LDAP servers
LDAP is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network.
To manage LDAP servers, go to User > Authentication > LDAP Servers.
The following information is available:
Create New | Create a new LDAP server.
Edit | Edit an LDAP server.
Delete | Delete a server or servers.
Name | The name that identifies the LDAP server on the Fortinet unit.
Server Name/IP | The domain name or IP address of the LDAP server.
Port | The TCP port used to communicate with the LDAP server. By default, LDAP uses port 389.
Common Name Identifier | The common name identifier for the LDAP server.
Distinguished Names | The base distinguished name for the server, in the correct X.500 or LDAP format. The unit passes this distinguished name unchanged to the server.
Ref. | Displays the number of times the server is referenced by other objects. To view the location of the referenced server, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.
To add a new LDAP server:
- In the LDAP server list, select Create New from the toolbar. The New LDAP Server window opens.
- Configure the following:
Name | Enter the name that identifies the LDAP server on the Fortinet unit.
Server IP/Name | Enter the domain name or IP address of the LDAP server.
Server Port | Enter the TCP port used to communicate with the LDAP server. By default, LDAP uses port 389. If you use a secure LDAP server, the default port changes when you select Secure Connection.
Common Name Identifier | Enter the common name identifier for the LDAP server. The maximum number of characters is 20.
Distinguished Name | Enter the base distinguished name for the server, in the correct X.500 or LDAP format. The unit passes this distinguished name unchanged to the server. The maximum number of characters is 512. You can also select Fetch DN to contact the specified LDAP server and retrieve its distinguished name.
Bind Type | Select the type of binding for LDAP authentication:
  - Simple: Connect directly to the LDAP server with user name/password authentication.
  - Anonymous: Connect as an anonymous user on the LDAP server, then retrieve the user name/password and compare them to the given values.
  - Regular: Connect to the LDAP server directly with user name/password, then receive accept or reject based on a search of the given values. Enter the distinguished name and password of the user to be authenticated in the UserDN and Password fields.
Secure Connection | Select to use a secure LDAP server connection for authentication.
Protocol | Select a secure LDAP protocol to use for authentication, either LDAPS or STARTTLS. Depending on your selection, the server port changes to the default port for the selected protocol:
  - LDAPS: port 636
  - STARTTLS: port 389
Certificate | Select a certificate to use for authentication from the list.
Test | Select Test to test the LDAP query.
- Select OK to create the new LDAP server.
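The Common Name Identifier, Distinguished Name and Bind Type fields above decide what the unit actually sends to the directory. Because the base DN is passed unchanged, the only part that can be shaped by an end user is the user name, and a client must escape it before splicing it into a DN or a search filter. The following is an added example written for this page, not Fortinet code; it uses the field limits stated on the form (20-character CN identifier, 512-character base DN), and the directory names, the `bind_sequence` helper and the assumption that a found entry is then bound with the user's own password are illustrative:

```python
"""Added example (not Fortinet code): build the bind DN and search filter a
client configured like the LDAP server form above would send, with the
user-supplied part escaped per RFC 4514 (DN) and RFC 4515 (filter).
The length limits are the ones stated on the form; names are constructed."""

MAX_CN_IDENTIFIER = 20   # limit stated on the form
MAX_BASE_DN = 512        # limit stated on the form

# RFC 4514 section 2.4: characters that must be escaped inside a DN value
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                   # leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


# RFC 4515 section 3: filter metacharacters are written as \XX hex escapes
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_server_fields(cn_identifier: str, base_dn: str) -> None:
    """Enforce the length limits the form states; raise ValueError otherwise."""
    if not cn_identifier or len(cn_identifier) > MAX_CN_IDENTIFIER:
        raise ValueError("Common Name Identifier must be 1-%d characters" % MAX_CN_IDENTIFIER)
    if not base_dn or len(base_dn) > MAX_BASE_DN:
        raise ValueError("Distinguished Name must be 1-%d characters" % MAX_BASE_DN)


def simple_bind_dn(cn_identifier: str, username: str, base_dn: str) -> str:
    """Simple bind: the user DN is <cn-id>=<username>,<base DN>. Only the
    username is escaped; the base DN is passed through unchanged."""
    validate_server_fields(cn_identifier, base_dn)
    return "%s=%s,%s" % (cn_identifier, escape_dn_value(username), base_dn)


def user_search_filter(cn_identifier: str, username: str) -> str:
    """Anonymous/Regular bind: the entry is located by searching the base DN
    with this filter before the user's own credentials are checked."""
    return "(%s=%s)" % (cn_identifier, escape_filter_value(username))


def bind_sequence(bind_type, cn_identifier, username, base_dn, user_dn=None):
    """Describe the operations each Bind Type performs as a list of tuples
    (hypothetical helper; the final re-bind step is an assumption)."""
    validate_server_fields(cn_identifier, base_dn)
    if bind_type == "simple":
        return [("bind", simple_bind_dn(cn_identifier, username, base_dn))]
    if bind_type == "anonymous":
        first = ("bind", "")                 # anonymous bind: empty DN, no password
    elif bind_type == "regular":
        if not user_dn:
            raise ValueError("regular bind requires the UserDN field")
        first = ("bind", user_dn)            # service account from UserDN/Password
    else:
        raise ValueError("unknown bind type: %r" % bind_type)
    return [first,
            ("search", base_dn, user_search_filter(cn_identifier, username)),
            ("bind", "<DN returned by the search>")]


if __name__ == "__main__":
    # Constructed sample values, not from any real directory
    print(simple_bind_dn("cn", "Smith, John", "ou=People,dc=example,dc=com"))
    print(user_search_filter("sAMAccountName", "j*smith"))
    for step in bind_sequence("regular", "uid", "jsmith", "ou=People,dc=example,dc=com",
                              user_dn="cn=svc-auth,ou=Service,dc=example,dc=com"):
        print(step)
```

Run it as a script to see the DN and filter produced for the sample user; a comma in a user name comes out as `\,` inside the DN, and a `*` or parenthesis inside the filter comes out as a hex escape, so a crafted user name cannot widen the search or change which entry is bound.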
To edit an LDAP server:
- Select the LDAP server you would like to edit, then select Edit from the toolbar, or double-click the server in the server list. The Edit LDAP Server window opens.
- Edit the server information as required and select OK to apply your changes.
To delete a server or servers:
- Select the server or servers that you would like to delete.
- Select Delete from the toolbar.
- Select OK in the confirmation dialog box to delete the selected server or servers.
RADIUS servers
RADIUS is a broadly supported client server protocol that provides centralized authentication, authorization, and accounting functions. RADIUS clients are built into gateways that allow access to networks such as Virtual Private Network (VPN) servers, Network Access Servers (NAS), as well as network switches and firewalls that use authentication. FortiCache units fall into the last category.
RADIUS servers use UDP packets to communicate with the RADIUS clients on the network to:
- Authenticate users before allowing them access to the network
- Authorize access to resources by appropriate users
- Account or bill for those resources that are used.
RADIUS servers are currently defined by RFC 2865 (RADIUS) and RFC 2866 (Accounting), and listen for requests on either UDP ports 1812 (authentication) and 1813 (accounting) or ports 1645 (authentication) and 1646 (accounting). RADIUS servers exist for all major operating systems.
You must configure the RADIUS server to accept the FortiCache unit as a client. FortiCache units use the authentication and accounting functions of the RADIUS server.
When a configured user attempts to access the network, the FortiCache unit will forward the authentication request to the RADIUS server, which will then match the username and password remotely. Once authenticated, the RADIUS server passes the Authorization Granted message to the FortiCache unit, which then grants the user permission to access the network.
The RADIUS server uses a “shared secret” key, along with MD5 hashing, to encrypt information passed between RADIUS servers and clients, including the FortiCache unit. Typically, only user credentials are encrypted.
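The paragraph above is the whole of what the shared secret does on the wire, and it is worth seeing why "only user credentials are encrypted": RFC 2865 XOR-hides the User-Password attribute with an MD5 stream seeded by the secret and the 16-byte Request Authenticator, leaves every other attribute in clear text, and lets the client check the Response Authenticator to confirm the reply came from a server holding the same secret. The following is an added example written for this page, not Fortinet code; the secret, user name, password and NAS address are constructed sample values, and the 16-character secret check mirrors the recommendation in the RADIUS server form:

```python
"""Added example (not Fortinet code): the RFC 2865 mechanics behind the
shared secret. The secret and the 16-byte Request Authenticator seed an MD5
stream that XOR-hides only the User-Password attribute; the rest of the
Access-Request travels in clear text. The server proves it holds the same
secret through the Response Authenticator. All sample values are constructed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types, RFC 2865
MAX_SECRET_LEN = 16   # the RADIUS server form caps the secret at 16 characters


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same XOR stream, then strip NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type | Length | Value, where Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """Code | ID | Length | Request Authenticator | attributes. Only the
    User-Password value is hidden; User-Name and NAS-IP-Address are clear."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, identifier, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret) -> bool:
    """Client side: a reply whose authenticator does not verify must be dropped."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def secret_is_recommended_length(secret: bytes) -> bool:
    """The form recommends using the full 16-character maximum."""
    return len(secret) == MAX_SECRET_LEN


if __name__ == "__main__":
    secret = b"0123456789abcdef"            # constructed sample secret
    req, ra = build_access_request(7, "alice", "hunter2", secret, "192.0.2.10")
    print("Access-Request length:", len(req), "user name in clear:", b"alice" in req)
    accept = build_response(ACCESS_ACCEPT, 7, b"", ra, secret)
    print("Access-Accept verifies:", verify_response(accept, ra, secret))
```

Two things the code makes visible: the hiding is a stream keyed only by the secret and a per-request authenticator, so a short or reused secret weakens every exchange, which is why the form recommends the full 16 characters; and the reply is accepted only after its Response Authenticator is recomputed and compared in constant time, so a forged Access-Accept from a host without the secret fails the check.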
To manage RADIUS servers, go to User > Authentication > RADIUS Servers.
Create New | Create a new RADIUS server.
Edit | Edit a RADIUS server.
Delete | Delete a server or servers.
Name | The name that identifies the RADIUS server on the unit.
Server IP/Name | The domain name or IP address of the primary and, if applicable, secondary RADIUS server.
Ref. | Displays the number of times the server is referenced by other objects. To view the location of the referenced server, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.
To add a new RADIUS server:
- In the RADIUS server list, select Create New from the toolbar. The New RADIUS Server window opens.
- Configure the following:
Name | Enter the name that is used to identify the RADIUS server on the unit.
Primary Server IP/Name | Enter the domain name or IP address of the primary RADIUS server.
Primary Server Secret | Enter the RADIUS server secret key for the primary RADIUS server. The primary server secret key can be up to a maximum of 16 characters. For security reasons, it is recommended that the server secret key be the maximum length.
Secondary Server IP/Name | Enter the domain name or IP address of the secondary RADIUS server, if applicable.
Secondary Server Secret | Enter the RADIUS server secret key for the secondary RADIUS server. The secondary server secret key can be up to a maximum of 16 characters.
Authentication Method | Select Default to authenticate with the default method. Select Specify to override the default authentication method, then choose the protocol from the list: MSCHAP-V2, MS-CHAP, CHAP, or PAP.
NAS IP/Called Station ID | Optionally, enter the NAS IP address (RADIUS Attribute 31, outlined in RFC 2548). In this configuration, the FortiCache unit is the NAS, and this is how the RADIUS server registers all valid servers that use its records. If you do not enter an IP address, the IP address that the Fortinet interface uses to communicate with the RADIUS server is applied.
Include in every User Group | Select Enable to have the RADIUS server automatically included in all user groups.
- Select OK to create the new RADIUS server.
To edit a RADIUS server:
- Select the RADIUS server you would like to edit, then select Edit from the toolbar, or double-click the server in the server list. The Edit RADIUS Server window opens.
- Edit the server information as required and select OK to apply your changes.
To delete a server or servers:
- Select the server or servers that you would like to delete.
- Select Delete from the toolbar.
- Select OK in the confirmation dialog box to delete the selected server or servers.
TACACS+ servers
TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a username and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies the user access to the network.
TACACS+ offers fully encrypted packet bodies, and supports both IP and AppleTalk protocols. TACACS+ uses TCP port 49, which is seen as more reliable than RADIUS’s UDP protocol.
By default, the TACACS+ Servers option is not visible unless you add a server using the following CLI command:
config user tacacs+
    edit <name>
        set server <IP>
    next
end
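The contrast drawn above, fully encrypted TACACS+ packet bodies versus RADIUS hiding only the password, comes down to how each protocol uses its key. In TACACS+ (RFC 8907 section 4.5) a pseudo-pad is derived from MD5 over the session id, the configured key, the version byte and the sequence number, chained digest by digest, and XORed across the entire body, so user name, port and password are all hidden while the 12-byte header stays in the clear. The following is an added example written for this page, not Fortinet code; the key, session id, port and credentials are constructed sample values, and the `authen_type` codes correspond to the ASCII, PAP, CHAP and MS-CHAP choices listed for the Authentication Type field later in this section:

```python
"""Added example (not Fortinet code): how TACACS+ hides an entire packet
body, in contrast to RADIUS hiding only the password. RFC 8907 section 4.5
derives a pseudo-pad from MD5(session_id, key, version, seq_no[, previous
digest]) and XORs it over the whole body; the 12-byte header stays in the
clear. Session id, key and credentials here are constructed sample values."""
import hashlib
import os
import struct

TAC_PLUS_VERSION = 0xc0           # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in the clear (debug only, never in production)
HEADER = struct.Struct("!BBBBII") # version, type, seq_no, flags, session_id, length

# authen_type values for the START packet; the Authentication Type field in
# this section offers these same protocols
AUTHEN_TYPE = {"ascii": 0x01, "pap": 0x02, "chap": 0x03, "mschap": 0x05}
TAC_PLUS_AUTHEN_LOGIN = 0x01      # action
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01  # authen_service


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated, truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR is its own inverse, so this both hides and reveals a body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, authen_type: str, port="tty0", rem_addr="192.0.2.10", data=b"") -> bytes:
    """RFC 8907 section 5.1 START body. For PAP the password rides in 'data';
    for ASCII it is requested in a later CONTINUE exchange."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    head = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, AUTHEN_TYPE[authen_type],
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data))
    return head + u + p + r + data


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int) -> bytes:
    """Header in the clear; body obfuscated whenever a key is configured."""
    if key:
        flags, wire_body = 0, obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags, wire_body = TAC_PLUS_UNENCRYPTED_FLAG, body
    return HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + wire_body


def parse_packet(packet: bytes, key: bytes):
    """Return (body, was_obfuscated) for a received packet."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body, False
    return obfuscate(body, session_id, key, version, seq_no), True


if __name__ == "__main__":
    key = b"constructed-key"                  # constructed sample key
    sid = int.from_bytes(os.urandom(4), "big")
    start = authen_start_body("alice", "pap", data=b"hunter2")
    pkt = build_packet(start, key, sid, 1)
    print("password visible on the wire:", b"hunter2" in pkt)
    print("round trip with the right key:", parse_packet(pkt, key) == (start, True))
```

The pad depends on the key and on per-session values, so a wrong key yields garbage rather than an error, and the unencrypted flag is the only thing that makes a body readable without it; a monitoring rule that alerts on TACACS+ packets with that flag set is a cheap way to catch a misconfigured key.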
To manage TACACS+ servers, go to User > Authentication > TACACS+ Servers.
Create New | Create a new TACACS+ server.
Edit | Edit a TACACS+ server.
Delete | Delete a server or servers.
Name | The name that identifies the TACACS+ server on the unit.
Server | The domain name or IP address of the TACACS+ server.
Authentication Type | The authentication type used by the server.
Ref. | Displays the number of times the server is referenced by other objects. To view the location of the referenced server, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.
To add a new TACACS+ server:
- In the TACACS+ server list, select Create New from the toolbar. The New TACACS+ Server window opens.
There are several different authentication protocols that TACACS+ can use during the authentication process:
ASCII | Machine-independent technique that uses representations of English characters. Requires the user to type a username and password, which are sent in clear text (unencrypted) and matched with an entry in the user database stored in ASCII format.
PAP | Password Authentication Protocol (PAP). Used to authenticate PPP connections. Transmits passwords and other user information in clear text.
CHAP | Challenge-Handshake Authentication Protocol (CHAP). Provides the same functionality as PAP, but is more secure, as it does not send the password and other user information over the network to the security server.
MS-CHAP | Microsoft Challenge-Handshake Authentication Protocol v1 (MSCHAP). Microsoft-specific version of CHAP.
Auto | The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.
- Configure the following:
Name | Enter the name of the TACACS+ server.
Server IP/Name | Enter the domain name or IP address of the TACACS+ server.
Server Secret | Enter the key used to access the TACACS+ server. The server key can be a maximum of 16 characters in length.
Authentication Type | Select the authentication type to use for the TACACS+ server: Auto, MSCHAP, CHAP, PAP, or ASCII. Auto authenticates using PAP, MSCHAP, then CHAP (in that order).
- Select OK to create the new TACACS+ server.
To edit a TACACS+ server:
- Select the TACACS+ server you would like to edit, then select Edit from the toolbar, or double-click the server in the server list. The Edit TACACS+ Server window opens.
- Edit the server information as required and select OK to apply your changes.
To delete a server or servers:
- Select the server or servers that you would like to delete.
- Select Delete from the toolbar.
- Select OK in the confirmation dialog box to delete the selected server or servers.
Settings
This submenu provides settings for configuring authentication timeout, protocol support, and authentication certificates. When user authentication is enabled within a security policy, the authentication challenge is normally issued for any of the four protocols (depending on the connection protocol):
- HTTP (can also be set to redirect to HTTPS)
- HTTPS
- FTP
- Telnet
The selections control which protocols support the authentication challenge. Users must connect with a supported protocol first so that they can subsequently connect with other protocols. If HTTPS is selected as a method of protocol support, it allows the user to authenticate with a customized local certificate.
When you enable user authentication within a security policy, the security policy user will be challenged to authenticate. For user ID and password authentication, users must provide their user names and passwords. For certificate authentication (HTTPS or HTTP redirected to HTTPS only), you can install customized certificates on the unit, and the users can also have customized certificates installed on their browsers. Otherwise, users will see a warning message and have to accept a default Fortinet certificate.
To configure authentication settings, go to User > Authentication > Settings.
Configure the following settings, then select Apply to save your changes:
Authentication Timeout | Enter the amount of time, in minutes, that an authenticated firewall connection can be idle before the user must authenticate again. From 1 to 480 minutes (default = 5).
Protocol Support | Select the protocols to challenge during firewall user authentication from the following:
  - HTTP
  - Redirect HTTP Challenge to a Secure Channel (HTTPS)
  - HTTPS
  - FTP
  - TELNET
Certificate | Select the local certificate to use for authentication. This option is only available if HTTPS or HTTP redirected to HTTPS is selected.