Fortinet black logo

Handbook

Authentication groups

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:747815
Download PDF

Authentication groups

You need to add authentication groups to support authentication and secure tunneling between WAN optimization peers.

To perform authentication, WAN optimization peers use a certificate or a pre-shared key added to an authentication group so they can identify each other before forming a WAN optimization tunnel. Both peers must have an authentication group with the same name and settings. You add the authentication group to a peer-to-peer or active rule on the client-side FortiGate unit. When the server-side FortiGate unit receives a tunnel start request from the client-side FortiGate unit that includes an authentication group, the server-side FortiGate unit finds an authentication group in its configuration with the same name. If both authentication groups have the same certificate or pre-shared key, the peers can authenticate and set up the tunnel.

Authentication groups are also required for secure tunneling.

To add authentication groups, go to WAN Opt. & Cache > Authentication Groups.

To add an authentication group - GUI:

Use the following steps to add any kind of authentication group. It is assumed that if you are using a local certificate to authenticate, it is already added to the FortiGate unit

  1. Go to WAN Opt. & Cache > Authentication Groups.
  2. Select Create New.
  3. Add a Name for the authentication group.
    You will select this name when you add the authentication group to a WAN optimization rule.
  4. Select the Authentication Method.
    Select Certificate if you want to use a certificate to authenticate and encrypt WAN optimization tunnels. You must select a local certificate that has been added to this FortiGate unit. (To add a local certificate, go to System > Certificates.) Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and certificate.
    Select Pre-shared key if you want to use a pre-shared key or password to authenticate and encrypt WAN optimization tunnels. You must add the Password (or pre-shared key) used by the authentication group. Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and password. The password must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
  5. Configure Peer Acceptance for the authentication group.
    Select Accept Any Peer if you do not know the peer host IDs or IP addresses of the peers that will use this authentication group. This setting is most often used with FortiGate units that do not have static IP addresses, for example units that use DHCP.
    Select Accept Defined Peers if you want to authenticate with peers added to the peer list only.
    Select Specify Peer and select one of the peers added to the peer list to authenticate with the selected peer only.
  6. Select OK.
  7. Add the authentication group to a WAN optimization rule to apply the authentication settings in the authentication group to the rule.
To add an authentication group that uses a certificate- CLI:

Enter the following command to add an authentication group that uses a certificate and can authenticate all peers added to the FortiGate unit configuration.

In this example, the authentication group is named auth_grp_1 and uses a certificate named Example_Cert.

config wanopt auth-group

edit auth_grp_1

set auth-method cert

set cert Example_Cert

set peer-accept defined

end

To add an authentication group that uses a pre-shared key - CLI:

Enter the following command to add an authentication group that uses a pre-shared key and can authenticate only the peer added to the authentication group.

In this example, the authentication group is named auth_peer, the peer that the group can authenticate is named Server_net, and the authentication group uses 123456 as the pre-shared key. In practice you should use a more secure pre-shared key.

config wanopt auth-group

edit auth_peer

set auth-method psk

set psk 123456

set peer-accept one

set peer Server_net

end

To add an authentication group that accepts WAN optimization connections from any peer - GUI

Add an authentication group that accepts any peer for situations where you do not have the Peer Host IDs or IP Addresses of the peers that you want to perform WAN optimization with. This setting is most often used for WAN optimization with FortiGate units that do not have static IP addresses, for example units that use DHCP. An authentication group that accepts any peer is less secure than an authentication group that accepts defined peers or a single peer.

The example below sets the authentication method to Pre-shared key. You must add the same password to all FortiGate units using this authentication group.

  1. Go to WAN Opt. & Cache > Authentication Groups.
  2. Select Create New to add a new authentication group.
  3. Configure the authentication group:
Name Specify any name.
Authentication Method Pre-shared key
Password Enter a pre-shared key.
Peer Acceptance Accept Any Peer
To add an authentication group that accepts WAN optimization connections from any peer - CLI:

In this example, the authentication group is named auth_grp_1. It uses a certificate named WAN_Cert and accepts any peer.

config wanopt auth-group

edit auth_grp_1

set auth-method cert

set cert WAN_Cert

set peer-accept any

end

Authentication groups

You need to add authentication groups to support authentication and secure tunneling between WAN optimization peers.

To perform authentication, WAN optimization peers use a certificate or a pre-shared key added to an authentication group so they can identify each other before forming a WAN optimization tunnel. Both peers must have an authentication group with the same name and settings. You add the authentication group to a peer-to-peer or active rule on the client-side FortiGate unit. When the server-side FortiGate unit receives a tunnel start request from the client-side FortiGate unit that includes an authentication group, the server-side FortiGate unit finds an authentication group in its configuration with the same name. If both authentication groups have the same certificate or pre-shared key, the peers can authenticate and set up the tunnel.

Authentication groups are also required for secure tunneling.

To add authentication groups, go to WAN Opt. & Cache > Authentication Groups.

To add an authentication group - GUI:

Use the following steps to add any kind of authentication group. It is assumed that if you are using a local certificate to authenticate, it is already added to the FortiGate unit

  1. Go to WAN Opt. & Cache > Authentication Groups.
  2. Select Create New.
  3. Add a Name for the authentication group.
    You will select this name when you add the authentication group to a WAN optimization rule.
  4. Select the Authentication Method.
    Select Certificate if you want to use a certificate to authenticate and encrypt WAN optimization tunnels. You must select a local certificate that has been added to this FortiGate unit. (To add a local certificate, go to System > Certificates.) Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and certificate.
    Select Pre-shared key if you want to use a pre-shared key or password to authenticate and encrypt WAN optimization tunnels. You must add the Password (or pre-shared key) used by the authentication group. Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and password. The password must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
  5. Configure Peer Acceptance for the authentication group.
    Select Accept Any Peer if you do not know the peer host IDs or IP addresses of the peers that will use this authentication group. This setting is most often used with FortiGate units that do not have static IP addresses, for example units that use DHCP.
    Select Accept Defined Peers if you want to authenticate with peers added to the peer list only.
    Select Specify Peer and select one of the peers added to the peer list to authenticate with the selected peer only.
  6. Select OK.
  7. Add the authentication group to a WAN optimization rule to apply the authentication settings in the authentication group to the rule.
To add an authentication group that uses a certificate- CLI:

Enter the following command to add an authentication group that uses a certificate and can authenticate all peers added to the FortiGate unit configuration.

In this example, the authentication group is named auth_grp_1 and uses a certificate named Example_Cert.

config wanopt auth-group

edit auth_grp_1

set auth-method cert

set cert Example_Cert

set peer-accept defined

end

To add an authentication group that uses a pre-shared key - CLI:

Enter the following command to add an authentication group that uses a pre-shared key and can authenticate only the peer added to the authentication group.

In this example, the authentication group is named auth_peer, the peer that the group can authenticate is named Server_net, and the authentication group uses 123456 as the pre-shared key. In practice you should use a more secure pre-shared key.

config wanopt auth-group

edit auth_peer

set auth-method psk

set psk 123456

set peer-accept one

set peer Server_net

end

To add an authentication group that accepts WAN optimization connections from any peer - GUI

Add an authentication group that accepts any peer for situations where you do not have the Peer Host IDs or IP Addresses of the peers that you want to perform WAN optimization with. This setting is most often used for WAN optimization with FortiGate units that do not have static IP addresses, for example units that use DHCP. An authentication group that accepts any peer is less secure than an authentication group that accepts defined peers or a single peer.

The example below sets the authentication method to Pre-shared key. You must add the same password to all FortiGate units using this authentication group.

  1. Go to WAN Opt. & Cache > Authentication Groups.
  2. Select Create New to add a new authentication group.
  3. Configure the authentication group:
Name Specify any name.
Authentication Method Pre-shared key
Password Enter a pre-shared key.
Peer Acceptance Accept Any Peer
To add an authentication group that accepts WAN optimization connections from any peer - CLI:

In this example, the authentication group is named auth_grp_1. It uses a certificate named WAN_Cert and accepts any peer.

config wanopt auth-group

edit auth_grp_1

set auth-method cert

set cert WAN_Cert

set peer-accept any

end