manualshive.com logo in svg

Fortinet FortiGate 60M, Руководство пользователя

Поделиться
Скачать
Fortinet FortiGate 60M Скачать руководство пользователя страница 13

Authentication servers 

Active Directory servers

FortiGate User Authentication Version 1 Guide
01-28007-0233-20050825

13

To remove an LDAP server from the FortiGate unit configuration

You cannot remove an LDAP server that belongs to a user group. Remove it from 
the user group first.

1

Go to 

User > LDAP

.

2

Select Delete beside the LDAP server name that you want to remove.

3

Select OK.

To remove an LDAP server from the FortiGate unit configuration - CLI

config user ldap

delete <name>
end

Active Directory servers

Active Directory server stores information about network objects, such as users, 
systems and services, on Microsoft Windows networks. It first became available in 
Windows 2000 Server. 

Understanding your Active Directory server

Active Directory server organizes information hierarchically, similar to an LDAP 
server. Although it accepts LDAP queries, the Active Directory server native form 
of query is simpler. It does not require a common name identifier or a 
distinguished name. For each object there is a shortcut to the distinguished name 
called the User Principal Name (UPN). The UPN looks similar to an email 
address. It consists of a short name like a user ID, followed by an “@” symbol, 
followed by the server domain name: [email protected], for example. The 
user enters this as the user name at the authentication prompt.

Configuring the FortiGate unit to use an Active Directory server

You can configure the FortiGate unit to access the Active Directory server using 
either distinguished name or UPN. 

To configure the FortiGate unit for Active Directory server authentication

1

Go to 

User > LDAP

.

2

Select Create New to add a new LDAP server, or select the Edit icon to edit an 
existing configuration.

3

Enter a name for the Active Directory server.

4

Enter the domain name or IP address of the Active Directory server.

5

Enter the port used to communicate with the Active Directory server.

6

Enter the common name identifier. If you want users to authenticate by UPN, 
leave this field blank.

7

Enter the distinguished name used to look up entries on the server. If you want 
users to authenticate by UPN, leave this field blank.

8

Select OK.

Содержание FortiGate 60M

Страница 1: ...www fortinet com FortiGate User Authentication Version 1 U S E R G U I D E ...

Страница 2: ...y purpose without prior written permission of Fortinet Inc Trademarks ABACAS APSecure FortiASIC FortiBIOS FortiBridge FortiClient FortiGate FortiGuard FortiGuard Antispam FortiGuard Antivirus FortiGuard Intrusion FortiGuard Web FortiLog FortiManager Fortinet FortiOS FortiPartner FortiProtect FortiReporter FortiResponse FortiShield FortiVoIP and FortiWiFi are trademarks of Fortinet Inc in the Unite...

Страница 3: ...your LDAP server 11 Configuring the FortiGate unit to use an LDAP server 12 Active Directory servers 13 Understanding your Active Directory server 13 Configuring the FortiGate unit to use an Active Directory server 13 Users and user groups 15 Users 15 Defining local users 15 User groups 17 Protection profiles 17 Defining user groups 17 Configuring authenticated access 19 Authentication timeout 19 ...

Страница 4: ...FortiGate User Authentication Version 1 Guide 4 01 28007 0233 20050825 Table of Contents ...

Страница 5: ...e VPN Guide The user s view of authentication The user sees a request for authentication when trying to access the protected resource The way in which the request is presented to the user depends on the method of access to that resource VPN authentication usually controls remote access to a private network Web based user authentication Firewall policies usually control browsing access to an extern...

Страница 6: ...ate unit a user whose name is stored on the Fortigate unit and whose password is stored on an external authentication server an external authentication server with a database that contains the user name and password of each person who is permitted access You need to set up authentication in the following order 1 If external authentication is needed configure the required servers See Configuring th...

Страница 7: ...ou to provide access only to selected employees for example You cannot combine these two uses of an authentication server in the same user group If you add the server to the user group adding individual users with authentication to that server is redundant If you want to use external authentication servers you must configure them before you configure users and user groups Users You define user ide...

Страница 8: ...l is defined in the firewall policy that provides access to the network resource For example access to the Internet through the external interface from workstations on the internal network is made possible by an Internal to External firewall policy Firewall policies apply web filtering antivirus protection and spam filtering to the traffic they control according a protection profile When a firewal...

Страница 9: ...IUS server listens on either port 1812 or port 1645 for authentication requests You must configure it to accept the FortiGate unit as a client The RADIUS server user database can be any combination of user names and passwords defined in a configuration file an SQL database the user account names and passwords configured on the computer where the RADIUS server is installed The RADIUS server uses a ...

Страница 10: ...figuration You cannot remove a RADIUS server that belongs to a user group Remove it from the user group first 1 Go to User RADIUS 2 Select the Delete icon beside the RADIUS server name that you want to remove 3 Select OK To remove a RADIUS server from the FortiGate unit configuration CLI config user radius delete name end LDAP Servers Lightweight Directory Access Protocol LDAP is an Internet proto...

Страница 11: ...n Unit OU level just above DC The Distinguished Name DN is ou People dc example dc com In addition to the DN the FortiGate unit needs an identifier for the individual person Although the FortiGate unit GUI calls this the Common Name CN the identifier you use is not necessarily CN On some servers CN is the full name of a person It might be more convenient to use the same identifier used on the loca...

Страница 12: ...ifiers and the domain name or IP address of the LDAP server you can configure the server on the FortiGate unit To configure the FortiGate unit for LDAP authentication web based manager 1 Go to User LDAP 2 Select Create New to add a new LDAP server or select the Edit icon to edit an existing configuration 3 Enter a name for the LDAP server 4 Enter the domain name or IP address of the LDAP server 5 ...

Страница 13: ...istinguished name For each object there is a shortcut to the distinguished name called the User Principal Name UPN The UPN looks similar to an email address It consists of a short name like a user ID followed by an symbol followed by the server domain name auser example com for example The user enters this as the user name at the authentication prompt Configuring the FortiGate unit to use an Activ...

Страница 14: ...gure Active Directory server authentication using UPN queries CLI config user ldap edit name set server ip_address end To remove an Active Directory server from the FortiGate unit configuration You cannot remove an Active Directory server that has been added to a user group Remove it from the user group first 1 Go to User LDAP 2 Select Delete beside the server name that you want to delete 3 Select...

Страница 15: ...tication server that has been configured on the FortiGate unit If the user is authenticated externally the user name on the FortiGate unit must be identical to the user name on the authentication server Table 1 How the FortiGate unit authenticates different types of users User type Authentication Local user with password stored on the FortiGate unit The user name and password must match a user acc...

Страница 16: ...Directory server select LDAP and select the server name To authenticate this user using a RADIUS server select RADIUS and select the server name If you want to use an authentication server you must configure access to it first See Authentication servers on page 9 5 Select OK To define a local user CLI config user local edit user_name set type password set passwd user_password end or config user lo...

Страница 17: ...ation its own protection profile is disabled and the user group protection profile applies For more information about protection profiles see Protection profile in the Firewall chapter of the FortiGate Administration Guide for your unit Protection profiles do not apply to VPN connections Defining user groups You define a user group by typing a name selecting users and or authentication servers and...

Страница 18: ... User Authentication Version 1 Guide 18 01 28007 0233 20050825 User groups Users and user groups To define a group CLI config user group edit group_name set member user1 user2 usern set profile profile_name end ...

Страница 19: ...et the firewall user authentication timeout Auth Timeout to control how long an authenticated connection can be idle before the user must authenticate again The maximum timeout is 480 minutes 8 hours The default timeout is 15 minutes To set the authentication timeout 1 Go to System Config Options 2 Enter the Auth Timeout value minutes 3 Select Apply Firewall policy authentication Firewall policies...

Страница 20: ... move them to the Allowed list All members of the groups in the Allowed list will be authenticated to use the firewall policy 9 Select OK Configuring authenticated access to the Internet A policy for accessing the Internet is similar to a policy for accessing a specific network but the destination address is set to all The destination interface is the one that connects to the Internet service prov...

Страница 21: ... these rules in mind More specific policies must be placed above more general ones Any policy that requires authentication must be placed above any similar policy that does not If a user fails authentication the firewall drops the request and does not check for a match with any of the remaining policies If you create a policy that requires authentication for HTTP access to the Internet you must pr...

Страница 22: ...quired 3 Select Enable PPTP or Enable L2TP 4 Enter Starting IP and Ending IP addresses This defines the range of addresses assigned to VPN clients 5 Select the user group that is to have access to this VPN The FortiGate unit authenticates members of this user group 6 Select Apply To configure authentication for a PPTP or L2TP VPN CLI config vpn pptp set eip starting_ip set sip ending_ip set status...

Страница 23: ...ure user group authentication for dialup IPSec web based manager 1 Configure the dialup users who are permitted to use this VPN Create a user group and add them to it For more information see Users and user groups on page 15 2 Go to VPN IPSec Phase 1 3 Select Create New or select Edit on an existing VPN gateway 4 From the Remote Gateway list select Dialup User 5 From the Authentication method list...

Страница 24: ...rough an LDAP or RADIUS authentication server You must configure dialup users as members of a user group who are externally authenticated None can have passwords stored on the FortiGate unit To configure authentication for a dialup IPSec VPN web based manager 1 Configure the users who are permitted to use this VPN Create a user group and add them to it For more information see Users and user group...

Страница 25: ...e user group that is to have access to this VPN The list of user groups does not include any group that has members whose password is stored on the FortiGate unit 9 Configure other VPN gateway parameters as needed 10 Select OK For more information about XAUTH configuration see Enabling XAUTH on the FortiGate unit in the FortiGate VPN Guide To configure authentication for a dialup IPSec VPN CLI con...

Страница 26: ...FortiGate User Authentication Version 1 Guide 26 01 28007 0233 20050825 VPN authentication Configuring authenticated access ...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды