Configuring SSL VPN involves a number of configurations within FortiOS that you need to complete to make it all come together. This chapter describes the components required, and how and where to configure them to set up the FortiGate unit as an SSL VPN server. The configurations and steps are high level, to show you the procedures needed and where to locate the options in FortiOS. For real-world examples, see Setup examples.

There are three or four key steps to configuring an SSL VPN tunnel. The first three in the list below are mandatory; the fourth is required only for tunnel-mode operation. This chapter outlines these key steps as well as additional configurations for tighter security and monitoring.

- Create user accounts and user groups for the remote clients. (User accounts and groups)
- Create a web portal to define user access to network resources. (Configuring SSL VPN web portals)
- Configure the security policies that allow traffic from the SSL VPN interface to the protected networks. (Configuring security policies)
- For tunnel-mode operation, add routing to ensure that client tunnel-mode packets reach the SSL VPN interface.

This section contains the following information:

- User accounts and groups
- Configuring SSL VPN web portals
- Configuring encryption key algorithms
- Additional configuration options

User accounts and groups

The first step for an SSL VPN tunnel is to add the users and user groups that will access the tunnel. You may already have users defined for other authentication-based security policies.

The user group is associated with the web portal that the user sees after logging in. You can use one policy for multiple groups, or multiple policies to handle differences between the groups such as access to different services or different schedules.

To create a user account:

- In the web-based manager, go to User & Device > User Definition and select Create New.
- In the CLI, use the commands in config user local.

All users accessing the SSL tunnel must be in a firewall user group. User names can be up to 64 characters long.

To create a user group:

- In the web-based manager, go to User & Device > User Groups and select Create New.
- In the CLI, use the commands in config user group.

Guest group and SSO group have been removed from config user group and config vpn ssl web user-group-bookmark.

Authentication

Remote users must be authenticated before they can request services and/or access network resources through the web portal. The authentication process can use a password defined on the FortiGate unit or, optionally, established external authentication mechanisms such as RADIUS or LDAP.

To authenticate users, you can use a plain text password on the local FortiGate unit, forward authentication requests to an external RADIUS, LDAP or TACACS+ server, or use PKI certificates.

For information about how to create RADIUS, LDAP, TACACS+ or PKI user accounts and certificates, see the Authentication Guide.

FortiOS supports LDAP password renewal notification and updates through SSL VPN. This is enabled per LDAP server entry under config user ldap with the CLI commands:

    set password-expiry-warning enable
    set password-renewal enable

For more information, see the Authentication Guide.

MAC host check

When a remote client attempts to log in to the portal, you can have the FortiGate unit check the client's MAC address to ensure that only a specific computer or device is connecting to the tunnel. This provides better security should a password be compromised. Note that the FortiGate cannot observe a remote client's MAC address on the wire; the value it checks is supplied by the client, so treat this check as defence in depth rather than as a substitute for a second authentication factor.

MAC addresses can be tied to specific portals and can be either the entire MAC address or a subset (leading bits) of the address. MAC host checking is configured in the CLI, in the portal entry under config vpn ssl web portal, using the following commands:

    set mac-addr-check enable
    set mac-addr-action allow

With mac-addr-action allow, only clients whose MAC address matches one of the portal's MAC address rules are permitted to connect; with mac-addr-action deny, clients matching a rule are refused and all others are admitted.
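The four key steps above carried through in CLI form, as an added example that is not from the FortiOS handbook or from Fortinet: one local user, the firewall user group, a tunnel-capable portal, the SSL VPN server settings that map the group to the portal, the security policy from the SSL VPN interface to the LAN, and the route for the tunnel address pool. The user name alice, the objects sslvpn-users, full-access, sslvpn-pool, internal-lan and sslvpn-corp-cert, the interfaces wan1 and internal, and the addresses 10.212.134.200-210 and 192.168.1.0/24 are assumptions for illustration; substitute your own.

```fortios
# Added example, not from the FortiOS handbook. Object names, interfaces and
# addresses are assumptions; adjust them to your environment.

# Step 1: a local user and the firewall user group the SSL VPN policy matches.
config user local
    edit "alice"
        set type password
        set passwd "<strong-passphrase>"
    next
end
config user group
    edit "sslvpn-users"
        set member "alice"
    next
end

# Address objects for the tunnel IP pool and the protected network.
config firewall address
    edit "sslvpn-pool"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "internal-lan"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Step 2: a portal that allows tunnel mode and hands out addresses from the pool.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "sslvpn-pool"
    next
end

# SSL VPN server settings: listen on the WAN interface, present a CA-issued
# certificate (not the self-signed factory one, which trains users to click
# through warnings), require TLS 1.2 or later with strong ciphers, and map
# the group to its portal.
config vpn ssl settings
    set servercert "sslvpn-corp-cert"
    set ssl-min-proto-version tls1-2
    set algorithm high
    set source-interface "wan1"
    set source-address "all"
    set tunnel-ip-pools "sslvpn-pool"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
        next
    end
end

# Step 3: a security policy from the SSL VPN interface to the LAN. The group
# match means only sessions authenticated into this group can use the policy;
# the service list is kept narrow rather than ALL.
config firewall policy
    edit 0
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "sslvpn-pool"
        set dstaddr "internal-lan"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set logtraffic all
    next
end

# Step 4 (tunnel mode): a route so return traffic for pool addresses is sent
# into the SSL VPN interface. Releases that install this route automatically
# when a policy references ssl.root do not need it.
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end
```

After applying the configuration, log in from a FortiClient as alice and confirm with get vpn ssl monitor that the session appears with an address from sslvpn-pool, and that traffic to internal-lan is logged against the sslvpn-to-lan policy.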
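The two tighter-security options described above, LDAP password renewal through the portal and the MAC host check, as one added example that is not from the FortiOS handbook or from Fortinet. The server name corp-ldap, address 10.0.0.10, base DN dc=example,dc=com, bind account, CA certificate name corp-root-ca, group sslvpn-users, portal full-access and the MAC addresses are assumptions for illustration.

```fortios
# Added example, not from the FortiOS handbook. Server address, DN, bind
# account, certificate name, portal name and MAC addresses are assumptions.

# LDAP server with expiry warning and in-portal renewal. A password change is
# a write to the directory, so bind over LDAPS with the server certificate
# validated against a known CA rather than over cleartext port 389.
config user ldap
    edit "corp-ldap"
        set server "10.0.0.10"
        set secure ldaps
        set port 636
        set ca-cert "corp-root-ca"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fortigate-bind,ou=service,dc=example,dc=com"
        set password "<bind-password>"
        set password-expiry-warning enable
        set password-renewal enable
    next
end

# The LDAP server joins the same group the SSL VPN policy and portal use.
config user group
    edit "sslvpn-users"
        set member "corp-ldap"
    next
end

# MAC host check on the portal. With mac-addr-action allow, a client is
# admitted only if its reported MAC matches one of the rules. mac-addr-mask is
# the number of leading bits compared: 48 is an exact match, 24 matches every
# address in the vendor prefix (OUI), which is the "subset of the address" case.
config vpn ssl web portal
    edit "full-access"
        set mac-addr-check enable
        set mac-addr-action allow
        config mac-addr-check-rule
            edit "managed-laptops"
                set mac-addr-mask 48
                set mac-addr-list 00:1a:2b:3c:4d:5e 00:1a:2b:3c:4d:60
            next
            edit "corp-docking-oui"
                set mac-addr-mask 24
                set mac-addr-list 00:1a:2b:00:00:00
            next
        end
    next
end
```

Verify the LDAP bind and user lookup before exposing the portal with diagnose test authserver ldap corp-ldap <username> <password>; if the bind fails over LDAPS, check the CA certificate first, since renewal will not work over an unencrypted connection even where plain authentication does. The OUI rule is deliberately broad and exists only to keep unmanaged hardware out; it is not an identity check.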