Remote authentication server groups – FortiAnalyzer – FortiOS 6.2.3

Remote authentication server groups

Remote authentication server groups can be used to extend wildcard administrator access. Normally, a wildcard administrator can only be created for a single server. If multiple servers of different types are grouped, a wildcard administrator can be applied to all of the servers in the group.

Multiple servers of the same type can be grouped to act as backups – if one server fails, the administrator can still be authenticated by another server in the group.

To use a server group to authenticate administrators, you must configure the group before configuring the administrator accounts that will use it.

Remote authentication server groups can only be managed using the CLI. For more information, see the FortiAnalyzer CLI Reference.

To create a new remote authentication server group:

  1. Open the admin group command shell:

config system admin group

  1. Create a new group, or edit an already create group: edit <group name>
  2. Add remote authentication servers to the group:

set member <server name> <server name> …

  1. Apply your changes: end

To edit the servers in a group:

  1. Enter the following CLI commands:

config system admin group edit <group name> set member <server name> <server name> …

end

Only the servers listed in the command will be in the group.

To remove all the servers from the group:

  1. Enter the following CLI commands:

config system admin group edit <group name> unset member

end

All of the servers in the group will be removed.

To delete a group:

  1. Enter the following CLI commands:

config system admin group delete <group name>

end

TACACS+ servers – FortiAnalyzer – FortiOS 6.2.3

TACACS+ servers

Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other network computing devices via one or more centralized servers. It allows a client to accept a user name and password and send a query to a TACACS authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user. The default TCP port for a TACACS+ server is 49.

If you have configured TACACS+ support and an administrator is required to authenticate using a TACACS+ server, the FortiAnalyzer unit contacts the TACACS+ server for authentication. If the TACACS+ server can authenticate the administrator, they are successfully authenticated with the FortiAnalyzer unit. If the TACACS+ server cannot authenticate the administrator, the connection is refused by the FortiAnalyzer unit.

To use a TACACS+ server to authenticate administrators, you must configure the server before configuring the administrator accounts that will use it.

To add a TACACS+ server:

  1. Go to System Settings > Admin > Remote Authentication Server.
  2. Select Create New > TACACS+ Server from the toolbar. The New TACACS+ Server pane opens.
  3. Configure the following settings, and then click OK to add the TACACS+ server.
Name Enter a name to identify the TACACS+ server.
Server Name/IP Enter the IP address or fully qualified domain name of the TACACS+ server.
Port Enter the port for TACACS+ traffic. The default port is 49.
Server Key Enter the key to access the TACACS+ server. The server key can be a maximum of 16 characters in length.
Authentication Type Select the authentication type the TACACS+ server requires. If you select the default ANY, FortiAnalyzer tries all authentication types.

RADIUS servers – FortiAnalyzer – FortiOS 6.2.3

RADIUS servers

Remote Authentication Dial-in User (RADIUS) is a user authentication and network-usage accounting system. When users connect to a server they type a user name and password. This information is passed to a RADIUS server, which authenticates the user and authorizes access to the network.

You can create or edit RADIUS server entries in the server list to support authentication of administrators. When an administrator account’s type is set to RADIUS, the FortiAnalyzer unit uses the RADIUS server to verify the administrator password at log on. The password is not stored on the FortiAnalyzer unit.

To use a RADIUS server to authenticate administrators, you must configure the server before configuring the administrator accounts that will use it.

To add a RADIUS server:

  1. Go to System Settings > Admin > Remote Authentication Server.
  2. Select Create New > RADIUS Server from the toolbar. The New RADIUS Server pane opens.
  3. Configure the following settings, and then click OK to add the RADIUS server.
Name Enter a name to identify the RADIUS server.
Server Name/IP Enter the IP address or fully qualified domain name of the RADIUS server.
Port Enter the port for RADIUS traffic. The default port is 1812. Some RADIUS servers use port 1645.
Server Secret Enter the RADIUS server secret. Click the eye icon to Show or Hide the server secret.
Test Connectivity Click Test Connectivity to test the connectivity with the RADIUS server. Shows success or failure.
Test User Credentials Click Test UserCredentials to test the user credentials. Shows success or failure.
Secondary Server Name/IP Enter the IP address or fully qualified domain name of the secondary RADIUS server.
Secondary Server Secret Enter the secondary RADIUS server secret.
Authentication Type Select the authentication type the RADIUS server requires. If you select the default ANY, FortiAnalyzer tries all authentication types.
Advanced Options  
nas-ip Specify the IP address for the Network Attached Storage (NAS).

LDAP servers – FortiAnalyzer – FortiOS 6.2.3

LDAP servers

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a datarepresentation scheme, a set of defined operations, and a request/response network.

If you have configured LDAP support and an administrator is required to authenticate using an LDAP server, the FortiAnalyzer unit sends the administrator’s credentials to the LDAP server for authentication. If the LDAP server can authenticate the administrator, they are successfully authenticated with the FortiAnalyzer unit. If the LDAP server cannot authenticate the administrator, the FortiAnalyzer unit refuses the connection.

To use an LDAP server to authenticate administrators, you must configure the server before configuring the administrator accounts that will use it.

To add an LDAP server:

  1. Go to System Settings > Admin > Remote Authentication Server.
  2. Select Create New > LDAP Server from the toolbar. The New LDAP Server pane opens.
  3. Configure the following settings, and then click OK to add the LDAP server.
Name Enter a name to identify the LDAP server.
Server Name/IP Enter the IP address or fully qualified domain name of the LDAP server.
Port Enter the port for LDAP traffic. The default port is 389.
Common Name Identifier The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers such as UID.
Distinguished Name The distinguished name is used to look up entries on the LDAP server.

The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier. Clicking the query distinguished name icon will query the LDAP server for the name and open the LDAP Distinguished Name Query window to display the results.

Bind Type Select the type of binding for LDAP authentication: Simple, Anonymous, or Regular.
User DN When the Bind Type is set to Regular, enter the user DN.
Password When the Bind Type is set to Regular, enter the password.
Secure Connection Select to use a secure LDAP server connection for authentication.
Protocol When Secure Connection is enabled, select either LDAPS or STARTTLS.
Certificate When Secure Connection is enabled, select the certificate from the dropdown list.
Administrative Domain Choose the ADOMs that this server will be linked to for reporting: All ADOMs (default), or Specify for specific ADOMs.
Advanced Options  
adom-attr Specify an attribute for the ADOM.
attributes Specify the attributes such as member, uniquemember, or memberuid.
connect-timeout Specify the connection timeout in millisecond.
filter Specify the filter in the format (objectclass=*)
group Specify the name of the LDAP group.
memberof-attr Specify the value for this attribute. This value must match the attribute of the group in LDAP Server. All users part of the LDAP group with the attribute matching the memberof-attr will inherit the administrative permissions specified for this group.
profile-attr Specify the attribute for this profile.
secondary-server Specify a secondary server.
tertiary-server Specify a tertiary server.

Public Key Infrastructure – FortiAnalyzer – FortiOS 6.2.3

Public Key Infrastructure

Public Key Infrastructure (PKI) authentication uses X.509 certificate authentication library that takes a list of peers, peer groups, and user groups and returns authentication successful or denied notifications. Administrators only need a valid X.509 certificate for successful authentication; no username or password is necessary.

To use PKI authentication for an administrator, you must configure the authentication before you create the administrator accounts. You will also need the following certificates:

  • an X.509 certificate for the FortiManager administrator (administrator certificate)
  • an X.509 certificate from the Certificate Authority (CA) which has signed the administrator’s certificate (CA Certificate)

To get the CA certificate:

  1. Log into your FortiAuthenticator.
  2. Go to Certificate Management > Certificate Authorities > Local CAs.
  3. Select the certificate and select Export in the toolbar to save the com CA certificate to your management computer. The saved CA certificate’s filename is ca_fortinet.com.crt.

To get the administrator certificate:

  1. Log into your FortiAuthenticator.
  2. Go to Certificate Management > End Entities > Users.
  3. Select the certificate and select Export in the toolbar to save the administrator certificate to your management computer. The saved CA certificate’s filename is com.p12. This PCKS#12 file is password protected. You must enter a password on export.

To import the administrator certificate into your browser:

  1. In Mozilla Firefox, go to Options > Advanced > Certificates > View Certificates > Import.
  2. Select the file com.p12 and enter the password used in the previous step.

To import the CA certificate into the FortiAnalyzer:

  1. Log into your FortiAnalyzer.
  2. Go to System Settings > Certificates > CA Certificates.
  3. Click Import, and browse for the com.crt file you saved to your management computer, or drag and drop the file onto the dialog box. The certificate is displayed as CA_Cert_1.

To create a new PKI administrator account:

  1. Go to System Settings > Admin > Administrator.
  2. Click Create New. The New Administrator dialog box opens.

See Creating administrators on page 224 for more information.

  1. Select PKI for the Admin Type.
  2. Enter a comment in the Subject field for the PKI administrator.
  3. Select the CA certificate from the dropdown list in the CA
  4. Click OK to create the new administrator account.

Deleting administrator profiles – FortiAnalyzer – FortiOS 6.2.3

Deleting administrator profiles

To delete a profile or profiles, you must be logged in to an account with sufficient privileges, or as a super user administrator. The predefined profiles cannot be deleted.

To delete a profile or profiles:

  1. Go to System Settings > Admin > Profile.
  2. Select the profile or profiles you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Select OK in the confirmation box to delete the profile or profiles.

Cloning administrator profiles – FortiAnalyzer – FortiOS 6.2.3

Cloning administrator profiles

To clone an administrator profile, you must be logged in to an account with sufficient privileges, or as a super user administrator.

To edit an administrator:

  1. Go to System Settings > Admin > Profile.
  2. Right-click on a profile and select Clone from the menu, or select the profile then click Clone in the toolbar. The Clone Profile pane opens.
  3. Edit the settings as required, and then select OK to apply the changes.

Editing administrator profiles – FortiAnalyzer – FortiOS 6.2.3

Editing administrator profiles

To edit an administrator profile, you must be logged in to an account with sufficient privileges, or as a super user administrator. The profile’s name cannot be edited. The Super_User profile cannot be edited, and the predefined profiles cannot be deleted.

To edit an administrator:

  1. Go to System Settings > Admin > Profile.
  2. Double-click on a profile, right-click on a profile and then select Edit from the menu, or select the profile then click Edit in the toolbar. The Edit Profile pane opens.
  3. Edit the settings as required, and then select OK to apply the changes.