Fortinet v3.0 MR7 Network Card User Manual


 
FortiOS v3.0 MR7 User Authentication User Guide
01-30007-0347-20080828 33
Users/peers and user groups
FortiGate authentication controls system access by user group. First you
configure users/peers, then you create user groups and add users/peers to them.
- Configure local user accounts. For each user, you can choose whether the
  password is verified by the FortiGate unit, by a RADIUS server, by an LDAP
  server, or by a TACACS+ server. See “Creating local users” on page 34.
- Configure your FortiGate unit to authenticate users by using your RADIUS,
  LDAP, or TACACS+ servers. See “Configuring the FortiGate unit to use a
  RADIUS server” on page 16, “Configuring the FortiGate unit to use an LDAP
  server” on page 21, and “Configuring the FortiGate unit to use a TACACS+
  authentication server” on page 25.
- Configure access to the FortiGate unit if you use a Directory Service server for
  authentication. See “Configuring the FortiGate unit to use a Directory Service
  server” on page 28.
- Configure certificate-based authentication for administrative access
  (HTTPS web-based manager), IPSec, SSL-VPN, and web-based firewall
  authentication.
For each network resource that requires authentication, you specify which user
groups are permitted access to the network. There are three types of user groups:
Firewall, Directory Service, and SSL VPN. See “Configuring user groups” on
page 41 and “Configuring Directory Service user groups” on page 42.
This section describes:
- Users/peers
- User groups
Users/peers
A user is a user/peer account configured on the FortiGate unit and/or on a remote
or external authentication server. Users can access resources that require
authentication only if they are members of an allowed user group.
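The following added example is not from the FortiOS guide. It models the group-membership rule above together with the two local-user cases listed in Table 2, to show that an account known only to the authentication server is rejected and that a correct password alone does not grant access. All user, server and group names are constructed, and the order of the checks is an assumption.

```python
import hmac

# Constructed sample data: accounts defined on the FortiGate unit.
# Plain-text secrets are used only to keep the model short.
LOCAL_USERS = {
    "alice": {"type": "password", "passwd": "local-secret"},
    "bob": {"type": "radius", "server": "radius1"},
}
# Constructed stand-in for a remote authentication server and its accounts.
AUTH_SERVERS = {
    "radius1": {"bob": "bob-secret", "carol": "carol-secret"},
}
# Constructed user groups; each resource names the groups it allows.
USER_GROUPS = {"staff": {"alice"}, "contractors": {"bob"}}


def _equal(a, b):
    """Compare two secrets without leaking the mismatch position via timing."""
    return hmac.compare_digest(a.encode(), b.encode())


def authenticate(user, password):
    """Apply the two local-user rules from Table 2."""
    account = LOCAL_USERS.get(user)
    if account is None:
        # No matching account on the unit: reject, whatever the server knows.
        return False
    if account["type"] == "password":
        # Password stored on the unit: name and password must match locally.
        return _equal(account["passwd"], password)
    # Password stored on a server: the name matched locally, and name plus
    # password must also match on the server associated with this user.
    remote = AUTH_SERVERS.get(account["server"], {})
    return user in remote and _equal(remote[user], password)


def may_access(user, password, allowed_groups):
    """Grant access only to authenticated members of an allowed user group."""
    if not authenticate(user, password):
        return False
    return any(user in USER_GROUPS.get(g, set()) for g in allowed_groups)


if __name__ == "__main__":
    print(authenticate("carol", "carol-secret"))            # on the server only
    print(may_access("bob", "bob-secret", ["staff"]))       # wrong group
    print(may_access("bob", "bob-secret", ["contractors"]))
```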
Table 2: How the FortiGate unit authenticates different types of users
| User type | Authentication |
|---|---|
| Local user with password stored on the FortiGate unit | The user name and password must match a user account stored on the FortiGate unit. |
| Local user with password stored on an authentication server | The user name must match a user account stored on the FortiGate unit and the user name and password must match a user account stored on the authentication server associated with that user. |