Fortinet FortiGate MR7 User Manual

USER GUIDE

FortiOS v3.0 MR7 User Authentication User Guide

www.fortinet.com

FortiOS v3.0 MR7 User Authentication User Guide

28 Aug 2008 01-30007-0347-20080828

© Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

Fortinet, FortiGate and FortiGuard are registered trademarks and Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiDB, FortiGate, FortiGate Unified Threat Management System, FortiGuard-Antisp am, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, and FortiV oIP, are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction........................................................................................ 5

About authentication......................................................................................... 5

User’s view of authentication........................................................................... 6

Web-based user authentication .................................................................... 6

VPN client-based authentication................................................................... 6

FortiGate administrator’s view of authentication........................................... 7

Authentication servers................................................................................... 8

Public Key Infrastructure (PKI) authentication .................................... .......... 9

Peers............................................................................................................. 9

Users............................................................................................................. 9

User groups................................................................................................... 9

Authentication timeout................................................................................. 10

Firewall policies........................................................................................... 10

VPN tunnels..................................... ... ... .... ... ... ... ....................................... . 10

About this document....................................................................................... 10

Document conventions................................................................................ 10

Typographic conventions........................... ... ....................................... . 11

FortiGate documentation................................................................................ 11

Related documentation................................................................................... 12

FortiManager documentation.............................................. .... ... ... ... ....... ... . 13

FortiClient documentation ........................................................................... 13

FortiMail documentation................... ... ... .... ...................................... ... .... .... 13

FortiAnalyzer documentation ...................................................................... 13

Fortinet Tools and Documentation CD........................................................ 14

Fortinet Knowledge Center ........................................................................ 14

Comments on Fortinet technical documentation ................................ ........ 14

Customer service and technical support...................................................... 14

FortiGate authentication servers.................................................... 15

RADIUS servers............. ... .... ... ... ....................................... ... ........................... 15

Configuring the FortiGate unit to use a RADIUS server.............................. 16

LDAP servers................. ... .... ... ... ... ....................................... ... .... .................... 19

Configuring the FortiGate unit to use an LDAP server................................ 21

Using the Query icon............................................................................ 24

TACACS+ servers............................................................................................ 24

Configuring the FortiGate unit to use a TACACS+ authentication server... 25

Directory Service servers ............................................................................... 26

Configuring the FortiGate unit to use a Directory Service server................ 28

FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 3

Contents

Users/peers and user groups......................................................... 31

Users/peers...................................................................................................... 31

Creating local users .................................................................................... 32

Creating peer users .................................................................................... 34

User groups ..................................................................................................... 37

Firewall user groups.................................................................................... 37

Directory Service user groups..................................................................... 37

SSL VPN user groups................... ... .... ... ... ....................................... ... ... .... 38

Protection profiles ................................ ... ... ... ... .... ... .................................... 38

Configuring user groups.............................................................................. 39

Configuring Directory Service user groups........................................... 40

Configuring SSL VPN user groups....................................................... 41

Configuring Peer user groups............................................................... 42

Configuring authenticated access ................................................. 43

Authentication timeout ........................ .... ...... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... . 43

Authentication protocols..... ... .... ... ................................................................. 43

Firewall policy authentication ........................................................................ 44

Configuring authentication for a firewall policy............................................ 45

Firewall policy order.................................................................................... 46

Configuring authenticated access to the Internet........................................ 47

VPN authentication.......................................................................................... 48

Configuring authentication of SSL VPN users ............................................ 48

Configuring strong authentication of SSL VPN users/user groups ............. 50

Configuring authentication of VPN peers and clients.................................. 51

Configuring authentication of PPTP VPN users/user groups............... 51

Configuring authentication of L2TP VPN users/user groups................ 52

Configuring authentication of remote IPSec VPN users....................... 52

Configuring XAuth authentication......................................................... 54

Index.................................................................................................. 57

FortiOS v3.0 MR7 User Authentication User Guide

4 01-30007-0347-20080828

Introduction About authentication

Introduction

This section introduces you to the authentication process from the user and the administrators perspective, and pr ovides supplementary information about Fortinet publications.

Note: This document does not describe certificate-based VPN authentication. For information about this type of authentication, see the FortiGate IPSec VPN Guide and the

FortiGate Certificate Management User Guide.

The following topics are covered in this section:

• About authentication

• User’s view of authentication

• FortiGate administrator’s view of authentication

• About this document

• FortiGate documentation

• Related documentation

• Customer service and technical support

About authentication

Computer networks have, for the most part, improved worker efficiency and helped a company’s bottom line. Along with these benefits, the need has arisen for workers to be able to remotely access their corporate network, with appropriate security measures in place. In general terms, authentication is the process of attempting to verify the (digital) identity of the sender of a communication such as a log in request. The sender may be someone using a computer, the computer itself, or a computer program. A computer system should only be used by those who are authorized to do so, therefore there must be a measure in place to detect and exclude any unauthorized access.

On a FortiGate unit, you can control access to network resources by defining list s of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must:

• belong to one of the user groups that is allowed access

• correctly enter a user name and password to prove his or her identity, if asked to do so

This process is called authentication. You can configure authentication for:

• any firewall policy with Action set to ACCEPT

• SSL VPNs

• PPTP and L2TP VPNs

• a dialup IPSec VPN set up as an XAUTH server (Phase 1)

• a dialup IPSec VPN that accepts user group authentication as a peer ID

FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 5

User’s view of authentication Introduction

User’s view of authentication

The user sees a request for authentication when they try to access a protected resource. The way in which the request is presented to the user depends on the method of access to that resource.

VPN authentication usually controls remote access to a private network.

Web-based user authentication

Firewall policies usually control browsing access to an external network that provides connection to the Internet. In this case, the FortiGate unit requests authentication through the web browser:

The user types a user name and password and then selects Continue/Login. If the credentials are incorrect, the authentication screen is redisp layed with blank fields so that the user can try again. When the user enters valid credentials, they get access to the required resource. In some cases, if a user tries to authenticate several times without success, a message appears, such as: “Too many bad login attempts. Please try again in a few minutes.”

Note: After a defined period of user inactivity (the authentication timeout, defined by the FortiGate administrator), the user access will expire. The default is 5 minutes. To access the resource, the user will have to authenticate again.

VPN client-based authentication

VPNs provide remote clients with access to a private network for a variety of services that include web browsing, email, and file sharing. A client program such as FortiClient negotiates the connection to the VPN and manages the user authentication challenge from the FortiGate unit.

FortiOS v3.0 MR7 User Authentication User Guide

6 01-30007-0347-20080828

Introduction FortiGate administrator’s view of authentication

FortiClient can store the user name and password for a VPN as part of the configuration for the VPN connection and pass them to the FortiGate unit as needed. Or, FortiClient can request the user name and password from the user when the FortiGate unit requests them.

SSL VPN is a form of VPN that can be used with a standard Web browser. There are two modes of SSL VPN operation (supported in NAT/Route mode only):

• web-only mode, for thin remote clients equipped with a web-browser only

• tunnel mode, for remote computers that run a variety of client and server applications.

Note: After a defined period of user inactivity on the VPN connection (the idle timeout, defined by the FortiGate administrator), the user access will expire. The default is 1500 seconds (25 minutes). To access the resource, the user will have to authenticate again.

FortiGate administrator’s view of authentication

Authentication is based on user groups. You configure authentication parameters for firewall policies and VPN tunnels to permit access only to members of particular user groups. A member of a user group can be:

• a user whose user name and password are stored on the FortiGate unit

• a user whose name is stored on the FortiGate unit and whose password is stored on a remote or external authenticatio n serv er

• a remote or external authentication server with a database that contains the user name and password of each person who is permitted access

1 If remote or external authentication is needed, configure the required servers.

•See “Configuring the FortiGate unit to use a RADIUS server” on page 16.

•See “Configuring the FortiGate unit to use an LDAP server” on page 21.

•See “Configuring the FortiGate unit to use a Directory Service server” on

page 28.

2 Configure local and peer (PKI) user identities (see “Public Key Infrastructure (PKI)

authentication” on page 9). For each local user, you can choose whether the

FortiGate unit or a remote authentication server verifies the password. Peer members can be included in user groups for use in firewall policies.

•See “Creating local users” on page 34.

•See “Creating peer users” on page 36.

FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 7

FortiGate administrator’s view of authentication Introduction

3 Create user groups.

Add local/peer user members to each user group as appropriate. You can also add an authentication server to a user group. In this case, a ll users in the serve r’s database can authenticate. You can only configure peer user groups through the CLI.

•See “Configuring user groups” on page 41.

4 Configure firewall policies and VPN tunnels that require authenticated access.

See “Configuring authentication for a firewall policy” on page 49. See “Configuring authentication of PPTP VPN users/user groups” on page 55. See “Configuring authentication of remote IPSec VPN users” on page 56. See “Configuring XAuth authentication” on page 58.

Authentication servers

The FortiGate unit can store user names and passwords and use them to authenticate users. In an enterprise environment, it might be more convenient to use the same system that provides authentication for local area network access, email and other services. Users who access the corporate network from home or while traveling could use the same user name and password that they use at the office.

Y ou can configure the FortiGate unit to work with remote or external authentication servers in two different ways:

• Add the authentication server to a user group. Anyone in the server’s database is a member of the user group. This is a

simple way to provide access to the corporate VPN for all employees, for example. You do not need to configure individual users on the FortiGate unit.

• Specify the authentication server instead of a password when you configure the individual user identity on the FortiGate unit.

The user name must exist on both the FortiGate unit and authentication server. User names that exist only on the authentication server cannot authenticate on the FortiGate unit. This method enables you to provide access only to selected employees, for example.

Note: You cannot combine these two uses of an authentication server in the same user group. If you add the server to the user group, adding individual users with authentication to that server is redundant.

If you want to use remote or external authentication servers, you must configure them before you configure users and user groups . See “RADIUS servers” on

page 15, “LDAP servers” on page 19, “TACACS+ servers” on page 25, and “Directory Service servers” on page 27.

FortiOS v3.0 MR7 User Authentication User Guide

8 01-30007-0347-20080828

Introduction FortiGate administrator’s view of authentication

Public Key Infrastructure (PKI) authentication

A Public Key Infrastructure (PKI) is a comprehensive system of policies, processes, and technologies workin g toge t her to enable users of the Internet to exchange information in a secure and confidential manner. PKIs are based on the use of cryptography - the scrambling of information by a mathematical formula and a virtual key so that it can only be decoded by an authorized party using a related key. The public and private cryptographic key pair is obtained and shared through a trusted authority. The public key infrastructure enables the creation of a digital certificate that can identify an individual or organization, and directory services that can store and also revoke the certificates.

Public Key Infrastructure (PKI) authentication utilizes a certificate authentication library that takes a list of ‘peers’, ‘peer’ groups, and/or user groups and returns authentication ‘successful’ or ‘denied’ notifications. Users only need a valid certificate for successful authentication - no username or password are necessary.

Peers

A peer is a user that is a digital certificate holder used in PKI authentication. To use PKI authentication, you must define peers to inc l ud e in th e au th en ticatio n user group. See “Users/peers” on page 33.

Users

User groups

Although it is simpler to define passwords locally, when there are many users the administrative effort to maintain the database is considerable. Users cannot change their own passwords on the FortiGate unit. When a remote or external remote authentication server is part of an enterprise network authentication system, users can change their own passwords. See “Users/peers” on page 33.

Note: Frequent changing of passwords is a good security practice.

A user group can contain individual users/peers and authentication servers. A user/peer or authentication server can belong to more than one group.

Authentication is group-based. Firewall policies can allow multiple groups access, but authentication for a VPN allows access to only one group. These considerations affect how you define the group s for your organization. Usually you need a user group for each VPN. For firewall policies, you ca n create user group s that reflect how you manage network privileges in your organization. For example, you might create a user group for each department or create user groups based on functions such as customer support or account management.

You select a protection profile for each user group. Protection profiles determine the level of web filtering, antivirus protection, an d spam filtering ap plie d to traffic controlled by the firewall policy to which members of this user group authenticate. For more information about protection profiles, see the FortiGate Administration

Guide.

FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 9

About this document Introduction

Authentication timeout

An authenticated connection expires when it has been idle for a length of time that you specify. The authentication timeout value set in User > Authentication > Authentication applies to every user of the system. The choice of timeout duration is a balance between security and user convenience. The default is 5 minutes. For information about setting the authentication timeout, see

“Authentication timeout” on page 47.

Firewall policies

Access control is defined in the firewall policy that provides access to the network resource. For example, access to the Internet through the external interface from workstations on the internal network is made possible by an Internal to External firewall policy.

Firewall policies apply web filtering, antivirus protection, and spam filtering to the traffic they control according to a protection profile. If the firewall policy requires authentication, the protection profile in the firewall policy is disabled. Instead, the protection profile is configured in the authenticating user group.

For more information about firewall policies and protection profiles, see the Firewall chapters of the FortiGate Administration Guide.

VPN tunnels

When you configure a PPTP or L2TP VPN, you choose one user group to be permitted access. For IPSec VPNs, you can use authentication by user group or XAUTH authentication using an external authentication server as an alte rnative to authentication by peer ID. Access to SSL VPN applications is controlled through user groups. When the remote client connects to the FortiGate unit, the FortiGate unit authenticates the user based on user name, password, and authentication domain. Authentication for a VPN allows access to only one group.

For more information about VPNs, see the FortiGate PPTP VPN User Guide,

FortiGate SSL VPN User Guide, or the FortiGate IPSec VPN User Guide.

About this document

This document explains how to configure authentication for firewall policies, PP TP, L2TP and SSL VPNs, and dialup IPSec VPNs, and contains the following chapters:

• Authentication servers contains procedures for configurin g RADIUS, LDAP, and Microsoft Active Directory authentication servers.

• Users/peers and user groups contains procedures for defining users/peers and user groups.

• Configuring authenticated access contains procedures to set authentication timeouts, configure authentication in firewall policies, for PPTP, L2TP and SSL VPNs, and certain configurations of IPSec VPNs.

Document conventions

The following document conventions are used in this guide:

FortiOS v3.0 MR7 User Authentication User Guide

10 01-30007-0347-20080828

Introduction FortiGate documentation

• In the examples, private IP addresses are used for both private and public IP addresses.

• Notes and Cautions are used to provide important information:

Note: Highlights useful additional information.

Caution: Warns you about commands or procedures that could have unexpected or

undesirable results including loss of data or damage to equipment.

Typographic conventions

FortiGate documentation uses the following typographical conventions:

Convention Example Keyboard input Code examples config sys global

CLI command syntax config firewall policy

Document names File content <HTML><HEAD><TITLE>Firewall

Menu commands Go to VPN > SSL > Config. Program output Welcome! Variables <group_name>

In the Name field, type admin.

set ips-open enable

end

edit id_integer

set http_retry_count <retry_integer> set natip <address_ipv4mask>

end

FortiGate SSL VPN User Guide

Authentication</TITLE></HEAD> <BODY><H4>You must authenticate to use this service.</H4>

FortiGate documentation

The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site.

The following FortiGate product documentation is available:

• FortiGate QuickStart Guide

Provides basic information about connecting and installing a FortiGate unit.

• FortiGate Installation Guide

Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide for your product model number.

FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 11

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network.

Please visit the Fortinet Technical Support to learn about the technical support services that Fortinet provides.

FortiOS v3.0 MR7 User Authentication User Guide

14 01-30007-0347-20080828

Authentication servers RADIUS servers

Authentication servers

FortiGate units support the use of authentication servers. If you are going to use FortiGate authentication servers, you must configure the servers before you configure FortiGate users or user groups that require them. An authentication server can provide password checking for selected FortiGate users or it can be added as a member of a FortiGate user group.

This section describes:

• RADIUS servers

• LDAP servers

• TACACS+ servers

• Directory Service servers

RADIUS servers

Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication, authorization, and accounting functions. FortiGate units use the authentication and accounting functions of the RADIUS server.

Your RADIUS server listens on either port 1812 or port 1645 for authentication requests. You must configure it to accept the FortiGate unit as a client.

The RADIUS server user database can be any combination of:

• user names and passwords defined in a configuration file

• an SQL database

• user account names and passwords configured on the computer where the RADIUS server is installed.

The RADIUS server uses a “shared secret” key to encrypt information passed between it and clients such as the FortiGate unit.

The FortiGate units send the following RADIUS attributes in the accounting start/stop messages:

1. Acct-Session-ID

2. User Name

3. NAS-Identifier (FGT hostname)

4. Framed-IP-Address (IP address assigned to the client)

5. Fortinet-VSA (IP address client is connecting from)

6. Acct-Input-Octets

7. Acct-Output-Octets

Table 1 describes the supported authentication events and the RADIUS attributes

that are sent in the RADIUS accounting message.

FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 15

RADIUS servers Authentication servers

Table 1: RADIUS attributes sent in RADIUS accounting message

A TTRIBUTE

AUTHENTICATION METHOD 1234567 Web XXX X XAuth of IPSec (without DHCP) XXX X XAuth of IPSec (with DHCP) XXXXX PPTP/L2TP (in PPP) XXXXXXX SSL-VPN XXX X

In order to support vendor-specific attributes (VSA), the RADIUS server requires a dictionary to define what the VSAs are.

Fortinet’s dictionary is configured this way:

## Fortinet’s VSA’s # VENDOR fortinet 12356 BEGIN-VENDOR fortinet ATTRIBUTE Fortinet-Group-Name 1 string ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr ATTRIBUTE Fortinet-Vdom-Name 3 string # # Integer Translations # END-VENDOR Fortinet

See the documentation provided with your RADIUS server for configuration details.

Configuring the FortiGate unit to use a RADIUS server

To configure the FortiGate unit to use a RADIUS server, you need to know the server’s domain name or IP address and its shared secret key. You will select the authentication protocol. The maximum number of remote RADIUS servers that can be configured for authentication is 10.

On the FortiGate unit, the default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645, you can either:

• Reconfigure the RADIUS server to use port 1812. See your RADIUS server documentation for more information.

FortiOS v3.0 MR7 User Authentication User Guide

16 01-30007-0347-20080828

Authentication servers RADIUS servers

• Change the FortiGate unit default RADIUS port to 1645 using the CLI:

config system global

set radius_port 1645

end

To configure the FortiGate unit for RADIUS authentication - web-based manager

1 Go to User > Remote > RADIUS and select Create New. 2 Enter the following information, and select OK.

Figure 1: Configure FortiGate unit for RADIUS authentication

Name Enter the name that is used to identify the RADIUS server

Primary Server Name/IP Enter the domain name or IP address of the primary

Primary Server Secret Enter the RADIUS server secret key for the primary

Secondary Server Name/IP Enter the domain name or IP address of the secondary

Secondary Server Secret Enter the RADIUS server secret key for the secondary

Authentication Scheme Select Use Default Authentication Scheme to authenticate

NAS IP/Called Station ID Enter the NAS IP address and Called Station ID (for more

Include in every User Group Select to have the RADIUS server automatically included in

on the FortiGate unit.

RADIUS server.

RADIUS server, if you have one.

RADIUS server.

with the default method. The default authentication scheme uses PAP, MS-CHAP-V2, and CHAP, in that order.

Select Specify Authentication Protocol to override the default authentication method, and choose the protocol from the list: MS-CHAP-V2, MS-CHAP, CHAP, or PAP, depending on what your RADIUS server needs.

information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiGate interface uses to communicate with the RADIUS server will be applied.

all user groups.

FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 17

RADIUS servers Authentication servers

Edit

Delete

To configure the FortiGate unit for RADIUS authentication - CLI

config user radius

edit <server_name>

set all-usergroup {enable | disable } set auth-type <authentication_protocol> set nas-ip <nas_ip_called_id> set radius-port <radius_port_id> set secondary-server <secondary_ip_address> set secondary-secret <secondary_password> set server <primary_ip_address> set secret <primary_password> set use-group-for-profile <group_profile_select> set use-management-vdom <vdom_requests>

end

The use-group-for-profile and use-management-vdom can only be added to RADIUS authentication requests via the CLI. You enable use-group- for-profile to use the RADIUS group attribute to select the firewall protection profile to apply. Enable use-management-vdom to use the management VDOM to send all RADIUS requests. For more information, refer to the

Reference.

FortiGate CLI

To remove a RADIUS server from the FortiGate unit configuration - webbased manager

Note: You cannot remove a RADIUS server that belongs to a user group. Remove it from

the user group first.

1 Go to User > Remote > RADIUS. 2 Select the Delete icon beside the name of the RADIUS server that you want to

remove.

3 Select OK.

Figure 2: Delete (remove) a RADIUS server

Create New Add a new RADIUS server. The maximum number is 10. Name The name that identifies the RADIUS server on the FortiGate unit. Server Name/IP The domain name or IP address of the RADIUS server. Delete icon Delete (remove) a RADIUS server from the FortiGate configuration.

You cannot remove a RADIUS server that has been added to a user group.

Edit icon Edit a RADIUS server configuration.

18 01-30007-0347-20080828

FortiOS v3.0 MR7 User Authentication User Guide

Authentication servers LDAP servers

To remove a RADIUS server from the FortiGate unit configuration - CLI

config user radius

delete <server_name>

end

LDAP servers

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. An LDAP consists of a datarepresentation scheme, a set of defined operations, and a request/response network.

The scale of LDAP servers ranges from big public servers such as BigFoot and Infospace, to large organizational servers at universities and corporations, to small LDAP servers for workgroups. This document focuses on the institutional and workgroup applications of LDAP.

A directory is a set of objects with similar attributes organized in a logical and hierarchical way. Generally, an LDAP directory tree reflects geographic and/or organizational boundaries, with the Domain name system (DNS) names to structure the top level of the hierarchy. The common name identifier for most LDAP servers is cn, however some servers use other common name identifiers such as uid.

If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit.

Binding is the step where the LDAP server authenticates the user, and if the user is successfully authenticated, allows the user access to the LDAP server based on that user’s permissions.

The FortiGate unit can be configured to use one of three types of binding:

• anonymous - bind using anonymous user search

• regular - bind using username/password and then search

• simple - bind using a simple password authentication without a search You can use simple authentication if the user records all fall under one dn. If the

users are under more than one dn, use the an onymous or regular type , which can search the entire LDAP database for the required user name.

If your LDAP server requires authenticati on to perform searches, use the regular type and provide values for username and password.

The FortiGate unit supports LDAP protocol functionality defined in RFC 2251: Lightweight Directory Access Protocol v3, for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition, FortiGate LDAP supports LDAP over SSL/TLS. To configure SSL/TLS authentication, refer to the

FortiGate CLI Reference.

FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 19

LDAP servers Authentication servers

FortiGate LDAP does not support proprietary functionality, such as notification of password expiration, which is available from some LDAP servers. FortiGate LDAP does not supply information to the user about why authentication failed.

To configure your FortiGate unit to work with an LDAP server, you need to understand the organization of the information on the server.

The top of the hierarchy is the organizat ion itself. Usually this is defined as Domain Component (DC), a DNS domain. If the name contains a dot, such as “example.com”, it is written as two parts: “dc=example,dc=com”.

In this example, Common Name (CN) identifiers reside at the Organization Unit (OU) level, just below DC. The Distinguished Name (DN) is ou=People,dc=example,dc=com.

In addition to the DN, the FortiGate unit needs an identifier for the individual person. Although the FortiGate unit GUI calls this the Common Name (CN), the identifier you use is not necessarily CN. On some servers, CN is the full name of a person. It might be more convenient to use the same identifier used on the local computer network. In this example, User ID (UID) is used.

You need to determine the levels of the hierarchy from the top to the level that contains the identifier you want to use. This defines the DN tha t the FortiGate unit uses to search the LDAP database. Frequently used distinguished name elements include:

• pw (password)

• cn (common name)

• ou (organizational unit)

• o (organization)

• c (country)

One way to test this is with a text-based LDAP client program. For example, OpenLDAP includes a client, ldapsearch, that you can use for this purpose.

Enter the following command:

ldapsearch -x '(objectclass=*)'

FortiOS v3.0 MR7 User Authentication User Guide

20 01-30007-0347-20080828

+ 46 hidden pages

Fortinet FortiGate MR7 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

Introduction

About authentication

User’s view of authentication

Web-based user authentication

VPN client-based authentication

FortiGate administrator’s view of authentication

Authentication servers

Public Key Infrastructure (PKI) authentication

Peers

Users

User groups

Authentication timeout

Firewall policies

VPN tunnels

About this document

Document conventions

Typographic conventions

FortiGate documentation

Related documentation

FortiManager documentation

FortiClient documentation

FortiMail documentation

FortiAnalyzer documentation

Fortinet Tools and Documentation CD

Fortinet Knowledge Center

Comments on Fortinet technical documentation

Customer service and technical support

Authentication servers

RADIUS servers

Configuring the FortiGate unit to use a RADIUS server

LDAP servers