
Fortinet Fortigate-5000 series - User Group Types

Fortinet Fortigate-5000 series
458 pages
FortiGate Version 3.0 MR4 Administration Guide
328 01-30004-0203-20070102
User group User
You can configure user groups to provide authenticated access to:
• Firewall policies that require authentication
  See “Adding authentication to firewall policies” on page 222.
• SSL VPNs on the FortiGate unit
  See “SSL-VPN firewall policy options” on page 226.
• IPSec VPN Phase 1 configurations for dialup users
  See “Creating a new phase 1 configuration” on page 287.
• XAuth for IPSec VPN Phase 1 configurations
  See XAUTH in “Defining phase 1 advanced settings” on page 290.
• FortiGate PPTP configuration
  See “PPTP Range” on page 303.
• FortiGate L2TP configuration
  This is configurable only using the config vpn l2tp CLI command. See the FortiGate CLI Reference.
• Administrator login with RADIUS authentication
  See “Configuring RADIUS authentication for administrators” on page 144.
• FortiGuard Web Filtering override groups
  See “FortiGuard - Web Filter” on page 373.
For each resource that requires authentication, you specify which user groups are
permitted access. You need to determine the number and membership of user
groups appropriate to your authentication needs.
User group types
There are three types of user group:
• “Firewall”
• “Active Directory”
• “SSL VPN”
Firewall
A firewall user group provides access to a firewall policy that requires firewall type
authentication and lists the user group as one of the allowed groups. The
FortiGate unit requests the group member’s user name and password when the
user attempts to access the resource that the policy protects. For more
information, see “Adding authentication to firewall policies” on page 222.
A firewall user group can also provide access to an IPSec VPN for dialup users. In
this case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup
group peer option. The user’s VPN client is configured with the user name as peer
ID and the password as pre-shared key. The user can connect successfully to the
IPSec VPN only if the user name is a member of the allowed user group and the
password matches the one stored on the FortiGate unit. A user group cannot be a
dialup group if any member is authenticated using a RADIUS or LDAP server. For
more information, see “Creating a new phase 1 configuration” on page 287.
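The dialup-group rule above can be checked before a group is assigned to a phase 1 configuration. The following is an added example, not taken from the FortiGate guide or from Fortinet code: it audits a simplified inventory for members authenticated by RADIUS or LDAP and models the acceptance rule (peer ID is a group member, pre-shared key equals the stored password). The dictionary layout, user names, group names, phase 1 names and passwords are all constructed for illustration and are not FortiGate configuration syntax.

```python
"""Audit a simplified inventory for the dialup-group rule described above.

All data below is constructed sample data in a hypothetical layout,
not FortiGate configuration syntax.
"""
import hmac

# Constructed sample inventory (hypothetical names and values).
USERS = {
    "alice": {"auth": "local", "password": "s3cret-A"},
    "bob":   {"auth": "local", "password": "s3cret-B"},
    "carol": {"auth": "radius"},   # verified by a RADIUS server
    "dave":  {"auth": "ldap"},     # verified by an LDAP server
}
GROUPS = {
    "vpn-dialup": ["alice", "bob"],
    "staff":      ["alice", "carol", "dave"],
}
# Phase 1 name -> user group selected as its dialup group.
PHASE1_DIALUP_GROUP = {"branch-p1": "vpn-dialup", "staff-p1": "staff"}


def audit_dialup_groups(users, groups, phase1_groups):
    """Return (phase1, group, user, reason) for every member that makes a
    group unusable as a dialup group."""
    findings = []
    for phase1, group in sorted(phase1_groups.items()):
        for name in groups.get(group, []):
            user = users.get(name)
            if user is None:
                findings.append((phase1, group, name, "unknown user"))
            elif user["auth"] != "local":
                findings.append((phase1, group, name, user["auth"]))
    return findings


def accepts_peer(users, groups, dialup_group, peer_id, pre_shared_key):
    """Model of the acceptance rule: the peer ID must be a member of the
    dialup group and the key must equal that user's stored password."""
    if peer_id not in groups.get(dialup_group, []):
        return False
    stored = users.get(peer_id, {}).get("password")
    if stored is None:          # no local password to compare against
        return False
    return hmac.compare_digest(stored.encode(), pre_shared_key.encode())


if __name__ == "__main__":
    for finding in audit_dialup_groups(USERS, GROUPS, PHASE1_DIALUP_GROUP):
        print("not valid as dialup group:", finding)
```
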
A firewall user group can be used to provide override privileges for FortiGuard
web filtering. See “Configuring FortiGuard override options for a user group” on
page 331. For detailed information about FortiGuard Web Filter, including the
override feature, see “FortiGuard - Web Filter” on page 373.
