Authentication
Go to Configuration > Setup > Authentication to configure the following:

LDAP authentication

Go to the LDAP section of the Configuration > Setup > Authentication page to configure an LDAP server.

To configure an LDAP server:
  1. Enter an IP address or fully qualified domain name for the LDAP server.

  2. Enter the port number that the LDAP server will use.

  3. Enter a user name and password to access the LDAP server.

  4. Click TEST CONNECTION to verify that the LDAP server can be accessed.

    Be sure to test the connection before saving the configuration.

  5. Click SAVE to save the configuration.

    After configuring the LDAP server, go to Configuration > Users > Users to add a user, the userʼs FortiPolicy user role, and the userʼs user domain name for each user to be authenticated by LDAP.

RADIUS authentication

To integrate FortiPolicy with your RADIUS server, you need to configure your RADIUS users with the supported FortiPolicy roles: GlobalAdministrator, PolicyProvisioner, and Auditor.

Note

You need to configure the user role for RADIUS two-factor authentication.

To configure a RADIUS server:
  1. Enable or disable web access.

  2. Enable or disable shell access.

  3. Enter the IP address or fully qualified domain name for the RADIUS server.

  4. Enter the shared secret for the RADIUS server.

  5. Enter the authentication port (UDP) number.

  6. Enter the number of times that FortiPolicy will retry connecting to the RADIUS server.

  7. Select the RADIUS role attribute that will provide the FortiPolicy role in the authentication response from the RADIUS server.

  8. Enter the user name and password to access the RADIUS server.

  9. Click TEST CONNECTION to verify that FortiPolicy can access the RADIUS server.

  10. Click SAVE.

    Unlike LDAP, you do not need to create an entry in the FortiPolicy repository for RADIUS authentication and authorization.

Note

Authentication and authorization for RADIUS users use both a password and a QR code (time-based one-time password). By default, a new token is generated every 30 seconds. To compensate for a potential time-skew between the client and the server, FortiPolicy allows an extra token before and after the current time. This allows for a time-skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of three permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will allow a time-skew of up to 4 minutes between client and server if necessary.

Tooltip

You might need to install Google Authenticator and then scan the QR code per user to obtain the one-time password. Google Authenticator implements a one-time password for various platforms. It can be used in conjunction with FreeRADIUS to provide two-factor authentication using a library called Pluggable Authentication Module (PAM) for Linux user-password authentication. For more information on PAM, refer to http://www.linux-pam.org.
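The following is an added illustration of the skew window described in the note above, not FortiPolicy or FreeRADIUS code: a minimal RFC 6238 TOTP verifier whose `window` parameter reproduces the 3-code default (±1 step, 30 s of skew) and the 17-code setting (±8 steps, 4 minutes). The secret and server clock are constructed demo values.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per token, the default described in the note


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, code: str, server_time: int,
                window: int = 1, step: int = STEP) -> bool:
    """Accept the current code plus `window` codes before and after it.

    window=1 is the 3-code default (skew up to 30 s); window=8 is the 17-code
    setting (skew up to 4 min). Every candidate is compared in constant time
    and the loop never exits early, so timing does not reveal which slot matched.
    """
    current = int(server_time) // step
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + delta), code):
            matched = True
    return matched


def skew_budget(window: int, step: int = STEP) -> tuple[int, int]:
    """(permitted codes, maximum tolerated skew in seconds) for a window size."""
    return 2 * window + 1, window * step


# Constructed demo secret and server clock (not values from the page).
SECRET = b"12345678901234567890"
SERVER_TIME = 1_700_000_000

if __name__ == "__main__":
    for skew in (30, 90, 240, 300):
        client_code = totp(SECRET, SERVER_TIME + skew)  # client clock runs fast by `skew`
        print(f"client skew {skew:>3}s: 3-code window -> "
              f"{verify_totp(SECRET, client_code, SERVER_TIME, window=1)}, "
              f"17-code window -> {verify_totp(SECRET, client_code, SERVER_TIME, window=8)}")
```

Widening the window trades a larger replay/guessing surface for tolerance of bad clocks, so fixing NTP on the authenticator host is preferable to running at 17 codes permanently.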

SSH public keys

You can import SSH keys to access the FortiPolicy console using the CLI. Multiple keys can be added for different users.

The keys are imported for users who want to SSH into FortiPolicy. The FortiPolicy console supplies the password for access to the virtual machine. Using a single common password to log in is not adequately secure. To best protect the FortiPolicy console, FortiPolicy uses both the SSH key and one-time password (OTP) for two-factor authentication, which is time-based (using short-lived OTPs that change every 30 seconds).

An SSH key must have a user name assigned at all times. ECDSA key types are not supported.

To import SSH keys:
  1. Click Add Another Key.

    Enter the public key.

  2. If you want to add more public keys for multiple users, click Add Another Key.

  3. Click SAVE to save the public keys.

Tooltip

Click the trash can icon at the end of a row to delete the SSH key configuration.
