Configuring authenticated access

When you have configured authentication servers, users, and user groups, you are ready to configure security policies and certain types of VPNs to require user authentication.

This section describes:

• Authentication timeout
• Password policy
• Authentication protocols
• Authentication in Captive Portals
• Authentication in security policies
• VPN authentication

Authentication timeout

An important feature of the security provided by authentication is that it is temporary—a user must re- authenticate after logging out. Also if a user is logged on and authenticated for an extended period of time, it is a good policy to have them re-authenticate at set periods. This ensures a user’s session is cannot be spoofed and used maliciously for extended periods of time — re-authentication will cut any spoof attempts short. Shorter timeout values are more secure.

Security authentication timeout

You set the security user authentication timeout to control how long an authenticated connection can be idle before the user must authenticate again. The maximum timeout is 1440 minutes (24 hours).

To set the security authentication timeout – web-based manager:

1. Go to User & Device > Authentication > Settings.

2. Enter the Authentication Timeout value in minutes.

The default authentication timeout is 5 minutes.

3. Select Apply.

SSL VPN authentication timeout

You set the SSL VPN user authentication timeout (Idle Timeout) to control how long an authenticated connection can be idle before the user must authenticate again. The maximum timeout is 259 200 seconds. The default timeout is 300 seconds.

To set the SSL VPN authentication timeout – web-based manager:

1. Go to VPN > SSL > Settings.

2. Under Idle Logout, make sure that Logout users when inactive for specified period is enabled and enter the Inactive For value (seconds).

3. Select Apply.

Managing Guest Access

Visitors to your premises might need user accounts on your network for the duration of their stay. If you are hosting a large event such as a conference, you might need to create many such temporary accounts. The FortiOS Guest Management feature is designed for this purpose.

A guest user account User ID can be the user’s email address, a randomly generated string, or an ID that the administrator assigns. Similarly, the password can be administrator-assigned or randomly generated.

You can create many guest accounts at once using randomly-generated User IDs and passwords. This reduces administrator workload for large events.

User’s view of guest access

1. The user receives an email, SMS message, or printout from a FortiOS administrator listing a User ID and password.

2. The user logs onto the network with the provided credentials.

3. After the expiry time, the credentials are no longer valid.

Administrator’s view of guest access

1. Create one or more guest user groups.

All members of the group have the same characteristics: type of User ID, type of password, information fields used, type and time of expiry.

2. Create guest accounts using Guest Management.

3. Use captive portal authentication and select the appropriate guest group.

Configuring guest user access

To set up guest user access, you need to create at least one guest user group and add guest user accounts. Optionally, you can create a guest management administrator whose only function is the creation of guest accounts in specific guest user groups. Otherwise, any administrator can do guest management.

Creating guest management administrators

To create a guest management administrator

1. Go to System > Admin > Administrators and create a regular administrator account.

For detailed information see the System Administration chapter.

2. Select Restrict to Provision Guest Accounts.

3. In Guest Groups, add the guest groups that this administrator manages.

Creating guest user groups

The guest group configuration determines the fields that are provided when you create a guest user account.

To create a guest user group:

1. Go to User & Device > User > User Groups and select Create New.

2. Enter the following information:

Name                                           Enter a name for the group.

Type                                            Guest

Viewing, editing and deleting user groups

To view the list of FortiGate user groups, go to User & Device > User > User Groups.

Editing a user group

When editing a user group in the CLI you must set the type of group this will be — either a firewall group, a Fortinet Single Sign-On Service group (FSSO), a Radius based Single Sign-On Service group (RSSO), or a guest group. Once the type of group is set, and members are added you cannot change the group type without removing the members.

In the web-based manager, if you change the type of the group any members will be removed automatically.

To edit a user group – web-based manager:

1. Go to User & Device > User > User Groups.

2. Select the user group that you want to edit.

3. Select the Edit button.

4. Modify the user group as needed.

5. Select OK.

To edit a user group – CLI example:

This example adds user3 to Group1. Note that you must re-specify the full list of users:

config user group edit Group1

set group-type firewall

set member user2 user4 user3 end

Deleting a user group

Before you delete a user group, you must ensure there are no objects referring to, it such as security policies. If there are, you must remove those references before you are able to delete the user group.

To remove a user group – web-based manager:

1. Go to User & Device > User > User Groups.

2. Select the user group that you want to remove.

3. Select the Delete button.

4. Select OK.

To remove a user group – CLI example:

config user group delete Group2

end

Configuring Peer user groups

Peer user groups can only be configured using the CLI. Peers are digital certificate holders defined using the config user peer command. The peer groups you define here are used in dialup IPsec VPN configurations that accept RSA certificate authentication from members of a peer certificate group.

To create a peer group – CLI example:

config user peergrp edit vpn_peergrp1

set member pki_user1 pki_user2 pki_user3 end

SSO user groups

SSO user groups are part of FSSO authentication and contain only Windows or Novell network users. No other user types are permitted as members. Information about the Windows or Novell user groups and the logon activities of their members is provided by the Fortinet Single Sign On (FSSO) which is installed on the network domain controllers.

You can specify FSSO user groups in security policies in the same way as you specify firewall user groups. FSSO user groups cannot have SSL VPN or dialup IPsec VPN access.

For information about configuring FSSO user groups, see Creating Fortinet Single Sign-On (FSSO) user groups on page 589. For complete information about installing and configuring FSSO, see Agent-based FSSO on page 553.