Examples and Troubleshooting Authentication

Creating a locally-authenticated user account

User1 is authenticated by a password stored on the FortiGate unit. It is very simple to create this type of account.

 

To create a local user – web-based manager:

1. Go to User & Device > User > User Definition and select Create New.

2. Follow the User Creation Wizard, entering the following information and then select Create:

User Type         Local User
User Name         User1
Password          hardtoguess
Email Address     (optional)
Enable            Select

 

To create a local user – CLI:

config user local
    edit User1
        set type password
        set passwd hardtoguess
    next
end

 

Creating a RADIUS-authenticated user account

To authenticate users using an external authentication server, you must first configure the FortiGate unit to access the server.

 

To configure the remote authentication server – web-based manager:

1. Go to User & Device > Authentication > RADIUS Servers and select Create New.

2. Enter the following information and select OK:

Name                        OurRADIUSsrv
Primary Server Name/IP      10.11.101.15
Primary Server Secret       OurSecret
Authentication Scheme       Select Use Default Authentication Scheme.

 

To configure the remote authentication server – CLI:

config user radius
    edit OurRADIUSsrv
        set server 10.11.101.15
        set secret OurSecret
        set auth-type auto
    next
end

Creation of the user account is similar to the locally-authenticated account, except that you specify the RADIUS authentication server instead of the user's password. The FortiGate then forwards the credentials User2 enters to OurRADIUSsrv and accepts the login only if the server returns Access-Accept.

 

To configure a remote user – web-based manager:

1. Go to User & Device > User > User Definition and select Create New.

2. Follow the User Creation Wizard, entering the following information and then select Create:

User Type         Remote RADIUS User
User Name         User2
RADIUS server     OurRADIUSsrv
Email Address     (optional)
Enable            Select

 

To configure a remote user – CLI:

config user local
    edit User2
        set type radius
        set radius-server OurRADIUSsrv
    next
end

To confirm that the FortiGate can reach the server and that the shared secret matches before you reference User2 in a policy, run the built-in check from the CLI: diagnose test authserver radius OurRADIUSsrv pap User2 <password>. A wrong secret shows up as a failed or missing reply rather than an explicit reject, so do not assume a silent failure means the password was wrong.

 

Creating user groups

This example uses two kinds of user group: an FSSO user group for FSSO users and a firewall user group for other users. It is not possible to combine these two types of users in the same user group.

 

Creating the FSSO user group

For this example, assume that FSSO has already been set up on the Windows network and that it uses Advanced mode, meaning that it uses LDAP to access user group information. You need to

  • configure LDAP access to the Windows AD global catalog
  • specify the collector agent that sends user logon information to the FortiGate unit
  • select Windows user groups to monitor
  • select and add the Engineering and Sales groups to an FSSO user group

 

To configure LDAP for FSSO – web-based manager:

1. Go to User & Device > Authentication > LDAP Servers and select Create New.

2. Enter the following information:

Name                  ADserver
Server Name / IP      10.11.101.160
Distinguished Name    dc=office,dc=example,dc=com
Bind Type             Regular
User DN               cn=FSSO_Admin,cn=users,dc=office,dc=example,dc=com
Password              set_a_secure_password

3. Leave other fields at their default values.

4. Select OK.
