Category Archives: FortiOS 5.4 Handbook

The complete handbook for FortiOS 5.4

PKI or peer users


A PKI, or peer user, is a digital certificate holder. A PKI user account on the FortiGate unit contains the information required to determine which CA certificate to use to validate the user’s certificate. Peer users can be included in firewall user groups or peer certificate groups used in IPsec VPNs. For more on certificates, see Certificates overview on page 523.

To define a peer user you need:

  • a peer username
  • the text from the subject field of the user’s certificate, or the name of the CA certificate used to validate the user’s certificate

 

Creating a peer user

The peer user can be configured only in the CLI.

 

To create a peer user for PKI authentication – CLI example:

config user peer
    edit peer1
        set subject peer1@mail.example.com
        set ca CA_Cert_1
    next
end

There are other configuration settings that can be added or modified for PKI authentication. For example, you can configure the use of an LDAP server to check access rights for client certificates. For information about the detailed PKI configuration settings, see the FortiGate CLI Reference.
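The following is an added example, not configuration from the handbook. It extends the peer1 entry above to show the difference between a peer entry that pins only the issuing CA and one that also pins the certificate subject, a peer entry that defers the access check to an LDAP server, and how peer users are grouped and referenced from an IPsec phase 1. The names any-corp-cert, peer-ldap, vpn-cert-users and cert-vpn, the LDAP server ourLDAPsrv, the interface port1 and the use of Fortinet_Factory as the local certificate are assumptions for illustration; CA_Cert_1 is assumed to be imported already.

```fortios
# Added example, not from the handbook. Assumes CA_Cert_1 is already
# imported and that the dial-up VPN terminates on port1.

# Weak: only the issuing CA is pinned. Every certificate issued by
# CA_Cert_1, including one issued to a different person, matches this
# peer entry, so it identifies a population, not a user.
config user peer
    edit "any-corp-cert"
        set ca "CA_Cert_1"
    next
end

# Per-user: pin the CA and the subject. The more specific the subject
# string, the less chance that another certificate from the same CA
# also satisfies the match.
config user peer
    edit "peer1"
        set ca "CA_Cert_1"
        set subject "peer1@mail.example.com"
    next
end

# LDAP-backed: the certificate must chain to CA_Cert_1, and the
# principal name carried in the certificate is then looked up on the
# LDAP server, so disabling the directory account revokes VPN access
# without touching the FortiGate configuration.
config user peer
    edit "peer-ldap"
        set ca "CA_Cert_1"
        set ldap-server "ourLDAPsrv"
        set ldap-mode principal-name
    next
end

# Peer users are grouped in a peer group, not a firewall user group.
config user peergrp
    edit "vpn-cert-users"
        set member "peer1" "peer-ldap"
    next
end

# Dial-up IPsec phase 1 that accepts only members of the peer group.
config vpn ipsec phase1-interface
    edit "cert-vpn"
        set type dynamic
        set interface "port1"
        set authmethod signature
        set certificate "Fortinet_Factory"
        set peertype peergrp
        set peergrp "vpn-cert-users"
        set proposal aes256-sha256
    next
end
```

When only the common name should be matched rather than the whole subject string, `set cn` together with `set cn-type` can be used instead of `set subject`; a peer entry that sets neither accepts any certificate from the CA, which is the weak case shown first.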

Local and remote users


Local and remote users are defined on the FortiGate unit in User & Device > User > User Definition.

Create New    Creates a new user account. When you select Create New, you are automatically redirected to the User Creation Wizard.

Edit User    Modifies a user’s account settings. When you select Edit, you are automatically redirected to the Edit User page.

Delete     Removes a user from the list. Removing the user name removes the authentication configured for the user.

The Delete icon is not available if the user belongs to a user group.

To remove multiple local user accounts from within the list, on the User page, in each of the rows of user accounts you want removed, select the check box and then select Delete.

To remove all local user accounts from the list, on the User page, select the check box in the check box column and then select Delete.

User Name     The user name. For a remote user, this username must be identical to the username on the authentication server.

Type         Local indicates a local user authenticated on the FortiGate unit. For remote users, the type of authentication server is shown: LDAP, RADIUS, or TACACS+.

Two-factor Authentication     Indicates whether two-factor authentication is configured for the user.

Ref.            Displays the number of times this object is referenced by other objects. Select the number to open the Object Usage window and view the list of referring objects. The list is grouped into expandable categories, such as Firewall Policy. Numbers of objects are shown in parentheses.

To view more information about the referring object, use the icons:

  • View the list page for these objects – available for object categories. Goes to the page where the object is listed. For example, if the category is User Groups, opens User Groups list.
  • Edit this object – opens the object for editing.
  • View the details for this object – displays current settings for the object.

 

To create a local or remote user account – web-based manager:

1. Go to User & Device > User > User Definition and select Create New.

2. On the Choose User Type page select:

Local User                                 Select to authenticate this user using a password stored on the FortiGate unit.

Remote RADIUS User
Remote TACACS+ User
Remote LDAP User               To authenticate this user using a password stored on an authentication server, select the type of server and then select the server from the list. You can select only a server that has already been added to the FortiGate unit configuration.

3. Select Next and provide user authentication information.

For a local user, enter the User Name and Password.

For a remote user, enter the User Name and the server name.

4. Select Next and enter Contact Information.

If email or SMS is used for two-factor authentication, provide the email address or SMS cell number at which the user will receive token password codes. If a custom SMS service is used, it must already be configured in System > Config > Advanced > SMS Service. See FortiToken on page 481.

5. Select Next, then on the Provide Extra Info page enter

 

Two-factor Authentication       Select to enable two-factor authentication. Then select the Token (FortiToken or FortiToken Mobile) for this user account. See Associating FortiTokens with accounts on page 485.

User Group                                Select the user groups to which this user belongs.

6. Select Create.

 

To create a local user – CLI example:

Locally authenticated user

config user local
    edit user1
        set type password
        set passwd ljt_pj2gpepfdw
    next
end

 

To create a remote user – CLI example:

config user local
    edit user2
        set type ldap
        set ldap_server ourLDAPsrv
    next
end

For a RADIUS or TACACS+ user, set type to radius or tacacs+, respectively.

 

To create a user with FortiToken Mobile two-factor authentication – CLI example:

config user local
    edit user5
        set type password
        set passwd ljt_pj2gpepfdw
        set two_factor fortitoken
        set fortitoken 182937197
    next
end

Remote users are configured for FortiToken two-factor authentication similarly.

 

To create a user with SMS two-factor authentication using FortiGuard messaging Service – CLI example:

config user local
    edit user6
        set type password
        set passwd 3ww_pjt68dw
        set two_factor sms
        set sms-server fortiguard
        set sms-phone 1365984521
    next
end

 

Removing users

Best practices dictate that when a user account is no longer in use, it should be deleted. Removing local and remote users from FortiOS involves the same steps.

If the user account is referenced by any configuration objects, those references must be removed before the user can be deleted. See Removing references to users on page 477.

To remove a user from the FortiOS configuration – web-based manager:

1. Go to User & Device > User > User Definition.

2. Select the check box of the user that you want to remove.

3. Select Delete.

4. Select OK.

 

To remove a user from the FortiOS configuration – CLI example:

config user local
    delete user4444
end

 

Removing references to users

You cannot remove a user that belongs to a user group. Remove the user from the user group first, and then delete the user.

 

To remove references to a user – web-based manager

1. Go to User & Device > User > User Definition.

2. If the number in the far right column for the selected user contains any number other than zero, select it.

3. A more detailed list of object references to this user is displayed. Use its information to find and remove these references to allow you to delete this user.
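The CLI equivalent of the steps above, as an added example that is not part of the handbook: locate the objects that still reference user4444, rewrite the group membership without the user, and then delete the account. The group name staff and the remaining members user1 and user2 are assumptions; the user4444 name comes from the deletion example earlier on this page.

```fortios
# Added example, not from the handbook. Assumes user4444 is a member of
# the group "staff" and that user1 and user2 are the members to keep.

# Find the referencing objects. The "| grep" output filter works with
# show commands; the second line searches the whole configuration in
# case a policy or another object references the user directly.
show user group | grep user4444
show full-configuration | grep user4444

# "set member" replaces the whole member list, so list every member that
# should remain and leave out the one being removed.
config user group
    edit "staff"
        set member "user1" "user2"
    next
end

# With no references left, the delete succeeds.
config user local
    delete user4444
end

# Confirm nothing still names the account.
show full-configuration | grep user4444
```

Running the final grep after the delete is the check a practitioner wants: an empty result confirms the account and every reference to it are gone, rather than relying on the absence of an error message from the delete.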

 

Users and user groups


FortiGate authentication controls system access by user group. By assigning individual users to the appropriate user groups you can control each user’s access to network resources. The members of user groups are user accounts, of which there are several types. Local users and peer users are defined on the FortiGate unit. User accounts can also be defined on remote authentication servers.

This section describes how to configure local users and peer users and then how to configure user groups. For information about configuration of authentication servers see Authentication servers on page 451.

This section contains the following topics:

  • Users
  • User groups

 

Users

A user is a user account consisting of username, password, and in some cases other information, configured on the FortiGate unit or on an external authentication server. Users can access resources that require authentication only if they are members of an allowed user group. There are several different types of user accounts with slightly different methods of authentication:

User type                      Authentication

Local user                     The username and password must match a user account stored on the FortiGate unit. Authentication by FortiGate security policy.

Remote user                    The username must match a user account stored on the FortiGate unit and the username and password must match a user account stored on the remote authentication server. FortiOS supports LDAP, RADIUS, and TACACS+ servers.

Authentication server user     A FortiGate user group can include user accounts or groups that exist on a remote authentication server.

FSSO user                      With Fortinet Single Sign On (FSSO), users on a Microsoft Windows or Novell network can use their network authentication to access resources through the FortiGate unit. Access is controlled through FSSO user groups which contain Windows or Novell user groups as their members.

PKI or Peer user               A Public Key Infrastructure (PKI) or peer user is a digital certificate holder who authenticates using a client certificate. No password is required, unless two-factor authentication is enabled.

IM Users                       IM users are not authenticated. The FortiGate unit can allow or block each IM user name from accessing the IM protocols. A global policy for each IM protocol governs access to these protocols by unknown users.

Guest Users                    Guest user accounts are temporary. The account expires after a selected period of time.

 

This section includes:

  • Local and remote users
  • PKI or peer users
  • Two-factor authentication
  • FortiToken
  • Monitoring users

Authentication servers


FortiGate units support the use of external authentication servers. An authentication server can provide password checking for selected FortiGate users or it can be added as a member of a FortiGate user group.

If you are going to use authentication servers, you must configure the servers before you configure FortiGate users or user groups that require them.

Mac OS and iOS devices, including iPhones and iPads, can perform user authentication with FortiOS units using RADIUS servers, but not with LDAP or TACACS+ servers.

This section includes the following topics:

  • FortiAuthenticator servers
  • RADIUS servers
  • LDAP servers
  • TACACS+ servers
  • POP3 servers
  • SSO servers
  • RSA ACE (SecurID) servers

 

FortiAuthenticator servers

FortiAuthenticator is an Authentication, Authorization, and Accounting (AAA) server, that includes a RADIUS server, an LDAP server, and can replace the FSSO Collector Agent on a Windows AD network. Multiple FortiGate units can use a single FortiAuthenticator for FSSO, remote authentication, and FortiToken management.

For more information, see the FortiAuthenticator Administration Guide.

 

RADIUS servers

Remote Authentication and Dial-in User Service (RADIUS) is a broadly supported client-server protocol that provides centralized authentication, authorization, and accounting functions. RADIUS clients are built into gateways that allow access to networks such as Virtual Private Network servers, Network Access Servers (NAS), as well as network switches and firewalls that use authentication. FortiGate units fall into the last category.

RADIUS servers use UDP to communicate with the RADIUS clients on the network: they authenticate users before allowing them access to the network, authorize access to resources by appropriate users, and account for (or bill) the resources that are used. RADIUS is currently defined by RFC 2865 (authentication and authorization) and RFC 2866 (accounting). Servers listen on UDP ports 1812 (authentication) and 1813 (accounting), or on the older ports 1645 (authentication) and 1646 (accounting). RADIUS servers exist for all major operating systems.

You must configure the RADIUS server to accept the FortiGate unit as a client. FortiGate units use the authentication and accounting functions of the RADIUS server.

FortiOS does not accept all of the characters in the shared secrets that MS Windows Server 2008 generates automatically. These keys are also very long, and as a result RADIUS authentication will not work. The maximum key length for MS Windows 2008 is 128 bytes; in older versions of FSAE it was 40 bytes. Generate the shared secret yourself and enter the same value on the server's client entry and on the FortiGate unit.
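An added example, not taken from the handbook, of defining the three server types the FortiGate unit can use and then testing each one from the CLI before any user or group depends on it. The server names ourRADIUSsrv, ourLDAPsrv and ourTACACSsrv (ourLDAPsrv matches the remote user example elsewhere on this page), the addresses, the bind account DN, the secrets and the test credentials are placeholders; CA_Cert_1 is assumed to be imported so that the LDAP server certificate can be validated.

```fortios
# Added example, not from the handbook. Addresses, secrets and the bind
# account are placeholders; CA_Cert_1 is assumed to be imported.

# RADIUS: the server must list the FortiGate's source address as a
# client with the same shared secret. Use a secret you generated, not
# one auto-generated by Windows Server 2008 (see the note above).
config user radius
    edit "ourRADIUSsrv"
        set server "10.0.0.10"
        set secret "Long-random-shared-secret"
        set auth-type pap
        set secondary-server "10.0.0.11"
        set secondary-secret "Long-random-shared-secret"
        set nas-ip 10.0.0.1
        set source-ip 10.0.0.1
    next
end

# LDAP: a simple bind sends the user's password in the clear unless the
# connection is LDAPS, so set "secure ldaps", the matching port, and the
# CA that issued the server certificate.
config user ldap
    edit "ourLDAPsrv"
        set server "10.0.0.20"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=example,DC=com"
        set password "Bind-account-password"
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
    next
end

# TACACS+: the key encrypts the packet body; it must match on both sides.
config user tacacs+
    edit "ourTACACSsrv"
        set server "10.0.0.30"
        set key "Long-random-shared-secret"
        set authen-type auto
    next
end

# Test each server with a known account before referencing it from a
# user or group. The RADIUS test takes the method as its second argument.
diagnose test authserver radius ourRADIUSsrv pap user2 password
diagnose test authserver ldap ourLDAPsrv user2 password
diagnose test authserver tacacs+ ourTACACSsrv user2 password
```

The `auth-type` on the RADIUS entry has to be one the server's client entry allows; a mismatch shows up in the diagnose test as a rejection even though the secret is correct, which is worth knowing before blaming the shared secret.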

General authentication settings


Go to User & Device > Authentication > Settings to configure authentication timeout, protocol support, and authentication certificates.

When user authentication is enabled within a security policy, the authentication challenge is normally issued for any of the four protocols (depending on the connection protocol):

  • HTTP (can also be set to redirect to HTTPS)
  • HTTPS
  • FTP
  • Telnet

 

The selections made in the Protocol Support list of Authentication Settings control which protocols support the authentication challenge. Users must connect with a supported protocol first so they can subsequently connect with other protocols. If HTTPS is selected as a method of protocol support, it allows the user to authenticate with a customized Local certificate.

When you enable user authentication within a security policy, the security policy user will be challenged to authenticate. For user ID and password authentication, users must provide their user names and passwords. For certificate authentication (HTTPS or HTTP redirected to HTTPS only), you can install customized certificates on the unit and the users can also have customized certificates installed on their browsers. Otherwise, users will see a warning message and have to accept a default Fortinet certificate.

Authentication Timeout           Enter a length of time in minutes, from 1 to 1440 (24 hours). Authentication timeout controls how long an authenticated firewall connection can be idle before the user must authenticate again. The default value is 5.

Protocol Support                      Select the protocols to challenge during firewall user authentication.

Certificate                                   If using HTTPS protocol support, select the local certificate to use for authentication. Available only if HTTPS protocol support is selected.

Apply                                          Select to apply the selections for user authentication settings.
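The CLI form of the settings in the table above, as an added example that is not from the handbook, showing a weak selection of challenge protocols beside a hardened one. Fortinet_Factory is the factory local certificate named elsewhere on this page and stands in for an imported certificate that users' browsers trust; the timeout values are illustrative.

```fortios
# Added example, not from the handbook. Replace Fortinet_Factory with an
# imported certificate that client browsers trust.

# Weak: every protocol issues the challenge. A user whose first
# connection is Telnet, FTP or plain HTTP types their password in
# cleartext to the FortiGate, and a 24-hour idle timeout keeps an
# abandoned session authenticated all day.
config user setting
    set auth-type http https ftp telnet
    set auth-secure-http disable
    set auth-timeout 1440
end

# Hardened: challenge over HTTPS only, redirect HTTP challenges to
# HTTPS, present a trusted certificate, and expire idle sessions after
# the 5-minute default.
config user setting
    set auth-type http https
    set auth-secure-http enable
    set auth-cert "Fortinet_Factory"
    set auth-timeout 5
    set auth-timeout-type idle-timeout
end

# Verify what is in effect.
get user setting
```

Dropping FTP and Telnet from `auth-type` means a user whose first connection is FTP is not challenged at all and is simply denied by the policy until they open a browser, which is the intended behaviour: the browser challenge over HTTPS is the only path that protects the credential in transit.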

 

Types of authentication


FortiOS supports two different types of authentication based on your situation and needs.

Security policy authentication is easily applied to all users logging on to a network, or network service. For example if a group of users on your network such as the accounting department who have access to sensitive data need to access the Internet, it is a good idea to make sure the user is a valid user and not someone trying to send company secrets to the Internet. Security policy authentication can be applied to as many or as few users as needed, and it supports a number of authentication protocols to easily fit with your existing network.

Virtual Private Network (VPN) authentication enables secure communication with hosts located outside the company network, making them part of the company network while the VPN tunnel is operating. Authentication applies to the devices at both ends of the VPN and optionally VPN users can be authenticated as well.

 

Security policy authentication

Security policies enable traffic to flow between networks. Optionally, the policy can allow access only to specific originating addresses, device types, users or user groups. Where access is controlled by user or user group, users must authenticate by entering valid username and password credentials.

The user’s authentication expires if the connection is idle for too long, 5 minutes by default but that can be customized.

Security policies are the mechanism for FSSO, NTLM, certificate based, and RADIUS SSO authentication.

 

FSSO

Fortinet Single Sign on (FSSO) provides seamless authentication support for Microsoft Windows Active Directory (AD) and Novell eDirectory users in a FortiGate environment.

On a Microsoft Windows or Novell network, users authenticate with the Active Directory or Novell eDirectory at logon. FSSO provides authentication information to the FortiGate unit so that users automatically get access to permitted resources. See Introduction to agent-based FSSO on page 553.

 

NTLM

The NT LAN Manager (NTLM) protocol is used when the FortiGate unit cannot obtain logon information from an FSSO agent on the MS Windows Active Directory (AD) domain controller. NTLM is a browser-based method of authentication.

The FSSO software is installed on each AD server and the FortiGate unit is configured to communicate with each FSSO client. When a user successfully logs into their Windows PC (and is authenticated by the AD Server), the FSSO client communicates the user’s name, IP address, and group login information to the FortiGate unit. The FortiGate unit sets up a temporary access policy for the user, so when they attempt access through the firewall they do not need to re-authenticate. This model works well in environments where the FSSO client can be installed on all AD servers.

In system configurations where it is not possible to install FSSO clients on all AD servers, the FortiGate unit must be able to query the AD servers to find out if a user has been properly authenticated. This is achieved using the NTLM messaging features of Active Directory and Internet Explorer.

Even when NTLM authentication is used, the user is not asked again for their username and password. Internet Explorer stores the user’s credentials and the FortiGate unit uses NTLM messaging to validate them in the Windows AD environment.

Note that if the authentication reaches the timeout period, the NTLM message exchange restarts. For more information on NTLM, see NTLM authentication on page 508 and FSSO NTLM authentication support on page 559.

 

Certificates

Certificates can be used as part of a policy. All users being authenticated against the policy are required to have the proper certificate. See Certificate-based authentication on page 522.

 

RADIUS SSO

RADIUS Single Sign-On (RSSO) is a remote authentication method that does not require any local users to be configured, and relies on RADIUS Start records to provide the FortiGate unit with authentication information.

That information identifies the user and user group, which is then matched using a security policy. See SSO using RADIUS accounting records on page 596.

Introduction to authentication


Identifying users and other computers—authentication—is a key part of network security. This section describes some basic elements and concepts of authentication.

The following topics are included in this section:

  • What is authentication?
  • Methods of authentication
  • Types of authentication
  • User’s view of authentication
  • FortiGate administrator’s view of authentication

 

What is authentication?

Businesses need to authenticate people who have access to company resources. In the physical world this may be a swipe card to enter the building, or a code to enter a locked door. If a person has this swipe card or code, they have been authenticated as someone allowed in that building or room.

Authentication is the act of confirming the identity of a person or other entity. In the context of a private computer network, the identities of users or host computers must be established to ensure that only authorized parties can access the network. The FortiGate unit enables controlled network access and applies authentication to users of security policies and VPN clients.

 

Methods of authentication

FortiGate unit authentication is divided into three basic types: password authentication for people, certificate authentication for hosts or endpoints, and two-factor authentication for additional security beyond just passwords. An exception to this is that FortiGate units in an HA cluster and FortiManager units use password authentication.

Password authentication verifies individual user identities, but access to network resources is based on membership in user groups. For example, a security policy can be configured to permit access only to the members of one or more user groups. Any user who attempts to access the network through that policy is then authenticated through a request for their username and password.

Methods of authentication include:

  • Local password authentication
  • Server-based password authentication
  • Certificate-based authentication
  • Two-factor authentication

 

Local password authentication

The simplest authentication is based on user accounts stored locally on the FortiGate unit. For each account, a username and password is stored. The account also has a disable option so that you can suspend the account without deleting it.

Local user accounts work well for a single-FortiGate installation. If your network has multiple FortiGate units that will use the same accounts, the use of an external authentication server can simplify account configuration and maintenance.

You can create local user accounts in the web-based manager under User & Device > User >User Definition. This page is also used to create accounts where an external authentication server stores and verifies the password.

 

Server-based password authentication

Using external authentication servers is desirable when multiple FortiGate units need to authenticate the same users, or where the FortiGate unit is added to a network that already contains an authentication server. FortiOS supports the use of LDAP, RADIUS, TACACS+, AD or POP3 servers for authentication.

When you use an external authentication server to authenticate users, the FortiGate unit sends the user’s entered credentials to the external server. How the password is protected on the wire depends on the protocol: RADIUS hides the User-Password attribute using the shared secret, TACACS+ encrypts the packet body with its shared secret, and an LDAP simple bind sends the password in the clear unless the server connection is configured to use LDAPS. The server’s response indicates whether the supplied credentials are valid or not.

You must configure the FortiGate unit to access the external authentication servers that you want to use. The configuration includes the parameters that authenticate the FortiGate unit to the authentication server.

You can use external authentication servers in two ways:

  • Create user accounts on the FortiGate unit, but instead of storing each user’s password, specify the server used to authenticate that user. As with accounts that store the password locally, you add these users to appropriate user groups.
  • Add the authentication server to user groups. Any user who has an account on the server can be authenticated and have the access privileges of the FortiGate user group. Optionally, when an LDAP server is a FortiGate user group member, you can limit access to users who belong to specific groups defined on the LDAP server.
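The two ways of using a server listed above, together with the rule stated in the Users section that access is granted only to members of an allowed user group, as an added example that is not from the handbook. It assumes the local user user1 and the LDAP server ourLDAPsrv from the CLI examples earlier on this page already exist; the group names finance-users and finance-ldap, the directory group DN, the policy ID and the interface names internal and wan1 are placeholders.

```fortios
# Added example, not from the handbook. Assumes user1 and the LDAP
# server ourLDAPsrv already exist; other names are placeholders.

# Way 1: individual accounts on the FortiGate, one of which delegates
# its password check to the server. The account name must match the
# name on the server.
config user local
    edit "user2"
        set type ldap
        set ldap_server "ourLDAPsrv"
    next
end
config user group
    edit "finance-users"
        set member "user1" "user2"
    next
end

# Way 2: the server itself is the member. Without the match block,
# everyone the server can authenticate is in the group; the match
# limits it to members of one directory group.
config user group
    edit "finance-ldap"
        set member "ourLDAPsrv"
        config match
            edit 1
                set server-name "ourLDAPsrv"
                set group-name "CN=Finance,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# Access is controlled by group. A user who authenticates but is in
# neither group does not match this policy and falls through to the
# policies below it.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "finance-users" "finance-ldap"
        set nat enable
    next
end
```

The match block is the part to get right when a server is a group member: a group whose only member is the server and that has no `config match` entry grants the policy's access to every account on the directory, including service and disabled-but-not-deleted accounts the server will still authenticate.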

Authentication – What's New in FortiOS 5.4


RADIUS Framed-IP into accounting packets (234003 189828)

RADIUS attributes, including NAS-IP-Address, Called-Station-ID, Framed-IP-Address, and Event-Timestamp, are supported.

 

Include RADIUS attribute CLASS in all accounting requests (290577)

RADIUS attribute CLASS in accounting requests for firewall, WiFi, and proxy authentication is now supported. RADIUS attribute CLASS is returned in Access-Accept message and it is added to all accounting requests.

 

Certificate-related changes (263368)

Fortinet_factory certificate has been re-signed with an expiration date of 2038 and it is used instead of fortinet_factory2, which has been removed.

 

Improvements and changes to per-VDOM certificates (276403 267362)

The CA and local certificate configuration is now available per-VDOM. When an admin uploads a certificate to a VDOM, it will only be accessible inside that VDOM. When an admin uploads a certificate to global, it will be accessible to all VDOMs and global.

There are factory default certificates such as Fortinet_CA_SSL, Fortinet_SSL, PositiveSSL_CA, Fortinet_Wifi, and Fortinet_Factory, these certificates are moved to per-VDOM and automatically generated when a new VDOM is created.

The Fortinet_Firmware certificate has been removed and all the attributes that used Fortinet_Firmware now use Fortinet_Factory.