Setting up user accounts
You can create user accounts in System Settings > Admin and associate profiles with them, so that different users have different operation permissions (for example, read-only or read-write) for the features in FortiWeb Manager.
You can set up LDAP and RADIUS servers to authenticate users with accounts stored on remote servers, rather than with accounts on the FortiWeb Manager itself.
If you want to use ports other than 443 to access FortiWeb Manager's GUI, you can change the port in Admin Settings.
Configuring profiles
Create a user account permission profile so that you can assign permissions to a user account.
To create a profile:
- Go to System Settings > Admin > Profile.
- Click Create.
- Enter a name for the profile.
- Enter comments if any.
- Select operation permission for each feature.
Configuring user accounts
Create user accounts to access FortiWeb Manager's GUI, API and CLI.
To create user accounts:
- Go to System Settings > Admin > Administrators.
- Click Create.
- For the Profile parameter, select a profile you created in System Settings > Admin > Profile to grant permissions to this account. For the Admin Type parameter, select the type of authentication the administrator will use when logging in to the FortiWeb Manager unit. See Configuring authentication server for more information.
Configuring authentication server
FortiWeb Manager supports multiple query types that you can use to authenticate users with accounts stored on remote servers, rather than with accounts on the FortiWeb Manager itself.
LDAP servers
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data representation scheme, a set of defined operations, and a request/response network.
If you have configured LDAP support and an administrator is required to authenticate using an LDAP server, the FortiWeb Manager unit sends the administrator’s credentials to the LDAP server for authentication. If the LDAP server can authenticate the administrator, they are successfully authenticated with the FortiWeb Manager unit. If the LDAP server cannot authenticate the administrator, the FortiWeb Manager unit refuses the connection.
To add an LDAP server:
- Go to System Settings > Admin > Authentication Server.
- Select Create > LDAP Server from the toolbar. The New LDAP Server pane opens.
- Configure the following settings, and then click OK to add the LDAP server.
| Setting | Description |
|---|---|
| Name | Enter a name to identify the LDAP server. |
| Server Name/IP | Enter the IP address or fully qualified domain name of the LDAP server. |
| Port | Enter the port for LDAP traffic. The default port is 389. |
| Common Name Identifier | The common name identifier for the LDAP server. Most LDAP servers use `cn`. However, some servers use other common name identifiers such as `UID`. |
| Distinguished Name | The distinguished name is used to look up entries on the LDAP server. It reflects the hierarchy of LDAP database object classes above the common name identifier. Clicking the query distinguished name icon queries the LDAP server for the name and opens the LDAP Distinguished Name Query window to display the results. |
| Bind Type | Select the type of binding for LDAP authentication: Simple, Anonymous, or Regular. |
| User DN | When the Bind Type is set to Regular, enter the user DN. |
| Password | When the Bind Type is set to Regular, enter the password. |
| Filter | Specify the filter in the format `(objectclass=*)`. |
| Secure Connection | Select to use a secure LDAP server connection for authentication. |
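The following is an added example, not FortiWeb Manager's own code, showing how the LDAP settings in the table above (Common Name Identifier, Distinguished Name, Bind Type, User DN, Password, Filter, Secure Connection) combine into what an LDAP client actually sends: the server URL, the credentials for the first bind, and the search filter. It also shows the check a practitioner cares about here: the administrator's login name is escaped before it is placed in the filter or DN, so a name containing filter syntax stays a literal value. The host, DNs and names are constructed sample values, and the meaning assigned to the three bind types is an assumption stated in `bind_credentials()`, not something the page specifies.

```python
"""Added example, not FortiWeb Manager's own code.

Combines the LDAP server settings into URL, bind credentials and search filter.
Bind-type semantics in bind_credentials() are an assumption; hosts, DNs and
names are constructed sample values.
"""
from dataclasses import dataclass

# RFC 4515: characters that must be escaped inside a search filter value.
# Without this, a login name such as  *)(cn=*  would change the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_ESCAPES = set('",+;<>\\')


def escape_filter_value(value: str) -> str:
    """Make a user-supplied string a literal inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a single attribute value for use in a distinguished name."""
    out = "".join("\\" + ch if ch in _DN_ESCAPES else ch for ch in value)
    if out.startswith((" ", "#")):      # leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" "):               # so must a trailing space
        out = out[:-1] + "\\ "
    return out


@dataclass
class LdapServerSettings:
    """One LDAP server entry, with the defaults the page gives."""
    name: str
    server: str                        # Server Name/IP
    port: int = 389                    # Port (page default)
    cn_identifier: str = "cn"          # Common Name Identifier
    distinguished_name: str = ""       # Distinguished Name (search base)
    bind_type: str = "Simple"          # Bind Type: Simple, Anonymous or Regular
    user_dn: str = ""                  # User DN, Regular bind only
    password: str = ""                 # Password, Regular bind only
    filter: str = "(objectclass=*)"    # Filter
    secure: bool = False               # Secure Connection


def ldap_url(s: LdapServerSettings) -> str:
    """Scheme follows the Secure Connection setting; the port is taken as configured."""
    scheme = "ldaps" if s.secure else "ldap"
    return f"{scheme}://{s.server}:{s.port}"


def build_user_dn(s: LdapServerSettings, username: str) -> str:
    """Administrator DN = <cn identifier>=<login name>,<configured Distinguished Name>."""
    rdn = f"{s.cn_identifier}={escape_dn_value(username)}"
    return f"{rdn},{s.distinguished_name}" if s.distinguished_name else rdn


def build_search_filter(s: LdapServerSettings, username: str) -> str:
    """AND the configured filter with a match on the common name identifier."""
    return f"(&{s.filter}({s.cn_identifier}={escape_filter_value(username)}))"


def bind_credentials(s: LdapServerSettings, username: str, password: str):
    """Return (dn, password) for the first bind the client performs.

    Assumed semantics (not stated on the page): Simple binds directly as the
    administrator's DN; Anonymous searches for the entry without credentials
    first; Regular searches with the configured User DN and Password first.
    In the latter two cases the administrator's own password is checked by a
    second bind as the DN the search returned.
    """
    if s.bind_type == "Simple":
        return build_user_dn(s, username), password
    if s.bind_type == "Anonymous":
        return "", ""
    if s.bind_type == "Regular":
        return s.user_dn, s.password
    raise ValueError(f"unknown bind type {s.bind_type!r}")


if __name__ == "__main__":
    settings = LdapServerSettings(
        name="corp-ldap", server="ldap.example.com", secure=True, port=636,
        distinguished_name="ou=admins,dc=example,dc=com", bind_type="Regular",
        user_dn="cn=fwm-bind,ou=service,dc=example,dc=com", password="bind-secret",
    )
    print(ldap_url(settings))
    print(bind_credentials(settings, "alice", "not-used-for-regular-bind"))
    print(build_search_filter(settings, "alice"))
    # A hostile login name stays a literal value, not filter syntax:
    print(build_search_filter(settings, "*)(cn=*"))
```

The escaping functions are the part worth keeping in mind when reviewing any LDAP integration: the filter is built by string concatenation on the client side, so the only thing standing between a login form and the directory query is whether the login name was escaped.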
RADIUS servers
Remote Authentication Dial-In User Service (RADIUS) is a user authentication and network-usage accounting system. When users connect to a server, they type a user name and password. This information is passed to a RADIUS server, which authenticates the user and authorizes access to the network.
You can create or edit RADIUS server entries in the server list to support authentication of administrators. When an administrator account’s type is set to RADIUS, the FortiWeb Manager unit uses the RADIUS server to verify the administrator password at log on. The password is not stored on the FortiWeb Manager unit.
To add a RADIUS server:
- Go to System Settings > Admin > Authentication Server.
- Select Create > RADIUS Server from the toolbar. The New RADIUS Server pane opens.
- Configure the following settings, and then click OK to add the RADIUS server.
| Setting | Description |
|---|---|
| Name | Enter a name to identify the RADIUS server. |
| Server Name/IP | Enter the IP address or fully qualified domain name of the RADIUS server. |
| Port | Enter the port for RADIUS traffic. The default port is 1812. Some RADIUS servers use port 1645. |
| Server Secret | Enter the RADIUS server secret. |
| Secondary Server Name/IP | Enter the IP address or fully qualified domain name of the secondary RADIUS server. |
| Secondary Server Secret | Enter the secondary RADIUS server secret. |
| Authentication Type | Select the authentication type the RADIUS server requires. If you select the default ANY, FortiWeb Manager tries all authentication types. |
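The following is an added example, not FortiWeb Manager's own code, and not a description of how the product implements RADIUS. It is a minimal RFC 2865 Access-Request / Access-Accept exchange in pure Python that shows what the Server Secret in the table above is used for: the secret never crosses the wire; it hides the administrator's password inside the request (the PAP scheme) and it authenticates the server's reply, so a reply computed with a different secret, or for a different request, is rejected. The secret, addresses, names and password are constructed sample values.

```python
"""Added example, not FortiWeb Manager's own code.

Minimal RADIUS (RFC 2865) Access-Request / Access-Accept round trip showing the
two jobs of the shared secret. All values are constructed sample data.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Walk the attribute list that follows the 20-byte header."""
    attrs, pos = {}, HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; the zero padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ d for c, d in zip(block, digest)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """Client (the manager) side; returns (packet, request_authenticator)."""
    if request_auth is None:
        request_auth = os.urandom(16)  # must be unpredictable and unique per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs, request_auth


def build_access_accept(identifier, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_auth, secret):
    """Client side: accept a reply only if it was computed with our secret and our request authenticator."""
    header, response_auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def demo() -> bool:
    """Full round trip with a constructed secret; True when both sides agree."""
    secret = b"constructed-shared-secret"
    request, request_auth = build_access_request(7, "alice", "s3cret-pa55", secret, "192.0.2.10")
    # The server recovers the password only because it holds the same secret...
    hidden = parse_attrs(request)[ATTR_USER_PASSWORD]
    ok = recover_password(hidden, secret, request_auth) == b"s3cret-pa55"
    # ...and its reply is bound to that secret and to this particular request.
    accept = build_access_accept(7, request_auth, secret)
    return ok and verify_response(accept, request_auth, secret) \
        and not verify_response(accept, request_auth, b"wrong-secret")


if __name__ == "__main__":
    print("round trip ok:", demo())
```

Two points follow directly from the code and are what a reviewer would check in a deployment: the password hiding is MD5-keyed by the shared secret, so a weak or reused Server Secret exposes every administrator password that passes through it, and the Response Authenticator is the only thing that binds a reply to the request, so the request authenticator must be random per request rather than a fixed value.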
Configuring HTTPS ports
The default HTTPS port for accessing FortiWeb Manager's GUI is 443. If you want to use ports other than 443, you can change the port number in System Settings > Admin > Admin Settings.
If you change the port number here, you also need to go to Device Manager, edit each device, and replace the old port number in the Allow Origin field with the new one.
You can also set the Idle Timeout. By default, the GUI disconnects administrative sessions if no activity occurs for 30 minutes. This prevents someone from using the GUI if the management computer is left unattended.