FortiGate User Authentication Version 1 Guide
VPN client-based authentication
VPNs provide remote clients with access to a private network for a variety of
services: web browsing, email, file shares and so on. A client program such as
FortiClient negotiates the connection to the VPN and manages the user
authentication challenge from the FortiGate unit.
FortiClient can store the user name and password for a VPN as part of the
configuration for the VPN connection and pass them to the FortiGate unit as
needed. Or, FortiClient can request the user name and password from the user
when the FortiGate unit requests them.
User access expires after a period of inactivity known as the authentication timeout, which the administrator configures. The default is five minutes. After the timeout, the user must authenticate again.
The FortiGate administrator’s view of authentication
Authentication is based on user groups. You configure authentication parameters
for firewall policies and VPN tunnels to permit access only to members of
particular user groups. A member of a user group can be:
• a user whose user name and password are stored on the FortiGate unit
• a user whose name is stored on the FortiGate unit and whose password is stored on an external authentication server
• an external authentication server with a database that contains the user name
and password of each person who is permitted access
You need to set up authentication in the following order:
1 If external authentication is needed, configure the required servers.
• See “Configuring the FortiGate unit to use a RADIUS server” on page 9.
• See “Configuring the FortiGate unit to use an LDAP server” on page 12.
• See “Configuring the FortiGate unit to use an Active Directory server” on page 13.
2 Configure local user identities. For each user, you can choose whether the FortiGate unit or an external authentication server verifies the password.
• See “Defining local users” on page 15.
3 Create user groups. Add local users to each user group as appropriate. You can also add an authentication server to a user group. In this case, all users in the server’s database can authenticate.
• See “Defining user groups” on page 17.
4 Configure firewall policies and VPN tunnels that require authenticated access.
• See “Configuring authentication for a firewall policy” on page 20.
• See “Authenticating PPTP and L2TP VPN users” on page 22.
• See “Authenticating remote IPSec VPN users using dialup groups” on page 23.
Note: In firmware releases prior to version 2.80 MR6, the authentication timeout period is
elapsed time, not inactive time.
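The four setup steps and the inactivity timeout above, written out as an added example in FortiOS CLI syntax; this is not configuration from the guide, and it assumes current command names (`config user radius`, `config user local`, `config user group`, `config firewall policy`, `config user setting`, `auth-timeout-type`) rather than the 2.80-era CLI the guide documents. The server address 192.0.2.10, the users `alice` and `bob`, the group `vpn-users`, the interface names and the secrets are constructed placeholders.

```fortios
# Added example in assumed current FortiOS syntax; all values are placeholders.
# Step 1: external server, needed only if passwords are verified off-box.
config user radius
    edit "rad1"
        set server "192.0.2.10"
        set secret "REPLACE-WITH-LONG-RANDOM-SECRET"
    next
end

# Step 2: local identities. alice's password is checked by rad1;
# bob's password is stored on the FortiGate unit itself.
config user local
    edit "alice"
        set type radius
        set radius-server "rad1"
    next
    edit "bob"
        set type password
        set passwd "REPLACE-WITH-STRONG-PASSWORD"
    next
end

# Step 3: a group of named users. Listing "rad1" itself as a member would
# admit every account in the RADIUS database, so add it only if intended.
config user group
    edit "vpn-users"
        set member "alice" "bob"
    next
end

# Step 4: a policy that accepts traffic only from authenticated group members.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "vpn-users"
    next
end

# Five-minute inactivity timeout (the guide's default). auth-timeout-type is
# assumed to exist; idle-timeout selects inactive time rather than elapsed time.
config user setting
    set auth-timeout 5
    set auth-timeout-type idle-timeout
end
```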