authentication timeout.................................................................................... 19
Firewall policy authentication ........................................................................ 19
Configuring authentication for a firewall policy............................................ 20
Configuring authenticated access to the Internet........................................ 20
Firewall policy order .................................................................................... 21
VPN authentication.......................................................................................... 21
Authenticating PPTP and L2TP VPN users ................................................ 22
Authenticating remote IPSec VPN users using dialup groups .................... 23
Enabling XAuth authentication for dialup IPSec VPN clients ...................... 24
FortiGate User Authentication Version 1 Guide 01-28007-0233-20050825 3
Introduction
On a FortiGate unit, you can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of the user groups that is allowed access. The user then must correctly enter a user name and password to prove his or her identity. This is called authentication.
You can configure authentication for:
• any firewall policy with Action set to ACCEPT
• PPTP and L2TP VPNs
• a dialup IPSec VPN set up as an XAUTH server (Phase 1)
• a dialup IPSec VPN that accepts user group authentication as a peer ID
This document does not describe certificate-based VPN authentication. For information about this type of authentication, see the FortiGate VPN Guide.
The user’s view of authentication
The user sees a request for authentication when trying to access the protected resource. The way in which the request is presented to the user depends on the method of access to that resource: firewall policies usually control browsing access to an external network, and VPN authentication usually controls remote access to a private network.
Web-based user authentication
Firewall policies usually control browsing access to an external network that provides connection to the Internet. In this case, the FortiGate unit requests authentication through the web browser.
The user types a user name and password and then selects OK. If the credentials are incorrect, the FortiGate unit redisplays the authentication screen with blank fields so that the user can try again. When the user enters valid credentials, the FortiGate unit displays a success message.
At this point, the user selects OK and then can access the required resource. The user gains access for the duration of the authentication timeout that the FortiGate administrator configures. When this time period expires, the user must authenticate again.
VPN client-based authentication
VPNs provide remote clients with access to a private network for a variety of services: web browsing, email, file shares and so on. A client program such as FortiClient negotiates the connection to the VPN and manages the user authentication challenge from the FortiGate unit.
FortiClient can store the user name and password for a VPN as part of the configuration for the VPN connection and pass them to the FortiGate unit as needed. Or, FortiClient can request the user name and password from the user when the FortiGate unit requests them.
User access expires after a period of inactivity, the authentication timeout, that the administrator configures. The default is five minutes. The user must then authenticate again.
Note: In firmware releases prior to version 2.80 MR6, the authentication timeout period is elapsed time, not inactive time.
The FortiGate administrator’s view of authentication
Authentication is based on user groups. You configure authentication parameters for firewall policies and VPN tunnels to permit access only to members of particular user groups. A member of a user group can be:
• a user whose user name and password are stored on the FortiGate unit
• a user whose name is stored on the FortiGate unit and whose password is stored on an external authentication server
• an external authentication server with a database that contains the user name and password of each person who is permitted access
You need to set up authentication in the following order:
1 If external authentication is needed, configure the required servers.
• See “Configuring the FortiGate unit to use a RADIUS server” on page 9.
• See “Configuring the FortiGate unit to use an LDAP server” on page 12.
• See “Configuring the FortiGate unit to use an Active Directory server” on page 13.
2 Configure local user identities. For each user, you can choose whether the FortiGate unit or an external authentication server verifies the password.
• See “Defining local users” on page 15.
3 Create user groups. Add local users to each user group as appropriate. You can also add an authentication server to a user group. In this case, all users in the server’s database can authenticate.
• See “Defining user groups” on page 17.
4 Configure firewall policies and VPN tunnels that require authenticated access.
• See “Configuring authentication for a firewall policy” on page 20.
• See “Authenticating PPTP and L2TP VPN users” on page 22.
• See “Authenticating remote IPSec VPN users using dialup groups” on page 23.
• See “Enabling XAuth authentication for dialup IPSec VPN clients” on page 24.
Authentication servers
The FortiGate unit can store user names and passwords and use them to authenticate users. In an enterprise environment, it might be more convenient to use the same system that provides authentication for local area network access, email and other services. Users who access the corporate network from home or while traveling could use the same user name and password that they use at the office.
You can configure the FortiGate unit to work with external authentication servers in two different ways:
• Add the authentication server to a user group. Anyone in the server’s database is a member of the user group. This is a simple way to provide access to the corporate VPN for all employees, for example. You do not need to configure individual users on the FortiGate unit.
or
• Specify the authentication server instead of a password when you configure the individual user identity on the FortiGate unit. The user name must exist on both the FortiGate unit and the authentication server. User names that exist only on the authentication server cannot authenticate on the FortiGate unit. This method enables you to provide access only to selected employees, for example.
You cannot combine these two uses of an authentication server in the same user group. If you add the server to the user group, adding individual users with authentication to that server is redundant.
Users
If you want to use external authentication servers, you must configure them before you configure users and user groups.
You define user identities in the User > Local page of the web-based manager. Although it is simpler to define passwords locally, when there are many users the administrative effort to maintain the database is considerable. Users cannot change their own passwords on the FortiGate unit. When an external authentication server is part of an enterprise network authentication system, users can change their own passwords. Frequent changing of passwords is a good security practice.
User groups
A user group can contain individual users and authentication servers. A user or authentication server can belong to more than one group.
Authentication is group based. Firewall policies can allow multiple groups access, but authentication for a VPN allows access to only one group. These considerations affect how you define the groups for your organization. Usually you need a user group for each VPN. For firewall policies, you can create user groups that reflect how you manage network privileges in your organization. For example, you might create a user group for each department or create user groups based on functions such as customer support or account manager.
You select a protection profile for each User Group. Protection profiles determine the level of web filtering, antivirus protection and spam filtering applied to traffic controlled by the firewall policy to which members of this user group authenticate. For more information about protection profiles, see the FortiGate Administration Guide.
Authentication timeout
An authenticated connection expires when it has been idle for a length of time that you specify. There is a single authentication timeout value that applies to every case. The choice of timeout duration is a balance between security and user convenience. The default is five minutes. For information about setting the authentication timeout, see “Authentication timeout” on page 19.
Note: In firmware releases prior to version 2.80 MR6, the authentication timeout period is elapsed time, not inactive time.
Firewall policies
Access control is defined in the firewall policy that provides access to the network resource. For example, access to the Internet through the external interface from workstations on the internal network is made possible by an Internal to External firewall policy.
Firewall policies apply web filtering, antivirus protection and spam filtering to the traffic they control according to a protection profile. When a firewall policy requires authentication, its own protection profile option is disabled and the user group’s protection profile applies.
For more information about firewall policies and protection profiles, see the Firewall chapter of the FortiGate Administration Guide.
VPN tunnels
When you configure a PPTP or L2TP VPN, you choose one user group to be permitted access. For IPSec VPNs, you can use authentication by user group or XAUTH authentication using an external authentication server as an alternative to authentication by peer ID.
For more information about VPNs, see the FortiGate VPN Guide.
Authentication servers
FortiGate units support the following external authentication servers:
• RADIUS
• LDAP
• Microsoft Active Directory
If you are going to use authentication servers, you must configure the servers before you configure FortiGate users or user groups that require them. An authentication server can provide password checking for selected FortiGate users or it can be added as a member of a FortiGate user group.
RADIUS Servers
Remote Authentication Dial-In User Service (RADIUS) servers provide authentication, authorization and accounting functions. FortiGate units use the authentication function of the RADIUS server.
Understanding your RADIUS server
Your RADIUS server listens on either port 1812 or port 1645 for authentication requests. You must configure it to accept the FortiGate unit as a client.
The RADIUS server user database can be any combination of:
• user names and passwords defined in a configuration file
• an SQL database
• the user account names and passwords configured on the computer where the RADIUS server is installed
The RADIUS server uses a “shared secret” key to encrypt information passed between it and clients such as the FortiGate unit.
See the documentation provided with your RADIUS server for configuration details.
Configuring the FortiGate unit to use a RADIUS server
On the FortiGate unit, the default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645, you can either
• Reconfigure the RADIUS server to use port 1812. See your RADIUS server documentation for more information.
or
• Change the FortiGate unit default RADIUS port to 1645 using the CLI:
config system global
    set radius_port 1645
end
To configure the FortiGate unit, you need to know the server’s domain name or IP address and its shared secret key.
To configure the FortiGate unit for RADIUS authentication - web-based manager
1 Go to User > RADIUS.
2 Select Create New to add a new RADIUS server or select the Edit icon to edit an existing configuration.
3 Enter the Name of the RADIUS server.
4 Enter the domain name or IP address of the RADIUS server.
5 Enter the RADIUS server secret.
6 Select OK.
To configure the FortiGate unit for RADIUS authentication - CLI
config user radius
    edit <name>
        set secret <password>
        set server <ip_address>
end
To remove a RADIUS server from the FortiGate unit configuration
You cannot remove a RADIUS server that belongs to a user group. Remove it from the user group first.
1 Go to User > RADIUS.
2 Select the Delete icon beside the RADIUS server name that you want to remove.
3 Select OK.
To remove a RADIUS server from the FortiGate unit configuration - CLI
config user radius
    delete <name>
end
LDAP Servers
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain databases of user names, passwords, email addresses and other information.
The scale of LDAP servers ranges from big public servers such as BigFoot and Infospace to large organizational servers at universities and corporations to small LDAP servers for workgroups. This document focuses on the institutional and workgroup applications of LDAP.
The FortiGate unit supports LDAP protocol functionality as defined in RFC 2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3.
FortiGate LDAP does not support proprietary functionality, such as notification of password expiration, which is available from some LDAP servers. FortiGate LDAP does not supply information to the user about why authentication failed.
Understanding your LDAP server
To configure your FortiGate unit to work with an LDAP server, you need to understand the organization of the information on the server.
The top of the hierarchy is the organization itself. Usually this is defined as Domain Component (DC), a DNS domain. If the name contains a dot, such as “example.com”, it is written as two parts: “dc=example,dc=com”.
In this example, Common Name (CN) identifiers reside at the Organization Unit (OU) level, just above DC. The Distinguished Name (DN) is ou=People,dc=example,dc=com.
In addition to the DN, the FortiGate unit needs an identifier for the individual person. Although the FortiGate unit GUI calls this the Common Name (CN), the identifier you use is not necessarily CN. On some servers, CN is the full name of a person. It might be more convenient to use the same identifier used on the local computer network. In this example, User ID (UID) is used.
You need to determine the levels of the hierarchy from the top to the level that contains the identifier you want to use. This defines the DN that the FortiGate unit uses to search the LDAP database. Frequently used distinguished name elements include:
• pw (password)
• cn (common name)
• ou (organizational unit)
• o (organization)
• c (country)
One way to test this is with a text-based LDAP client program. For example, OpenLDAP includes a client, ldapsearch, that you can use for this purpose. Enter the following command:
ldapsearch -x '(objectclass=*)'
The output is lengthy, but the information you need is in the first few lines:
version: 2
#
# filter: (objectclass=*)
# requesting: ALL
#
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
...
dn: uid=auser,ou=People,dc=example,dc=com
uid: auser
cn: Alex User
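The steps above (find the user entry, take its RDN attribute as the common name identifier and everything above it as the DN) can be automated over the ldapsearch output. The following is an added example, not Fortinet code: it parses a constructed LDIF sample modelled on the output shown above and renders the matching config user ldap block; the server name and address are placeholders.

```python
"""Derive FortiGate LDAP settings (cnid, dn) from ldapsearch LDIF output.

Added example, not Fortinet code. It parses LDIF text of the kind shown
in the guide, locates the entry for a login name, and prints the
'config user ldap' block that would be entered on the unit.
"""

# Constructed sample, mirroring the ldapsearch output shown in the guide.
SAMPLE_LDIF = """version: 2
#
# filter: (objectclass=*)
# requesting: ALL
#
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=auser,ou=People,dc=example,dc=com
uid: auser
cn: Alex User
objectClass: inetOrgPerson
"""


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per LDIF entry.

    Comment lines and the version line are skipped; a blank line ends an
    entry; a line starting with a space continues the previous value.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#") or raw.startswith("version:"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]   # folded continuation line
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def split_dn(dn):
    """Split 'uid=auser,ou=People,dc=example,dc=com' into (attr, value) pairs.
    Escaped commas inside values are not handled; the sample has none."""
    return [tuple(part.split("=", 1)) for part in dn.split(",")]


def fortigate_ldap_settings(ldif_text, login_name):
    """Return (cnid, dn) for the entry whose RDN value equals login_name:
    cnid is the RDN attribute (uid here, not cn), dn is the search base
    formed by the remaining RDNs above the user entry."""
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [None])[0]
        if not dn:
            continue
        rdn_attr, rdn_value = split_dn(dn)[0]
        if rdn_value == login_name:
            base = ",".join(f"{a}={v}" for a, v in split_dn(dn)[1:])
            return rdn_attr, base
    raise LookupError(f"no entry whose RDN value is {login_name!r}")


def render_cli(name, server, cnid, dn):
    """Render the 'config user ldap' block in the guide's CLI syntax."""
    return "\n".join([
        "config user ldap",
        f"    edit {name}",
        f"        set cnid {cnid}",
        f"        set dn {dn}",
        f"        set server {server}",
        "end",
    ])


if __name__ == "__main__":
    cnid, dn = fortigate_ldap_settings(SAMPLE_LDIF, "auser")
    # Placeholder server name and address (constructed for the example).
    print(render_cli("ldap_example", "192.0.2.10", cnid, dn))
```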
Configuring the FortiGate unit to use an LDAP server
After you determine the common name and distinguished name identifiers and the domain name or IP address of the LDAP server, you can configure the server on the FortiGate unit.
To configure the FortiGate unit for LDAP authentication - web-based manager
1 Go to User > LDAP.
2 Select Create New to add a new LDAP server, or select the Edit icon to edit an existing configuration.
3 Enter a name for the LDAP server.
4 Enter the domain name or IP address of the LDAP server.
5 Enter the port used to communicate with the LDAP server.
6 Enter the common name identifier for the LDAP server.
7 Enter the distinguished name used to look up entries on the LDAP server.
8 Select OK.
To configure the FortiGate unit for LDAP authentication - CLI
config user ldap
    edit <name>
        set cnid <common_name_identifier>
        set dn <distinguished_name>
        set server <ip_address>
end
To remove an LDAP server from the FortiGate unit configuration
You cannot remove an LDAP server that belongs to a user group. Remove it from the user group first.
1 Go to User > LDAP.
2 Select Delete beside the LDAP server name that you want to remove.
3 Select OK.
To remove an LDAP server from the FortiGate unit configuration - CLI
config user ldap
    delete <name>
end
Active Directory servers
An Active Directory server stores information about network objects, such as users, systems and services, on Microsoft Windows networks. It first became available in Windows 2000 Server.
Understanding your Active Directory server
An Active Directory server organizes information hierarchically, similar to an LDAP server. Although it accepts LDAP queries, the Active Directory server’s native form of query is simpler. It does not require a common name identifier or a distinguished name. For each object there is a shortcut to the distinguished name called the User Principal Name (UPN). The UPN looks similar to an email address. It consists of a short name like a user ID, followed by an “@” symbol, followed by the server domain name: auser@example.com, for example. The user enters this as the user name at the authentication prompt.
Configuring the FortiGate unit to use an Active Directory server
You can configure the FortiGate unit to access the Active Directory server using either distinguished name or UPN.
To configure the FortiGate unit for Active Directory server authentication
1 Go to User > LDAP.
2 Select Create New to add a new LDAP server, or select the Edit icon to edit an existing configuration.
3 Enter a name for the Active Directory server.
4 Enter the domain name or IP address of the Active Directory server.
5 Enter the port used to communicate with the Active Directory server.
6 Enter the common name identifier. If you want users to authenticate by UPN, leave this field blank.
7 Enter the distinguished name used to look up entries on the server. If you want users to authenticate by UPN, leave this field blank.
8 Select OK.
To configure Active Directory server authentication using LDAP queries - CLI
config user ldap
    edit <name>
        set cnid <common_name_identifier>
        set dn <distinguished_name>
        set server <ip_address>
end
To configure Active Directory server authentication using UPN queries - CLI
config user ldap
    edit <name>
        set server <ip_address>
end
To remove an Active Directory server from the FortiGate unit configuration
You cannot remove an Active Directory server that has been added to a user group. Remove it from the user group first.
1 Go to User > LDAP.
2 Select Delete beside the server name that you want to delete.
3 Select OK.
To remove an Active Directory server from the FortiGate unit configuration - CLI
config user ldap
    delete <name>
end
Users and user groups
Authentication is based on user groups. First you configure users, then you create user groups and add users to them.
Users
A user is a user account configured on the FortiGate unit and/or on an external authentication server. Users can access resources that require authentication only if they are members of an allowed user group.
Table 1: How the FortiGate unit authenticates different types of users
User type | Authentication
Local user with password stored on the FortiGate unit | The user name and password must match a user account stored on the FortiGate unit.
Local user with password stored on an authentication server | The user name must match a user account stored on the FortiGate unit and the user name and password must match a user account stored on the authentication server associated with that user.
Authentication server user | Any user with an identity on the authentication server can authenticate on the FortiGate unit by providing a user name and password that match a user identity stored on the authentication server.
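The three rows of Table 1, and the rule from the Introduction that a name existing only on the server cannot authenticate unless the server itself is a group member, can be modelled directly. This is an added example, not Fortinet code: the RADIUS server, users, group names and passwords are constructed stand-ins, and the server lookup is a dictionary rather than a network query.

```python
"""Model of the three user types in Table 1 applied to one user group.

Added example, not Fortinet code. The server, users and passwords are
constructed stand-ins; a real RADIUS or LDAP server would be queried
over the network instead of a dict lookup.
"""
from dataclasses import dataclass, field
import hmac


def _same(a, b):
    """Constant-time comparison of two secrets."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class AuthServer:
    """An external RADIUS or LDAP server with its own account database."""
    name: str
    accounts: dict  # user name -> password (constructed for the example)

    def check(self, user, password):
        stored = self.accounts.get(user)
        return stored is not None and _same(stored, password)


@dataclass
class LocalUser:
    """A 'config user local' entry: 'type password' or a server type."""
    name: str
    password: str = None       # set when the password is stored on the unit
    server: AuthServer = None  # set when the server verifies the password


@dataclass
class UserGroup:
    name: str
    members: list = field(default_factory=list)  # LocalUser and/or AuthServer


def authenticate(group, user, password):
    """Apply the rules of Table 1 to one group. Returns (ok, how)."""
    for member in group.members:
        if isinstance(member, LocalUser) and member.name == user:
            if member.server is None:
                # Local user with password stored on the FortiGate unit.
                return _same(member.password or "", password), "local password"
            # Name stored on the unit, password verified by the server.
            return member.server.check(user, password), f"via {member.server.name}"
        if isinstance(member, AuthServer) and member.check(user, password):
            # Authentication server user: any identity on the server qualifies.
            return True, f"member of {member.name}"
    # No local entry for this name and no server in the group accepted it.
    return False, "no matching member"


# Constructed example: one RADIUS server used in the two ways the guide
# describes, selected users only (SELECTED) or everyone on it (ALL_STAFF).
RADIUS = AuthServer("radius_hq", {"alice": "alice-pw", "carol": "carol-pw"})
SELECTED = UserGroup("selected_staff", [
    LocalUser("bob", password="bob-pw"),  # type password
    LocalUser("alice", server=RADIUS),    # type radius
])
ALL_STAFF = UserGroup("all_staff", [RADIUS])  # the server itself is the member

if __name__ == "__main__":
    for group, user, pw in [(SELECTED, "bob", "bob-pw"), (SELECTED, "alice", "alice-pw"),
                            (SELECTED, "carol", "carol-pw"), (ALL_STAFF, "carol", "carol-pw")]:
        print(group.name, user, authenticate(group, user, pw))
```

Note that carol, who exists only on the server, is refused by the selected_staff group but accepted by all_staff.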
This section describes how to configure local users. For information about configuration of authentication servers see “Authentication servers” on page 9.
Defining local users
To define a local user you need:
• a user name
• a password or the name of an authentication server that has been configured on the FortiGate unit
If the user is authenticated externally, the user name on the FortiGate unit must be identical to the user name on the authentication server.
To define a local user - web-based manager
1 Go to User > Local.
2 Select Create New.
3 Enter the user name.
4 Do one of the following:
• To authenticate this user locally, select Password and type a password.
• To authenticate this user using an LDAP or Active Directory server, select LDAP and select the server name.
• To authenticate this user using a RADIUS server, select RADIUS and select the server name.
If you want to use an authentication server, you must configure access to it first. See “Authentication servers” on page 9.
5 Select OK.
To define a local user - CLI
config user local
    edit <user_name>
        set type password
        set passwd <user_password>
end
or
config user local
    edit <user_name>
        set type ldap
        set ldap_server <server_name>
end
or
config user local
    edit <user_name>
        set type radius
        set radius_server <server_name>
end
User groups
User groups have users or authentication servers as members. Firewall policies and some types of VPN configurations allow access to user groups, not to individual users.
Protection profiles
Each user group is associated with a protection profile to determine the antivirus, web filtering, spam filtering, and intrusion protection settings that apply to the authenticated connection. The FortiGate unit contains several pre-configured protection profiles and you can create your own as needed.
When you create or modify any firewall policy, you can select a protection profile. But when a firewall policy requires authentication, its own protection profile is disabled and the user group protection profile applies. For more information about protection profiles, see “Protection profile” in the Firewall chapter of the FortiGate Administration Guide for your unit.
Protection profiles do not apply to VPN connections.
Defining user groups
You define a user group by typing a name, selecting users and/or authentication servers and selecting a protection profile.
To define a group - web-based manager
1 Go to User > User Group.
2 Select Create New.
3 Enter a name for the user group.
4 One at a time, select user names from the Available Users list and select the right-pointing arrow to move them to the Members List. In the lists, users defined in User > Local are listed under Local Users and authentication servers are listed under Users on RADIUS/LDAP servers.
5 If you are using this user group for firewall policy authentication, select a protection profile.
6 Select OK.
To define a group - CLI
config user group
    edit <group_name>
        set member <user1> <user2> ... <usern>
        set profile <profile_name>
end
Configuring authenticated access
When you have configured authentication servers, users and user groups, you are ready to configure firewall policies and certain types of VPNs to require user authentication.
This chapter describes:
• how to set the authentication timeout for all authenticated connections
• how to configure authentication in firewall policies
• how to configure authentication for PPTP and L2TP VPNs and certain configurations of IPSec VPNs
Authentication timeout
Set the firewall user authentication timeout (Auth Timeout) to control how long an authenticated connection can be idle before the user must authenticate again. The maximum timeout is 480 minutes (8 hours). The default timeout is 15 minutes.
To set the authentication timeout
1 Go to System > Config > Options.
2 Enter the Auth Timeout value (minutes).
3 Select Apply.
Firewall policy authentication
Firewall policies control traffic between FortiGate interfaces, both physical interfaces and VLAN subinterfaces. Without authentication, a firewall policy enables access from one network to another for all users on the source network. Authentication enables you to allow access only for users who are members of selected user groups.
You can configure user authentication only for firewall policies where the Action is Accept.
Configuring authentication for a firewall policy
Authentication is an Advanced firewall option.
To configure authentication for a firewall policy
1 Create users and one or more user groups. For more information, see “Users and user groups” on page 15.
2 Go to Firewall > Policy.
3 Select Create New and create a new policy or select Edit on an existing policy.
4 From the Action list, select ACCEPT.
5 Configure the other firewall policy parameters as appropriate. For information about firewall policies, see the Firewall chapter of the FortiGate Administration Guide.
6 Select Advanced.
7 Select Authentication.
8 One at a time, select user group names from the Available Groups list and select the right-pointing arrow button to move them to the Allowed list. All members of the groups in the Allowed list will be authenticated to use the firewall policy.
9 Select OK.
Configuring authenticated access to the Internet
A policy for accessing the Internet is similar to a policy for accessing a specific network, but the destination address is set to all. The destination interface is the one that connects to the Internet service provider. For general purpose Internet access, the Service is set to ANY.
Access to HTTP, HTTPS, FTP and Telnet sites may require access to a domain name service. DNS requests do not trigger authentication. You must configure a policy to permit unauthenticated access to the appropriate DNS server, and this policy must precede the policy for Internet access.
To configure a firewall policy for access to a DNS server
1 Go to Firewall > Policy.
2 Select Create New.
3 From the Source Interface/Zone list, select the interface to which computers on your network are connected.
4 From the Destination Interface/Zone list, select the interface that connects to the Internet.
5 Set Source Address and Destination Address to all.
6 From the Schedule list, select always.
7 From the Service list, select DNS.
8 From the Action list, select ACCEPT.
9 Select OK.
10 In the Policy list, select Move To for the DNS policy and move it so that it precedes the policy that provides access to the Internet.
The FortiGate unit performs authentication only on requests to access HTTP, HTTPS, FTP and Telnet. Once the user is authenticated, the user can access other services if the firewall policy permits.
Firewall policy order
The firewall policies that you create must be correctly placed in the policy list to be effective. The firewall evaluates a connection request by checking the policy list from the top down, looking for the first policy that matches the source and destination addresses of the packet. Keep these rules in mind:
More specific policies must be placed above more general ones.
Any policy that requires authentication must be placed above any similar policy that does not.
If a user fails authentication, the firewall drops the request and does not check for a match with any of the remaining policies.
If you create a policy that requires authentication for HTTP access to the Internet, you must precede this policy with a policy for unauthenticated access to the appropriate DNS server.
To change the position of a policy in the policy list
1 Go to Firewall > Policy.
2 If necessary, expand the list to view your policies.
3 Select the Move To icon beside the policy you want to move.
4 Select the position for the policy.
5 Select OK.
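The ordering rules above, and the DNS-before-Internet requirement from the previous section, are easiest to see in a small model of how the policy list is walked. The following Python is an added example written for this guide, not Fortinet code and not a FortiOS feature: it evaluates a constructed policy list top down, stops at the first address/service match, drops a request whose authentication fails (or whose service, such as DNS, cannot trigger the login prompt) without consulting later policies, and flags any policy that an earlier, more general policy shadows. The policy names, address object names and group names are invented for the illustration.

```python
"""Model of FortiGate firewall-policy evaluation as the guide describes it:
top-down, first match wins, an authentication failure drops the request
without checking later policies, and only HTTP/HTTPS/FTP/Telnet can trigger
the authentication prompt.  All policies and requests here are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

WILDCARDS = {"all", "ANY"}                       # address "all", service "ANY"
AUTH_TRIGGER_SERVICES = {"HTTP", "HTTPS", "FTP", "TELNET"}


@dataclass(frozen=True)
class Policy:
    name: str
    src: str                                     # source address object name
    dst: str                                     # destination address object name
    service: str                                 # "ANY" or one service name
    action: str = "ACCEPT"
    allowed_groups: FrozenSet[str] = frozenset()  # empty: no authentication


@dataclass(frozen=True)
class Request:
    src: str
    dst: str
    service: str
    groups: FrozenSet[str] = frozenset()         # groups the user can prove
    authenticated: bool = False                  # existing authenticated session?


def _match(policy_value: str, request_value: str) -> bool:
    return policy_value in WILDCARDS or policy_value == request_value


def _covers(general: Policy, specific: Policy) -> bool:
    """True when every request matched by `specific` is also matched by `general`."""
    pairs = ((general.src, specific.src), (general.dst, specific.dst),
             (general.service, specific.service))
    return all(_match(g, s) for g, s in pairs)


def evaluate(policies: List[Policy], req: Request) -> Tuple[str, str]:
    """Return (decision, policy_name) from the first policy whose addresses and
    service match; anything matching no policy is implicitly denied."""
    for p in policies:
        if not (_match(p.src, req.src) and _match(p.dst, req.dst)
                and _match(p.service, req.service)):
            continue
        if p.action != "ACCEPT":
            return ("DENY", p.name)
        if not p.allowed_groups:
            return ("ACCEPT", p.name)
        # Authentication is required by this policy.  A service that cannot
        # trigger the login prompt (for example DNS) is dropped here, a failed
        # login is dropped too, and the remaining policies are never checked.
        if not (req.authenticated or req.service in AUTH_TRIGGER_SERVICES):
            return ("DROP_NO_AUTH_PROMPT", p.name)
        if p.allowed_groups & req.groups:
            return ("ACCEPT", p.name)
        return ("DROP_AUTH_FAILED", p.name)
    return ("DENY", "implicit")


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of policies that can never match because an earlier policy that is
    at least as general catches every request first (an ordering mistake)."""
    return [p.name for i, p in enumerate(policies)
            if any(_covers(q, p) for q in policies[:i])]


# Constructed sample: unauthenticated DNS access and authenticated Internet access.
DNS_POLICY = Policy("dns-unauth", "all", "dns-server", "DNS")
INTERNET_POLICY = Policy("internet-auth", "all", "all", "ANY",
                         allowed_groups=frozenset({"staff"}))
CORRECT_ORDER = [DNS_POLICY, INTERNET_POLICY]
WRONG_ORDER = [INTERNET_POLICY, DNS_POLICY]

DNS_QUERY = Request("lan-host", "dns-server", "DNS")
WEB_STAFF = Request("lan-host", "web-site", "HTTP", groups=frozenset({"staff"}))
WEB_GUEST = Request("lan-host", "web-site", "HTTP", groups=frozenset({"guests"}))
MAIL_AFTER_LOGIN = Request("lan-host", "mail-host", "SMTP",
                           groups=frozenset({"staff"}), authenticated=True)


if __name__ == "__main__":
    for order, label in ((CORRECT_ORDER, "correct"), (WRONG_ORDER, "wrong")):
        print(label, "order; shadowed policies:", shadowed(order))
        for r in (DNS_QUERY, WEB_STAFF, WEB_GUEST, MAIL_AFTER_LOGIN):
            print("  ", r.service, sorted(r.groups), evaluate(order, r))
```

With the DNS policy first, the unauthenticated DNS query is accepted and the HTTP request reaches the authenticating policy; with the order reversed, the DNS query hits the authenticating policy, cannot trigger a login, and is dropped, which is why `shadowed()` reports the DNS policy as unreachable. The `MAIL_AFTER_LOGIN` request shows the guide's point that a user who has already authenticated can use other services the policy permits.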
VPN authentication
All VPN configurations require users to authenticate. Authentication based on
user groups applies to:
PPTP and L2TP VPNs
an IPSec VPN that authenticates users using dialup groups
a dialup IPSec VPN that uses XAUTH authentication (Phase 1)
This document does not describe the use of certificates for VPN authentication.
See the FortiGate VPN Guide for information on this type of authentication.
You must create user accounts and user groups before performing the procedures in this section. If you create a user group for dialup IPSec clients or peers that have unique peer IDs, their user accounts must be stored locally on the FortiGate unit. You cannot authenticate these types of users using a RADIUS or LDAP server.
Authenticating PPTP and L2TP VPN users
On FortiGate units, configuration for PPTP and L2TP VPNs is very similar. The procedures in this section apply to both types.
To configure authentication for a PPTP or L2TP VPN - web-based manager
1 Configure the users who are permitted to use this VPN. Create a user group and add them to it. For more information, see “Users and user groups” on page 15.
2 Go to VPN > PPTP or VPN > L2TP as required.
3 Select Enable PPTP or Enable L2TP.
4 Enter Starting IP and Ending IP addresses. This defines the range of addresses assigned to VPN clients.
5 Select the user group that is to have access to this VPN. The FortiGate unit authenticates members of this user group.
6 Select Apply.
To configure authentication for a PPTP or L2TP VPN - CLI
config vpn pptp
    set sip <starting_ip>
    set eip <ending_ip>
    set status enable
    set usrgrp <user_group_name>
end
Note: The commands for an L2TP VPN are the same, except that the first command is
config vpn l2tp.
You also need to define a firewall policy that permits packets to pass from VPN clients with addresses in the specified range to IP addresses that the VPN clients need to access on the private network behind the FortiGate unit. The action for this firewall policy is ACCEPT, not ENCRYPT, because the allowed user group is defined in the PPTP or L2TP VPN configuration, not in the firewall policy.
For detailed information about configuring PPTP or L2TP VPNs, see “Configuring PPTP VPNs” or “Configuring L2TP VPNs” in the FortiGate VPN Guide.
Authenticating remote IPSec VPN users using dialup groups
An IPSec VPN on a FortiGate unit can authenticate remote users through a dialup
group instead of using peer IDs. For information about authentication using peer
IDs and peer groups, see “Enabling VPN peer identification“ in the FortiGate VPN
Guide.
Authentication through user groups is supported for groups containing only local
users. To authenticate users using a RADIUS or LDAP server, you must configure
XAUTH settings. See “Enabling XAuth authentication for dialup IPSec VPN
clients” on page 24.
To configure user group authentication for dialup IPSec - web-based manager
1 Configure the dialup users who are permitted to use this VPN. Create a user group and add them to it.
For more information, see “Users and user groups” on page 15.
2 Go to VPN > IPSec > Phase 1.
3 Select Create New or select Edit on an existing VPN gateway.
4 From the Remote Gateway list, select Dialup User.
5 From the Authentication method list, select Preshared key.
6 In Peer Options, select Accept peer ID in dialup group and then select the user group that is to be allowed access to the VPN.
The listed user groups contain only users with passwords on the FortiGate unit. This peer option does not support authentication of users through an authentication server.
7 Select OK.
To configure user group authentication for dialup IPSec - CLI
config vpn ipsec phase1
    edit <gateway_name>
        set peertype dialup
        set usrgrp <user_group_name>
    end
Parameters specific to setting up the VPN itself are not shown here. For detailed information, see the “Configuring IPSec VPNs” chapter of the FortiGate VPN Guide.
Enabling XAuth authentication for dialup IPSec VPN clients
XAuth can be used in addition to or in place of IPSec phase 1 peer options to provide access security through an LDAP or RADIUS authentication server. You must configure dialup users as members of a user group who are externally authenticated. None can have passwords stored on the FortiGate unit.
To configure authentication for a dialup IPSec VPN - web-based manager
1 Configure the users who are permitted to use this VPN. Create a user group and add them to it. For more information, see “Users and user groups” on page 15.
2 Go to VPN > IPSec > Phase 1.
3 Select Create New or select Edit on an existing VPN gateway.
4 From the Remote Gateway list, select Dialup User.
5 Select Advanced to reveal additional parameters.
6 In the XAuth options, select Enable as Server.
7 Under Server Type: select PAP, CHAP or Mixed.
Use CHAP whenever possible. Use PAP with all implementations of LDAP and with other authentication servers that do not support CHAP, including some implementations of Microsoft RADIUS. Use MIXED with the Fortinet Remote VPN Client and where the authentication server supports CHAP but the XAuth client does not.
8 Select the user group that is to have access to this VPN.
The list of user groups does not include any group that has members whose password is stored on the FortiGate unit.
9 Configure other VPN gateway parameters as needed.
10 Select OK.
For more information about XAUTH configuration, see “Enabling XAUTH on the
FortiGate unit” in the FortiGate VPN Guide.
To configure authentication for a dialup IPSec VPN - CLI
config vpn ipsec phase1
    edit <gateway_name>
        set peertype dialup
        set xauthtype pap
        set authusrgrp <user_group_name>
    end
Parameters specific to setting up the VPN itself are not shown here. For detailed
information about configuring an IPSec VPN, see “Configuring IPSec VPNs” in the
FortiGate VPN Guide.