Remote User Authentication
Module Objectives
• By the end of this module participants will be able to:
• Describe the methods available for authenticating users that are contained in databases external to the FortiGate unit
• Configure LDAP authentication
Remote User Authentication
Diagram: remote users are authenticated against LDAP, Directory Services, TACACS+, RADIUS, or digital certificates
• The information used to authenticate users is stored on a remote server
• The FortiGate unit sends the user's credentials to the remote server for validation
• Best for situations where multiple FortiGate units need to authenticate the same users
Remote User Authentication
• The FortiGate unit must be configured to access the external servers used to authenticate the users
• Administrators can create an account for the user locally and specify the server to verify the password, or
• Administrators can add the authentication server to a user group
• All users in that server become members of the group
RADIUS Authentication
Diagram: the user "Kelly Miller" with password "#p57ds%" logs in to the FortiGate unit, which forwards the credentials to the RADIUS server
• The FortiGate unit sends the user name and password to the RADIUS server for verification
• A RADIUS server can be added as a user group
• All members will be able to authenticate
RADIUS Authentication
• The IP addresses of the primary and secondary RADIUS servers, along with their secret key, must be identified on the FortiGate unit
• A Fortinet Vendor-Specific Attributes (VSA) dictionary is provided to identify the RADIUS attributes used by the FortiGate unit
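Added example, not part of the Fortinet course material: what a NAS such as the FortiGate unit actually puts on the wire when it forwards Kelly Miller's credentials to a RADIUS server, and where the shared secret comes in. Written in Python against RFC 2865; the secret, NAS address and packet identifier are constructed values. The point a practitioner should take from it: RADIUS hides only the User-Password attribute, with a reversible MD5 keystream keyed by the shared secret, and the Access-Accept is authenticated by an MD5 over the same secret. A short secret can be brute-forced offline from one captured exchange, so use a long random secret (the same one on primary and secondary) and carry RADIUS over IPsec or RadSec rather than bare UDP.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed value for the example; the real secret is whatever is configured on both
# the FortiGate unit and the RADIUS server.
SHARED_SECRET = b"Kq7!v2pRz9@wL4mXc8Tb"


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous block); the first block uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server does: regenerate the keystream, then drop the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length including the header (1 byte), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         identifier: int, request_auth: bytes = b"") -> bytes:
    """The Access-Request a NAS sends for a PAP login (RFC 2865 section 4.1)."""
    ra = request_auth or os.urandom(16)  # Request Authenticator: unpredictable, unique per request
    if len(ra) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + ra + attrs


def build_response(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side. RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def response_is_authentic(request: bytes, response: bytes, secret: bytes) -> bool:
    """The check the NAS must do before honouring an Access-Accept: the Response
    Authenticator ties the reply to this request and to a holder of the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req = build_access_request("Kelly Miller", "#p57ds%", SHARED_SECRET, "192.0.2.1", 7)
    print("Access-Request:", req.hex())
    resp = build_response(req, ACCESS_ACCEPT, SHARED_SECRET)
    print("Accept verified:", response_is_authentic(req, resp, SHARED_SECRET))
    print("Forged accept rejected:", not response_is_authentic(req, resp, b"guessed-secret"))
```

Running it shows the full Access-Request in hex with the user name readable and only the password attribute hidden, and that an Access-Accept produced under a different secret fails verification, which is the only thing preventing a spoofed "accept" from the server's address.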
RADIUS and SecurID Authentication
Diagram: FortiGate unit → RADIUS server → RSA ACE/Server
• A RADIUS server and an RSA ACE/Server can be configured to work together to verify the one-time passcode displayed on the SecurID token
• The FortiGate unit must be configured to access the RADIUS server, in addition to being configured as an Agent Host in the RSA ACE/Server
• A user group for the SecurID users must be created on the FortiGate unit
Dynamic Profiles
• Customer identifying information can be stored in the RADIUS server
• When a user authenticates using RADIUS, the FortiGate unit can use a dynamic profile to extract the customer information and process traffic according to the dynamic profile firewall policy
• A RADIUS Start record is sent to the FortiGate unit
• Allows different groups of users to have different levels of access
• For example, parental controls
Dynamic Profiles
Diagram of the flow, again with the user "Kelly Miller" / "#p57ds%":
• Customer requests a connection and is forced to authenticate
• RADIUS server identifies the customer
• Server sends a RADIUS Start record to the FortiGate unit
• The FortiGate unit applies the dynamic profile firewall policy using information from the RADIUS server
• Customer session is filtered by the profile group
Dynamic Profiles
• On the RADIUS server, add a profile group name field to customer accounts that will be using dynamic profiles
• This name will be added to the RADIUS Start record sent by the server
• Configure the RADIUS server to send the Start record to the FortiGate unit
Dynamic Profiles
• To use dynamic profiles:
• Configure the RADIUS server for dynamic profiles
• Configure an optional UTM profile group
• Configure a dynamic profile firewall policy
• Identify the profile group or select All Dynamic Profile Users
• Only one firewall policy can be configured for dynamic profiles in a VDOM
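Added example, not part of the course material: how a RADIUS accounting Start record carrying the profile group name is checked and mapped to a dynamic profile policy. Python against RFC 2865/2866, with a constructed record. The Fortinet vendor ID (12356) and the Fortinet-Group-Name sub-attribute number (1) are taken from the public Fortinet RADIUS dictionary the earlier slide refers to and should be confirmed against the dictionary shipped with your FortiOS release; the accounting secret and addresses are made up. The practitioner point: the Start record is what binds a source address to a profile group, so a record must be dropped unless its Request Authenticator verifies under the shared secret; otherwise anyone who can reach the accounting port can put their own address into a more permissive group.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 1, 8, 26, 40
ACCT_START, ACCT_STOP = 1, 2
# Assumption: Fortinet's IANA enterprise number and the Fortinet-Group-Name sub-attribute
# number, from the public Fortinet RADIUS dictionary; confirm against your FortiOS release.
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def fortinet_vsa(vtype: int, value: bytes) -> bytes:
    """RFC 2865 section 5.26: Vendor-Specific = Vendor-Id (4 bytes) + vendor sub-attribute TLV."""
    sub = struct.pack("!BB", vtype, len(value) + 2) + value
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + sub)


def build_acct_record(username: str, framed_ip: str, group: str, secret: bytes,
                      status: int = ACCT_START, identifier: int = 1) -> bytes:
    """Accounting-Request as the RADIUS server sends it to the FortiGate unit. RFC 2866
    section 3: Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + Attrs + Secret)."""
    attrs = (attribute(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + attribute(USER_NAME, username.encode())
             + attribute(FRAMED_IP_ADDRESS, bytes(int(o) for o in framed_ip.split(".")))
             + fortinet_vsa(FORTINET_GROUP_NAME, group.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs


def parse_attributes(packet: bytes) -> list:
    """(type, value) pairs in order; RADIUS allows repeated attributes, so not a dict."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def fortinet_group(attrs: list):
    """Extract Fortinet-Group-Name from the Vendor-Specific attributes, if present."""
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]
        if vtype == FORTINET_GROUP_NAME and vlen == len(value) - 4:
            return value[6:].decode(errors="replace")
    return None


def apply_dynamic_profile(packet: bytes, secret: bytes, policies: dict):
    """Map an accounting record to the dynamic-profile policy that should filter the
    customer's session. `policies` is {group name: policy name}; the key "*" stands for
    the "All Dynamic Profile Users" choice. Returns None when nothing may be applied."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return None
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong secret or forged: never bind an address to a profile on its say-so
    attrs = parse_attributes(packet)
    by_type = {atype: value for atype, value in attrs}
    status_raw = by_type.get(ACCT_STATUS_TYPE, b"")
    if len(status_raw) != 4 or struct.unpack("!I", status_raw)[0] != ACCT_START:
        return None  # only a Start record creates a session; Stop and Interim do not
    if USER_NAME not in by_type or len(by_type.get(FRAMED_IP_ADDRESS, b"")) != 4:
        return None
    group = fortinet_group(attrs)
    policy = policies.get(group, policies.get("*"))
    if policy is None:
        return None  # no policy for this group and no All Dynamic Profile Users policy
    return {"user": by_type[USER_NAME].decode(errors="replace"),
            "ip": ".".join(str(b) for b in by_type[FRAMED_IP_ADDRESS]),
            "group": group, "policy": policy}


if __name__ == "__main__":
    secret = b"acct-shared-secret"  # constructed
    start = build_acct_record("Kelly Miller", "192.0.2.10", "parental-controls", secret)
    print(apply_dynamic_profile(start, secret, {"parental-controls": "kids-webfilter", "*": "default"}))
```

The same check should be applied to Stop records before a session is torn down, otherwise a forged Stop is a cheap denial of service against a customer.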
LDAP Authentication
Diagram: the user "Kelly Miller" / "#p57ds%" is located in the directory tree dc=com → dc=acme → ou=training → cn=Kelly Miller (Password: #p57ds%)
• The FortiGate unit can send the user name and password to the LDAP server for authentication
• An LDAP server can be added as a user group
• All members will be able to authenticate
LDAP Authentication
• Details of the LDAP server must be identified on the FortiGate unit
• The Distinguished Name (DN) under which the user entries are located must be identified during server configuration on the FortiGate unit
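Added example, not part of the course: how the user name, the Common Name Identifier and the DN configured on the FortiGate unit combine into the bind DN for the user in the diagram, and what the resulting LDAPv3 simple bind looks like on the wire. Python against RFC 4511/4513/4514/4515; the base DN and CN identifier are constructed to match the slide's tree (ou=training,dc=acme,dc=com, cn), nothing contacts a server. Two checks a practitioner wants here and the slides do not mention: the user-supplied name must be escaped before it is spliced into a DN or a search filter, otherwise a name such as "x,ou=admins" changes which entry is bound, and an empty password must be refused, because a simple bind with a DN and no password is an unauthenticated bind that many directories answer with success. The encoded packet also makes plain that the password is sent as a cleartext OCTET STRING, so the FortiGate-to-LDAP leg needs LDAPS or STARTTLS.

```python
LDAP_BASE_DN = "ou=training,dc=acme,dc=com"  # the DN field on the FortiGate LDAP server entry (constructed)
LDAP_CNID = "cn"                             # the Common Name Identifier field


def escape_dn_value(value: str) -> str:
    """RFC 4514 section 2.4 escaping for an attribute value placed inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3 escaping for a value placed inside a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def user_dn(username: str, cnid: str = LDAP_CNID, base_dn: str = LDAP_BASE_DN) -> str:
    """Bind DN built from the configured CN identifier and DN: <cnid>=<user>,<DN>."""
    return f"{cnid}={escape_dn_value(username)},{base_dn}"


def user_filter(username: str, cnid: str = LDAP_CNID) -> str:
    """Search filter for the search-then-bind flow (bind with a service account, search
    under the DN for the user's entry, then bind as the entry that was found)."""
    return f"(&(objectClass=person)({cnid}={escape_filter_value(username)}))"


def _ber(tag: int, content: bytes) -> bytes:
    """Minimal BER TLV with short and long definite-length forms."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPv3 BindRequest with simple authentication (RFC 4511 section 4.2). The password
    is a plain OCTET STRING: without LDAPS or STARTTLS it is readable on the path."""
    if password == "":
        # RFC 4513 section 5.1.2: a DN with an empty password is an unauthenticated bind,
        # which many servers answer with success; treating that as a login is a bypass.
        raise ValueError("empty password would be an unauthenticated bind, not a login")
    if not 0 <= message_id <= 0x7F:
        raise ValueError("message_id out of range for this one-byte INTEGER encoder")
    body = (_ber(0x02, b"\x03")               # version INTEGER 3
            + _ber(0x04, dn.encode())         # name LDAPDN
            + _ber(0x80, password.encode()))  # authentication [0] simple OCTET STRING
    bind = _ber(0x60, body)                   # [APPLICATION 0] BindRequest, constructed
    return _ber(0x30, _ber(0x02, bytes([message_id])) + bind)  # LDAPMessage SEQUENCE


def bind_request_for(username: str, password: str, message_id: int = 1) -> bytes:
    """The bind the FortiGate would send for the slide's user (constructed, offline)."""
    if not username:
        raise ValueError("empty user name")
    return simple_bind_request(message_id, user_dn(username), password)


if __name__ == "__main__":
    print(user_dn("Kelly Miller"))
    print(user_dn("x,ou=admins"))          # escaped, so it cannot re-target the bind
    print(bind_request_for("Kelly Miller", "#p57ds%").hex())
```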
TACACS+ Authentication
Diagram: the user "Kelly Miller" with password "#p57ds%" logs in to the FortiGate unit, which forwards the credentials to the TACACS+ server
• The FortiGate unit sends the user name and password to the TACACS+ server for verification
• A TACACS+ server can be added as a user group
• All members will be able to authenticate
TACACS+ Authentication
• The IP address of the TACACS+ server, along with its secret key, must be identified on the FortiGate unit
• Select the authentication protocol to be used with the TACACS+ server:
• ASCII
• PAP
• CHAP
• MS-CHAP
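Added example, not from the course: the TACACS+ authentication START packet that carries the user name and PAP password to the server, and how the secret key configured on the FortiGate unit is used. Python against RFC 8907; the key, port name and remote address are constructed. The ASCII/PAP/CHAP/MS-CHAP choice on the slide is the authen_type byte in this packet. The caveat to take away: unlike RADIUS, TACACS+ covers the whole packet body, but the cover is an MD5 keystream with no integrity check (RFC 8907 itself calls it obfuscation), so the key must be long and random, sessions with the unencrypted flag must be refused, and the server should be reachable only over a management network or an IPsec tunnel.

```python
import hashlib
import struct

TAC_PLUS_AUTHEN = 1                    # packet type
TAC_PLUS_AUTHEN_LOGIN = 1              # action
TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_TYPE_PAP = 1, 2
TAC_PLUS_AUTHEN_TYPE_CHAP, TAC_PLUS_AUTHEN_TYPE_MSCHAP = 3, 5
TAC_PLUS_AUTHEN_SVC_LOGIN = 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
VERSION_PAP = 0xC1   # major 0xC, minor 1: used for PAP/CHAP/MS-CHAP; ASCII uses minor 0 (0xC0)
HEADER = "!BBBBII"   # version, type, seq_no, flags, session_id, body length


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5: body XOR pseudo_pad, where MD5_1 = MD5(session_id + key +
    version + seq_no) and MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1}).
    XOR with a keystream is its own inverse, so this both hides and reveals."""
    if not key:
        raise ValueError("empty key: refuse to run a TACACS+ session in the clear")
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start(user: str, password: str, session_id: int, key: bytes,
                 port: str = "web", rem_addr: str = "192.0.2.20",
                 authen_type: int = TAC_PLUS_AUTHEN_TYPE_PAP) -> bytes:
    """Authentication START packet (RFC 8907 section 5.1) as the NAS sends it; for PAP
    the user's password travels in the data field of the first packet."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    if max(len(u), len(p), len(r), len(d)) > 255:
        raise ValueError("field too long for a one-byte length")
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, authen_type, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), len(d)) + u + p + r + d
    header = struct.pack(HEADER, VERSION_PAP, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_PAP, 1)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Server-side decode. A wrong key yields garbage that the length and field checks
    catch; since there is no MAC, those checks are all the protocol offers."""
    if len(packet) < 12:
        raise ValueError("short packet")
    version, ptype, seq, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("unencrypted flag set: refuse cleartext sessions")
    if ptype != TAC_PLUS_AUTHEN or len(packet) != 12 + length:
        raise ValueError("not an authentication packet or bad length")
    body = obfuscate(packet[12:], session_id, key, version, seq)
    if len(body) < 8:
        raise ValueError("short body")
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if action != TAC_PLUS_AUTHEN_LOGIN or 8 + ul + pl + rl + dl != len(body):
        raise ValueError("body does not decode: wrong key or corrupted packet")
    if atype not in (TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_TYPE_PAP,
                     TAC_PLUS_AUTHEN_TYPE_CHAP, TAC_PLUS_AUTHEN_TYPE_MSCHAP):
        raise ValueError("unsupported authen_type")
    try:
        fields, pos = [], 8
        for n in (ul, pl, rl, dl):
            fields.append(body[pos:pos + n].decode())
            pos += n
    except UnicodeDecodeError as exc:
        raise ValueError("body does not decode: wrong key") from exc
    user, port, rem_addr, data = fields
    return {"authen_type": atype, "priv_lvl": priv, "user": user,
            "port": port, "rem_addr": rem_addr, "data": data}


if __name__ == "__main__":
    key = b"tacacs-shared-key"   # constructed; must equal the key configured on the FortiGate unit
    pkt = authen_start("Kelly Miller", "#p57ds%", 0x1234ABCD, key)
    print(pkt.hex())
    print(parse_authen_start(pkt, key))
```

Decoding the packet with the right key returns the user name and password intact; with any other key the lengths do not add up and the parser refuses it, which is the only failure signal available.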
Digital Certificate Authentication
Diagram: the user sends a certificate request plus user info to the Certification Authority (CA), which issues the certificate; the FortiGate unit verifies the certificate presented by the user
• Digital certificates issued by trusted certification authorities can be used for authentication
• The certificate of the issuing authority must be installed on the FortiGate device to verify the digital signature on a user certificate
• Confirms the certificate was issued by a trusted issuer
• Signature verification alone does not detect a revoked certificate; revocation checking (CRL or OCSP) is a separate step
Directory Services Authentication
Diagram: the user "Kelly Miller" / "$d12*h1" logs on to the Windows Active Directory domain from the "classroom" workstation
• User authenticates to Directory Services at logon
• Windows Active Directory
• Novell eDirectory
• Authentication information is passed to the FortiGate unit
• User automatically gets access to permitted resources without any further authentication operations
• Uses Fortinet Single Sign-On (FSSO)
Labs
• Lab - LDAP Authentication
• Configuring LDAP
• Testing LDAP authentication