Fortigate Tutorial 4 – Authentication
The Fortigate aplience support different types of authentication.
Let’s discuss them here:
Fortigate support all servers that are LDAP compliant. It supports up to LDAPv3
Also LDAP over SSL/TLS is supported. One downside of using LDAP is that the Fortinet firewall does not supply any information on why the user authentication failed. For the reason you must check the Server itself.
2. Local Users
You can define local users on the Fortigate itself, by defining a user name and a password for the user.
Radius is also supported on the Fortigate. For this you just define a RADIUS server and define the shared key between the RADIUS server and the FG.
The Fortigate support 4 different types of authentication the users to the RADIUS server:
If none of those is selected, then the default is in the following order: PAP, MS-CHAP v2, CHAP and the last one is MS-CHAP.
The Fortigate can login users based on the PKI protocol. Certificates are used in this case.
5. Novell eDirecotry & Microsoft Active Directory
An awesome feature is the integration with Active Directory, as this is transparent to the users.
You just have to install a FSAE/FSSO applience on the Domain Controller(Microsoft) and the FG will automaticly catch any logins to the Active Directory.
The FSAE/FSSO is composed of 2 different things:
a. Domain Controller Agent – this application must be installed on every Domain Controller that you have in your Microsoft Domain
b. Collector Agent – this application must be installed on AT LEAST one Domain Controller that you have in your Microsoft Domain.
The Domain Controller Agent gets users login info.
The Collector Agent send the information gather by the Controller Agents to the Fortigate.
One important thing that mostly new Fortigate Network Engineers forget is that FSAE/FSSO needs read-access to each clients computer registry over TCP port 139 and TCP port 445 must be opened. This is needed so the FSAE/FSSO application knows when an user logs off.
So do you forget to allows this in the users PC windows firewall!
Yes, Fortigate supports TACACS too 😉 . Isn’t this firewall really great?!
The same principal applies as the RADIUS server, but it supports the following:
a. Auto(here the default is enabled, PAP->MS-CHAP->CHAP)
c. PAP only
d. CHAP only
e. MS-CHAP only
Hope this help you to better understand the Fortigate. Below is a pick on where you can define all of these: