Fortinet white logo
Fortinet white logo

Overview

Overview

FortiProxy authentication includes authentication and authorization. Authentication validates users and resolves the question of who the user is. Authentication uses user names and credential information to validate users. Authorization determines the privileges the user has. Authorization is done by the policy matching the user with the userʼs membership in local or remote user groups. When you specify FortiProxy groups and users in a FortiProxy policy, the FortiProxy unit relies on the user’s authorization data to enforce which user groups can access a network resource or apply different UTM features and which user groups cannot.

Users and Groups

A user in the network is linked to one kind of account and one person or device. In deployment, the users are mostly managed in a tree hierarchy using groups. Users belong to some groups, some groups belong to other groups (nested groups), and so on. The user’s group data is the user’s authorization data (also known as user membership).

From the view of the FortiProxy unit, there are two kind of users:

  • A local user has credentials that are kept on the FortiProxy unit in the “local-usr-db,” located in the authentication scheme’s user-database configuration.
  • A remote user has credentials and (optionally) authorization data located on any kind of server in the user-database setting. Usually, remote users use the LDAP as the query protocol and a Windows Active Directory server. Remote users are widely used in FortiProxy deployments because the server centrally manages users in a corporation network deployment. In this manual, users are usually an LDAP server’s remote users.
To configure a user group in the CLI:

config user group

edit "tony_ldap_grp"

set member "tony_ldap" << LDAP server setting

config match

edit 1

set server-name "tony_ldap"

set group-name "cn=grp1,cn=users,dc=tony,dc=ca" << LDAP group name

next

end

next

end

Another type of remote user uses a RADIUS server, which does not provide additional authorization data.

The FortiProxy group definition is different from a user’s group information. The FortiProxy group definition defines the authorization data. For example, if the tony_ldap_grp FortiProxy group is configured in the policy, the policy expects the user in the LDAP server tony_ldap to have the group of “cn=grp1,cn=users,dc=tony,dc=ca”.

Overview

Overview

FortiProxy authentication includes authentication and authorization. Authentication validates users and resolves the question of who the user is. Authentication uses user names and credential information to validate users. Authorization determines the privileges the user has. Authorization is done by the policy matching the user with the userʼs membership in local or remote user groups. When you specify FortiProxy groups and users in a FortiProxy policy, the FortiProxy unit relies on the user’s authorization data to enforce which user groups can access a network resource or apply different UTM features and which user groups cannot.

Users and Groups

A user in the network is linked to one kind of account and one person or device. In deployment, the users are mostly managed in a tree hierarchy using groups. Users belong to some groups, some groups belong to other groups (nested groups), and so on. The user’s group data is the user’s authorization data (also known as user membership).

From the view of the FortiProxy unit, there are two kind of users:

  • A local user has credentials that are kept on the FortiProxy unit in the “local-usr-db,” located in the authentication scheme’s user-database configuration.
  • A remote user has credentials and (optionally) authorization data located on any kind of server in the user-database setting. Usually, remote users use the LDAP as the query protocol and a Windows Active Directory server. Remote users are widely used in FortiProxy deployments because the server centrally manages users in a corporation network deployment. In this manual, users are usually an LDAP server’s remote users.
To configure a user group in the CLI:

config user group

edit "tony_ldap_grp"

set member "tony_ldap" << LDAP server setting

config match

edit 1

set server-name "tony_ldap"

set group-name "cn=grp1,cn=users,dc=tony,dc=ca" << LDAP group name

next

end

next

end

Another type of remote user uses a RADIUS server, which does not provide additional authorization data.

The FortiProxy group definition is different from a user’s group information. The FortiProxy group definition defines the authorization data. For example, if the tony_ldap_grp FortiProxy group is configured in the policy, the policy expects the user in the LDAP server tony_ldap to have the group of “cn=grp1,cn=users,dc=tony,dc=ca”.