FortiGate administrator’s view of authentication
Authentication is based on user groups. The FortiGate administrator configures authentication for security policies and VPN tunnels by specifying the user groups whose members can use the resource. Some planning is required to determine how many different user groups need to be created. Individual user accounts can belong to multiple groups, making allocation of user privileges very flexible.
A member of a user group can be:
- a user whose username and password are stored on the FortiGate unit l a user whose name is stored on the FortiGate unit and whose password is stored on a remote or external authentication server
- a remote or external authentication server with a database that contains the username and password of each person who is permitted access
The general process of setting up authentication is as follows:
- If remote or external authentication is needed, configure the required servers.
- Configure local and peer (PKI) user identities. For each local user, you can choose whether the FortiGate unit or a remote authentication server verifies the password. Peer members can be included in user groups for use in security policies.
- Create user groups.
- Add local/peer user members to each user group as appropriate. You can also add an authentication server to a user group. In this case, all users in the server’s database can authenticate. You can only configure peer user groups through the CLI.
- Configure security policies and VPN tunnels that require authenticated access.
For authentication troubleshooting, see the specific chapter for the topic or for general issues see Troubleshooting on page 213.
General authentication settings
Go to User & Device > Authentication Settings to configure authentication timeout, protocol support, and authentication certificates.
When user authentication is enabled within a security policy, the authentication challenge is normally issued for any of the four protocols (depending on the connection protocol):
General authentication settings
- HTTP (can also be set to redirect to HTTPS) l HTTPS l FTP
The selections made in the Protocol Support list of Authentication Settings control which protocols support the authentication challenge. Users must connect with a supported protocol first so they can subsequently connect with other protocols. If HTTPS is selected as a method of protocol support, it allows the user to authenticate with a customized Local certificate.
When you enable user authentication within a security policy, the security policy user will be challenged to authenticate. For user ID and password authentication, users must provide their user names and passwords. For certificate authentication (HTTPS or HTTP redirected to HTTPS only), you can install customized certificates on the unit and the users can also have customized certificates installed on their browsers. Otherwise, users will see a warning message and have to accept a default Fortinet certificate.
|Authentication Timeout||Enter a length of time in minutes, from 1 to 4320 (72 hours). Authentication timeout controls how long an authenticated firewall connection can be idle before the user must authenticate again. The default value is 5.|
|Protocol Support||Select the protocols to challenge during firewall user authentication.|
|Certificate||If using HTTPS protocol support, select the local certificate to use for authentication. Available only if HTTPS protocol support is selected.|
|Apply||Select to apply the selections for user authentication settings.|
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!