Remote User Authentication
Module Objectives
• By the end of this module participants will be able to:
  • Describe the methods available for authenticating users that are contained in databases external to the FortiGate unit
  • Configure LDAP Authentication
Remote User Authentication
[Diagram: remote users are authenticated by the FortiGate unit against LDAP, Directory Services, TACACS+, RADIUS or digital certificates]
• The information used to authenticate users is stored on a remote server
• The FortiGate unit sends the user’s credentials to the remote server for validation
• Best for situations where multiple FortiGate units need to authenticate the same users
• The FortiGate unit must be configured to access the external servers used to authenticate the users
• Administrators can create an account for the user locally and specify the server to verify the password, or
• Administrators can add the authentication server to a user group
  • All users in that server become members of the group
RADIUS Authentication
[Diagram: the user Kelly Miller submits the password #p57ds% to the FortiGate unit, which forwards the credentials to the RADIUS server for verification]
• The FortiGate unit sends the user name and password to the RADIUS server for verification
• A RADIUS server can be added as a user group
  • All members will be able to authenticate
• The IP address of the primary and secondary RADIUS servers along with their secret key must be identified on the FortiGate unit
• A Fortinet Vendor-Specific Attributes (VSA) dictionary is provided to identify the RADIUS attributes used by the FortiGate unit
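The secret key matters because the RADIUS Access-Request hides the User-Password with an MD5 keystream derived from that secret (RFC 2865 section 5.2): a server holding a different secret recovers garbage and rejects the user. The following is an added example, not Fortinet code or anything from the training material; it builds the Access-Request the FortiGate unit would send and the check the server performs. The secret, NAS address and user store are constructed, and the user name and password are the ones on the slide.

```python
"""RADIUS Access-Request with User-Password hiding (RFC 2865 section 5.2).
Added example; not Fortinet code. Secret, NAS IP and user store are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1          # RADIUS packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16 and XOR each block with an MD5 keystream:
    MD5(secret + Request Authenticator) for the first block, then
    MD5(secret + previous ciphertext block) for the following ones."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse: same keystream, chained on the received blocks.
    Trailing padding NULs are stripped (passwords cannot contain NUL)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(code: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including these 2 bytes), Value."""
    return bytes([code, len(value) + 2]) + value


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, nas_ip: str = "192.0.2.1") -> bytes:
    """What the NAS (here the FortiGate unit) sends: a 20-byte header with a
    random Request Authenticator, followed by the attribute list."""
    authenticator = os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_check(packet: bytes, secret: bytes, users: dict) -> bool:
    """What the RADIUS server does: parse the packet, un-hide the password with
    ITS copy of the secret and compare with the stored credential."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            return False
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            return False                       # malformed attribute: drop the packet
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return False
    name = attrs[ATTR_USER_NAME].decode(errors="replace")
    presented = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    expected = users.get(name)
    # A mismatched secret yields garbage in `presented`, so the request is rejected
    return expected is not None and hmac.compare_digest(presented, expected.encode())


if __name__ == "__main__":
    users = {"Kelly Miller": "#p57ds%"}        # constructed user store
    req = build_access_request(7, "Kelly Miller", "#p57ds%", b"shared-secret")
    print("same secret:", server_check(req, b"shared-secret", users))   # True
    print("wrong secret:", server_check(req, b"other-secret", users))   # False
```

Note that the hiding is obfuscation keyed on the shared secret, not encryption with a modern cipher; anyone who learns the secret can recover every password that crosses the link, which is why the secret belongs only on the FortiGate unit and the RADIUS server.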
RADIUS and SecurID Authentication
[Diagram: the FortiGate unit queries the RADIUS server, which in turn queries the RSA ACE/Server]
• A RADIUS server and an RSA ACE/Server can be configured to work together to verify the password displayed on the SecurID token
• The FortiGate unit must be configured to access the RADIUS server in addition to being configured as an Agent Host in the RSA ACE/Server
• A user group for the SecurID users must be created on the FortiGate unit
Dynamic Profiles
• Customer identifying information can be stored in the RADIUS server
• When a user authenticates using RADIUS, the FortiGate unit can use a dynamic profile to extract the customer information and process traffic according to the dynamic profile firewall policy
  • The RADIUS Start record is sent to the FortiGate device
• Allows different groups of users to have different levels of access
  • For example, parental controls
Dynamic Profiles
[Diagram sequence: the customer Kelly Miller (#p57ds%), the RADIUS server and the FortiGate unit]
1. The customer requests a connection and is forced to authenticate
2. The RADIUS server identifies the customer
3. The server sends a RADIUS Start record to the FortiGate unit
4. The FortiGate unit applies the dynamic profile firewall policy using information from the RADIUS server
5. The customer session is filtered by the profile group
• On the RADIUS server, add a profile group name field to customer accounts that will be using dynamic profiles
  • This name will be added to the RADIUS Start record sent by the server
• Configure the RADIUS server to send the Start record to the FortiGate unit
• To use dynamic profiles:
  • Configure the RADIUS server for dynamic profiles
  • Configure an optional UTM profile group
  • Configure a dynamic profile firewall policy
  • Identify the profile group or select All
Dynamic Profile Users
• Only one firewall policy can be configured for dynamic profiles in a VDOM
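The dynamic profile procedure above hinges on two things: the Start record that the RADIUS server sends must carry the profile group name, and the FortiGate side must match that name against the one dynamic profile policy allowed in the VDOM (or a policy set to All). As an added example, not Fortinet code or part of the training material, the following builds a constructed Accounting-Request Start record, parses it the way a receiver would, and selects the policy. The vendor id 12356 and the Fortinet-Group-Name sub-attribute number 1 are assumptions taken from the Fortinet VSA dictionary as I recall it; confirm them against the dictionary supplied with your unit. The user, address, group name and policy table are constructed.

```python
"""Parsing a RADIUS Accounting Start record and choosing the dynamic profile
firewall policy. Added example; not Fortinet code. Vendor id and sub-attribute
number are assumptions; packet contents and policy table are constructed."""
import struct
from ipaddress import IPv4Address

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS_START = 1
FORTINET_VENDOR_ID = 12356        # assumption: Fortinet IANA enterprise number
FORTINET_GROUP_NAME = 1           # assumption: Fortinet-Group-Name VSA sub-type


def attr(code: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including these 2 bytes), Value."""
    return bytes([code, len(value) + 2]) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 section 5.26 layout: Vendor-Id, then vendor type/length/value."""
    return attr(ATTR_VENDOR_SPECIFIC,
                struct.pack("!I", vendor_id) + bytes([vendor_type, len(value) + 2]) + value)


def build_start_record(ident: int, user: str, ip: str, group: str) -> bytes:
    """Constructed Accounting-Request (Start) as the RADIUS server would send it.
    The 16-byte Request Authenticator is zeroed here; a real server computes it."""
    attrs = (attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
             + attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_FRAMED_IP_ADDRESS, IPv4Address(ip).packed)
             + vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, group.encode()))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs


def parse_start_record(packet: bytes):
    """Return {'user', 'ip', 'group'} for a Start record, or None if the packet
    is malformed, is not an Accounting-Request, or is not a Start."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    info, status, pos = {"user": None, "ip": None, "group": None}, None, 20
    while pos < length:
        if pos + 2 > length:
            return None
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            return None                        # malformed attribute: drop the record
        v = packet[pos + 2:pos + l]
        if t == ATTR_ACCT_STATUS_TYPE and len(v) == 4:
            status = struct.unpack("!I", v)[0]
        elif t == ATTR_USER_NAME:
            info["user"] = v.decode(errors="replace")
        elif t == ATTR_FRAMED_IP_ADDRESS and len(v) == 4:
            info["ip"] = str(IPv4Address(v))
        elif t == ATTR_VENDOR_SPECIFIC and len(v) >= 6:
            vendor_id = struct.unpack("!I", v[:4])[0]
            vtype, vlen = v[4], v[5]
            # Only accept the group name from our vendor's well-formed sub-attribute
            if vendor_id == FORTINET_VENDOR_ID and vtype == FORTINET_GROUP_NAME and vlen == len(v) - 4:
                info["group"] = v[6:].decode(errors="replace")
        pos += l
    return info if status == ACCT_STATUS_START else None


def select_policy(policies: list, vdom: str, info: dict):
    """Return the name of the dynamic profile policy to apply, or None when the
    session's group matches neither the policy's group nor 'All'. Enforces the
    one-dynamic-profile-policy-per-VDOM rule stated in the text."""
    dynamic = [p for p in policies if p["vdom"] == vdom and p["dynamic_profile"]]
    if len(dynamic) != 1:
        raise ValueError(f"VDOM {vdom!r} must have exactly one dynamic profile policy, found {len(dynamic)}")
    policy = dynamic[0]
    if policy["group"] == "All" or policy["group"] == info.get("group"):
        return policy["name"]
    return None
```

The parser deliberately ignores a group name carried in any vendor's attribute other than the expected one, and treats a record that is not a Start (or is truncated) as no session at all, so a stray or mangled accounting packet cannot move a customer into a different profile group.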
LDAP Authentication
[Diagram: the user Kelly Miller submits the password #p57ds% to the FortiGate unit, which binds to the LDAP server; the directory tree is dc=com > dc=acme > ou=training > cn=Kelly Miller (Password: #p57ds%)]
• The FortiGate unit can send the user name and password to the LDAP server for authentication
• An LDAP server can be added as a user group
  • All members will be able to authenticate
• Details of the LDAP server must be identified on the FortiGate unit
• The DN of the LDAP server must be identified during server configuration on a FortiGate unit
TACACS+ Authentication
[Diagram: the user Kelly Miller submits the password #p57ds% to the FortiGate unit, which forwards the credentials to the TACACS+ server for verification]
• The FortiGate unit sends the user name and password to the TACACS+ server for verification
• A TACACS+ server can be added as a user group
  • All members will be able to authenticate
• The IP address of the TACACS+ server along with its secret key must be identified on the FortiGate unit
• Select the authentication protocols to be used by the TACACS+ server:
  • ASCII
  • PAP
  • CHAP
  • MS-CHAP
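Two of those settings can be made concrete. The secret key is what TACACS+ uses to obfuscate every packet body (RFC 8907 section 4.5), so a server holding a different key cannot read the request; the authentication protocol decides what the START packet carries: the cleartext password for PAP, nothing yet for ASCII (the password is prompted for later), or a challenge/response for CHAP, which keeps the password itself off the wire but requires the server to hold it in a recoverable form. The following is an added example, not Fortinet code or part of the training material; it implements the body obfuscation and the CHAP round trip with a constructed key, session id and credentials, and omits MS-CHAP.

```python
"""TACACS+ START data for the selectable authentication protocols and the
body obfuscation keyed by the shared secret (RFC 8907 sections 4.5, 5.4.2).
Added example; not Fortinet code. Key, session id and credentials are constructed."""
import hashlib
import hmac
import os
import struct

TAC_PLUS_VERSION = 0xC0   # major version 12, minor version 0


def pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; applying it again with the same key restores the
    body. A peer with a different key reads garbage, which is how a wrong secret fails."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(key, session_id, version, seq_no, len(body))))


def chap_response(ppp_id: int, password: bytes, challenge: bytes) -> bytes:
    """PPP CHAP (RFC 1994): MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ppp_id]) + password + challenge).digest()


def start_data(authen_type: str, password: bytes, ppp_id: int = 1, challenge: bytes = b"") -> bytes:
    """The 'data' field of an authentication START packet for the protocols the
    FortiGate unit can select. ASCII sends no password in START (it is prompted
    for in a later CONTINUE), PAP carries it in clear, CHAP carries
    id || challenge || response."""
    if authen_type == "ascii":
        return b""
    if authen_type == "pap":
        return password
    if authen_type == "chap":
        return bytes([ppp_id]) + challenge + chap_response(ppp_id, password, challenge)
    raise ValueError(f"unsupported authen_type {authen_type!r}")   # MS-CHAP not modelled here


def server_verify_chap(data: bytes, stored_password: bytes) -> bool:
    """Server side of CHAP: recompute the response from the stored cleartext
    password. Caveat: this only works if the server keeps the password recoverable."""
    if len(data) < 1 + 1 + 16:
        return False
    ppp_id, challenge, response = data[0], data[1:-16], data[-16:]
    return hmac.compare_digest(chap_response(ppp_id, stored_password, challenge), response)


def chap_exchange(password: bytes, client_key: bytes, server_key: bytes, stored_password: bytes) -> bool:
    """Round trip: the client builds CHAP START data and obfuscates the body with
    its key; the server de-obfuscates with its own key and verifies."""
    session_id = int.from_bytes(os.urandom(4), "big")
    challenge = os.urandom(16)
    body = start_data("chap", password, ppp_id=7, challenge=challenge)
    wire = obfuscate(body, client_key, session_id, TAC_PLUS_VERSION, 1)
    received = obfuscate(wire, server_key, session_id, TAC_PLUS_VERSION, 1)
    return server_verify_chap(received, stored_password)


if __name__ == "__main__":
    print("pap START data:", start_data("pap", b"#p57ds%"))                      # password in clear
    print("chap, keys match:", chap_exchange(b"#p57ds%", b"key", b"key", b"#p57ds%"))   # True
    print("chap, keys differ:", chap_exchange(b"#p57ds%", b"key", b"other", b"#p57ds%"))  # False
```

The obfuscation is an MD5 keystream, not authenticated encryption: it stops casual reading of the body by a peer without the key but offers no integrity protection, which is one reason the TACACS+ traffic between the FortiGate unit and the server should stay on a trusted management network.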
Digital Certificate Authentication
[Diagram: the user sends a certificate request plus user info to the Certification Authority (CA); the issued certificate is then verified by the FortiGate unit]
• Digital certificates issued by trusted certification authorities can be used for authentication
• The certificate of the issuing authority must be installed on the FortiGate device to verify the digital signature on a user certificate
  • Confirms the certificate was issued by a trusted issuer
Directory Services Authentication
[Diagram: the user Kelly Miller (password $d12*h1, classroom) logs on to Windows Active Directory]
• User authenticates to Directory Services at logon
  • Windows Active Directory
  • Novell eDirectory
• Authentication information is passed to the FortiGate unit
  • User automatically gets access to permitted resources without any further authentication operations
• Uses Fortinet Single Sign On
Labs
• Lab - LDAP Authentication
  • Configuring LDAP
  • Testing LDAP authentication