Authentication. Authentication in FortiOS. Single Sign-On (SSO)



Similar documents
User Authentication. FortiOS Handbook v3 for FortiOS 4.0 MR3

FortiOS Handbook - Authentication VERSION 5.2.6

FortiOS Handbook Authentication for FortiOS 5.0

FortiAuthenticator TM User Identity Management and Single Sign-On

Administration Guide. FortiAuthenticator 1.3

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

External authentication with Fortinet Fortigate UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

FortiAuthenticator. User Authentication and Identity Management. Last Updated: 17 th April Copyright Fortinet Inc. All rights reserved.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication

FortiAuthenticator - What's New Guide VERSION 4.0

Cisco Secure Access Control Server 4.2 for Windows

A Guide to New Features in Propalms OneGate 4.0

External authentication with Astaro AG Astaro Security Gateway UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

DIGIPASS Authentication for Sonicwall Aventail SSL VPN

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

7.1. Remote Access Connection

Data Sheet. NCP Secure Enterprise Management. Next Generation Network Access Technology

How To Configure Fortigate For Free Software (For A Free Download) For A Password Protected Network (For Free) For An Ipad Or Ipad (For An Ipa) For Free (For Ipad) For Your Computer Or Ip

Configuration Guide BES12. Version 12.2

How To Integrate Watchguard Xtm With Secur Access With Watchguard And Safepower 2Factor Authentication On A Watchguard 2T (V2) On A 2Tv 2Tm (V1.2) With A 2F

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

FortiAuthenticator v2.0 MR1 Release Notes

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

Sophos UTM. Remote Access via IPsec. Configuring UTM and Client

Dell SonicWALL and SecurEnvoy Integration Guide. Authenticating Users Using SecurAccess Server by SecurEnvoy

This chapter describes how to set up and manage VPN service in Mac OS X Server.

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

Configuration Guide BES12. Version 12.3

External Authentication with Windows 2003 Server with Routing and Remote Access service Authenticating Users Using SecurAccess Server by SecurEnvoy

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

NETASQ MIGRATING FROM V8 TO V9

FortiOS Handbook - PCI DSS Compliance VERSION 5.4.0

Application Note. Using a Windows NT Domain / Active Directory for User Authentication NetScreen Devices 8/15/02 Jay Ratford Version 1.

FortiAuthenticator Agent for Microsoft IIS/OWA. Install Guide

Please report errors or omissions in this or any Fortinet technical document to

Chapter 3 Authenticating Users

FortiOS Handbook - Hardening your FortiGate VERSION 5.2.3

NETASQ ACTIVE DIRECTORY INTEGRATION

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Chapter 7 Managing Users, Authentication, and Certificates

FortiGate RADIUS Single Sign-On (RSSO) with Windows Server 2008 Network Policy Server (NPS) VERSION 5.2.3

Keeping your VPN protected

Mobile Admin Security

pfsense Captive Portal: Part One

Administration Guide. FortiAuthenticator 1.2

Configuration Guide BES12. Version 12.1

Remote Access Security

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

Authentication in XenMobile 8.6 with a Focus on Client Certificate Authentication

Barracuda SSL VPN Administrator s Guide

802.1X Authentication

Step by step guide to implement SMS authentication to Cisco ASA Clientless SSL VPN and Cisco VPN

SSL VPN Portal Options

DIGIPASS Authentication for GajShield GS Series

Endpoint Security VPN for Mac

FortiOS Handbook SSL VPN for FortiOS 5.0

Establishing two-factor authentication with Check Point and HOTPin authentication server from Celestix Networks

VMware Identity Manager Administration

ClickShare Network Integration

Single Sign-On in SonicOS Enhanced 4.0

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

FortiAuthenticator - Two-Factor Authentication Agent for Windows VERSION 1.0

External Authentication with Checkpoint R75.40 Authenticating Users Using SecurAccess Server by SecurEnvoy

Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief

Barracuda Networks Technical Documentation. Barracuda SSL VPN. Administrator s Guide. Version 2.x RECLAIM YOUR NETWORK

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Fortigate Features & Demo

Mobile Configuration Profiles for ios Devices Technical Note

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Configuring Global Protect SSL VPN with a user-defined port

BlackBerry Enterprise Service 10. Version: Configuration Guide

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Cisco ASA Authenticating Users Using SecurAccess Server by SecurEnvoy

Bluesocket virtual Wireless Local Area Network (vwlan) FAQ

Deploying RSA ClearTrust with the FirePass controller

CTS2134 Introduction to Networking. Module Network Security

User Management: Configuring Authentication Servers

ZyWALL OTPv2 Support Notes

Single Sign-On. Document Scope. Single Sign-On

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Configuring RADIUS Authentication for Device Administration

Configuring Sponsor Authentication

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia 2006 Cisco Systems, Inc. All rights reserved.

RSA SecurID Ready Implementation Guide

SingTel VPN as a Service. Quick Start Guide

HOTPin Integration Guide: Microsoft Office 365 with Active Directory Federated Services

Scenario: IPsec Remote-Access VPN Configuration

TFS ApplicationControl White Paper

How To Authenticate An Ssl Vpn With Libap On A Safeprocess On A Libp Server On A Fortigate On A Pc Or Ipad On A Ipad Or Ipa On A Macbook Or Ipod On A Network

Advanced Administration

Fireware XTM v is a maintenance release for XTM 21, XTM 22, and XTM 23 wired and wireless devices.

Network Security 1 Module 4 Trust and Identity Technology

Microsoft TMG Replacement. How FORTINET integrated secuity platforms Help Protect the Perimeter in a Microsoft Infrastructure Environment

DIGIPASS Authentication for SonicWALL SSL-VPN

Transcription:

Authentication FortiOS authentication identifies users through a variety of methods and, based on identity, allows or denies network access while applying any required additional security measures. Authentication in FortiOS Authentication is an important part of your network security, as it allows you to identify network users, ensuring that your network is only accessed by authorized users, and allowing different users to have access to different data and services. FortiOS authentication controls access to various resources for wired and wireless networks, as well as being used for both IPsec and SSL VPNs. FortiOS authentication integrates with the following technologies: Windows AD and other domain services using Single Sign-On (SSO) LDAP, RADIUS, and TACACS+ servers FortiAuthenticator units Certificates FortiToken, FortiToken Mobile, and third-party two-factor authentication technologies, such as RSA SecurID Local Users Mobile Unlimited FortiGate Local User Database Filtered Home FortiAuthenticator Windows AD LDAP, RADIUS, or TACACS+ FortiOS user authentication is based on user definitions and user groups, which are added to identity-based security policies, SSL VPN portals, or IPsec VPN configurations. Creating users and user groups determines where to store the user credentials and which authentication method to use. Single Sign-On (SSO) Single Sign-On (SSO) allows logged in users to access resources through the FortiGate unit without being asked again for their credentials. There are several ways in which FortiOS supports SSO: Fortinet Single Sign-On (FSSO) provides single sign-on capabilities to Windows AD, Citrix, or Novell edirectory users with the help of agent software installed on these networks. In a Windows AD network, FSSO can also provide NT LAN Manager (NTLM) authentication service to the FortiGate unit. FortiOS can provide SSO capability for Windows AD networks without agent software by directly polling the Windows AD domain controllers. FORTINET - Inside FortiOS/Authentication/201401 1 http://www.fortinet.com/aboutus/legal.html

RADIUS Single Sign-On (RSSO) allows FortiOS to authenticate users transparently if they have already authenticated on a RADIUS server. FortiOS can integrate with a FortiAuthenticator server to provide SSO authentication. Authentication challenge Authentication challenges require a user to enter their credentials to access network resources through the FortiGate unit, regardless of whether they have already been authenticated on the network. FortiOS supports the following types of authentication challenges: password authentication, certificate authentication, and two-factor authentication. Authentication occurs using HTTP, HTTPS, or FTP. FortiOS can also redirect HTTP authentication challenges to a secure HTTPS channel. The types of connections that typically require an authentication challenge include: Identity-based security policies IPsec VPNs SSL VPNs Any connections involving specific FortiGate features, such as web filter overrides or access to administrative functions FortiOS authentication challenges apply to wireless and wired networks in the same way, as authentication for both network types is applied in the security policy that controls the network traffic. Identity-based security policies Identity-based security policies are required for FortiOS to distinguish between different groups of users and to implement access levels simply according to the user s identity. These security policies contain authentication rules that match users or user groups with access privileges. When an identity-based security policy is used, any user attempting to connect through a FortiGate unit must be authenticated before they are allowed access. Once the user credentials have been entered, FortiOS searches for an authentication rule in the policy that matches the user's identity. If the user's credentials are accepted, the authentication rule is used to determine the following: available services (HTTP, FTP, etc.), access schedule, security features, traffic shaping, logging, and whether or not the user must read and accept a customizable network usage policy or disclaimer. IPsec VPN FortiOS supports several methods to authenticate IPsec VPN users: Preshared keys: remote users must obtain the preshared key for an IPsec VPN, which they then enter into their VPN client configuration. When the client attempts to connect, FortiOS checks the key to make sure it matches. If the keys do not match, the VPN tunnel is not established. RSA certificates: certificates are used in a similar manner to preshared keys. FortiOS checks to make sure that the correct certificate is being used during a connection attempt and will refuse the connection if the certificate does not match. Extended authentication (XAUTH): after authentication by preshared key or certificate, remote users enter a username and password to connect to the VPN. Only users who belong to the user group specified in the XAUTH configuration are allowed access. IPsec users authenticated from a RADIUS server can also have their IPsec tunnel virtual IP address assigned from their RADIUS record. SSL VPN FortiOS supports the creation of multiple SSL VPN portals, each providing access to a unique combination of network resources and services. Different user groups can be added to each portal and only members of the user groups added to a given portal have access to the services provided by that portal. FORTINET - Inside FortiOS/Authentication/201401 2 http://www.fortinet.com/aboutus/legal.html

When an SSL VPN user logs in, their credentials are matched with a user group and the user is allowed access only to the portal that includes their user group. SSL VPN users authenticated from a RADIUS server can have their SSL VPN virtual IP address assigned by FortiOS from IP information recorded in the RADIUS record. Local user database User accounts can be stored directly on the FortiGate unit, to manage user credentials without relying on other resources. This information is only used to authenticate users connecting to that specific FortiGate unit. External authentication servers FortiGate units can integrate with the following types of external servers: LDAP, RADIUS, and TACACS+. If multiple servers are used, they can be ranked as primary, secondary, or tertiary. This way, the secondary server will only be contacted if the primary is unreachable, while the tertiary server is only contacted if the primary and secondary servers are both unreachable. LDAP Lightweight Directory Access Protocol (LDAP) servers provide organization-wide access to member credentials. FortiOS can integrate with multiple LDAP servers and can support any LDAP server port, common name identifier, distinguished name, and one of three bind types: simple, anonymous, and regular. Communication with the LDAP server can be unencrypted or can use LDAP over SSL (LDAPS) certificates or STARTTLS protocol for secure communications. RADIUS Remote Authentication Dial In User Service (RADIUS) servers provide authentication, accounting, billing, and user tracking. FortiOS can integrate with multiple RADIUS servers each with its own RADIUS port, primary and secondary server IP address, and server secret key. FortiOS supports PAP, CHAP, and MS-CHAP v1 and v2 authentication schemes. Also supported are various RADIUS attributes such as Microsoft Vendor-specific attributes (NAS IP/Called Station ID), the Framed-IP-Address attribute for assigning SSL VPN client IP addresses, Acct-Input-* / Acct-Output-* attributes for accounting, and H3C compatibility, which allows authentication to be supported with two RADIUS attributes. Wireless devices can also be authenticated based on their MAC address. TACACS+ Terminal Access Controller Access-Control System Plus (TACACS+) servers provide similar functionality to RADIUS servers, but TACACS+ separates authentication and authorization into two operations and uses TCP for communication rather than UDP. FortiOS supports TACACS+ authentication using ASCII, PAP, CHAP, or MSCHAP and can integrate with multiple TACACS+ servers. FortiAuthenticator FortiAuthenticator is an user identity management solution that delivers authentication via RADIUS server and LDAP, secured by strong two-factor authentication methods for multiple FortiGate and third-party devices. FortiAuthenticator provides central management of users, integration with third party LDAP/AD, and management of FortiTokens, together with user self-registration and password reset. The RADIUS server delivers 802.1X EAP (PEAP, TLS, TTLS) for wired and wireless authentication. FortiAuthenticator can also replace the FSSO Collector Agent on a Windows AD network and deliver additional identity detection methods including captive portal, intranet widgets, SSO Mobility Agent, and RADIUS Accounting. Certificate-based authentication An RSA X.509 server certificate is a small file issued by a Certificate Authority (CA) that is installed on a computer or FortiGate unit to authenticate itself to other devices on the network. When one party on a network presents the certificate as authentication, the other party can validate that the certificate was issued by the CA. Certificates provide the authentication basis for SSL-based secure communications, such as SSL VPN and HTTPS and can also provide peer authentication for IPsec VPNs. Certificates are stored in the FortiOS certificates database, into which both CA and server certificates can be imported. FORTINET - Inside FortiOS/Authentication/201401 3 http://www.fortinet.com/aboutus/legal.html

FortiOS also supports creating a certificate signing request (CSR) for submission to a CA, as well as online submission using SCEP. Certificate revocation lists (CRLs) can also be updated from online servers using HTTP, LDAP, SCEP, or local file import. Public-key infrastructure (PKI) user accounts can be added to FortiOS to identify the users certificates by using a text string in a certificate; for example, an email address. The CA certificate must be specified and be available on the FortiGate unit to verify the user's certificate. A special type of user group can be created, which contains PKI users. An IPsec VPN can be configured to allow access to any member of the specified user group who has a valid certificate. Two-factor authentication Two-factor authentication, which can be used for connections to both identity-based policies and VPNs, requires a user to provide an additional means of authentication. In addition to their credentials, users must provide either a certificate that is installed on the user s computer, or a randomly generated multi-digit number, often called a token. Users can receive tokens using a one-time password (OTP) system or by having it sent to them via email or SMS text messaging. FortiToken and FortiToken Mobile FortiToken generates a unique, time-based token used in two-factor authentication. There are two types of tokens: hard tokens, which require the use of FortiToken hardware, or soft tokens, which are created using the FortiToken Mobile application, available for Android and ios. The serial number for FortiToken hardware units must be registered on the FortiGate unit and verified with FortiGuard servers before it can be used. If a token is lost or stolen, an administrator can either disable or delete it to prevent unauthorized use. 902103 FortiToken mobile devices generate tokens using a serial number that can be found on the FortiGate unit. This number can either be entered manually or used to create a QR code. The application is protected by a PIN in case the mobile device is lost or stolen. F RTINET 902103 When using FortiToken, the login prompt first displays the usual username and password fields. Upon successful entry of that information, an additional field appears for entering the six-digit token. Captive portal Once a user has entered their credentials to access the Internet, a captive portal can be used to bring them to a web page containing your acceptable use policy or other information. No matter what URL the user initially requested, the portal page is returned. Only after authenticating and agreeing to usage terms can the user access other web resources. Monitoring users FortiOS includes the usernames of authenticated users in logs and reports, which can be searched by username. Reports available from FortiOS and FortiAnalyzer can identify the activities of individual users. Banned user quarantine data will also show the usernames of authenticated users, and their quarantine status can be recorded or changed. FORTINET - Inside FortiOS/Authentication/201401 4 http://www.fortinet.com/aboutus/legal.html

Guest accounts Temporary guest accounts can be created on a FortiGate unit that provide users with credentials to temporarily log onto the network for a set duration. To allow guest accounts to be made, a guest user group must be created. This user group defines how the user ID and password will be created. After this is done, new accounts can easily be generated and a separate admin account can be created solely for the purpose of creating guest accounts, reducing the administrator workload for large events or offices that have frequent visitors requiring temporary Internet or network access. Authentication-based routing FortiOS supports authentication-based routing, which associates a user group with one or more routes. This allows all traffic from the user group to be routed to a specified gateway, which can be useful when distinguishing users from different organizations that need to be routed to different Internet gateways. FORTINET - Inside FortiOS/Authentication/201401 5 http://www.fortinet.com/aboutus/legal.html

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information