Firewall user groups

To create a firewall user group – CLI example:

In this example, the members of accounting_group are User1 and all of the members of rad_accounting_group on the myRADIUS external RADIUS server.

    config user group
        edit accounting_group
            set group-type firewall
            set member User1 myRADIUS
            config match
                edit 0
                    set server-name myRADIUS
                    set group-name rad_accounting_group
                next
            end
        next
    end

 

Matching user group names from an external authentication server might not work if the list of group memberships for the user is longer than 8000 bytes. Group names beyond this limit are ignored.

 

server-name is the name of the RADIUS, LDAP, or TACACS+ server. That server must already be a member of this group and must also be configured as a remote server on the FortiGate unit.

group-name is the name of the group on the RADIUS, LDAP, or TACACS+ server, such as “engineering” or “cn=users,dc=test,dc=com”.

Before using group matching with TACACS+, you must first enable authorization. For example, if you have a configured TACACS+ server called myTACS, use the following CLI commands.

    config user tacacs+
        edit myTACS
            set authorization enable
        next
    end

 

For more information about user group CLI commands, see the Fortinet CLI Guide.

 

Multiple group enforcement support

Previously, when a user belonged to multiple user groups, this user could only access the group services that were within one group. With multiple group enforcement, a user can access the services within the groups that the user is part of.

For example, userA belongs to user_group1, user_group2, user_group3, and user_group4; previously userA could only access services within one of those four groups, typically the group that matches the first security policy. This can be annoying if HTTP access is in user_group1, FTP access is in user_group2, and email access is in user_group3. Now userA can access services within user_group1, user_group2, user_group3, and user_group4.

This feature is available only in the CLI and is enabled by default. It applies to RADIUS, LDAP, and TACACS+ servers. The command for this feature is auth-multi-group, found under config user setting; when enabled, all groups a user belongs to are checked during authentication.
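The difference between single-group and multiple group enforcement, together with the 8000-byte membership-list limit noted above, modelled in a short Python illustration added here. This is not FortiOS code or Fortinet's implementation; the comma-separated group list returned by the server and the in-order evaluation of security policies are assumptions of the model.

```python
"""Model of group matching and multiple group enforcement (added illustration,
not FortiOS code). Assumptions: the external server's membership list arrives
as one comma-separated string, and security policies are evaluated in order.
"""
from dataclasses import dataclass

# Documented limit: group names beyond 8000 bytes of membership data are ignored.
GROUP_LIST_LIMIT = 8000


def effective_groups(server_group_list: str, limit: int = GROUP_LIST_LIMIT) -> list:
    """Return the group names that fit within the first `limit` bytes.

    A name that starts inside the limit but runs past it is dropped as well
    (assumption: a partial name cannot match a configured group-name).
    """
    kept = []
    consumed = 0
    for i, name in enumerate(server_group_list.split(",")):
        consumed += len(name.encode("utf-8")) + (1 if i else 0)  # +1 for the separator
        if consumed > limit:
            break
        kept.append(name)
    return kept


@dataclass(frozen=True)
class Policy:
    service: str   # e.g. "HTTP"
    group: str     # user group the policy grants the service to


def allowed_services(user_groups, policies, multi_group=True):
    """Services a user may reach given the groups the FortiGate knows about.

    multi_group=False models the old behaviour: the first policy whose group
    contains the user decides, and only that group's services are granted.
    multi_group=True models auth-multi-group enabled: every group the user
    belongs to is checked and the union of their services is granted.
    """
    groups = set(user_groups)
    if not multi_group:
        for p in policies:
            if p.group in groups:
                return sorted({q.service for q in policies if q.group == p.group})
        return []
    return sorted({p.service for p in policies if p.group in groups})


def audit_dropped_groups(server_group_list: str, limit: int = GROUP_LIST_LIMIT) -> list:
    """Names the server sent that the FortiGate would silently ignore."""
    kept = set(effective_groups(server_group_list, limit))
    return [g for g in server_group_list.split(",") if g not in kept]


if __name__ == "__main__":
    policies = [Policy("HTTP", "user_group1"), Policy("FTP", "user_group2"),
                Policy("SMTP", "user_group3"), Policy("SSH", "user_group4")]
    # Constructed sample: the server reports userA in all four groups.
    reported = "user_group1,user_group2,user_group3,user_group4"
    groups = effective_groups(reported)
    print("single-group:", allowed_services(groups, policies, multi_group=False))
    print("multi-group: ", allowed_services(groups, policies, multi_group=True))
    # Constructed sample: an oversized list, so the last groups are dropped.
    big = ",".join("g%03d" % i + "x" * 96 for i in range(100))
    print("ignored groups:", len(audit_dropped_groups(big)))
```

Running the script shows userA limited to HTTP under the old behaviour and granted HTTP, FTP, SMTP and SSH with auth-multi-group, and the audit helper is the check to run when a user unexpectedly misses a policy: a group that appears late in a long membership list may simply never reach the FortiGate.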

 

User group timeouts

User groups can have timeout values per group in addition to FortiGate-wide timeouts. There are essentially three different types of timeouts that are configurable for user authentication on the FortiGate unit — idle timeout, hard timeout, and session timeout. These are in addition to any external timeouts such as those associated with RADIUS servers.

If VDOMs are enabled, the global-level user setting auth-timeout is the default that all VDOMs inherit. If VDOMs are not enabled, the user setting auth-timeout is the default. This default timeout value is used whenever the authtimeout keyword for a user group is set to zero.

Each type of timeout will be demonstrated using the existing user group example_group. Timeout units are minutes. A value of zero indicates the global timeout is used.

 

Membership in multiple groups

When a user belongs to multiple RADIUS groups, the per-group authtimeout values are ignored. Instead, the global timeout value is used. The default value is 5 minutes, but it can be set from 1 to 1440 minutes (24 hours).

    config user setting
        set auth-timeout-type idle-timeout
        set auth-timeout 300
    end

 

Idle timeout

The default type of timeout is idle timeout. When a user initiates a session, it starts a timer. As long as data is transferred in this session, the timer continually resets. If data flow stops, the timer is allowed to advance until it reaches its limit. At that time the user has been idle for too long, and the user is forced to re-authenticate before traffic is allowed to continue in that session.

 

To configure user group authentication idle timeout – CLI:

    config user setting
        set auth-timeout-type idle-timeout
    end

    config user group
        edit example_group
            set authtimeout 5    // range is 0-1440 minutes (0 = use global authtimeout value)
        next
    end

 

Hard timeout

Where the idle timeout is reset by traffic, the hard timeout is absolute. The hard timeout counter starts when the user establishes their first session. When the timeout is reached, all of that user's sessions must be re-authenticated. No event resets this timer.

 

To configure user group authentication hard timeout – CLI:

    config user setting
        set auth-timeout-type hard-timeout
    end

    config user group
        edit example_group
            set authtimeout 1440    // range is 0-1440 minutes (0 = use global authtimeout value)
        next
    end

 

Session timeout

The session timeout works much like the hard timeout in that it is an absolute timer that cannot be reset by events. However, when the timeout is reached, existing sessions may continue but new sessions are not allowed until re-authentication takes place.

 

To configure a user group authentication new session hard timeout – CLI:

    config user setting
        set auth-timeout-type new-session
    end

    config user group
        edit example_group
            set authtimeout 30    // range is 0-1440 minutes (0 = use global authtimeout value)
        next
    end
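The three timeout types (idle, hard and new-session) replayed over one constructed timeline, in a Python model added here to make the difference between them visible. It is not FortiOS code; the minute-based clock, the (minute, kind) event format and treating the timeout as reached when the elapsed time equals authtimeout are assumptions of the model.

```python
"""Model of the idle, hard and new-session (session) authentication timeouts
(added illustration, not FortiOS code). Assumptions: time is in minutes since
the user first authenticated; an event is (minute, kind) where kind is
"traffic" on an existing session or "new_session"; a timeout counts as
reached when the elapsed time equals authtimeout.
"""

IDLE_TIMEOUT = "idle-timeout"
HARD_TIMEOUT = "hard-timeout"
NEW_SESSION = "new-session"


def effective_timeout(group_authtimeout: int, global_auth_timeout: int) -> int:
    """A group authtimeout of 0 means 'use the global auth-timeout value'."""
    if not 0 <= group_authtimeout <= 1440:
        raise ValueError("authtimeout must be 0-1440 minutes")
    return global_auth_timeout if group_authtimeout == 0 else group_authtimeout


def simulate(timeout_type: str, authtimeout: int, events):
    """Replay events; return [(minute, kind, outcome)].

    outcome: "allowed"          - traffic/session proceeds
             "allowed-existing" - session timeout reached, but an existing
                                  session is still allowed to continue
             "reauth"           - the user must authenticate again
    """
    auth_at = 0        # minute of the last successful authentication
    last_seen = 0      # minute of the last packet (resets the idle timer)
    results = []
    for minute, kind in sorted(events):
        if timeout_type == IDLE_TIMEOUT:
            expired = minute - last_seen >= authtimeout   # timer resets with traffic
        elif timeout_type in (HARD_TIMEOUT, NEW_SESSION):
            expired = minute - auth_at >= authtimeout     # absolute, never reset
        else:
            raise ValueError("unknown auth-timeout-type: %s" % timeout_type)

        if not expired:
            outcome = "allowed"
        elif timeout_type == NEW_SESSION and kind == "traffic":
            outcome = "allowed-existing"   # old session keeps flowing
        else:
            outcome = "reauth"
            auth_at = minute   # re-authentication restarts the absolute timers
        last_seen = minute
        results.append((minute, kind, outcome))
    return results


def outcomes(timeout_type: str, authtimeout: int, events):
    """Just the outcome column, for quick comparison between timeout types."""
    return [o for _, _, o in simulate(timeout_type, authtimeout, events)]


if __name__ == "__main__":
    # Constructed timeline: steady traffic every 2 minutes, a new session at
    # minute 9, then a 6-minute pause before more traffic.
    timeline = [(2, "traffic"), (4, "traffic"), (6, "traffic"), (8, "traffic"),
                (9, "new_session"), (15, "traffic")]
    for t in (IDLE_TIMEOUT, HARD_TIMEOUT, NEW_SESSION):
        # group authtimeout 0 falls back to a global auth-timeout of 5 minutes
        print("%-13s" % t, outcomes(t, effective_timeout(0, 5), timeline))
```

With a 5-minute timeout the idle type only forces re-authentication after the 6-minute pause, the hard type forces it at minute 6 regardless of the steady traffic, and the new-session type lets the existing flow continue past expiry while the new session at minute 9 triggers re-authentication.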
