FortiCache 4.0.1 Administration Guide

User Authentication

The User menu allows you to configure authentication settings and user accounts. Users can also be monitored, and user groups and remote servers can be configured.

The following topics are included in this section:

  • User
  • Authentication l Monitor

User

A user is a user account that consists of a user name, password and, in some cases, other information that can be

configured on the unit or on an external authentication server. Users can access resources that require authentication only if they are members of an allowed user group.

User definition

A local user is a user configured on a unit. The user can be authenticated with a password stored on the unit or with a password stored on an authentication server. The user name must match a user account stored on the unit and the user name and password must match a user account stored on the authentication server associated with the user.

New users can be created using the Users/Groups Creation Wizard.

To configure users, go to User> User> UserDefinition.

Create New Run the new user wizard and create a new user.
Edit Edit a user.
Delete Delete a user or users.
Search Enter a search term to search the user list.
User Name The name of the user.
Type The type of user, such as Local or LDAP.
Two-factor Authentication Displays whether the user has token two-factor authentication enabled.
Ref. Displays the number of times the user is referenced to other objects.

To view the location of the referenced user, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object.

User

To edit a user:

  1. Select the user you would like to edit then select Edit from the toolbar, or double-click on the user in the table. The Edit User window opens.
  2. Edit the user information as required, or select Disable to disable the user.
  3. Select OK to apply your changes.

To delete a user or users:

  1. Select the user or users that you would like to delete. You cannot delete a user that is currently in a group.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected user or users.

New user wizard

The Users/Groups Creation Wizard is used to create new user accounts. From the user list, select Create New to start the wizard.

To create a new local user:

  1. In the UserType page, select Local User, then select Next.
  2. In the Login Credentials page, enter a UserName and Password for the user, then select Next.
  3. In the Contact Info page, enter an Email Address for the user, then select Next. Alternatively, you can supply the user’s SMS contact information. The Contact Info page is optional.
  4. In the Extra Info page, select Enable to enable the new user. To assign a FortiToken to the user, enable TwofactorAuthentication and select a token from the dropdown menu provided. To place the user into a group, select UserGroup, then select a group from the dropdown menu. For information on user groups, see User on page 103.
  5. Select Create to create the new local user.

To create a new remote RADIUS user:

  1. In the UserType page, select Remote RADIUS User, then select Next.
  2. In the RADIUS Server page, enter a UserName and select a RADIUS Server from the dropdown menu, then select Next. For information on RADIUS servers, see RADIUS servers on page 113.
  3. In the Contact Info page, enter the user’s information as required.
  4. In the Extra Info page, configure additional settings for the user as required, including placing the user into a group. For information on user groups, see User on page 103.
  5. Select Create to create the new RADIUS user.

To create a new remote TACACS+ user:

Note that, by default, the TACACS+ Servers option under User> Authentication is not visible unless you add a server using the following CLI command:

config user tacacs+    edit <name>

set server <IP>

next end

  1. In the UserType page, select Remote TACACS+ User, then select Next.
  2. In the TACACS+ Server page, enter a UserName and select a TACACS+ Server from the dropdown menu, then select Next. For information on TACACS+ servers, see TACACS+ servers on page 115
  3. In the Contact Info page, enter the user’s information as required.
  4. In the Extra Info page, configure additional settings for the user as required, including placing the user into a group. For information on user groups, see User on page 103.
  5. Select Create to create the new TACACS+ user.

To create a new remote LDAP user:

  1. In the UserType page, select Remote LDAP User, then select Next.
  2. In the LDAP Server page, choose an existing LDAP server from the dropdown menu, or create a new LDAP server and enter the required information, then select Next. For information on LDAP servers, see LDAP servers on page 111.
  3. In the Remote Users page, enter and apply the LDAP filter, enter a search term to search the server and select a user from the results.
  4. Select Create to create the remote LDAP user.

User groups

A user group is a list of user identities. An identity can be:

l a local user account (user name and password) stored on the Fortinet unit l a local user account with a password stored on a RADIUS, LDAP, or TACACS+ server l a RADIUS, LDAP, or TACACS+ server (all identities on the server can authenticate) l a user or user group defined on a Directory Service server.

Each user group belongs to one of three types: Firewall, FSSO, Guest, or RADIUS Single Sign-On (RSSO).

For each resource that requires authentication, you specify which user groups are permitted access. You need to determine the number and membership of user groups appropriate to your authentication needs.

Users that are associated with multiple groups have access to all services within all the user groups that they are associated with. This is only available in the CLI. The command used is auth-multi-group, which is enabled by default. This feature checks all groups a user belongs to for firewall authentication.

To configure user groups, go to User> UserGroup.

User

Create New Create a new user group.
Edit Edit a user group.
Delete Delete a group or groups.
Search Enter a search term to search the user group list.
Group Name The name of the group.
Group Type The type of group.
Members The names of the members in the group. To adjust the way users are listed in the column, see To configure the member column: on page 108.
Ref. Displays the number of times the group is referenced to other objects.

To view the location of the referenced group, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object.

To create a new user group:

  1. In the user group list, select Create New from the toolbar. The New UserGroup window opens.
  2. Enter a name for the group in the Name
  3. Select the group type in the Type field, one of: Firewall, FSSO, Guest, or RSSO.
  4. Enter the following information, depending on the group type selected:
Firewall   This type of group can be selected in any security policy that requires firewall authentication.
  Members Select users to add to the group from the drop-down list.
  Remote groups Add remote authentication servers to the group.

Select Create New, then select the server from the dropdown menu. If required, select a group for the server.

Fortinet (FSSO) Single      Sign- On This type of group can be selected in any security policy that requires Fortinet Single Sign-On (FSSO) authentication.
  Members Select users to add to the group from the drop-down list.
Guest   This type of group can be selected in any security policy that allows guest authentication.
  Enable          Batch

Guest       Account

Creation

Select to enable the creation of batches of guest accounts.

When enabled, only the Expire Type and Default Expire Time options will be available.

  User ID Select a user ID option from the drop-down list.

l Auto-Generate: The user ID is generated automatically. l Email: The user ID is emailed. l Specify: The user ID must be specified.

  Password Select a password option from the drop-down list.

l Auto-Generate: The password is generated automatically. l Specify: The password must be specified. l Disable: No password is required.

  Expire Type Select the expire type, either Afterfirst login, or Immediately.
  Default  Expire Time Select the default expire time in Days, Hours, Minutes, or Seconds.
  Enable Name Select to enable name.
  Enable Sponsor Select to enable sponsor. Select Required to make a sponsor a requirement.
  Enable Company Select to enable company. Select Required to make a company a requirement.
  Enable Email Select to enable email.
  Enable SMS Select to enable SMS, then select a service type from the Service Type dropdown menu.
RADIUS (RSSO) Signle      Sign- On This type of group can be selected in any security policy that requires RSSO authentication.
  RADIUS Attribute Value Enter the RADIUS attribute value. This value matches the value from the RADIUS Accounting-Start attribute “Class”.
  1. Select OK to create the new user group.

To edit a user group:

  1. Select the group you would like to edit then select Edit from the toolbar, or double-click on the group in the table. The Edit UserGroup window opens.

 

  1. Edit the information as required, then select OK to apply your changes.

To delete a user group or groups:

  1. Select the group or groups that you would like to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected group or groups.

To configure the member column:

  1. In the user group list, right-click anywhere on the column headings and select Members Column Option. The MemberColumn Option window opens.
  2. Enter the number of subcolumns that the member column will contain in the Numberof Sub-Columns field, from 1 to 12 (default = 4).
  3. Enter the number of lines to display in the Lines of Objects to Display field, from 1 to 100 (default = 6).

If more users are in a group than can be displayed in accordance with the member column settings, a Display More option will be added to the row that also shows how many users are hidden and how many users are contained in the group in total.

Authentication

FortiCache units support the use of external authentication servers. An authentication server can provide password checking for selected FortiCache users or it can be added as a member of a FortiCache user group.

If you are going to use authentication servers, you must configure the servers before you configure FortiCache users or user groups that require them.

The following menus are available:

l Single sign-on l LDAP servers l RADIUS servers l TACACS+ servers l Settings

Single sign-on

Fortinet units use security policies to control access to resources based on user groups configured in the policies.

Each Fortinet user group is associated with one or more Directory Service user groups. When a user logs in to the Windows or Novell domain, an FSSO agent sends the user’s IP address, and the names of the Directory Service user groups that the user belongs to, to the FortiCache unit.

The FSSO agent has two components that must be installed on your network:

  • The domain controller agent must be installed on every domain controller to monitor user logins and send information about them to the collector agent.
  • The Collector agent must be installed on at least one domain controller to send the information received from the domain controller agents to the Fortinet unit. Alternately a FortiAuthenticator server can take the place of the Collector agent in an FSSO polling mode configuration.

The unit uses this information to maintain a copy of the domain controller user group database. Because the domain controller authenticates users, the unit does not perform authentication. It recognizes group members by their IP address. You must install the FSSO Agent on the network and configure the unit to retrieve information from the Directory Service server.

To manage single sign-on (SSO) servers, go to User> Authentication > Single Sign-on.

Create New Create a new FSSO server.
Edit Edit an FSSO server.
Delete Delete an FSSO server or servers.
Name The name of the FSSO server.
Type An icon representing the type of server. Hover your cursor over the icon to view the type.
LDAP Server The LDAP server associated with the FSSO server.
Users/Groups The users and groups associated with the server.
FSSO Agent IP/Name The IP address or name of the FSSO agent.
Status The status of the FSSO server.
Ref. Displays the number of times the server is referenced to other objects. To view the location of the referenced server, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object.

To create a new SSO server:

  1. In the single sign-on server list, select Create New from the toolbar. The New Single Sign-On Server page opens.
  2. Select the type of server that will be created in the Type One of: Poll Active Directory Server, Fortinet Single Sign-On Agent, or RADIUS Single Sign-On Agent.
  3. Enter the following information, depending on the type selected:
Poll Active Directory Server
                    Server IP/Name         Enter the server name or IP address.
                    User                             Enter the user name.
                    Password                   Enter the password for the user.
                    LDAP Server             Select an LDAP server from the drop-down list to access the Directory

Service.

                    Enable Polling          Select to enable polling.
Users/Groups            If an LDAP server is selected, view or edit the users or groups associated with the server.
Fortinet Single Sign-On Agent
                    Name                           Enter a name for the agent.
Primary           Agent    Enter the IP address or name for the primary agent. Then enter the IP/Name          password in the Password field.
Secondary Agent        Enter the IP address or name for the secondary agent. Then enter the IP/Name          password in the Password field.
                    More              FSSO   Select More FSSO agents to add up to three more FSSO agents.

agents                        Enter the IP address or name of the Directory Service server where the

collector agent is installed. The maximum number of characters is 63. Then enter the password for the collector agent. This is required only if you configured your FSSO agent collector agent to require authenticated access.

                    LDAP Server             Select an LDAP server from the drop-down list to access the Directory

Service.

Users/Groups            If an LDAP server is selected, view or edit the users or groups associated with the server.
RADIUS Single Sign-On Agent
Use RADIUS Select to use a RADIUS shared secret, then enter the shared secret in the Shared Secret Shared Secret field.
Send RADIUS               Select to send RADIUS responses. Responses
  1. Select OK to create the new single sign-on server.

To edit an SSO server:

  1. Select the server you would like to edit, then select Edit from the toolbar, or double-click on the address group. The Edit Single Sign-On Server window opens.
  2. Edit the server information as required and select OK to apply your changes.

To delete a server or servers:

  1. Select the server or servers that you would like to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected server or servers.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.