Authentication groups
You need to add authentication groups to support authentication and secure tunneling between WAN optimization peers.
To perform authentication, WAN optimization peers use a certificate or a pre-shared key added to an authentication group so they can identify each other before forming a WAN optimization tunnel. Both peers must have an authentication group with the same name and settings. You add the authentication group to a peer-to-peer or active rule on the client-side FortiGate unit. When the server-side FortiGate unit receives a tunnel start request from the client-side FortiGate unit that includes an authentication group, the server-side FortiGate unit finds an authentication group in its configuration with the same name. If both authentication groups have the same certificate or pre-shared key, the peers can authenticate and set up the tunnel.
Authentication groups are also required for secure tunneling.
To add authentication groups, go to WAN Opt. & Cache > Authentication Groups.
To add an authentication group - GUI:
Use the following steps to add any kind of authentication group. It is assumed that if you are using a local certificate to authenticate, it is already added to the FortiGate unit
- Go to WAN Opt. & Cache > Authentication Groups.
- Select Create New.
- Add a Name for the authentication group.
You will select this name when you add the authentication group to a WAN optimization rule. - Select the Authentication Method.
Select Certificate if you want to use a certificate to authenticate and encrypt WAN optimization tunnels. You must select a local certificate that has been added to this FortiGate unit. (To add a local certificate, go to System > Certificates.) Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and certificate.
Select Pre-shared key if you want to use a pre-shared key or password to authenticate and encrypt WAN optimization tunnels. You must add the Password (or pre-shared key) used by the authentication group. Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and password. The password must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters. - Configure Peer Acceptance for the authentication group.
Select Accept Any Peer if you do not know the peer host IDs or IP addresses of the peers that will use this authentication group. This setting is most often used with FortiGate units that do not have static IP addresses, for example units that use DHCP.
Select Accept Defined Peers if you want to authenticate with peers added to the peer list only.
Select Specify Peer and select one of the peers added to the peer list to authenticate with the selected peer only. - Select OK.
- Add the authentication group to a WAN optimization rule to apply the authentication settings in the authentication group to the rule.
To add an authentication group that uses a certificate- CLI:
Enter the following command to add an authentication group that uses a certificate and can authenticate all peers added to the FortiGate unit configuration.
In this example, the authentication group is named auth_grp_1
and uses a certificate named Example_Cert
.
config wanopt auth-group
edit auth_grp_1
set auth-method cert
set cert Example_Cert
set peer-accept defined
end
To add an authentication group that uses a pre-shared key - CLI:
Enter the following command to add an authentication group that uses a pre-shared key and can authenticate only the peer added to the authentication group.
In this example, the authentication group is named auth_peer
, the peer that the group can authenticate is named Server_net
, and the authentication group uses 123456
as the pre-shared key. In practice you should use a more secure pre-shared key.
config wanopt auth-group
edit auth_peer
set auth-method psk
set psk 123456
set peer-accept one
set peer Server_net
end
To add an authentication group that accepts WAN optimization connections from any peer - GUI
Add an authentication group that accepts any peer for situations where you do not have the Peer Host IDs or IP Addresses of the peers that you want to perform WAN optimization with. This setting is most often used for WAN optimization with FortiGate units that do not have static IP addresses, for example units that use DHCP. An authentication group that accepts any peer is less secure than an authentication group that accepts defined peers or a single peer.
The example below sets the authentication method to Pre-shared key. You must add the same password to all FortiGate units using this authentication group.
- Go to WAN Opt. & Cache > Authentication Groups.
- Select Create New to add a new authentication group.
- Configure the authentication group:
Name | Specify any name. |
Authentication Method | Pre-shared key |
Password | Enter a pre-shared key. |
Peer Acceptance | Accept Any Peer |
To add an authentication group that accepts WAN optimization connections from any peer - CLI:
In this example, the authentication group is named auth_grp_1
. It uses a certificate named WAN_Cert
and accepts any peer.
config wanopt auth-group
edit auth_grp_1
set auth-method cert
set cert WAN_Cert
set peer-accept any
end