User Group User
FortiGate Version 4.0 MR1 Administration Guide
668 01-410-89802-20090903
http://docs.fortinet.com/ • Feedback
A firewall user group can also provide access to an IPSec VPN for dialup users. In this
case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer
option. The user’s VPN client is configured with the user name as peer ID and the
password as pre-shared key. The user can connect successfully to the IPSec VPN only if
the user name is a member of the allowed user group and the password matches the one
stored on the FortiGate unit.
For more information, see “Creating a new phase 1 configuration” on page 614.
For information about configuring a Firewall user group, see “Configuring a user group” on
page 669.
You can also use a firewall user group to provide override privileges for FortiGuard web
filtering. For more information, see “Configuring FortiGuard Web filtering override options”
on page 672. For detailed information about FortiGuard Web Filter, including the override
feature, see “FortiGuard - Web Filter” on page 559.
Directory Service user groups
On a network, you can configure the FortiGate unit to allow access to members of
Directory Service server user groups who have been authenticated on the network. The
Fortinet Server Authentication Extensions (FSAE) must be installed on the network
domain controllers.
A Directory Service user group provides access to a firewall policy that requires Directory
Service type authentication and lists the user group as one of the allowed groups. The
members of the user group are Directory Service users or groups that you select from a
list that the FortiGate unit receives from the Directory Service servers that you have
configured. See “Directory Service” on page 662.
You can also use a Directory Service user group to provide override privileges for
FortiGuard web filtering. For more information, see “Configuring FortiGuard Web filtering
override options” on page 672. For detailed information about FortiGuard Web Filter,
including the override feature, see “FortiGuard - Web Filter” on page 559.
For information on configuring user groups, see “Configuring a user group” on page 669.
SSL VPN user groups
An SSL VPN user group provides access to a firewall policy that requires SSL VPN type
authentication and lists the user group as one of the allowed groups. Local user accounts,
LDAP, and RADIUS servers can be members of an SSL VPN user group. The FortiGate
unit requests the user’s user name and password when the user accesses the SSL VPN
web portal. The user group settings include options for SSL VPN features.
Note: A user group cannot be a dialup group if any member is authenticated using a
RADIUS or LDAP server.
Note: You cannot use Directory Service user groups directly in FortiGate firewall policies.
You must add Directory Service groups to FortiGate user groups. A Directory Service group
should belong to only one FortiGate user group. If you assign it to multiple FortiGate user
groups, the FortiGate unit recognizes only the last user group assignment.
Note: A Directory Service user group cannot have SSL VPN access.
To Next Page
Loading...
Need help?
General
