Fortinet black logo

Best Practices

Home FortiGate / FortiOS 7.0.0 Best Practices

Identity and access management

7.0.0
7.4.0
7.2.0
7.0.0
6.4.0
6.2.0
6.0.0
Copy Link
Copy Doc ID 7c8e21ef-1be2-11ec-8c53-00505692583a:640979
Download PDF

Identity and access management

Secure authentication is paramount in the implementation of an effective security policy. Many of the most damaging security breaches are due to compromised user accounts. By identifying and authenticating users, a significantly more granular control can be implemented to ensure that the right users are accessing the right network resources.

FortiGate supports identifying users in many different ways, including but not limited to:

  • Local: The username and password are stored on the FortiGate.

  • Remote: The username and password are stored on a remote server, such as LDAPS or TACACS+, that the FortiGate queries.

  • PKI/peer: Users that authenticate using a client certificate.

Caution

When configuring an LDAP connection to an Active Directory server, an administrator must provide Active Directory user credentials.

Authentication can be configured for:

  • Administrative access

  • Firewall authentication and SSO

  • VPN

  • Wireless security

  • 802.1X port security

The most effective authentication includes more than one of the following:

  • Something that the user knows: a username and password

  • Something that the user has: a certificate, a one time password (OTP) in the form of a token or code either sent to the user over email or SMS, or generated by a hardware token or authenticator app.

  • Something specific to the user: biometric data, such as a fingerprint

Single sign-on (SSO) can be used to reduce user fatigue by allowing users to only authenticate one time to gain access to all permitted resources.

FortiClient provides a solution to user and device identification, and can function as an SSO agent. It is also part of the Zero Trust Network Access (ZTNA) solution, allowing security posture checks along with authentication.

Note that, when implementing MFA on the FortiGate, a FortiToken can only be registered to one FortiGate at a time. If you use a remote authentication server for MFA, then each FortiGate points to the server. FortiAuthenticator and FortiToken Cloud are remote authentication servers that can manage the FortiTokens for multiple FortiGates at the same time. This allows you to use one token per user across multiple FortiGates.

Previous
Next

Identity and access management

Secure authentication is paramount in the implementation of an effective security policy. Many of the most damaging security breaches are due to compromised user accounts. By identifying and authenticating users, a significantly more granular control can be implemented to ensure that the right users are accessing the right network resources.

FortiGate supports identifying users in many different ways, including but not limited to:

  • Local: The username and password are stored on the FortiGate.

  • Remote: The username and password are stored on a remote server, such as LDAPS or TACACS+, that the FortiGate queries.

  • PKI/peer: Users that authenticate using a client certificate.

Caution

When configuring an LDAP connection to an Active Directory server, an administrator must provide Active Directory user credentials.

Authentication can be configured for:

  • Administrative access

  • Firewall authentication and SSO

  • VPN

  • Wireless security

  • 802.1X port security

The most effective authentication includes more than one of the following:

  • Something that the user knows: a username and password

  • Something that the user has: a certificate, a one time password (OTP) in the form of a token or code either sent to the user over email or SMS, or generated by a hardware token or authenticator app.

  • Something specific to the user: biometric data, such as a fingerprint

Single sign-on (SSO) can be used to reduce user fatigue by allowing users to only authenticate one time to gain access to all permitted resources.

FortiClient provides a solution to user and device identification, and can function as an SSO agent. It is also part of the Zero Trust Network Access (ZTNA) solution, allowing security posture checks along with authentication.

Note that, when implementing MFA on the FortiGate, a FortiToken can only be registered to one FortiGate at a time. If you use a remote authentication server for MFA, then each FortiGate points to the server. FortiAuthenticator and FortiToken Cloud are remote authentication servers that can manage the FortiTokens for multiple FortiGates at the same time. This allows you to use one token per user across multiple FortiGates.

Previous
Next