FortiGate-3000 Administration Guide Version 2.80 MR6
FortiGate-3000 Administration Guide 01-28006-0010-20041105 241
Users and authentication
You can control access to network resources by defining lists of authorized users,
called user groups. To use a particular resource, such as a network or a VPN tunnel,
the user must belong to one of the user groups that is allowed access. The user then
must correctly enter a user name and password to prove his or her identity. This is
called authentication.
You can configure authentication in:
• any firewall policy with Action set to ACCEPT
• IPSec, PPTP and L2TP VPN configurations
When the user attempts to access the resource, the FortiGate unit requests a user
name and password. The FortiGate unit can verify the user’s credentials locally or
using an external LDAP or RADIUS server.
Authentication expires if the user leaves the connection idle for longer than the
authentication timeout period.
You need to determine the number and membership of your user groups appropriate
to your authentication needs.
To set up user groups
1 If external authentication is needed, configure RADIUS or LDAP servers. See
“RADIUS” on page 243 and “LDAP” on page 244.
2 Configure local user identities in User > Local. For each user, you can choose
whether the password is verified by the FortiGate unit, by a RADIUS server or by an
LDAP server. See “Local” on page 242.
3 Create user groups in User > User Group. Add local users as appropriate. See “User
group” on page 247.
You can also add a RADIUS or LDAP server to a user group. In this case, all users in
the external server’s database can authenticate.
This chapter describes:
• Setting authentication timeout
• Local
• RADIUS
• LDAP
• User group
To Next Page
Loading...
Need help?
General