Fortigate Tutorial 4 – Authentication

 

The Fortigate aplience support different types of authentication.

Let’s discuss them here:

1. LDAP

Fortigate support all servers that are LDAP compliant. It supports up to LDAPv3

Also LDAP over SSL/TLS is supported. One downside of using LDAP is that the Fortinet firewall does not  supply any information on why the user authentication failed. For the reason you must check the Server itself.

2. Local Users

You can define local users on the Fortigate itself, by defining a user name and a password for the user.

3. RADIUS

Radius is also supported on the Fortigate. For this you just define a RADIUS server and define the shared key between the RADIUS server and the FG.

The Fortigate support 4 different types of authentication the users to the RADIUS server:

a. MS-CHAP2

b. MS-CHAP

c. CHAP

d. PAP

If none of those is selected, then the default is in the following order: PAP, MS-CHAP v2, CHAP and the last one is MS-CHAP.

4. PKI

The Fortigate can login users based on the PKI protocol. Certificates are used in this case.

5. Novell eDirecotry & Microsoft Active Directory

An awesome feature is the integration with Active Directory, as this is transparent to the users.

You just have to install a FSAE/FSSO applience on the Domain Controller(Microsoft) and the FG will automaticly catch any logins to the Active Directory.

The FSAE/FSSO  is composed of 2 different things:

a. Domain Controller Agent – this application must be installed on every Domain Controller that you have in your Microsoft Domain

b. Collector Agent – this application must be installed on AT LEAST one Domain Controller that you have in your Microsoft Domain.

The Domain Controller Agent gets users login info.

The Collector Agent send the information gather by the Controller Agents to the Fortigate.

 

One important thing that mostly new Fortigate Network Engineers forget is that FSAE/FSSO needs read-access to each clients computer registry over TCP port 139 and TCP port 445 must be opened. This is needed so the FSAE/FSSO application knows when an user logs off.

So do you forget to allows this in the users PC windows firewall!

 

6. TACACS

Yes, Fortigate supports TACACS too 😉 . Isn’t this firewall really great?!

The same principal applies as the RADIUS server, but it supports the following:

a. Auto(here the default is enabled, PAP->MS-CHAP->CHAP)

b. ASCII

c. PAP only

d. CHAP only

e. MS-CHAP only

 

Hope this help you to better understand the Fortigate. Below is a pick on where you can define all of these:

[singlepic id=4 w=320 h=240 float=]

 

 

Share: