Chapter 4 Authentication: Introduction to authentication
FortiGate administrator’s view of authentication
Authentication is based on user groups. The FortiGate administrator configures authentication for security policies and VPN tunnels by specifying the user groups whose members can use the resource. Some planning is required to determine how many different user groups need to be created. Individual user accounts can belong to multiple groups, making allocation of user privileges very flexible.
A member of a user group can be:
- a user whose username and password are stored on the FortiGate unit
- a user whose name is stored on the FortiGate unit and whose password is stored on a remote or external authentication server
- a remote or external authentication server with a database that contains the username and password of each person who is permitted access
The general process of setting up authentication is as follows:
1. If remote or external authentication is needed, configure the required servers.
2. Configure local and peer (PKI) user identities. For each local user, you can choose whether the FortiGate unit or a remote authentication server verifies the password. Peer members can be included in user groups for use in security policies.
3. Create user groups.
4. Add local/peer user members to each user group as appropriate. You can also add an authentication server to a user group. In this case, all users in the server’s database can authenticate. You can only configure peer user groups through the CLI.
5. Configure security policies and VPN tunnels that require authenticated access.
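The five steps above as one FortiOS CLI session, added here as an illustration rather than taken from the Fortinet handbook. The server address, shared secret, user and interface names are assumptions, as is the `set groups` attribute on the firewall policy; older FortiOS releases attach groups through identity-based policy sub-entries instead.

```fortios
# Step 1: remote authentication server (address and secret are placeholders)
config user radius
    edit "radius-srv"
        set server "192.0.2.10"
        set secret "REPLACE_WITH_SHARED_SECRET"
    next
end
# Step 2: local users; alice's password is checked by the FortiGate,
# bob's password is forwarded to the RADIUS server for verification
config user local
    edit "alice"
        set type password
        set passwd "REPLACE_WITH_PASSWORD"
    next
    edit "bob"
        set type radius
        set radius-server "radius-srv"
    next
end
# Step 2 (peer/PKI user): matched by certificate issuer and subject
config user peer
    edit "pki-alice"
        set ca "CA_Cert_1"
        set subject "CN=alice"
    next
end
# Steps 3 and 4: a firewall group holding local users plus the whole
# RADIUS server (any account in its database may authenticate), and a
# peer group, which can only be created from the CLI
config user group
    edit "vpn-users"
        set member "alice" "bob" "radius-srv"
    next
end
config user peergrp
    edit "pki-users"
        set member "pki-alice"
    next
end
# Step 5: a policy that only members of vpn-users may use
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "vpn-users"
    next
end
```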
For authentication troubleshooting, see the chapter for the specific topic; for general issues, see “Troubleshooting”.