FortiProxy authentication has two parts: authentication and authorization. Authentication validates the user and answers the question of who the user is, using a user name and credential information. Authorization determines the privileges the user has. It is performed by the policy matching the user against the user's membership in local or remote user groups. When you specify FortiProxy groups and users in a FortiProxy policy, the FortiProxy unit relies on the user's authorization data to enforce which user groups can access a network resource or receive different UTM features, and which user groups cannot.
A user in the network corresponds to one account and one person or device. In deployment, users are mostly managed in a tree hierarchy using groups: users belong to groups, some groups belong to other groups (nested groups), and so on. The user's group data is the user's authorization data (also known as user membership).
From the point of view of the FortiProxy unit, there are two kinds of users:
- A local user has credentials that are kept on the FortiProxy unit in the local user database ("local-usr-db"), selected in the authentication scheme's user-database setting.
- A remote user has credentials and, optionally, authorization data on a server named in the user-database setting. Usually, remote users are held on a Windows Active Directory server and queried over LDAP. Remote users are widely used in FortiProxy deployments because the server manages users centrally for the corporate network. In this manual, users are usually remote users on an LDAP server. The following user group maps a FortiProxy group to an LDAP group on such a server:
config user group
    edit "tony_ldap_grp"
        set member "tony_ldap"                      << LDAP server setting
        config match
            edit 1
                set server-name "tony_ldap"
                set group-name "cn=grp1,cn=users,dc=tony,dc=ca"  << LDAP group name
            next
        end
    next
end
Another type of remote user is authenticated by a RADIUS server, which does not provide additional authorization (group) data.
The FortiProxy group definition is different from the user's group information: the FortiProxy group definition declares the authorization data that the policy requires. For example, if the tony_ldap_grp FortiProxy group is configured in the policy, the policy expects the user on the LDAP server tony_ldap to have the group of “
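The authorization step described above, worked through as an added example that is not FortiProxy code: a policy names a FortiProxy group, the FortiProxy group names an LDAP group DN on a server, and the user is authorized only if that DN is among the groups the user belongs to, directly or through nested groups. The directory contents (users alice, bob and carol; groups grp1, grp2 and grp3, with grp2 nested in grp1 and a deliberate cycle back to grp1) are constructed in memory to stand in for an LDAP "member" attribute search, and the DN normalisation is a simplified assumption rather than a full RFC 4517 distinguishedNameMatch.

```python
from collections import defaultdict, deque

# Constructed sample directory (not a real LDAP server): each group DN maps to
# the values of its "member" attribute. grp2 is nested in grp1, and grp1 is
# also listed under grp2 so the resolver's cycle handling is exercised.
SAMPLE_DIRECTORY = {
    "cn=grp1,cn=users,dc=tony,dc=ca": [
        "cn=alice,cn=users,dc=tony,dc=ca",
        "cn=grp2,cn=users,dc=tony,dc=ca",
    ],
    "cn=grp2,cn=users,dc=tony,dc=ca": [
        "cn=bob,cn=users,dc=tony,dc=ca",
        "cn=grp1,cn=users,dc=tony,dc=ca",
    ],
    "cn=grp3,cn=users,dc=tony,dc=ca": [
        "cn=carol,cn=users,dc=tony,dc=ca",
    ],
}

# Mirrors the "config user group" entry on this page: the FortiProxy group
# tony_ldap_grp is satisfied by membership in grp1 on the server tony_ldap.
FORTIPROXY_GROUPS = {
    "tony_ldap_grp": {
        "server-name": "tony_ldap",
        "group-name": "cn=grp1,cn=users,dc=tony,dc=ca",
    },
}


def normalize_dn(dn):
    """Simplified DN normalisation (assumption: trim and lower-case each RDN).
    A production implementation follows RFC 4517 distinguishedNameMatch."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_memberships(user_dn, directory):
    """Return every group DN the user belongs to, directly or via nesting.

    Builds a member -> parent-groups map and walks it breadth-first with a
    visited set, so circular nesting (grp1 <-> grp2) terminates."""
    parents = defaultdict(list)
    for group_dn, members in directory.items():
        for member_dn in members:
            parents[normalize_dn(member_dn)].append(normalize_dn(group_dn))

    seen = set()
    queue = deque([normalize_dn(user_dn)])
    while queue:
        current = queue.popleft()
        for group in parents.get(current, []):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def authorize(user_dn, fortiproxy_group,
              directory=SAMPLE_DIRECTORY, groups=FORTIPROXY_GROUPS):
    """Policy-side decision: look up the FortiProxy group, take the LDAP
    group-name it declares, and require the user to be a (possibly nested)
    member of that DN. An unknown FortiProxy group never authorizes."""
    definition = groups.get(fortiproxy_group)
    if definition is None:
        return False
    required = normalize_dn(definition["group-name"])
    return required in resolve_memberships(user_dn, directory)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        dn = f"cn={user},cn=users,dc=tony,dc=ca"
        print(f"{user}: authorized for tony_ldap_grp = "
              f"{authorize(dn, 'tony_ldap_grp')}")
```

alice is authorized by direct membership in grp1, bob by nested membership through grp2, and carol is refused because grp3 is not the group the FortiProxy group definition names. The same structure explains why a RADIUS-authenticated user with no group data cannot satisfy a group-based policy: resolve_memberships returns an empty set.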