Fortiauthenticator Admin 12
8/16/2019 http://slidepdf.com/reader/full/fortiauthenticator-admin-12

Administration Guide

FortiAuthenticator 1.2


FortiAuthenticator Administration Guide

11 January 2012

23-120-144822-20120111

© Copyright 2012 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. Reproduction or transmission of this publication is encouraged.

Trademarks

The names of actual companies and products mentioned herein may be the trademarksof their respective owners.

Visit these links for more information and documentation for your Fortinet products:

Fortinet Knowledge Base - http://kb.fortinet.com

Technical Documentation - http://docs.fortinet.com

Training Services - http://campus.training.fortinet.com

Technical Support - http://support.fortinet.com

You can report errors or omissions in this or any Fortinet technical document at [email protected].


Contents

FortiAuthenticator Administration Guide 23-120-144822-20120111 3
http://docs.fortinet.com/

Introduction 7
  Before you begin 7
  How this guide is organized 7
  Registering your Fortinet product 7

Setup and System 9
  Initial setup 10
    FortiAuthenticator VM setup 10
      System requirements 10
      FortiAuthenticator-VM image installation and initial setup 10
    Administrative access - VM and hardware 10
      Web-based manager access 11
      Telnet 11
      SSH 11
  Adding a FortiAuthenticator unit to your network 11
  System maintenance 12
    Upgrading the firmware 12
    Backing up the configuration 13
    Logging 13
      Search button 13
      Log entry order 14
      Log Type Reference 14
      Exporting the log 14
    CLI commands 14
  High Availability (HA) Operation 15
    Administrative access to the HA cluster 16
  Configuring email relay servers 16
  Troubleshooting 17
    FortiAuthenticator settings 17
    FortiGate settings 18

Authentication users and servers 19
  What to configure 19
    One-factor or two-factor authentication 20
    Authentication type 20
      RADIUS 20
      Built-in LDAP 20
      Remote LDAP 21
  Adding Users 21
    Administrators 21
    User self-registration 21
    Adding a user account 22
      Configuring two-factor authentication for a user 22
      Configuring the user's password recovery options 23
      Setting a password policy 24
    User groups 24
  Adding FortiToken devices 24
    FortiAuthenticator and FortiTokens 24
    Monitoring FortiToken devices 25
    FortiToken device maintenance 25
  Adding FortiGate units as NAS 25
  Configuring built-in LDAP 27
    LDAP directory tree overview 27
    Creating the LDAP directory tree 28
      Editing the root node 28
      Adding nodes to the LDAP hierarchy 29
      Adding user accounts to the LDAP tree 29
      Moving LDAP branches in the directory tree 30
      Removing entries from the directory tree 30
    Configuring a FortiGate unit for FortiAuthenticator LDAP 30
  Configuring Remote LDAP 31
    Adding a remote LDAP server 31
    Adding Remote LDAP users 32
  Monitoring users 33
    Dashboard 33
    Users monitor 33

Fortinet Single Sign On (FSSO) 35
  Communicating with FortiGate units 35
  Communicating with Domain Controllers 37
  Monitoring FSSO units 37
    Monitoring SSO users 37
    Monitoring domain controllers 37
    Monitoring FortiGate units 38

Certificate Management 39
  Certificate Authorities (CA) 39
  Certificates 39
  Certificate Revocation List (CRL) 41
    Locally created CRL 42
    Configuring Online Certificate Status Protocol 42
  Users 43

Index 45


Introduction

Welcome and thank you for selecting Fortinet products for your network protection.

This chapter contains the following topics:

• Before you begin

• How this guide is organized

Before you begin

Before you begin using this guide, please ensure that:

• You have administrative access to the web-based manager and/or CLI.

• The FortiAuthenticator unit is integrated into your network.

• The operation mode has been configured.

• The system time, DNS settings, administrator password, and network interfaces have been configured.

• Any third-party software or servers have been configured using their documentation.

While using the instructions in this guide, note that administrators are assumed to be super_admin administrators unless otherwise specified. Some restrictions will apply to other administrators.

How this guide is organized

This FortiAuthenticator Handbook chapter contains the following sections:

Setup and System describes initial setup for standalone and HA cluster FortiAuthenticator configurations.

Authentication users and servers describes how to configure built-in and remote authentication servers and manage user groups.

Fortinet Single Sign On (FSSO) describes how to use the FortiAuthenticator unit in a single sign on (SSO) environment.

Certificate Management describes how to manage X.509 certificates and how to set up the FortiAuthenticator unit to act as a Certificate Authority.

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.


Setup and System

A FortiAuthenticator unit is an authentication server that includes a RADIUS server and an LDAP server. Authentication servers are an important part of an enterprise network, providing access to protected network assets and tracking users' activities to comply with security policies.

A FortiAuthenticator unit is not a firewall; it requires a FortiGate unit to provide firewall-related services. Multiple FortiGate units can use a single FortiAuthenticator unit for Fortinet Single Sign On (FSSO) and other types of remote authentication, two-factor authentication, and FortiToken device management. This centralizes authentication and FortiToken maintenance.

FortiAuthenticator provides an easy-to-configure remote authentication option for FortiGate users. Additionally, it can replace the FSSO Agent on a Windows AD network.

FortiAuthenticator is a server and should be isolated on a network interface separate from other hosts, so that the FortiGate unit can apply server-specific firewall policies to it. Failure to protect the FortiAuthenticator may result in a compromised authentication database, which in turn compromises every FortiGate unit that trusts it.

Figure 1: FortiAuthenticator on a multiple FortiGate unit network

The following topics are included in this section:

• Initial setup

• Adding a FortiAuthenticator unit to your network

• System maintenance

• Troubleshooting

[Figure 1 labels: FortiGate unit, FortiAuthenticator, Client Network, Client Network, FortiGate unit]


Initial setup

For information about installing the FortiAuthenticator unit and accessing the CLI or web-based manager, refer to the Quick Start Guide provided with your unit. The following section provides information about setting up the Virtual Machine (VM) version of the product.

FortiAuthenticator VM setup

Before using FortiAuthenticator-VM, you need to install the VMware application to host the FortiAuthenticator-VM device. The installation instructions for FortiAuthenticator-VM assume you are familiar with VMware products and terminology.

System requirements

The minimum system requirements for a computer running the FortiAuthenticator VM image include:

• Installed latest version of VMware Player, Fusion, or Workstation

• 512 MB of RAM minimum

• one virtual NIC minimum, to a maximum of four virtual NICs

• minimum of 3 GB free space

FortiAuthenticator-VM image installation and initial setup

The following procedure describes setup on VMware Fusion.

To set up the FortiAuthenticator VM image

1 Download the VM image ZIP file to the local computer where VMware is installed.

2 Extract the files from the zip file into a folder.

3 In VMware Fusion, go to File > Open.

4 Navigate to the expanded VM image folder, select the FortiAuthenticator-VM.vmx file and select Open.

VMware will install and start FortiAuthenticator-VM. This process can take a minute or two to complete.

5 At the FortiAuthenticator login prompt, enter admin and press Enter.

6 At the password prompt, press Enter.

By default, there is no password. Set an administrator password from the web-based manager as soon as you can reach it, and before the unit is reachable from any client network.

7 At the CLI prompt, enter the following commands:

   set port1-ip 192.168.1.99/24
   set default-gw 192.168.1.2

Substitute your own desired FortiAuthenticator IP address and default gateway.

You can now connect to the web-based manager at the address you set for port1-ip.

Administrative access - VM and hardware

Administrative access is enabled by default on port1. Using the web-based manager, you can enable administrative access on other ports if necessary.

Adding administrative access to an interface

1 Go to System > Network > Interfaces. Select the desired interface to edit.


2 In Admin access, select the types of access to allow.

3 Select OK.

Web-based manager access

To use the web-based manager, point your browser to the port1 IP address, default 192.168.1.99. For example, http://192.168.1.99

Enter admin as the User Name and leave the Password field blank.

For secure access, enter https instead of http in the URL. Plain http sends the administrator credentials in clear text; once you have set an administrator password, use https only and remove HTTP from the interface's Admin access types.

Telnet

CLI access is available using telnet to the port1 interface IP address, default 192.168.1.99. Use the telnet -K option so that telnet does not attempt to log on using your user ID. For example:

   $ telnet -K 192.168.1.99

At the FortiAuthenticator login prompt, enter admin. When prompted for a password, just press Enter. By default there is no password. When you are finished, use the exit command to end the telnet session. Telnet, like http, carries the whole session in clear text; prefer SSH, and disable Telnet in Admin access once SSH is working.

SSH

SSH provides secure access to the CLI. Connect to the port1 interface IP address, default 192.168.1.99. Specify the user name admin, or SSH will attempt to log on with your local user name. For example:

   $ ssh admin@192.168.1.99

At the password prompt, just press Enter. By default there is no password. When you are finished, use the exit command to end the session.

Adding a FortiAuthenticator unit to your network

Before the initial setup of FortiAuthenticator, there are some requirements for your network. You must have:

• security policies that allow traffic between the client network and the subnet of the FortiAuthenticator,

• the following ports open in the security policies between the FortiAuthenticator and the NAS devices that will be authenticating: port 8000 (FSSO), ports 389 and 636 (LDAP), and 1812 (RADIUS), in addition to management protocols such as HTTP, HTTPS, telnet, SSH, Ping, and other protocols you may choose to allow. Allow the management protocols only from the network your administrators use, not from the client networks.

To initially set up FortiAuthenticator on your network

1 Log on to the web-based manager. Use admin for the username. There is no password.

2 Go to System > Network > DNS. Enter your primary and secondary name servers.

3 Go to System > Dashboard > Status.

4 In System Information, select Change in the System Time field.

5 Select your time zone from the list.


6 Either enable NTP or set the date/time manually.

Enter a new time and date by either typing it manually, selecting Today or Now, or selecting the calendar or clock icons for a more visual method of setting the date and time.

7 Select OK.

8 If the FortiAuthenticator is connected to additional subnets, configure additional FortiAuthenticator interfaces as required.

• Go to System > Network > Interfaces to set the IP address and subnet mask for each interface.

• Go to System > Network > Default Gateway to set the gateway for each interface as required.

System maintenance

System maintenance tasks are limited to changing the firmware, and backing up or restoring the configuration file.

This section includes:

• Upgrading the firmware

• Backing up the configuration

• Logging

• CLI commands

Upgrading the firmware

Periodically, Fortinet issues firmware upgrades that fix known issues, add new features and functionality, and generally improve your FortiAuthenticator experience.

To upgrade the firmware, you must first register your FortiAuthenticator with Fortinet. See "Registering your Fortinet product" on page 7.

To upgrade FortiAuthenticator firmware

1 Download the latest firmware to your local computer from the Fortinet Technical Support web site, https://support.fortinet.com.

2 On FortiAuthenticator, go to System > Maintenance > Firmware.

3 Select Browse, and locate the new firmware image on your local computer.

4 Select OK.

When you select OK, the new firmware image is uploaded from your local computer to the FortiAuthenticator, which then reboots. During this reboot the FortiAuthenticator is offline and unavailable for authentication for a short time, so schedule upgrades for a maintenance window and back up the configuration first (see "Backing up the configuration" on page 13).

If you will be using FortiToken devices, Fortinet strongly recommends using NTP: FortiToken authentication codes require an accurate system clock.
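The following is an added example, not code from this guide or from Fortinet, showing why the NTP recommendation matters. It assumes a time-based OATH token with the standard RFC 6238 parameters (HMAC-SHA1, 30-second step, 6 digits); the guide does not describe the FortiToken algorithm, so treat that as an assumption. The key is the RFC 6238 test-vector key, not a real token seed, and clock_error_demo shows that a code from an accurate token is rejected as soon as the server's clock is more than one step out, even though nothing is wrong with the user or the token.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the Unix epoch,
    so token and server only agree while their clocks are in the same step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, server_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. `window` is how many steps either side of the server's own
    time are accepted; it bounds the clock error the server tolerates."""
    base = int(server_time) // step
    return any(
        hmac.compare_digest(hotp(secret, base + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def clock_error_demo(secret: bytes, token_time: int, server_errors, window: int = 1) -> dict:
    """Map each server clock error (seconds) to whether a code produced by an accurate
    token at token_time is accepted by a server whose clock is off by that much."""
    code = totp(secret, token_time)
    return {err: verify_totp(secret, code, token_time + err, window=window)
            for err in server_errors}


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test-vector key (assumption: not a FortiToken seed)
    print(clock_error_demo(key, 1111111111, [0, 25, 45, 90, 600]))
```

A server that is 90 seconds off rejects every code, and widening `window` to paper over that also widens the interval in which a stolen code stays valid; keeping the clock right with NTP is the better trade.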


Backing up the configuration

You can back up the configuration of the FortiAuthenticator to your local computer. The backup file is encrypted. This configuration file backup includes both the CLI and web-based manager configuration of the FortiAuthenticator. The backed up information includes users, user groups, FortiToken device list, NAS device list, LDAP directory tree, FSSO settings, remote LDAP, and certificates. Because it contains the user database, the NAS entries with their shared secrets, and certificates, store the backup file with the same care as the unit itself.

To back up your configuration

1 Go to System > Maintenance > Config.

2 Under Backup, select the Click here link and save the file on your computer.

To restore your configuration

1 Go to System > Maintenance > Config.

2 Browse to the location of the backup file on your computer, and select Restore.

You will be prompted to confirm the restore action.

3 Select OK.

The FortiAuthenticator unit will reboot.

When you restore the configuration from a backup file, any information changed since the backup will be lost. Any active sessions will be ended and must be restarted. You will have to log back in when the system reboots.

Logging

Accounting is an important part of FortiAuthenticator, as with any authentication server. Logging provides a record of the events that have taken place on the FortiAuthenticator.

To access logs, go to Logging > Log Access > Logs. The Logs page has controls to help you search your logs for the information you need. This includes:

• Search button

• Log entry order

• Log Type Reference

Search button

You can enter a string to search for in the log entries. The string must appear in the Message portion of the log entry to result in a match for the search. To prevent each term in a phrase from being matched separately, enclose multiple keywords in quotes; the quoted phrase must then match exactly.

After the search is complete, the number of positive matches is displayed next to the Search button, with the total number of log entries in brackets following. Select the total number of log entries to return to the full list. Subsequent searches search all log entries and not just the previous search's matches.


Log entry order

You can change the order used to display the log entries. To sort the log entries by a particular column, such as Timestamp, select the title for that column. The log entries will now be displayed based on the data in that column in ascending order. Ascending or descending order is indicated by an arrow next to the column title: an up arrow for ascending, and a down arrow for descending.

Log Type Reference

There are Admin Configuration, Authentication, System, and User Portal events. Each of these has multiple log message types for each major event. To see the various types of log messages, go to Logging > Log Access > Logs and select Log Type Reference.

On this page, you can search for the exact text of a specific log message. The search will return any matches in any column.

Exporting the log

You can select Download Raw Log to export the FortiAuthenticator log as a text file named fac.log.
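The following is an added example, not part of this guide, of the kind of check a practitioner runs over an exported fac.log rather than through the search box. The line layout in SAMPLE_LOG is constructed for the example (the guide does not document the raw log format), so LINE_RE is an assumption to adapt to the export you actually have. It mirrors the Logs page search (matching on the Message portion only) and then separates the two causes of repeated "bad password" entries that the Troubleshooting section on page 17 tells you to tell apart: one account being guessed or mistyped, and a NAS whose pre-shared secret does not match the FortiAuthenticator.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of exported log lines. The layout (timestamp, log type,
# key=value fields, quoted message) is an assumption for this example and is
# NOT the real fac.log format; adjust LINE_RE to the export you actually have.
SAMPLE_LOG = """\
2012-01-11 09:00:01 Authentication user=alice nas=10.0.0.1 msg="Login successful"
2012-01-11 09:01:10 Authentication user=bob nas=10.0.0.1 msg="bad password"
2012-01-11 09:01:14 Authentication user=bob nas=10.0.0.1 msg="bad password"
2012-01-11 09:01:19 Authentication user=bob nas=10.0.0.1 msg="bad password"
2012-01-11 09:01:25 Authentication user=bob nas=10.0.0.1 msg="bad password"
2012-01-11 09:02:00 Admin Configuration user=admin nas=- msg="NAS 10.0.0.2 added"
2012-01-11 09:05:30 Authentication user=carol nas=10.0.0.2 msg="bad password"
2012-01-11 09:05:41 Authentication user=dave nas=10.0.0.2 msg="bad password"
2012-01-11 09:06:02 Authentication user=erin nas=10.0.0.2 msg="bad password"
2012-01-11 09:07:15 Authentication user=alice nas=10.0.0.1 msg="Login successful"
2012-01-11 09:08:00 System user=- nas=- msg="NTP time synchronised"
"""

# The four log types are the ones the Log Type Reference lists.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
    r'(?P<type>Admin Configuration|Authentication|System|User Portal) '
    r'user=(?P<user>\S+) nas=(?P<nas>\S+) msg="(?P<msg>[^"]*)"$'
)


def parse_log(text: str) -> list:
    """Parse exported lines into dicts; lines that do not match are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def search_message(entries: list, phrase: str) -> list:
    """Mirror the Logs page search: match the phrase only against the Message field."""
    return [e for e in entries if phrase in e["msg"]]


def triage_bad_passwords(entries: list, per_user_threshold: int = 3) -> dict:
    """Separate the two causes of repeated "bad password" named in Troubleshooting.

    - many failures for one user: a guessed or mistyped password (reset it, or look
      for brute force if the source is not the user's usual NAS)
    - every attempt from one NAS failing, across several users, with no success at
      all from that NAS: suspect the RADIUS pre-shared secret on that NAS
    """
    per_user = Counter()
    per_nas_failed_users = defaultdict(set)
    nas_with_success = set()
    for e in entries:
        if e["type"] != "Authentication":
            continue
        if e["msg"] == "bad password":
            per_user[e["user"]] += 1
            per_nas_failed_users[e["nas"]].add(e["user"])
        elif e["msg"] == "Login successful":
            nas_with_success.add(e["nas"])
    brute_force = {u: n for u, n in per_user.items() if n >= per_user_threshold}
    suspect_secret = sorted(
        nas for nas, users in per_nas_failed_users.items()
        if len(users) >= 2 and nas not in nas_with_success
    )
    return {"brute_force_users": brute_force, "suspect_secret_nas": suspect_secret}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(len(search_message(entries, "bad password")), "entries mention 'bad password'")
    print(triage_bad_passwords(entries))
```

On the constructed sample the script points at bob (four failures from a NAS that otherwise works) and at NAS 10.0.0.2 (three different users, all failing, none succeeding), which is exactly the case where resetting passwords will not help and the pre-shared secret should be compared on both sides.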

CLI commands

The FortiAuthenticator has CLI commands that are accessed using the console, SSH, or Telnet. Their purpose is to initially configure the unit, perform a factory reset, or reset the values if the web-based manager is not accessible for some reason.

help  Display a list of valid CLI commands. You can also enter ? for help.

set port1-ip <addr_ipv4mask>  Enter the IPv4 address and netmask for the port1 interface. The netmask is expected in /xx format, for example 192.168.0.1/24. Once this port is configured, you can use the web-based manager to configure the remaining ports.

set default-gw <addr_ipv4>  Enter the IPv4 address of the default gateway for this interface. This is the default route for this interface.

set date <YYYY-MM-DD>  Enter the current date. The valid format is a four-digit year, two-digit month, and two-digit day. For example, set date 2011-08-12 sets the date to August 12th, 2011.

set time <HH:MM:SS>  Enter the current time. The valid format is two digits each for hours, minutes, and seconds, on a 24-hour clock. For example, 15:10:00 is 3:10 pm.

set tz <timezone_index>  Enter the current time zone using the time zone index. To see a list of index numbers and their corresponding time zones, enter set tz ?.

unset <setting>  Restore the default value. For each set command listed above, there is an unset command, for example unset port1-ip.

show  Display the current settings of port1 IP, netmask, default gateway, and time zone.

exit  Terminate the CLI session.

reboot  Perform a hard restart of the FortiAuthenticator unit. All sessions will be terminated. The unit will go offline and there will be a delay while it restarts.

factory-reset  Reset the FortiAuthenticator settings to factory default settings. This includes clearing the user database. This command deletes all changes that you have made to the FortiAuthenticator configuration and reverts the system to its original configuration, including resetting interface addresses.

shutdown  Turn off the FortiAuthenticator.

status  Display basic system status information including firmware version, build number, serial number of the unit, and system time.

High Availability (HA) Operation

Two FortiAuthenticator units can operate as a cluster to provide even higher reliability. One unit is active and the other is on standby. If the active unit fails, the standby unit becomes active. The cluster is configured as a single authentication server on your FortiGate units.

Authentication requests made during a failover from one unit to another are lost, but subsequent requests complete normally. The failover process takes about 30 seconds.

To configure FortiAuthenticator HA

1 On each unit, go to System > Maintenance > High Availability and enter:

Enable HA  Enable.

Interface  Select a network interface to use for communication between the two cluster members. This interface must not already have an IP address assigned and it cannot be used for authentication services.

Cluster member IP address  Enter the IP address this unit uses for HA-related communication with the other FortiAuthenticator unit. The two units must have different addresses. Usually, you should assign addresses on the same private subnet.

Admin access  Select the types of administrative access to allow.

Priority  Set to Low on one unit and High on the other. Normally, the unit with High priority is the master unit.

Password  Enter a string to be used as a shared key for IPsec encryption of the HA link. This must be the same on both units. Use a long random string: this key protects the configuration, including the user database, that is replicated between the units.


2 When one unit has become the master, connect to the web-based manager again and complete your configuration. You are configuring the master unit. The configuration will automatically be copied to the slave unit.

Refer to the other chapters of this manual for more information. Configuring the cluster is the same as configuring a single FortiAuthenticator unit.

Administrative access to the HA cluster

Administrative access is available through any of the network interfaces using their assigned IP addresses, or through the HA interface using the Cluster member IP address assigned on the System > Maintenance > High Availability page. In all cases, administrative access is available only if it is enabled on the interface.

Administrative access through any of the network interface IP addresses connects only to the master unit. The only administrative access to the slave unit is through the HA interface using the slave unit's Cluster member IP address.

Configuration changes made on the master unit are automatically pushed to the slave unit. The slave unit does not permit configuration changes, but you might want to access the unit to change HA settings or for firmware upgrade, shutdown, reboot, or troubleshooting.

Configuring email relay servers

The FortiAuthenticator unit sends email for several purposes, such as password reset requests, new user approvals, user self-registration, and two-factor authentication. By default, the FortiAuthenticator unit uses its built-in SMTP server. For situations where direct SMTP access is not possible, the unit can be configured to use an external mail relay.

To add an external SMTP server

1 Go to System > E-mails > SMTP Servers and select Create New.

2 Enter the following:

Name  Enter a name to identify this mail server on the FortiAuthenticator unit.

Server Name/IP  Enter the IP address or FQDN of the mail server.

Sender e-mail address  Enter the email address to put in the From field on email messages from the FortiAuthenticator unit.

Secure connection  For a secure connection to the mail server, select STARTTLS and select the CA certificate that validates the server's certificate. Without that CA certificate the TLS session does not authenticate the relay, and the password-reset and two-factor messages could be intercepted on the way. For information about importing the CA certificate, see "To import a CA certificate" on page 41.

Enable authentication  Select if the email server requires you to authenticate when sending email. Enter the Account username and Password.


3 Optionally, select Test Connection to send a test email message. Specify a recipient and select Send. Confirm that the recipient received the message.

The recipient’s email system might treat the test email message as spam.

4 Select OK.

To set the default email server

1 Go to System > E-mails > SMTP Servers.

2 Select the check box of the server that you want to make the default.

3 Select Set as Default.

Troubleshooting

Troubleshooting includes useful tips and commands to help deal with issues that may occur. For additional help, always contact customer support.

If you have issues when attempting authentication on FortiGate using the FortiAuthenticator, there are some FortiAuthenticator settings and FortiGate settings to check.

In addition to these settings you can use log entries, monitors, and debugging information to learn more about your authentication problems. For help with FortiAuthenticator logging, see “Logging” on page 13. For help with FortiGate troubleshooting, see the FortiOS Handbook Troubleshooting and User Authentication guides.

FortiAuthenticator settings

When checking FortiAuthenticator settings, you should ensure that

• there is a NAS entry for the FortiGate unit. See “Adding FortiGate units as NAS” on page 25,

• the user trying to authenticate has a valid active account that is not disabled, and that the username and password are spelled as expected,

• the user account allows RADIUS authentication if RADIUS is enabled on the FortiGate unit,

• the FortiGate unit can communicate with the FortiAuthenticator unit,

• the user account exists
  • as a local user on the FortiAuthenticator (if using RADIUS authentication),
  • in the local LDAP directory (if using local LDAP authentication),
  • in the remote LDAP directory (if using RADIUS authentication with remote LDAP password validation),

• the user is a member of the expected user groups and these user groups are allowed to communicate on the NAS (the FortiGate unit, for example).

If authentication fails with the log error “bad password”, try resetting the password. If this fails, verify that the pre-shared secret is identical on both the FortiAuthenticator unit and the NAS.
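The “bad password” error in the last item above can be caused by a shared-secret mismatch because of how RADIUS carries the password on the wire. The following Python, added here as an illustration and not part of this guide or of FortiAuthenticator, implements the User-Password hiding from RFC 2865 section 5.2 and shows that a server holding a different secret from the NAS recovers bytes that never equal the password the user typed, so the server can only report a bad password. The secrets and the password are constructed for the example.

```python
"""Why a mismatched RADIUS shared secret shows up as a 'bad password'.

RFC 2865 section 5.2 hides the User-Password attribute with an MD5-based
stream: the NAS XORs each 16-byte chunk of the NUL-padded password with
MD5(secret + Request-Authenticator) for the first chunk and
MD5(secret + previous ciphertext chunk) for every later chunk. The server
reverses this with its own copy of the secret. If the two secrets differ,
the server recovers random-looking bytes rather than the typed password.
"""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Encode a User-Password attribute value as a NAS (e.g. a FortiGate) would."""
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a multiple of 16
    out = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = _xor(padded[i:i + 16], keystream)
        out += chunk
        prev = chunk  # next keystream block is chained on the ciphertext
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Decode a User-Password attribute as the RADIUS server does.
    Passwords that themselves end in NUL bytes are not supported here."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += _xor(chunk, keystream)
        prev = chunk
    return out.rstrip(b"\x00")


def server_check(hidden: bytes, secret: bytes, request_authenticator: bytes,
                 expected_password: bytes) -> str:
    """The verdict a server would log after decoding: 'ok' or 'bad password'."""
    candidate = reveal_user_password(hidden, secret, request_authenticator)
    return "ok" if candidate == expected_password else "bad password"


def demo() -> tuple:
    """Constructed values: one NAS with the right secret, one with a typo in it."""
    secret_on_server = b"correct-horse-battery"       # constructed
    request_authenticator = os.urandom(16)             # fresh random per Access-Request
    typed = b"Winter2012!"                             # constructed user password
    good = hide_user_password(typed, secret_on_server, request_authenticator)
    bad = hide_user_password(typed, b"correct-horse-batery", request_authenticator)
    return (server_check(good, secret_on_server, request_authenticator, typed),
            server_check(bad, secret_on_server, request_authenticator, typed))
```

Note that the user's credentials are correct in both runs of demo(); only the NAS side's copy of the secret differs, which is why the guide's advice to compare the pre-shared secret on both ends follows a failed password reset.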


FortiGate settings

When checking FortiGate authentication settings, you should ensure that

• the user has membership in the required user groups, and identity-based securitypolicies,

• there is a valid entry for the FortiAuthenticator as a remote RADIUS or LDAP server,

• the user is configured explicitly or as a wildcard user.


Authentication users and servers

FortiAuthenticator provides an easy-to-configure authentication server for your users. Multiple FortiGate units can use a single FortiAuthenticator unit for remote authentication and FortiToken device management.

Figure 2: FortiAuthenticator on a multiple FortiGate unit network

The following topics are included in this section:

• What to configure

• Adding Users

• Adding FortiToken devices

• Adding FortiGate units as NAS

• Configuring built-in LDAP

• Configuring Remote LDAP

• Monitoring users

What to configure

You need to decide which elements of FortiAuthenticator configuration you need.

• Determine whether you want two-factor authentication and what form that will take.

• Determine the type of authentication you will use: RADIUS, built-in LDAP, or Remote LDAP. You will need to use at least one of these types.

• Determine which FortiGate units will use the FortiAuthenticator unit. The FortiAuthenticator unit must be configured on each FortiGate unit as an authentication server, either RADIUS or LDAP. For RADIUS authentication, each FortiGate unit must be configured on the FortiAuthenticator unit as a NAS.

(Figure 2 labels: FortiGate unit, FortiAuthenticator, Client Network)


One-factor or two-factor authentication

The standard logon requires the user to know the password. This is one-factor authentication. Two-factor authentication adds the requirement for another piece of information for logon. Generally the two factors are something you know (password) and something you have (certificate, token). This increases the difficulty for an unauthorized person to impersonate a legitimate user.

The FortiAuthenticator unit has multiple ways of providing the second factor (something you have) to the user. Digital certificates are covered in a later chapter. The other methods rely on a six-digit PIN which changes regularly and is known only to the FortiAuthenticator unit and the user. This PIN can be delivered to the user in multiple ways:

• a FortiToken device registered with the FortiAuthenticator and the user’s account

• an email account specified in the user account

• a cell phone number with SMS service specified in the user account

Two-factor authentication does not work with FortiOS explicit proxies.

Authentication type

The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the use of external LDAP, which can include Windows AD servers.

The built-in servers are best used where there is no existing authentication infrastructure. You build a user account database on the FortiAuthenticator unit. The database can include additional user information such as street address and phone numbers that cannot be stored in a FortiGate unit’s user authentication database. You can use either the LDAP or the RADIUS protocol.

The external server options are intended to integrate FortiGate authentication into networks that already have an authentication infrastructure. The Fortinet Single Sign-On (FSSO) option works on Microsoft Windows networks, enabling users already authenticated by a Windows AD server to access network resources. The Remote LDAP option adds your FortiGate units to an existing LDAP structure. Optionally, you can add two-factor authentication to Remote LDAP.

RADIUS

If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must be registered as NAS in Authentication > NAS. See “Adding FortiGate units as NAS” on page 25. On each FortiGate unit that will use the RADIUS protocol, the FortiAuthenticator unit must be configured as a RADIUS server in User > Remote > RADIUS.

Built-in LDAP

If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users from the user database to the appropriate nodes in the LDAP hierarchy. See “Creating the LDAP directory tree” on page 28. On each FortiGate unit that will use the LDAP protocol, the FortiAuthenticator unit must be configured as an LDAP server in User > Remote > LDAP.


Remote LDAP

Remote LDAP must be enabled in each user account. FortiGate units must be registered as NAS in Authentication > NAS. See “Adding FortiGate units as NAS” on page 25. FortiGate units must communicate with the FortiAuthenticator unit using the RADIUS protocol, with the FortiAuthenticator unit entered as a RADIUS server in User > Remote > RADIUS.

User accounts that use two-factor authentication must be imported into the FortiAuthenticator database. You can do this in the server configuration in Authentication > Users > Remote.

Adding Users

FortiAuthenticator’s user database is similar to the local users database on FortiGate units, but it has the added benefit of being able to associate additional information with each user, as you would expect of RADIUS and LDAP servers. This information includes: whether the user is an administrator, uses RADIUS authentication, uses two-factor authentication, and personal information such as full name, address, password recovery options, and of course which groups the user belongs to.

The RADIUS server on FortiAuthenticator is configured using default settings. For a userto authenticate using RADIUS, the option Allow RADIUS Authentication must be selectedfor that user’s entry, and the authenticating client must be added to the NAS list. See“Adding FortiGate units as NAS” on page 25 .

Administrators

Administrator accounts on FortiAuthenticator are standard user accounts that are flagged as administrators.

Once flagged as an administrator, a user account’s administrator privileges can be set toeither full access or customized to select their administrator rights for different parts ofFortiAuthenticator. There are log events for administrator configuration activities.

Administrators can also be configured to authenticate to the local system using two-factor authentication.

User self-registration

Optionally, you can enable users to request registration through the FortiAuthenticator web page. The administrator will receive the request as an email message.

To enable self-registration

1 Go to Authentication > General > Settings.

2 Under User Self-registration , select Enable and enter the Admin’s e-mail address .

3 Select OK .

How the user requests registration

1 Browse to the IP address of the FortiAuthenticator unit.

Security policies must be in place on the FortiGate unit to allow these sessions to beestablished.

2 Select Register .

The User Registration page opens.

3 Fill in the required fields. Optionally, fill in the Additional Information fields. Select OK .


To approve a self-registration request

1 Select the link in the “Approval Required for ...” email message.

The New User Approval page opens in the web browser.

2 Review the information and select either Approve or Deny , as appropriate.

If the request is approved, the FortiAuthenticator unit sends the user an email message stating that the account has been activated.

Adding a user account

When creating a user account, there are two ways to handle the password:

• The administrator assigns a password immediately and communicates it to the user.

• The FortiAuthenticator unit creates a random password and emails it to the user.

1 Go to Authentication > Users > Local and select Create New.

2 Enter the Username.

3 Do one of the following:

• In Password creation, select Specify a password. Enter the Password and then enter it again in Password confirmation. Select OK.

or

• In Password creation, select Set and e-mail a random password. Enter the E-mail address for this user and then enter it again in Confirm email address. Select OK. The email address supplied in this step is not retained in the database.

4 Edit the new user account to select authentication options or to enter more detailed information about the user.

Configuring two-factor authentication for a user

Edit the user’s account entry to configure two-factor authentication. If the authentication code will be provided through email or SMS, add the email address or mobile information to the User Information section first. If a FortiToken device will be used, enter the FortiToken device in Authentication > FortiTokens first.

To configure an account for two-factor authentication

1 Go to Authentication > Users > Local .

2 Select and edit the chosen user.

3 Select Two-factor authentication .

4 Do one of the following:

• Select FortiToken and then select the FortiToken device serial number from the list.

• Select Email and enter the user’s email address.

• Select SMS and enter the user’s mobile information.

5 Select OK .

By default, two-factor authentication must be completed within 60 seconds after the authentication code is sent by email or SMS. To change this timeout, go to Authentication > General > Settings and modify Email/SMS Token Timeout.


Configuring the user’s password recovery options

To replace a lost or forgotten password, the FortiAuthenticator unit can send the user a password recovery link by email or in the browser in response to a pre-arranged security question. The user then sets a new password.

To configure password recovery by security question

1 Go to Authentication > Users > Local .

2 Select and edit the chosen user.

3 Expand Password Recovery options.

4 Select Security Question , and select Edit .

5 Choose one of the questions in the list. If you choose to write your own question, acustom question field will be displayed where you can enter your question.

6 Enter the answer for your question.

7 Select OK .

To configure password recovery by email

1 Go to Authentication > Users > Local.

2 Select and edit the chosen user.

3 Expand User Information , and then enter the user’s E-mail address .

4 Expand Password Recovery Options .

5 Select Email .

6 Optionally, select Manage alternative emails and enter up to three additional emailaddresses for this user.

In the event of password recovery, an email message is sent to all configured emailaddresses — both the user information email address and the alternative emailaddresses.

7 Select OK.

How the user recovers from a lost password

1 Browse to the IP address of the FortiAuthenticator.

Security policies must be in place on the FortiGate unit to allow these sessions to beestablished.

2 Select Forgot my password .

3 Select either Username or Email as your method of identification.

4 Enter either your username or email address as selected in the previous step, andthen select Next .

This information is used to select the user account. If your information does not match a user account, password recovery cannot be completed.

5 Do one of the following:

• Select Send a secure link to your account email and select Next . Open the emailand select the password recovery link.

• Select Answer the provided security question and select Next . Enter the correctanswer to the question and select Next .

The recovery options available depend on the settings in the user account.


6 On the Reset Password page, enter and confirm a new password and then selectNext .

The user can now authenticate using the new password.

Setting a password policy

You can require a minimum length and complexity for user passwords. You can also require users to change their passwords periodically.

To set password complexity requirements

1 Go to Authentication > General > Settings .

2 Set Minimum length for passwords. The default is 8.

If you enter 0, there is no minimum length, but the password cannot be empty.

3 Optionally, select Check for password complexity . You can then enable requirementsfor minimum numbers of upper-case letters, lower-case letters, numeric characters,and special (non-alphanumeric) characters.

4 Select OK .

To set a password change policy

1 Go to Authentication > General > Settings.

2 Set the Maximum password age . The default is 90 days.

3 Optionally, select Enforce password history and set the Number of passwords to remember . New passwords must not match any of the remembered passwords.

For example, if three passwords are remembered, users cannot reuse any of theirthree previous passwords.
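As an added example, not part of this guide and not FortiAuthenticator’s implementation, the following Python applies the settings just described: the minimum length with the rule that 0 still forbids an empty password, per-class complexity counts, a remembered-password history of the configured size, and the maximum password age. The names PasswordPolicy and check_password are my own, and storing the history as salted PBKDF2 digests rather than plaintext is a design choice of the example.

```python
"""Password policy checks of the kind the guide describes: minimum length,
complexity counts, password history and maximum age. Added illustration;
the policy defaults (8 characters, 90 days) are the ones the guide states."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac
import os


@dataclass
class PasswordPolicy:
    min_length: int = 8          # guide default; 0 means no minimum, but never empty
    check_complexity: bool = False
    min_upper: int = 0
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0         # non-alphanumeric characters
    max_age_days: int = 90       # guide default
    history_size: int = 0        # 0 disables "enforce password history"


def hash_password(password: str, salt: bytes = None) -> tuple:
    """History entries are kept as salted PBKDF2 digests, never as plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def reused(candidate: str, history: list, history_size: int) -> bool:
    """True if candidate equals any of the last history_size stored passwords."""
    for salt, digest in history[-history_size:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            return True
    return False


def check_password(candidate: str, policy: PasswordPolicy, history=()) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not candidate:
        problems.append("password cannot be empty")
    elif len(candidate) < policy.min_length:
        problems.append(f"shorter than the minimum length of {policy.min_length}")
    if policy.check_complexity:
        counts = {
            "upper-case letters": sum(c.isupper() for c in candidate),
            "lower-case letters": sum(c.islower() for c in candidate),
            "numeric characters": sum(c.isdigit() for c in candidate),
            "special characters": sum(not c.isalnum() for c in candidate),
        }
        required = [policy.min_upper, policy.min_lower, policy.min_digits, policy.min_special]
        for (name, have), need in zip(counts.items(), required):
            if have < need:
                problems.append(f"needs at least {need} {name}, has {have}")
    if policy.history_size and reused(candidate, list(history), policy.history_size):
        problems.append(f"matches one of the last {policy.history_size} passwords")
    return problems


def password_expired(last_changed: date, today: date, policy: PasswordPolicy) -> bool:
    """True once the password is older than the maximum password age."""
    return today - last_changed > timedelta(days=policy.max_age_days)
```

With history_size set to 3 and four stored passwords, only the three most recent ones are compared, which matches the guide's example of three remembered passwords.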

User groups

You can assign users to user groups in Authentication > User Groups > Local. This is very similar to the firewall user group feature on FortiGate units.

Adding FortiToken devices

A FortiToken device is a disconnected one-time password (OTP) generator. It is a small physical device with a button that, when pressed, displays a six-digit authentication code. This code is entered with a user’s username and password as two-factor authentication. The code displayed changes every 60 seconds. When not in use, the LCD screen is shut down to extend the battery life.

The device has a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around the neck, or easily stored with other electronic devices.

Do not put the FortiToken on a key ring as the metal ring and other metal objects can damage it. The FortiToken is an electronic device like a cell phone and should be treated with similar care.

FortiAuthenticator and FortiTokens

With FortiOS, FortiToken serial numbers must be entered to the FortiGate unit, which then contacts FortiGuard servers to verify the information before activating them.


FortiAuthenticator acts as a repository for all FortiToken devices used on your network —it is a single point of registration and synchronization for easier installation andmaintenance.

To add FortiToken devices

1 Go to Authentication > FortiTokens > FortiTokens.

2 Do one of the following:

• Select Create New and enter the FortiToken device serial number. If there are multiple numbers to enter, select the + icon to switch to a resizable multiple-line entry box.

• Select Import to load a file containing the list of serial numbers for the tokens.(FortiToken devices have a barcode on them that can help you read serial numbers tocreate the import file.)

3 Select OK .

Monitoring FortiToken devices

To monitor the total number of FortiToken devices registered on the FortiAuthenticator unit, as well as the number of disabled FortiTokens, go to System > Dashboard > Status and view the User Inventory widget.

You can also view the list of FortiTokens, their status, if their clocks are drifting, and whichuser they are assigned to by going to Authentication > FortiTokens > FortiTokens .

FortiToken device maintenance

Go to Authentication > FortiTokens > FortiTokens and select Edit for the device. Do any of the following:

• Disable a device when it is reported lost or stolen.

• Re-enable a device when it is recovered.

• Synchronize the FortiAuthenticator and the FortiToken device when the device clock has drifted. Synchronizing ensures that the device provides the token code that the FortiGate unit expects, as the codes are time-based. Fortinet recommends synchronizing all new FortiTokens.

• Select History to view all commands applied to this FortiToken.
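To show why the synchronization step above matters, here is an added Python example (my own illustration, not FortiAuthenticator’s or FortiToken’s code) of a server that verifies six-digit, 60-second time-based codes, tolerates one step of drift, learns a larger drift from two consecutive codes during a synchronization, refuses replayed codes, and rejects a disabled token. It assumes the RFC 6238 TOTP construction with HMAC-SHA1; FortiToken’s actual algorithm and seed handling are not described in this guide, and the seed, serial number and timestamps are constructed.

```python
"""Time-based six-digit codes with clock-drift handling, as an illustration of
FortiToken synchronization. Assumption (not stated in the guide): the token
follows the RFC 6238 TOTP construction, HMAC-SHA1 over a 60-second time step."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the guide states the displayed code changes every 60 seconds
DIGITS = 6          # the guide states the code is six digits


def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def token_display(seed: bytes, token_clock: int) -> str:
    """What the device shows at its own (possibly drifted) clock reading."""
    return hotp(seed, token_clock // STEP_SECONDS)


class TokenRecord:
    """Server-side state for one registered token (constructed, not the product's schema)."""

    def __init__(self, serial: str, seed: bytes):
        self.serial = serial
        self.seed = seed
        self.enabled = True        # disable when reported lost or stolen
        self.drift_steps = 0       # learned offset: token counter minus server counter
        self.last_counter = -1     # highest counter accepted, used to refuse replays


def verify_code(token: TokenRecord, code: str, server_time: int, window: int = 1):
    """Accept a code that matches the expected step or one step either side,
    after applying the token's learned drift. Returns (accepted, reason)."""
    if not token.enabled:
        return False, "token disabled"
    base = server_time // STEP_SECONDS + token.drift_steps
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= token.last_counter:
            continue   # already used or older than the last accepted code: replay
        if hmac.compare_digest(hotp(token.seed, counter), code):
            token.last_counter = counter
            return True, f"accepted at drift {delta:+d} step(s) from expected"
    return False, "no match within window"


def synchronize(token: TokenRecord, first: str, second: str, server_time: int,
                search_steps: int = 100) -> bool:
    """Resynchronize a drifted token from two consecutive codes it displayed.
    Searches +/- search_steps around the server clock for a counter c with
    first == code(c) and second == code(c + 1), then records the drift."""
    base = server_time // STEP_SECONDS
    for delta in range(-search_steps, search_steps + 1):
        c = base + delta
        if hotp(token.seed, c) == first and hotp(token.seed, c + 1) == second:
            token.drift_steps = delta + 1      # the token is now at step c + 1
            token.last_counter = c + 1         # the two codes used to sync cannot be reused
            return True
    return False
```

Requiring two consecutive codes for synchronization is what keeps a wide search window from turning into a guessing opportunity: a single six-digit code would match somewhere in a 200-step window far too often, while a matching pair pins down one specific step.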

To register FortiToken devices, you must have a valid FortiGuard connection. Otherwise any FortiToken devices you enter will remain at Inactive status.

Adding FortiGate units as NAS

A NAS is a network access server that can authenticate using the FortiAuthenticator unit. A FortiGate unit is an example of a NAS. A NAS is a gateway that protects parts of the network, and requires authentication to gain access to what it protects. A NAS is commonly used with Authentication, Authorization, and Accounting (AAA) servers. Every device that will use the FortiAuthenticator unit for authentication must have a NAS entry.

Every time there is a change to the list of NAS entries, two log messages are generated: one for the NAS change, and one to state that the RADIUS server was restarted to apply the NAS change.


When a user is configured on FortiAuthenticator, there is an option to authenticate theuser using the RADIUS database. There is a RADIUS server already configured andrunning on the FortiAuthenticator server. It is set up using default values. For a computeror other external device to access the RADIUS server on the FortiAuthenticator, thatdevice must have a NAS entry.

FortiAuthenticator allows both RADIUS and remote LDAP authentication for NAS entries.

If you want to use a remote LDAP server, you must configure it first so that you can select it in the NAS configuration. You can configure the built-in LDAP server before or after creating NAS entries.

To configure a NAS

1 Go to Authentication > NAS > NAS.

2 Select Create New and enter the following information:

Name: A name to identify the NAS device on the FortiAuthenticator unit.

NAS name/IP: The FQDN or IP address of the NAS unit.

Description: Optional information about the NAS.

3 If RADIUS or Remote LDAP authentication will be used, select NAS is a RADIUS client and enter the following information:

Secret: The RADIUS passphrase that the FortiGate unit will use.

Two-factor Authentication: Select one of the following:
• Mandatory: all users are subject to two-factor authentication
• Optional: depends on the setting in the user account
• None: all users are authenticated only by password

Validate passwords using an external LDAP server: Select if Remote LDAP authentication will be used. Select the configured Remote LDAP server from the list. If the server is not listed, create it. See “Configuring Remote LDAP” on page 31.

Authenticate: Limits who can authenticate.
• All local users: No limit.
• Users from selected local groups only: Authenticate only members of specific FortiAuthenticator user groups. Add the required user groups to the Selected local groups list.
• Users using a remote LDAP server: Authenticate only users of the selected Remote LDAP server.

Use Radius accounting records received from this NAS as a source of FSSO user activity: This is required only if you are using an external RADIUS server to notify the FortiAuthenticator unit of logon events for use by FSSO. Otherwise, leave this unselected. This feature will be described in later documentation.

4 If FSSO will be used, select NAS is an FSSO client.

Refer to the “Fortinet Single Sign On (FSSO)” chapter for information about configuring authentication with FSSO.

5 Select OK.


Configuring built-in LDAP

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network protocol.

In the LDAP protocol there are a number of operations a client can request such assearch, compare, and add or delete an entry. Binding is the operation where the LDAPserver authenticates the user. If the user is successfully authenticated, binding allows theuser access to the LDAP server based on that user’s permissions.

This section includes:

• LDAP directory tree overview

• Creating the LDAP directory tree

• Removing entries from the directory tree

LDAP directory tree overview

The LDAP tree defines the hierarchical organization of user account entries in the LDAPdatabase. The FortiGate unit requesting authentication must then be configured toaddress its request to the right part of the hierarchy.

Often an LDAP server’s hierarchy reflects the hierarchy of the organization it serves. Theroot represents the organization itself, usually defined as Domain Component (DC), aDNS domain, such as example.com . (As the name contains a dot, it is written as twoparts separated by a comma: dc=example,dc=com .) Additional levels of hierarchy canbe added as needed. These include:

• c (country)

• ou (organizational unit, such as a division)

• o (organization, such as a department)

The user account entries relevant to user authentication will have element names such asUID (user ID) or CN (common name, the user’s name). They can each be placed at theirappropriate place in the hierarchy.

Complex LDAP hierarchies are more common in large organizations where users indifferent locations and departments have different access rights. For basic authenticatedaccess to your office network or the Internet, a much simpler LDAP hierarchy isadequate.

The following is a simple example of an LDAP hierarchy in which all user account (CN) entries reside at the Organizational Unit (OU) level, just below DC.


Figure 3: LDAP object directory

When requesting authentication, an LDAP client, such as a FortiGate unit, must specifythe part of the hierarchy where the user account record can be found. This is called theDistinguished Name (DN). In the example above, DN isou=People,dc=example,dc=com .

The authentication request must also specify the particular user account entry. Althoughthis is often called the Common Name (CN), the identifier you use is not necessarily CN.On a computer network, it is appropriate to use UID, the person’s user ID, as that is theinformation that they will provide at logon.

Creating the LDAP directory tree

The following sections provide a brief explanation of each part of the LDAP attribute directory, what it is commonly used to represent, and how to configure it on FortiAuthenticator.

Editing the root node

The root node is the top level of the LDAP directory. There can be only one. All groups, OUs, and users branch off from the root node. Choose the distinguished name (DN) that makes sense for your organization’s root node.

There are three common forms of DN entries.

The most common consists of one or more domain component (dc) elements making upthe DN. Each part of the domain has its own dc entry. This comes directly from the DNSentry for the organization. For example.com, the dn entry is “dc=example,dc=com” .

Another popular method is to use the company’s Internet presence as the DN. This method uses the domain name as the DN. For example.com, the dn entry would be “o=example.com”.

An older method is to use the company name with a country entry. For Example Inc. operating in the United States, the DN would be o="Example, Inc.",c=US. This makes less sense with international companies.

When an object name includes a space, as in “Test Users”, you have to enclosethe text with double-quotes. For example:

cn="Test Users",cn=Builtin,dc=get,dc=local .

When you configure FortiGate units to use the FortiAuthenticator unit as anLDAP server, you will specify the distinguished name that you created here. Thisidentifies the correct LDAP structure to reference.
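The three DN forms above, the quoting rule for values that contain spaces or commas, and the base DN that a FortiGate unit later sends with its search (ou=People,dc=example,dc=com in the earlier example) are exercised by this added Python example. It is an illustration of my own, not code from this guide or the product; the directory entries, the multi-label domain and the function names are constructed, and the quoting follows the guide’s convention rather than the escaping rules of RFC 4514.

```python
"""Building, parsing and scoping LDAP distinguished names as the guide uses
them: dc= components derived from a DNS name, values quoted when they contain
spaces or commas, and a base DN that scopes which entries a client can find."""


def domain_to_base_dn(domain: str) -> str:
    """shiny.widgets.example.com -> dc=shiny,dc=widgets,dc=example,dc=com"""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def split_rdns(dn: str) -> list:
    """Split a DN on commas that are not inside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    if quoted:
        raise ValueError("unbalanced double quote in DN")
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> list:
    """Return [(attribute, value), ...] ordered from most specific to root."""
    rdns = []
    for part in split_rdns(dn):
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr, value = part.split("=", 1)
        attr, value = attr.strip().lower(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strip the guide-style quotes
        if not attr or not value:
            raise ValueError(f"empty attribute or value in {part!r}")
        rdns.append((attr, value))
    return rdns


def format_dn(rdns: list) -> str:
    """Inverse of parse_dn; quotes values that contain a space or a comma."""
    out = []
    for attr, value in rdns:
        if " " in value or "," in value:
            value = '"' + value + '"'
        out.append(f"{attr}={value}")
    return ",".join(out)


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn lies in the subtree rooted at base_dn (case-insensitive)."""
    entry = [(a, v.lower()) for a, v in parse_dn(entry_dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(entry) >= len(base) and entry[-len(base):] == base


def find_user(directory: list, base_dn: str, uid: str):
    """Mimic a client searching for a uid under its configured base DN."""
    for dn in directory:
        rdns = parse_dn(dn)
        if rdns and rdns[0] == ("uid", uid) and is_under(dn, base_dn):
            return dn
    return None


# Constructed directory for the example; not taken from the guide's figure.
DIRECTORY = [
    "uid=jsmith,ou=People,dc=example,dc=com",
    "uid=akim,ou=People,dc=example,dc=com",
    "uid=svc-backup,ou=Services,dc=example,dc=com",
    'cn="Test Users",cn=Builtin,dc=get,dc=local',
]
```

The last function is the point of the base DN setting on the FortiGate side: an account that exists in the directory but outside the configured subtree (uid=svc-backup under ou=Services here) is not found, and the logon fails even though the credentials are valid.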


To rename the root node

1 Go to Authentication > LDAP > Directory Tree .

2 Double-click “dc=example,dc=com” to edit the entry.

3 In Distinguished Name (DN) , enter a new name.

Example: “dc=fortinet,dc=com” .

4 Select OK.

Adding nodes to the LDAP hierarchy

You can add a subordinate node at any level in the hierarchy as needed.

To add a node

1 Go to Authentication > LDAP > Directory Tree .

2 Select the green “+” next to the DN entry where the node will be added.

3 In Class, select the identifier to use.

For example, to add the ou=People node from the earlier example, selectOrganizational Unit (ou) .

4 Select the [Please Select] dropdown and then select Create New . Enter the name ofthe node, People for example, and select OK.

5 If needed, repeat steps 2 through 4 to add other nodes.

Adding user accounts to the LDAP tree

You must add user account entries at the appropriate place in the LDAP tree. These users must already be defined in the FortiAuthenticator user database. See “Adding a user account” on page 22.

To add a user account to the LDAP tree

1 Go to Authentication > LDAP > Directory Tree .

2 Expand nodes as needed to find the required node, then select the node’s green “+”symbol.

In the earlier example, you would do this on the ou=People node.

3 In Class , select User (uid) .

In User (Uid) , the list of available users is displayed. You can choose to display themalphabetically by user group or by user.

4 Select users in the Available Users list and move them to the Chosen Users list.

5 Select OK.

You can verify your users were added by expanding the node to see their UIDs listedbelow it.

If your domain name has multiple parts to it, such asshiny.widgets.example.com, each part of the domain should be entered as partof the DN: dc=shiny,dc=widgets,dc=example,dc=com , for example.


Moving LDAP branches in the directory tree

At times you may want to rearrange the hierarchy of the LDAP structure. For example, a department may be moved from one country to another.

While it is easy to move a branch in the LDAP tree, all systems that use this information will need to be updated to the new structure or they will not be able to authenticate users.

To move an LDAP branch

1 Go to Authentication > LDAP > Directory Tree.

2 Select Expand All.

3 Select the branch to move by selecting it and holding down the mouse button.

4 Drag the branch to the location you want it, and release the mouse button. When it is a valid location, an arrow will appear to the left of the current branch to indicate where the new branch will be inserted; it will be inserted below the entry with the arrow.

Removing entries from the directory tree

Adding entries to the directory tree places one attribute at a time at the proper place. When removing entries, however, it is possible to remove multiple branches at once.

Take care not to remove more branches than you intend. Remember that all systems using this information will need to be updated to the new structure or they will not be able to authenticate users.

To remove an entry from the LDAP directory

1 Go to Authentication > LDAP > Directory Tree.

2 Select Expand All, and select the entry to remove.

3 Select the red X for the entry.

You will be prompted to confirm your deletion. Part of the prompt lists all the entries that will be removed with this deletion. Ensure this is the level that you intend to delete.

4 Select Yes, I’m sure.

If the deletion was successful there will be a green check next to the success message above the LDAP directory and the entry will be removed from the tree.

Configuring a FortiGate unit for FortiAuthenticator LDAP

When you have defined the FortiAuthenticator LDAP tree, you can configure FortiGate units to access the FortiAuthenticator as an LDAP server and authenticate users.

To configure the FortiGate unit for LDAP authentication

1 On the FortiGate unit, go to User > Remote > LDAP and select Create New.

2 Enter the following information and select OK:

Name: Enter a name to identify the FortiAuthenticator LDAP server on the FortiGate unit.

Server Name / IP: Enter the FQDN or IP address of the FortiAuthenticator unit.

Server Port: Leave at default (389).

Common Name Identifier: Enter uid, the user ID.

Distinguished Name: Enter the LDAP node where the user account entries can be found. For example, ou=People,dc=example,dc=com. You can also use the Query button to explore the LDAP tree and select the node.

Bind Type: The FortiGate unit can be configured to use one of three types of binding:
• anonymous: bind using anonymous user search
• regular: bind using username/password and then search
• simple: bind using a simple password authentication without a search
You can use simple authentication if the user records all fall under one distinguished name (DN). If the users are under more than one DN, use the anonymous or regular type, which can search the entire LDAP database for the required username. If your LDAP server requires authentication to perform searches, use the regular type and provide values for username and password.

Secure Connection: If you select Secure Connection, you must select the LDAPS or STARTTLS protocol and the CA security certificate that verifies the FortiAuthenticator unit’s identity.

3 Add the LDAP server to a user group. Specify that user group in identity-based security policies where you require authentication.

Configuring Remote LDAP

If you already have an LDAP server or servers configured on your network, FortiAuthenticator can connect to them for remote authentication much like FortiOS remote authentication.

Adding a remote LDAP server

If your organization has existing LDAP servers, you may choose to continue using them with FortiAuthenticator by configuring them as Remote LDAP servers.

When entering the Remote LDAP server information, if any information is missing or in the wrong format, error messages will highlight the problem for you.

To create a new remote LDAP server entry

1 Go to Authentication > Remote > LDAP.

2 Select Create New.

Page 32: Fortiauthenticator Admin 12

8/16/2019 Fortiauthenticator Admin 12

http://slidepdf.com/reader/full/fortiauthenticator-admin-12 32/46

Configuring Remote LDAP Authentication users and servers

Administration Guide for FortiAuthenticator 1.2 32 23-120-144822-20120111

http://docs.fortinet.com/

3 Enter the following information.

4 If you want to have a secure connection between the FortiAuthenticator unit and theremote LDAP server, select Enable under Secure Connection and enter the following:

5 Select OK.

You can now add remote LDAP users.

Adding Remote LDAP usersRemote LDAP users do not have to be part of the FortiAuthenticator user database onFortiAuthenticator, unless you want to apply two-factor authentication to them.

To add Remote LDAP users

1 Go to Authentication > Users > Remote and select Import.

2 Select the Remote LDAP Server to import from and select Import Users .

3 Optionally, enter a Filter string to reduce the number of entries returned, and thenselect Apply .

For example, uid=j* returns only user IDs beginning with “j”.

4 Select the entries you want to import and then select OK .

To add two-factor authentication to a Remote LDAP user

1 Go to Authentication > Users > Remote .

2 Select and edit the chosen user.

Name Enter the name for the remote LDAP server onFortiAuthenticator.

Server name/IP Enter the IP address or FQDN for this remote server.

Common nameidentifier

The identifier used for the top of the LDAP directory tree as itapplies to FortiAuthenticator users. This may be the top of thetree, or only a smaller branch of it.

cn is the default, and is used by most LDAP servers.

Base distinguishedname

Enter the base distinguished name for the server using thecorrect X.500 or LDAP format. The maximum length of the DNis 512 characters.

You can also select the Browse button to view and select theDN on the LDAP server.

Bind Type

The Bind Type determines how the authentication informationis sent to the server. Select the bind type required by theremote LDAP server.

• Simple — bind using the user’s password which is sent tothe server in plaintext without a search.

• Regular — bind using the user’s DN and password andthen search

If the user records fall under one directory, you can use Simple bind type. But Regular is required to allow a search for a useracross multiple domains.

Protocol Select LDAPS or STARTLS as the LDAP server requires.

CA Certificate Select the CA certificate that verifies the server certificate.

Page 33: Fortiauthenticator Admin 12

8/16/2019 Fortiauthenticator Admin 12

http://slidepdf.com/reader/full/fortiauthenticator-admin-12 33/46

Authentication users and servers Monitoring users

FortiAuthenticator Administration Guide 23-120-144822-20120111 33

http://docs.fortinet.com/

3 Under Two-factor authentication , do one of the following:

• Select FortiToken and then select the FortiToken device serial number from the list.

• Select Email and enter the user’s email address.

• Select SMS and enter the user’s mobile information.

4 Select OK .

Monitoring usersThere are two methods for monitoring or tracking users that are logged on — on thedashboard, and with the Users monitor.

Dashboard

On the dashboard there are two user related widgets.The Authentication Activity widget is a graph that tracks the number of logons over time.It can display all logons, failed only, successful logons only, or a combination of all three.Multiple occurrences of this widget can be displayed on the dashboard, and configuredindividually.

The User Inventory widget displays the total number of configured users, groups, andFortiTokens. It also tracks the number of disabled users and FortiTokens.

Users monitor To see the users monitor, go to Authentication > SSO Monitor > SSO Users .

The users monitor displays a list of currently logged on FSSO users and their information.

A FortiToken device already allocated to a local account cannot be allocated toan LDAP user as well — it must be a different FortiToken device.

Page 34: Fortiauthenticator Admin 12

8/16/2019 Fortiauthenticator Admin 12

http://slidepdf.com/reader/full/fortiauthenticator-admin-12 34/46

Monitoring users Authentication users and servers

Administration Guide for FortiAuthenticator 1.2 34 23-120-144822-20120111

http://docs.fortinet.com/

Fortinet Single Sign On (FSSO)

FortiAuthenticator provides easy-to-configure remote authentication options for FortiGate users, such as FSSO. Multiple FortiGate units can use a single FortiAuthenticator for FSSO.

The Fortinet Single Sign On (FSSO) agent connects FortiGate security appliances to your corporate authentication servers, such as Microsoft Active Directory and Novell eDirectory, allowing security policies on the FortiGate unit to be based on user information residing on the corporate authentication servers. FSSO, a component installed on the authentication server or on a standalone server, provides user authentication information to the FortiGate unit so users can automatically gain access to the permitted resources with a single sign on. Older versions were called Fortinet Server Authentication Extension (FSAE).

FortiAuthenticator acts as the FSSO Agent, or Controller Agent. It can only be configured in polling mode, not DCAgent mode.

Figure 4: FSSO topology with FortiAuthenticator
[Figure not reproduced. Labelled elements: two FortiGate units, each with a Client Network; Windows AD Domain Controllers receiving client logons; the FortiAuthenticator polling logon events.]

This section includes:

• Communicating with FortiGate units
• Communicating with Domain Controllers
• Monitoring FSSO units

Communicating with FortiGate units

In an FSSO topology, the FortiGate units provide the firewall, which acts as the authentication trigger. The FortiAuthenticator communicates logon information from the domain controllers to the FortiGate units by polling the controllers. The FortiGate units then authenticate the user and allow access to the network resources as requested.

The FortiAuthenticator is easier to configure than a third-party server, contains both an LDAP and a RADIUS server, and performs additional functions compared to the normal FSSO Collector agent.

The following procedure assumes the FortiGate already has a NAS entry on the FortiAuthenticator. See "Adding FortiGate units as NAS" on page 25.

To configure FortiAuthenticator to communicate with FortiGate units

1 Go to Authentication > SSO > General.

2 Select Enable Authentication and configure:

Secret key: Set to fortinet123. This is the password that will be used when configuring the FSSO Agent on the FortiGate unit.

Log Level: Select one of Debug, Info, Warning, or Error as the minimum severity level of event to log.

FortiGate listening port: Leave at 8000 unless your network requires you to change this. Ensure this port is allowed through the firewall.

User Login Expiry (in minutes): The length of time users can remain logged in before the system logs them off automatically. The default is 300 minutes (5 hours).

3 On the FortiGate unit, go to User > Remote > LDAP and select Create New.

4 Enter the following information, and select OK.

Name: Enter a unique name to identify the FortiAuthenticator.

Server Name/IP: Enter the FortiAuthenticator unit IP address.

Server port: Leave this at the default (389). FortiAuthenticator uses default values for LDAP and RADIUS servers. Ensure port 389 is open on the firewall.

Common Name Identifier: Set this to match your LDAP directory tree. The default identifier is cn.

Distinguished Name: This is the top level of your LDAP tree, or the branch of your tree that will be authenticated using this FortiGate unit. Once you have entered a distinguished name, use the Browse button to ensure you have a connection to the FortiAuthenticator. If not, check your information.

Bind Type: Select the method that will be used to authenticate using the LDAP server.

Secure Connection: Leave unchecked.

5 Go to User > Single Sign-On > FSSO Agent.

6 Enter the following information, and select OK.

Name: Enter a name to identify the FortiAuthenticator as an FSSO agent.

FSSO Agent IP/Name: Enter the FortiAuthenticator unit IP address.

Port: This entry must match the FortiGate Listening Port in the FortiAuthenticator SSO configuration. The default value is 8000. Ensure this port is open on the firewall.

Password: This entry must match the Secret Key entered in the FortiAuthenticator SSO configuration.

LDAP Server: Enable LDAP server, and select the FortiAuthenticator LDAP server from the list.

Communicating with Domain Controllers

As the FSSO Controller agent, FortiAuthenticator polls the Windows AD Domain Controllers for logon event information. Each Domain Controller that will be polled must be configured on the FortiAuthenticator.

You can disable a Domain Controller entry without removing its configuration. This is useful when testing, troubleshooting, or moving controllers within your network.

To add a domain controller to FortiAuthenticator

1 Go to Authentication > SSO > Domain Controllers.

2 Select Create New, enter the following information, and then select OK.

NetBIOS Name: Enter the name of the Domain Controller as it appears in NetBIOS.

Display Name: A unique name to easily identify this Domain Controller.

Network Address: Enter the IPv4 address of this controller.

Account: Enter the account name used to access logon events. This account should have administrator rights. To use a non-administrator account, see the FSSO chapter of the FortiOS Handbook User Authentication guide.

Password: Enter the password for the Account entered above.

3 Repeat step 2 for each Domain Controller FortiAuthenticator will be polling.

Monitoring FSSO units

FortiAuthenticator can monitor the units that make up FSSO. This is useful to ensure there is a connection to the different components when troubleshooting.

Monitoring SSO users

To monitor SSO users, go to Authentication > SSO Monitor > SSO Users.

Monitoring domain controllers

When FSSO domain controllers are registered with the FortiAuthenticator unit, they are displayed in the monitor upon a successful connection. To monitor them, go to Authentication > SSO Monitor > Domain Controllers.


Monitoring FortiGate units

When a FortiGate unit is registered with the FortiAuthenticator unit, it is displayed in the monitor upon a successful connection. To monitor FortiGate units, go to Authentication > SSO Monitor > FortiGates.


Certificate Management

This section describes how FortiAuthenticator allows you to manage certificates, including acting as a Certificate Authority.

FortiAuthenticator can act as a Certificate Authority (CA) for the creation and signing of X.509 certificates, such as server certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPsec VPN.

Any changes made to certificates generate log entries that can be viewed at Logging > Log Access > Logs. See "Logging" on page 13.

This chapter includes:

• Certificate Authorities (CA)
• Users

Certificate Authorities (CA)

A certificate authority (CA) is used to sign other server and client certificates. The authority comes from a well-known trusted authority trusting the CA. You must have a CA certificate on your FortiAuthenticator before you can generate a user certificate.

Different CAs can be used for different domains or certificates. For example, if your organization is international you may have a CA for each country, or smaller organizations might have a different CA for each department. The benefits of multiple CAs include redundancy in case there are problems with one of the well-known trusted authorities,

Once you have created a CA certificate, you can export it to your local computer.

This section includes:

• Certificates
• Certificate Revocation List (CRL)

Certificates

Do not press Enter while entering the information until you have completed entering the information; otherwise you will create the certificate with incomplete information.

Subject Alternative Names (SAN) allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard. An example of where SANs are used is to protect multiple domain names, such as www.example.com and www.example.net. This contrasts with a wildcard certificate, which can only protect all first-level subdomains of one domain, such as *.example.com.
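The SAN versus wildcard difference just described, as an added Go example (not from this guide or from FortiAuthenticator): two constructed self-signed certificates are issued, one listing www.example.com and www.example.net as SANs and one carrying the wildcard *.example.com, and each is checked against a set of hostnames with the standard library's hostname matcher, which applies the same rules a TLS client does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

// makeCert creates a self-signed server certificate whose Subject Alternative
// Name extension lists dnsNames. It is a constructed test certificate, not one
// issued by a FortiAuthenticator; a wildcard such as "*.example.com" is itself
// a SAN entry.
func makeCert(dnsNames []string) (*x509.Certificate, error) {
	if len(dnsNames) == 0 {
		return nil, errors.New("at least one DNS name is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    now,
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // this becomes the SAN extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// coveredHosts reports, for each candidate hostname, whether the certificate
// protects it. VerifyHostname accepts an exact SAN match or a wildcard whose
// "*" stands for exactly one label, so *.example.com covers www.example.com
// but neither example.com nor a.b.example.com.
func coveredHosts(cert *x509.Certificate, hosts []string) map[string]bool {
	out := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		out[h] = cert.VerifyHostname(h) == nil
	}
	return out
}

func main() {
	hosts := []string{"www.example.com", "www.example.net", "mail.example.com", "example.com", "a.b.example.com"}
	san, err := makeCert([]string{"www.example.com", "www.example.net"})
	if err != nil {
		log.Fatal(err)
	}
	wild, err := makeCert([]string{"*.example.com"})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("SAN certificate:     ", coveredHosts(san, hosts))
	fmt.Println("wildcard certificate:", coveredHosts(wild, hosts))
}
```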

The certificate information, including subject, issuer, status, and CA type, is displayed on the Certificate Management > Certificate Authorities > Certificates page.

If you have many certificates, you can use the search feature to find one or more specific certificates. The search will return certificates that match either subject or issuer.

To create a CA certificate

1 Go to Certificate Management > Certificate Authorities > Certificates.

2 Select Create New.


3 Enter the following information and select OK.

Certificate type: Select one of the following types of CA certificate:

• Root CA certificate - a self-signed CA certificate
• Intermediate CA certificate - a CA certificate that refers to a different root CA as the authority
• Intermediate CA certificate signing request (CSR)

The fields displayed change based on your certificate type.

Certificate Authority: Select one of the available certificate authorities (CAs) configured on the FortiAuthenticator from the drop-down list. This field is displayed only when Intermediate CA certificate is selected.

Subject information

Subject input method: Select to enter either a Fully distinguished name (DN) or Field-by-Field. The default value is Field-by-Field. The fields displayed for subject information change based on your subject input method.

Subject DN: Enter the full DN of the subject. For example c=CA, o=Fortinet, cn=John Smith. Valid DN attributes are C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive. This field is only displayed when the fully distinguished name (DN) subject input method is selected.

Name (CN), Company (O), Department (OU), City (L), State/Province (ST): Enter each value in the field provided. These fields need to match the information of the user who will be using the certificate; the fields will be assembled into a distinguished name for the certificate.

Country (C): Select your country from the drop-down list. Each country includes its two-letter code.

Subject Alternative Name

Email: Enter the email address of a user to map to this certificate. This field is not available if the certificate type is CSR.

User Principal Name (UPN): Enter the user principal name used to find the user's account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping. This field is not available if the certificate type is CSR.

Additional Options

Validity Period: Select how long before this certificate expires. Select either a set number of days and enter the total number of days before this certificate expires (such as 3650 days for a life of 10 years), or set an expiry date by entering the expiry date in YYYY-MM-DD format, selecting Today, or using the Calendar icon to help you select a date. This field is not available if the certificate type is CSR.

Key Type: The key type is set to RSA.

Key Size: Select the key size as one of 1024, 2048, or 4096 bits.

Hash Algorithm: Select the hash algorithm as one of SHA-1 or SHA-256.

To import a CA certificate

1 Go to Certificate Management > Certificate Authorities > Certificates.

2 Select Import.

3 Enter the following information and select OK.

Type: Select the type of CA certificate to import: PKCS12 Certificate or Certificate and Private Key.

PKCS12 certificate file: Select the certificate file from your local computer to upload to the FortiAuthenticator. This field is visible only if the PKCS12 type is selected.

Certificate file: Select the certificate file from your local computer to upload to the FortiAuthenticator. This field is visible only if you selected the Certificate and Private Key type.

Private key file: Select the private key file from your local computer to upload to the FortiAuthenticator. This field is visible only if you selected the Certificate and Private Key type.

Passphrase: Enter the passphrase associated with this certificate.

Serial number radix: Select the radix of the serial number as either decimal or hex.

Initial serial number: Enter the starting serial number for the CA certificate.

Certificate Revocation List (CRL)

A Certificate Revocation List (CRL) is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. A CRL file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.

Some potential reasons for certificates to be revoked include:

• a CA server was hacked and its certificates are no longer trustworthy,
• a single certificate was compromised and is no longer trustworthy, or
• in some cases, when certificates expire they are added to the list to ensure they are not used past their lifetime.


To import a Certificate Revocation List (CRL)

1 Download the most recent CRL from a CRL Distribution Point (CDP). One or moreCDPs are usually listed in a certificate under the Details tab.

2 Go to Certificate Management > Certificate Authorities > CRL .

3 Select Import .

4 Select a CRL file from your local computer, and select OK.

When successful, the CRL will be displayed in the CRL list on the FortiAuthenticator. You can select it to see the details.

Locally created CRL

When you import a CRL, it is from another authority. If you are creating your own CA certificates, then you can also create your own CRL to go with them.

As a CA, you sign user certificates. If for any reason you need to revoke one of those certificates, it will go on a local CRL. When this happens, you need to export the CRL to all your certificate users so they are aware of the revoked certificate.

To create a local CRL

1 Create a local CA certificate. See “Certificate Authorities (CA)” on page 39 .

2 Create one or more user certificates. See “Users” on page 43 .

3 Go to Certificate Management > Users > Certificates .

4 Select one or more certificates and select Revoke .

You will be prompted for the reason for the revocation as one of:

• Unspecified

• Key has been compromised

• CA has been compromised

• Changes in affiliation

• Superseded

• Operation ceased

• On hold

Some of these reasons are security related (such as key or CA compromised), whereas others are more business related: a change in affiliation could just be an employee leaving the company, or operation ceased could be a project that was cancelled.

5 Select OK.

The certificates selected will be removed from the User Certificate list, and a CRL will becreated with those certificates as entries in the list.

If there is already a CRL for the CA that signed the user certificates, they will be added tothe current CRL.

If at a later date one or more CAs are deleted, their corresponding CRLs will be deletedas well, along with any user certificates they signed.
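The CRL described in this chapter (what the file contains, and the local CRL that results from revoking user certificates with one of the reasons above), as an added Go example that is not part of this guide or of FortiAuthenticator: it builds a constructed root CA, signs a CRL whose entries carry the RFC 5280 reason codes matching the Revoke dialog, and then checks a serial number against that CRL the way a relying party would, rejecting a CRL that is stale or was not signed by the expected CA. The CA name, serial numbers and fixed clock are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CRL entry reason codes (RFC 5280 section 5.3.1), in the order of the
// guide's Revoke dialog: Unspecified, Key compromised, CA compromised,
// Changes in affiliation, Superseded, Operation ceased, On hold.
const (
	ReasonUnspecified = iota
	ReasonKeyCompromise
	ReasonCACompromise
	ReasonAffiliationChanged
	ReasonSuperseded
	ReasonCessationOfOperation
	ReasonCertificateHold
)

var oidCRLReason = asn1.ObjectIdentifier{2, 5, 29, 21} // id-ce-cRLReasons

// newRootCA builds a self-signed root CA for this example (not one exported
// from a FortiAuthenticator). crlSign lets the CA key also sign CRLs.
func newRootCA(cn string, now time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now, NotAfter: now.AddDate(10, 0, 0), // the guide's 3650-day example
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildCRL signs a CRL listing each revoked serial with its revocation time and
// reason code. NextUpdate is one hour out, the shortest CRL validity the guide gives.
func buildCRL(ca *x509.Certificate, caKey *rsa.PrivateKey, number int64, revoked map[int64]int, now time.Time) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for serial, reason := range revoked {
		reasonDER, _ := asn1.Marshal(asn1.Enumerated(reason)) // cannot fail for a small int
		entries = append(entries, pkix.RevokedCertificate{
			SerialNumber:   big.NewInt(serial),
			RevocationTime: now,
			Extensions:     []pkix.Extension{{Id: oidCRLReason, Value: reasonDER}},
		})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(number), RevokedCertificates: entries,
		ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// checkRevocation does what a relying party does with a CRL from a CDP: verify the
// CA's signature, reject it outside its validity window, then look up the serial.
func checkRevocation(crlDER []byte, ca *x509.Certificate, serial *big.Int, now time.Time) (bool, int, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, 0, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, 0, fmt.Errorf("CRL not signed by the expected CA: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, 0, fmt.Errorf("CRL valid %s to %s, not at %s", crl.ThisUpdate, crl.NextUpdate, now)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) != 0 {
			continue
		}
		reason := ReasonUnspecified
		for _, ext := range rc.Extensions { // the reason code lives in an entry extension
			var e asn1.Enumerated
			if _, err := asn1.Unmarshal(ext.Value, &e); ext.Id.Equal(oidCRLReason) && err == nil {
				reason = int(e)
			}
		}
		return true, reason, nil
	}
	return false, 0, nil
}
```

A stale CRL is an error rather than a "not revoked" answer, which is why the import procedure starts with downloading the most recent CRL from the CDP.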

Configuring Online Certificate Status Protocol

As well as manual CRLs, FortiAuthenticator also supports Online Certificate Status Protocol (OCSP), defined in RFC 2560. To use OCSP, point the NAS at TCP port 2560 on the FortiAuthenticator IP address.


For example, configuring OCSP in the FortiGate CLI for a FortiAuthenticator with an IP address of 172.20.120.16 looks like this:

    config vpn certificate ocsp
        set cert "REMOTE_Cert_1"
        set url "http://172.20.120.16:2560"
    end

Users

User certificates are required for mutual authentication on many HTTPS, SSL, and IPsec VPN network resources. You can create a user certificate on FortiAuthenticator or import and sign a Certificate Signing Request (CSR). User certificates, client certificates, and local computer certificates are the same type of certificate.

To create a user certificate

1 Go to Certificate Management > Users > Certificates.

2 Select Create New.

3 Enter the following information and select OK.

The Certificate Authority used must be valid and current. If it is not, you will have to create or import a CA certificate before continuing. See "Certificate Authorities (CA)" on page 39.

Certificate Signing Options

Certificate Authority: Select one of the available certificate authorities (CAs) configured on the FortiAuthenticator from the drop-down list. The CA must be current.

Subject information

Subject input method: Select to enter either a Fully distinguished name (DN) or Field-by-Field. The default value is Field-by-Field.

Subject DN: Enter the full DN of the subject. For example C=CA, O=Fortinet, CN=John Smith. Valid DN attributes are C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive. This field is only displayed when the fully distinguished name (DN) subject input method is selected.

Name (CN), Company (O), Department (OU), City (L), State/Province (ST): Enter each value in the field provided.

Country (C): Select your country from the drop-down list. Each country includes its two-letter code.

Subject Alternative Name

Email: Enter the email address of a user to map to this certificate.

User Principal Name (UPN): Enter the user principal name used to find the user's account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.

Additional Options

Validity Period: Select how long before this certificate expires. Select either a set number of days and enter the total number of days before this certificate expires (such as 3650 days for a life of 10 years), or set an expiry date by entering the expiry date in YYYY-MM-DD format, selecting Today, or using the Calendar icon to help you select a date.

Key Type: The key type is set to RSA.

Key Size: Select the key size as one of 1024, 2048, or 4096 bits.

Hash Algorithm: Select the hash algorithm as one of SHA-1 or SHA-256.

4 Confirm the certificate information is correct by selecting the certificate entry.

This will bring up the text of the certificate, including the version, serial number, issuer, subject, effective and expiration dates, and the extensions.

5 Once the information is confirmed, you can export the certificate to the user's computer and import it into the proper application there, such as a browser or FortiClient.

If any of this information is out of date or incorrect, you will not be able to use this certificate. If this is the case, delete the certificate and re-enter the information.

Page 45: Fortiauthenticator Admin 12

8/16/2019 Fortiauthenticator Admin 12

http://slidepdf.com/reader/full/fortiauthenticator-admin-12 45/46

Index

FortiAuthenticator Administration Guide 23-120-144822-20120111 45

http://docs.fortinet.com/ • Feedback

Index A Authentication Activity widget , 33

Authentication, Authorization, and Accounting (AAA), 9, 25

Ccertificate authority (CA) , 39Certificate Revocation List (CRL) , 41Certificate Signing Request (CSR) , 43common name, LDAP servers , 27Controller Agent , 35CRL Distribution Point (CDP) , 42

Ddashboard

Authentication Activity widget , 33User Inventory widget , 33

default password , 7distinguished names

LDAP servers , 28domain component, LDAP servers , 27Domain Controllers , 37

Eexplicit proxy , 20

Ffirewall

open ports , 11ports , 11

firmware updates , 7FortiGuard , 25FortiGuard Antivirus , 7Fortinet Server Authentication Extension (FSAE) , 35Fortinet Single Sign On (FSSO) , 35

Agent , 35Domain Controllers , 37ports , 11

FortiToken , 24clock drift , 25monitoring , 25NTP , 12registering , 25synchronization , 25

Hhierarchy

LDAP servers , 27

LLDAP servers

common name , 27distinguished names , 28domain component , 27hierarchy , 27

Lightweight Directory Access Protocol (LDAP) , 27ports , 11remote server , 26

Logging , 13NAS , 26

MMicrosoft Active Directory , 40, 44mode, operation , 7monitor

users , 33Monitoring , 33

Nnetwork access server (NAS) , 25NTP , 12

Oone-time password (OTP) , 24Online Certificate Status Protocol (OCSP) , 42operation mode , 7

P

passwordadministrator , 7ports , 11product registration , 7proxy , 20

RRADIUS

NAS , 25ports , 11server , 21

remote LDAP , 26

SSubject Alternative Names (SAN) , 39

Ttechnical support , 7troubleshooting , 17two-factor authentication

FortiToken , 24

Page 46: Fortiauthenticator Admin 12

8/16/2019 Fortiauthenticator Admin 12

http://slidepdf.com/reader/full/fortiauthenticator-admin-12 46/46

Index

UUser Inventory widget , 33User Principal Name (UPN) , 40, 44users , 21

monitor , 33monitor, dashboard , 33NAS , 21RADIUS authentication , 21

WWindows AD Domain Controllers , 37Windows Server , 40, 44