Support User Manuals

Fortinet v3.0 MR7 Network Card User Manual

Open as PDF

of 66

FortiOS v3.0 MR7 User Authentication User Guide

54 01-30007-0347-20080828

VPN authentication Configuring authenticated access

To configure authentication for an SSL VPN - CLI

config vpn ssl settings

set algorithm

set auth-timeout

set dns-server1

set dns-server2

set idle-timeout

set portal-heading

set reqclientcert

set route-source-interface

set servercert

set sslv2

set sslv3

set sslvpn-enable

set tunnel-endip

set tunnel-startip

set url-obscuration

set wins-server1

set wins-server2

end

The tunnel-endip and tunnel-startip keywords are required for tunnel-

mode access only. All other keywords are optional.

When you configure the timeout settings, if you set the authentication timeout

(auth-timeout) to 0, then the remote client does not have to re-authenticate

again unless they log out of the system. In order to fully take advantage of this

setting, the value for idle-timeout has to be set to 0 also, so the client does

not timeout if the maximum idle time is reached. If the idle-timeout is not set

to the infinite value, the system will log out if it reaches the limit set, regardless of

the auth-timeout setting.

Strong authentication is a form of computer security in which the identities of

networked users, clients, and servers are verified without transmitting passwords

over the internet. To verify a user’s identity, strong authentication combines

something the user knows (a user name and password) with something the user

has (a client-side certificate). Strong authentication can be configured for SSL

VPN user groups using X.509 (version 1 or 3) digital certificates.

Configuring strong authentication of SSL VPN users/user groups

You can use strong authentication to verify the identities of SSL VPN user group

members. The accounts for individual users and user groups containing those

users have to be created prior to configuring strong authentication, and a firewall

encryption policy has to be created to permit access by that user group.To enable

strong authentication for an SSL VPN user group:

• Obtain a signed group certificate from a CA and load the signed group

certificate into the web browser used by each user. Follow the browser

documentation to load the certificates.

• Install the root certificate and the CRL from the issuing CA on the FortiGate

unit.

• Configure strong authentication for the group of users having a copy of the

group certificate.

previous next