User / maintenance manual for the product v3.0 MR7 from the manufacturer Fortinet
www.fortinet.com
FortiOS v3.0 MR7 User Authentication User Guide
28 Aug 2008, document 01-30007-0347-20080828. © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagr.
Contents (page 3): Introduction 5; About authentication
Contents (page 4): Users/peers and user groups 31; Users/peers
Page 5 (Introduction): This section introduces you to the authentication process from the user's and the administrator's perspective, and provides supplementary information about Fortinet publications.
Page 6 (Introduction, User's view of authentication): The user sees a request for authentication when they try to access a protected resource.
Page 7 (Introduction, FortiGate administrator's view of authentication): FortiClient can store the user name and password for a VPN as part of the configuration for the VPN connection and pass them to the FortiGate unit as needed.
Page 8 (Introduction, FortiGate administrator's view of authentication): 3 Create user groups. Add local/peer user members to each user group as appropriate. You can also add an authentication server to a user group.
Page 9 (Introduction, Public Key Infrastructure (PKI) authentication): A Public Key I.
Page 10 (Introduction, Authentication timeout): An authenticated connection expires when it has been idle for a length of time that you specify.
Page 11 (Introduction, FortiGate documentation): • In the examples, private IP addresses are used for both private and public IP addresses.
Page 12 (Introduction, Related documentation): • FortiGate Administration Guide: Provides basic information about how to configure a Fo.
Page 13 (Introduction, Related documentation, FortiManager documentation): • FortiManager QuickStart Guide: Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
Page 14 (Introduction, Customer service and technical support): Fortinet Tools and Documentation CD: All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product.
Page 15 (Authentication servers): FortiGate units support the use of authentication servers.
Page 16 (Authentication servers, RADIUS servers): In order to support vendor-specific attributes (VSA), the RADIUS server requires a dictionary to define what the VSAs are.
Page 17 (Authentication servers, RADIUS servers): • Change the FortiGate unit default RADIUS port to 1645 using the CLI: config system.
Page 18 (Authentication servers, RADIUS servers): To configure the FortiGate unit for RADIUS authentication - CLI: config user radius.
Page 19 (Authentication servers, LDAP servers): To remove a RADIUS server from the FortiGate unit configuration - CLI: config user radiu.
Page 20 (Authentication servers, LDAP servers): FortiGate LDAP does not support proprietary functionality, such as notification of password expiration, which is available from some LDAP servers.
Page 21 (Authentication servers, LDAP servers): The output is lengthy, but the information you need is in the first few lines: version: .
Page 22 (Authentication servers, LDAP servers): Figure 3: Configure FortiGate unit for LDAP authentication. Name: Enter the name that identifies the LDAP server on the FortiGate unit. Server Name/IP: Enter the domain name or IP address of the LDAP server.
Page 23 (Authentication servers, LDAP servers): To configure the FortiGate unit for LDAP authentication - CLI: config user ldap edit <
Page 24 (Authentication servers, LDAP servers): To remove an LDAP server from the FortiGate unit configuration - CLI: config user ldap d.
Page 25 (Authentication servers, TACACS+ servers): In recent years, remote network access has shifted from terminal access to LAN access.
Page 26 (Authentication servers, TACACS+ servers): Figure 6: TACACS+ server configuration. To configure the FortiGate unit for TACAC.
Page 27 (Authentication servers, Directory Service servers): To remove a TACACS+ server from the FortiGate unit configuration - CLI: co.
Page 28 (Authentication servers, Directory Service servers): To view the list of Directory Service servers, go to User > Directory Service.
Page 29 (Authentication servers, Directory Service servers): For more information about FSAE, see the FSAE Technical Note. To configure the FortiGate unit for Directory Service authentication - web-based manager: 1 Go to User > Directory Service and select Create New.
Page 30 (Authentication servers, Directory Service servers): To remove a Directory Service server from the FortiGate unit configuration - web-based manager: 1 Go to User > Directory Service.
Page 31 (Authentication servers, Directory Service servers): Figure 11: Example Directory Service server list. Create New: Add a new Directory Service server.
Page 33 (Users/peers and user groups): FortiGate authentication controls system access by user group. First you configure users/peers, then you create user groups and add users/peers to them.
Page 34 (Users/peers and user groups, Users/peers): This section describes how to configure local users and peer users. For information about configuration of authentication servers see "Authentication servers" on page 15.
Page 35 (Users/peers and user groups, Users/peers): To view a list of all local users, go to User > Local.
Page 36 (Users/peers and user groups, Users/peers): config user local edit <user_name> set type ldap set ldap_server <server_nam.
Page 37 (Users/peers and user groups, Users/peers): • a peer user name • the text from the subject field of the certificate of the authenticating peer user, or the CA certificate used to authenticate the peer user.
Page 38 (Users/peers and user groups, Users/peers): To create a peer user for PKI authentication - CLI: config user peer edit <peer n.
Page 39 (Users/peers and user groups, User groups): A user group is a list of user/peer identities.
Page 40 (Users/peers and user groups, User groups): For a Directory Service user group, the Directory Service server authenticates users when they log on to the network. The FortiGate unit receives the user's name and IP address from the FSAE collector agent.
Page 41 (Users/peers and user groups, User groups): For more information about protection profiles, see the FortiGate Administration Guide.
Page 42 (Users/peers and user groups, User groups): 3 Select OK. To create a firewall user group - CLI: config user group edit <group_name> set group-type <grp_type> set member <user1> <user2> .
Page 43 (Users/peers and user groups, User groups): Figure 19: User group configuration - Directory Service. Configuring SSL VPN user groups: For detailed instructions about how to configure SSL VPN web-only mode or tunnel mode operation, see the FortiGate SSL VPN User Guide.
Page 44 (Users/peers and user groups, User groups): Configuring Peer user groups: Peer user groups can only be configured using the CLI. Peers are digital certificate holders defined using the config user peer command.
Page 45 (Users/peers and user groups, User groups): To remove a user group from the FortiGate unit configuration - web-based manager: 1 Go to User > User Group. 2 Select the Delete icon beside the name of the user group that you want to remove.
Page 47 (Configuring authenticated access): When you have configured authentication servers, users, and user groups, you are ready to configure firewall policies and certain types of VPNs to require user authentication.
Page 48 (Configuring authenticated access, Firewall policy authentication): When user authentication is enabled on a firewall policy, the authentication challenge is normally issued for any of the four protocols (dependent on the connection protocol).
Page 49 (Configuring authenticated access, Firewall policy authentication): The style of the authentication method varies by the authentication protocol.
Page 50 (Configuring authenticated access, Firewall policy authentication): 7 One at a time, select user group names from the Available Groups list and select the right-pointing arrow button to move them to the Allowed list.
Page 51 (Configuring authenticated access, Firewall policy authentication): The FortiGate unit performs authentication only on requests to access HTTP, HTTPS, FTP, and Telnet. Once the user is authenticated, the user can access other services if the firewall policy permits.
Page 52 (Configuring authenticated access, VPN authentication): All VPN configurations require users to authenticate.
Page 53 (Configuring authenticated access, VPN authentication): Server Certificate: Select the signed server certificate to use for authentication purposes.
Page 54 (Configuring authenticated access, VPN authentication): To configure authentication for an SSL VPN - CLI: config vpn ssl setting.
Page 55 (Configuring authenticated access, VPN authentication): To enable strong authentication for an SSL VPN: 1 Go to VPN > SSL > Config. 2 Select Require Client Certificate, and then select Apply.
Page 56 (Configuring authenticated access, VPN authentication): 4 Enter Starting IP and Ending IP addresses. This defines the range of addresses assigned to VPN clients. 5 Select the user group that is to have access to this VPN.
Page 57 (Configuring authenticated access, VPN authentication): 2 Go to VPN > IPSec > Auto Key (IKE), select Create Phase 1 and enter the following information.
Page 58 (Configuring authenticated access, VPN authentication, Configuring XAuth authentication): Extended Authentication (XAuth) increases security by requiring additional user authentication in a separate exchange at the end of the VPN Phase 1 negotiation.
Page 59 (Configuring authenticated access, VPN authentication): 3 Select Advanced to reveal additional parameters and enter the following information. 4 Configure other VPN gateway parameters as needed.
Page 61 (Index): A: Active Directory - see Directory Service; administrator authentication 7; ASCII 25; attributes, RADIUS 15; authentic.
Page 62 (Index): FSAE collector agent 27; FSAE domain controller 27; redundant configuration 28; removing from FortiGate configuration 30; r.
Page 63 (Index): list order, changing 50; firewall policy 50; local users: configuring 34, creating 34, deleting from FortiGate configuration.
Page 64 (Index): timeout, authentication 10; tunnel mode SSL VPN IP range 52; types of user groups 39; types of users 33; Typographic convent.