Fortinet black logo

FortiWeb Manager Administration Guide

Home FortiWeb 7.0.0 FortiWeb Manager Administration Guide

Setting up user accounts

7.0.0
7.4.0
7.2.0
7.0.0
6.3.0
6.2.3
Copy Link
Copy Doc ID 2c0f00e6-8fac-11ec-9fd1-fa163e15d75b:774683
Download PDF

Setting up user accounts

You can create user accounts in System Settings > Admin, and associate different profiles to the user accounts, so that different users have different operation permissions (for example, read-only, read-and-write) to the features in FortiWeb Manager.

You can setting up LDAP and RADIUS servers to authenticate users with accounts stored on remote servers, rather than with accounts on the FortiWeb Manager itself.

If you want to use ports other than 443 to access FortiWeb Manager's GUI, you can change the port in Admin Settings.

Configuring profiles

Create a user account permission profile, so that you can assign permissions to an user account.

To create a profile:

  1. Go to System Settings > Admin > Profile.
  2. Click Create.
  3. Enter a name for the profile.
  4. Enter comments if any.
  5. Select operation permission for each feature.

Configuring user accounts

Create user accounts to access FortiWeb Manager's GUI, API and CLI.

To create user accounts:

  1. Go to System Settings > Admin > Administrators.
  2. Click Create.
  3. For the Profile parameter, select a profile you have created in System Settings > Admin > Profile to grant permissions for this account. For the Admin Type parameter, Select the type of authentication the administrator will use when logging into the FortiWeb Manager unit. See Configuring Authentication Server for more information.

Configuring authentication server

FortiWeb Manager supports multiple query types that you can use to authenticate users with accounts stored on remote servers, rather than with accounts on the FortiWeb Manager itself.

LDAP servers

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data representation scheme, a set of defined operations, and a request/response network.

If you have configured LDAP support and an administrator is required to authenticate using an LDAP server, the FortiWeb Manager unit sends the administrator’s credentials to the LDAP server for authentication. If the LDAP server can authenticate the administrator, they are successfully authenticated with the FortiWeb Manager unit. If the LDAP server cannot authenticate the administrator, the FortiWeb Manager unit refuses the connection.

To add an LDAP server:

  1. Go to System Settings > Admin > Authentication Server.
  2. Select Create > LDAP Server from the toolbar. The New LDAP Server pane opens.
  3. Configure the following settings, and then click OK to add the LDAP server.

    Name

    Enter a name to identify the LDAP server.

    Server Name/IP

    Enter the IP address or fully qualified domain name of the LDAP server.

    Port

    Enter the port for LDAP traffic. The default port is 389.

    Common Name Identifier

    The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers such as UID.

    Distinguished Name

    The distinguished name is used to look up entries on the LDAP server.

    The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier. Clicking the query distinguished name icon will query the LDAP server for the name and open the LDAP Distinguished Name Query window to display the results.

    Bind Type

    Select the type of binding for LDAP authentication: Simple, Anonymous, or Regular.

    User DN

    When the Bind Type is set to Regular, enter the user DN.

    Password

    When the Bind Type is set to Regular, enter the password.

    filter

    Specify the filter in the format (objectclass=*)

    Secure Connection

    Select to use a secure LDAP server connection for authentication.

RADIUS servers

Remote Authentication Dial-in User (RADIUS) is a user authentication and network-usage accounting system. When users connect to a server they type a user name and password. This information is passed to a RADIUS server, which authenticates the user and authorizes access to the network.

You can create or edit RADIUS server entries in the server list to support authentication of administrators. When an administrator account’s type is set to RADIUS, the FortiWeb Manager unit uses the RADIUS server to verify the administrator password at log on. The password is not stored on the FortiWeb Manager unit.

To add a RADIUS server:

  1. Go to System Settings > Admin > Authentication Server.
  2. Select Create > RADIUS Server from the toolbar. The New RADIUS Server pane opens.
  3. Configure the following settings, and then click OK to add the RADIUS server.

    4. Name

    Enter a name to identify the RADIUS server.

    Server Name/IP

    Enter the IP address or fully qualified domain name of the RADIUS server.

    Port

    Enter the port for RADIUS traffic. The default port is 1812. Some RADIUS servers use port 1645.

    Server Secret

    Enter the RADIUS server secret.

    Secondary Server Name/IP

    Enter the IP address or fully qualified domain name of the secondary RADIUS server.

    Secondary Server Secret

    Enter the secondary RADIUS server secret.

    Authentication Type

    Select the authentication type the RADIUS server requires. If you select the default ANY, FortiWeb Manager tries all authentication types.

Configuring HTTPS ports

The default HTTPS port for accessing FortiWeb Manager's GUI is 443. If you want to use ports other than 443, you can change the port number in System Settings > Admin > Admin Settings.

note icon If you change the port number here, you need to go to Device Manager, edit each of the devices, replace the old port number in the Allow Origin field with the new one.

You can also set the Idle Timeout. By default, the GUI disconnects administrative sessions if no activity occurs for 30 minutes. This prevents someone from using the GUI if the management computer is left unattended.

Previous
Next

Setting up user accounts

You can create user accounts in System Settings > Admin, and associate different profiles to the user accounts, so that different users have different operation permissions (for example, read-only, read-and-write) to the features in FortiWeb Manager.

You can setting up LDAP and RADIUS servers to authenticate users with accounts stored on remote servers, rather than with accounts on the FortiWeb Manager itself.

If you want to use ports other than 443 to access FortiWeb Manager's GUI, you can change the port in Admin Settings.

Configuring profiles

Create a user account permission profile, so that you can assign permissions to an user account.

To create a profile:

  1. Go to System Settings > Admin > Profile.
  2. Click Create.
  3. Enter a name for the profile.
  4. Enter comments if any.
  5. Select operation permission for each feature.

Configuring user accounts

Create user accounts to access FortiWeb Manager's GUI, API and CLI.

To create user accounts:

  1. Go to System Settings > Admin > Administrators.
  2. Click Create.
  3. For the Profile parameter, select a profile you have created in System Settings > Admin > Profile to grant permissions for this account. For the Admin Type parameter, Select the type of authentication the administrator will use when logging into the FortiWeb Manager unit. See Configuring Authentication Server for more information.

Configuring authentication server

FortiWeb Manager supports multiple query types that you can use to authenticate users with accounts stored on remote servers, rather than with accounts on the FortiWeb Manager itself.

LDAP servers

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data representation scheme, a set of defined operations, and a request/response network.

If you have configured LDAP support and an administrator is required to authenticate using an LDAP server, the FortiWeb Manager unit sends the administrator’s credentials to the LDAP server for authentication. If the LDAP server can authenticate the administrator, they are successfully authenticated with the FortiWeb Manager unit. If the LDAP server cannot authenticate the administrator, the FortiWeb Manager unit refuses the connection.

To add an LDAP server:

  1. Go to System Settings > Admin > Authentication Server.
  2. Select Create > LDAP Server from the toolbar. The New LDAP Server pane opens.
  3. Configure the following settings, and then click OK to add the LDAP server.

    Name

    Enter a name to identify the LDAP server.

    Server Name/IP

    Enter the IP address or fully qualified domain name of the LDAP server.

    Port

    Enter the port for LDAP traffic. The default port is 389.

    Common Name Identifier

    The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers such as UID.

    Distinguished Name

    The distinguished name is used to look up entries on the LDAP server.

    The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier. Clicking the query distinguished name icon will query the LDAP server for the name and open the LDAP Distinguished Name Query window to display the results.

    Bind Type

    Select the type of binding for LDAP authentication: Simple, Anonymous, or Regular.

    User DN

    When the Bind Type is set to Regular, enter the user DN.

    Password

    When the Bind Type is set to Regular, enter the password.

    filter

    Specify the filter in the format (objectclass=*)

    Secure Connection

    Select to use a secure LDAP server connection for authentication.

RADIUS servers

Remote Authentication Dial-in User (RADIUS) is a user authentication and network-usage accounting system. When users connect to a server they type a user name and password. This information is passed to a RADIUS server, which authenticates the user and authorizes access to the network.

You can create or edit RADIUS server entries in the server list to support authentication of administrators. When an administrator account’s type is set to RADIUS, the FortiWeb Manager unit uses the RADIUS server to verify the administrator password at log on. The password is not stored on the FortiWeb Manager unit.

To add a RADIUS server:

  1. Go to System Settings > Admin > Authentication Server.
  2. Select Create > RADIUS Server from the toolbar. The New RADIUS Server pane opens.
  3. Configure the following settings, and then click OK to add the RADIUS server.

    4. Name

    Enter a name to identify the RADIUS server.

    Server Name/IP

    Enter the IP address or fully qualified domain name of the RADIUS server.

    Port

    Enter the port for RADIUS traffic. The default port is 1812. Some RADIUS servers use port 1645.

    Server Secret

    Enter the RADIUS server secret.

    Secondary Server Name/IP

    Enter the IP address or fully qualified domain name of the secondary RADIUS server.

    Secondary Server Secret

    Enter the secondary RADIUS server secret.

    Authentication Type

    Select the authentication type the RADIUS server requires. If you select the default ANY, FortiWeb Manager tries all authentication types.

Configuring HTTPS ports

The default HTTPS port for accessing FortiWeb Manager's GUI is 443. If you want to use ports other than 443, you can change the port number in System Settings > Admin > Admin Settings.

note icon If you change the port number here, you need to go to Device Manager, edit each of the devices, replace the old port number in the Allow Origin field with the new one.

You can also set the Idle Timeout. By default, the GUI disconnects administrative sessions if no activity occurs for 30 minutes. This prevents someone from using the GUI if the management computer is left unattended.

Previous
Next