Résumé du contenu de la page N° 1
USER GUIDE
FortiOS v3.0 MR7
User Authentication User Guide
www.fortinet.com
Résumé du contenu de la page N° 2
FortiOS v3.0 MR7 User Authentication User Guide 28 Aug 2008 01-30007-0347-20080828 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc. Trademarks Fortinet, FortiGate and FortiGuard are registered trademarks and Dynami
Résumé du contenu de la page N° 3
Contents Contents Introduction ........................................................................................ 5 About authentication......................................................................................... 5 User’s view of authentication........................................................................... 6 Web-based user authentication .................................................................... 6 VPN client-based authentication .........................
Résumé du contenu de la page N° 4
Contents Users/peers and user groups ......................................................... 31 Users/peers...................................................................................................... 31 Creating local users .................................................................................... 32 Creating peer users .................................................................................... 34 User groups ........................................................
Résumé du contenu de la page N° 5
Introduction About authentication Introduction This section introduces you to the authentication process from the user and the administrators perspective, and provides supplementary information about Fortinet publications. Note: This document does not describe certificate-based VPN authentication. For information about this type of authentication, see the FortiGate IPSec VPN Guide and the FortiGate Certificate Management User Guide. The following topics are covered in this section: • About a
Résumé du contenu de la page N° 6
User’s view of authentication Introduction User’s view of authentication The user sees a request for authentication when they try to access a protected resource. The way in which the request is presented to the user depends on the method of access to that resource. VPN authentication usually controls remote access to a private network. Web-based user authentication Firewall policies usually control browsing access to an external network that provides connection to the Internet. In this case,
Résumé du contenu de la page N° 7
Introduction FortiGate administrator’s view of authentication FortiClient can store the user name and password for a VPN as part of the configuration for the VPN connection and pass them to the FortiGate unit as needed. Or, FortiClient can request the user name and password from the user when the FortiGate unit requests them. SSL VPN is a form of VPN that can be used with a standard Web browser. There are two modes of SSL VPN operation (supported in NAT/Route mode only): • web-only mode, for
Résumé du contenu de la page N° 8
FortiGate administrator’s view of authentication Introduction 3 Create user groups. Add local/peer user members to each user group as appropriate. You can also add an authentication server to a user group. In this case, all users in the server’s database can authenticate. You can only configure peer user groups through the CLI. •See “Configuring user groups” on page 41. 4 Configure firewall policies and VPN tunnels that require authenticated access. See “Configuring authentication for a firew
Résumé du contenu de la page N° 9
Introduction FortiGate administrator’s view of authentication Public Key Infrastructure (PKI) authentication A Public Key Infrastructure (PKI) is a comprehensive system of policies, processes, and technologies working together to enable users of the Internet to exchange information in a secure and confidential manner. PKIs are based on the use of cryptography - the scrambling of information by a mathematical formula and a virtual key so that it can only be decoded by an authorized party usin
Résumé du contenu de la page N° 10
About this document Introduction Authentication timeout An authenticated connection expires when it has been idle for a length of time that you specify. The authentication timeout value set in User > Authentication > Authentication applies to every user of the system. The choice of timeout duration is a balance between security and user convenience. The default is 5 minutes. For information about setting the authentication timeout, see “Authentication timeout” on page 47. Firewall policies
Résumé du contenu de la page N° 11
Introduction FortiGate documentation • In the examples, private IP addresses are used for both private and public IP addresses. • Notes and Cautions are used to provide important information: Note: Highlights useful additional information. Caution: Warns you about commands or procedures that could have unexpected or ! undesirable results including loss of data or damage to equipment. Typographic conventions FortiGate documentation uses the following typographical conventions: Convention Examp
Résumé du contenu de la page N° 12
Related documentation Introduction • FortiGate Administration Guide Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies; how to apply intrusion prevention, antivirus protection, web content filtering, and spam filtering; and how to configure a VPN. • FortiGate online help Provides a context-sensitive and searchable version of the Administration Guide in HTML format. You can access online help from the
Résumé du contenu de la page N° 13
Introduction Related documentation FortiManager documentation • FortiManager QuickStart Guide Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings. • FortiManager System Administration Guide Describes how to use the FortiManager System to manage FortiGate devices. • FortiManager System online help Provides a searchable version of the Administration Guide in HTML format. You can access online help from the FortiManager Console as you wor
Résumé du contenu de la page N° 14
Customer service and technical support Introduction Fortinet Tools and Documentation CD All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation see the Fortinet Technical Documentation web site. Fortinet Knowledge Center Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowled
Résumé du contenu de la page N° 15
Authentication servers RADIUS servers Authentication servers FortiGate units support the use of authentication servers. If you are going to use FortiGate authentication servers, you must configure the servers before you configure FortiGate users or user groups that require them. An authentication server can provide password checking for selected FortiGate users or it can be added as a member of a FortiGate user group. This section describes: • RADIUS servers • LDAP servers • TACACS+ servers
Résumé du contenu de la page N° 16
RADIUS servers Authentication servers Table 1: RADIUS attributes sent in RADIUS accounting message ATTRIBUTE AUTHENTICATION METHOD 1 2 3456 7 Web XX X X XAuth of IPSec (without DHCP) XX X X XAuth of IPSec (with DHCP) XX X X X PPTP/L2TP (in PPP) X X XX XX X SSL-VPN XX X X In order to support vendor-specific attributes (VSA), the RADIUS server requires a dictionary to define what the VSAs are. Fortinet’s dictionary is configured this way: ## Fortinet’s VSA’s # VENDOR fortinet 12356 BEGIN-VENDOR f
Résumé du contenu de la page N° 17
Authentication servers RADIUS servers • Change the FortiGate unit default RADIUS port to 1645 using the CLI: config system global set radius_port 1645 end To configure the FortiGate unit for RADIUS authentication - web-based manager 1 Go to User > Remote > RADIUS and select Create New. 2 Enter the following information, and select OK. Figure 1: Configure FortiGate unit for RADIUS authentication Name Enter the name that is used to identify the RADIUS server on the FortiGate unit. Primary Server
Résumé du contenu de la page N° 18
RADIUS servers Authentication servers To configure the FortiGate unit for RADIUS authentication - CLI config user radius edit set all-usergroup {enable | disable } set auth-type set nas-ip set radius-port set secondary-server set secondary-secret set server set secret set use-group-for-profile set use-management-vdo
Résumé du contenu de la page N° 19
Authentication servers LDAP servers To remove a RADIUS server from the FortiGate unit configuration - CLI config user radius delete end LDAP servers Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. An LDAP consists of a data- representation scheme, a set of defined operations, and a request/response network. The scale of LDAP
Résumé du contenu de la page N° 20
LDAP servers Authentication servers FortiGate LDAP does not support proprietary functionality, such as notification of password expiration, which is available from some LDAP servers. FortiGate LDAP does not supply information to the user about why authentication failed. To configure your FortiGate unit to work with an LDAP server, you need to understand the organization of the information on the server. The top of the hierarchy is the organization itself. Usually this is defined as Domain Co