
Fortinet Gate 60D - Details about WAN Optimization Peer Authentication

Configuring authentication groups WAN optimization and web caching
FortiGate Version 4.0 Administration Guide
636 01-400-89802-20090424
http://docs.fortinet.com/Feedback
Details about WAN optimization peer authentication
When a client side FortiGate unit attempts to start a WAN optimization tunnel with a server side FortiGate unit, the tunnel request includes the following information:
- The client side Local Host ID
- The name of an authentication group, if included in the rule that initiates the tunnel
- The authentication method defined in the authentication group: pre-shared key or certificate
- Whether the tunnel should be a secure tunnel or not
The authentication group is optional unless the tunnel should be a secure tunnel.
If the tunnel request includes an authentication group, the authentication will be based on the settings of this group as follows:
- The server side FortiGate unit searches its own configuration for the name of the authentication group in the tunnel request. If no match is found, the authentication fails.
- If a match is found, the server side FortiGate unit compares the authentication method in the client and server authentication groups. If the methods do not match, the authentication fails.
- If the authentication methods match, the server side FortiGate unit tests the peer acceptance settings in its copy of the authentication group.
  - If the setting is accept any peer, the authentication is successful.
  - If the setting is specify peer, the server side FortiGate unit compares the client side Local Host ID in the tunnel request with the peer name in the server side authentication group. If the names match, authentication is successful. If a match is not found, authentication fails.
  - If the setting is accept defined peers, the server side FortiGate unit compares the client side Local Host ID in the tunnel request with the server side peer list. If a match is found, authentication is successful. If a match is not found, authentication fails.
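The server side checks above, modelled in Python as an added example (not FortiOS code and not part of the original guide). The class and field names, the sample groups and peer list, and the handling of a request that carries no authentication group are assumptions.

```python
from typing import NamedTuple, Optional

class AuthGroup(NamedTuple):      # server side copy of an authentication group
    method: str                   # "psk" or "certificate"
    acceptance: str               # "any", "defined" or "one" (specify peer)
    peer: Optional[str] = None    # only used when acceptance == "one"

class TunnelRequest(NamedTuple):  # the four items carried in the tunnel request
    local_host_id: str
    group: Optional[str]
    method: Optional[str]
    secure: bool

def authenticate(req, groups, peer_list):
    """Return (ok, reason) for the server side checks, in the order listed."""
    if req.group is None:
        # Assumption: the guide only states that the group is optional unless
        # the tunnel is secure, so a secure request without one is rejected.
        if req.secure:
            return False, "secure tunnel without authentication group"
        return True, "no authentication group, peer not authenticated"
    grp = groups.get(req.group)
    if grp is None:
        return False, "authentication group not found"
    if grp.method != req.method:
        return False, "authentication method mismatch"
    if grp.acceptance == "any":
        return True, "accept any peer"      # Local Host ID is never compared
    if grp.acceptance == "one":
        return req.local_host_id == grp.peer, "specify peer"
    if grp.acceptance == "defined":
        return req.local_host_id in peer_list, "accept defined peers"
    return False, "unknown peer acceptance setting"

# Constructed sample configuration and requests (not taken from a real unit).
GROUPS = {"forticlient": AuthGroup("psk", "any"),
          "branches": AuthGroup("psk", "defined"),
          "hq-only": AuthGroup("certificate", "one", peer="hq-fgt")}
PEER_LIST = {"branch-01", "branch-02"}

if __name__ == "__main__":
    for r in [TunnelRequest("unknown-host", "forticlient", "psk", True),
              TunnelRequest("branch-03", "branches", "psk", True),
              TunnelRequest("hq-fgt", "hq-only", "psk", True),
              TunnelRequest("hq-fgt", "hq-only", "certificate", True)]:
        print(r.local_host_id, r.group, authenticate(r, GROUPS, PEER_LIST))
```

With accept any peer, the group name and method are the only things checked before the shared credential, which is why the other two settings are the ones that tie a tunnel to known Local Host IDs.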
Pre-shared key: If you select Pre-shared key, add a pre-shared key. All peers that use this authentication group must have the same authentication group with the same pre-shared key.
    If you selected Pre-shared Key, type the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer. The key must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
Peer Acceptance: One or more of the following options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.
    Accept any peer: Authenticate with any peer. Use this setting if you don’t know the peer host IDs or IP addresses of the peers that will use this authentication group. This setting is most often used for WAN optimization with FortiClient.
    Accept defined peers: Authenticate with any peer in the FortiGate unit peer list.
    Specify Peer: Authenticate with the selected peer only. Select the peer to add to this authentication group.
