Authentication
FortiAuthenticator provides an easy to configure authentication server for your users. Multiple FortiGate units can use a single FortiAuthenticator unit for remote authentication and FortiToken device management.
FortiAuthenticatorin a multiple FortiGate unit network
This chapter includes the following topics:
l What to configure l User account policies l User management l FortiToken devices and mobile apps l Self-service portal l Remote authentication servers l RADIUS service l LDAP service l FortiAuthenticator Agents
What to configure
You need to decide which elements of FortiAuthenticator configuration you need.
- Determine the type of authentication you will use: password-based or token-based. Optionally, you can enable both types. This is called two-factor authentication.
What to configure
- Determine the type of authentication server you will use: RADIUS, built-in LDAP, or Remote LDAP. You will need to use at least one of these server types.
- Determine which FortiGate units or third party devices will use the FortiAuthenticator unit. The FortiAuthenticator unit must be configured on each FortiGate unit as an authentication server, either RADIUS or LDAP. For RADIUS authentication, each FortiGate unit or third party device must be configured on the FortiAuthenticator unit as an authentication client.
Password-based authentication
User accounts can be created on the FortiAuthenticator device in multiple ways:
l Administrator creates a user and specifies their username and password. l Administrator creates a username and a random password is automatically emailed to the user. l Users are created by importing either a CSV file or from an external LDAP server.
Users can self-register for password-based authentication. This reduces the workload for the system administrator. Users can choose their own passwords or have a randomly generated password provided in the browser or sent to them via email or SMS. Self-registration can be instant, or it can require administrator approval. See Self-registration on page 76.
Once created, users are automatically part of the RADIUS Authentication system and can be authenticated remotely.
See User management on page 57 for more information about user accounts.
Two-factor authentication
Two-factor authentication increases security by requiring multiple pieces of information on top of the username and password. There are generally two factors:
- something the user knows, usually a password, l something the user has, such as a FortiToken device.
Requiring the two factors increases the difficulty for an unauthorized person to impersonate a legitimate user.
To enable two-factor authentication, configure both password-based and token-based authentication in the user’s account.
FortiAuthenticator token-based authentication requires the user to enter a numeric token at login. Two types of numerical tokens are supported:
- Time based: TOTP (RFC 6238)
The token passcode is generated using a combination of the time and a secret key which is known only by the token and the FortiAuthenticator device. The token password changes at regular time intervals, and the FortiAuthenticator unit is able to validate the entered passcode using the time and the secret seed information for that token.
Passcodes can only be used a single time (one time passcodes) to prevent replay attacks. Fortinet has the following time based tokens:
- FortiToken 200 l FortiToken Mobile, running on a compatible smartphone l Event based: HMAC-based One Time Password (HTOP) (RFC 4226) What to configure
The token passcode is generated using an event trigger and a secret key. Event tokens are supported using a valid email account and a mobile phone number with SMS service.
FortiToken devices, FortiToken Mobile apps, email addresses, and phone numbers must be configured in the user’s account.
Only the administrator can configure token-based authentication. See Configuring token based authentication on page 62.
Authentication servers
The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the use of remote RADIUS and LDAP (which can include Windows AD servers).
The built-in servers are best used where there is no existing authentication infrastructure, or when a separate set of credentials is required. You build a user account database on the FortiAuthenticator unit. The database can include additional user information such as street addresses and phone numbers that cannot be stored in a FortiGate unit’s user authentication database. To authenticate, either LDAP or RADIUS can be used. The remote LDAP option adds your FortiGate units to an existing LDAP structure. Optionally, you can add two-factor authentication to remote LDAP.
RADIUS
If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must be registered as RADIUS authentication clients in Authentication > RADIUS Service > Clients. See RADIUS service on page 91. On each FortiGate unit that will use the RADIUS protocol, the FortiAuthenticator unit must be configured as a RADIUS server in User & Device > Authentication > RADIUS Server.
Built-in LDAP
If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users from the user database to the appropriate nodes in the LDAP hierarchy. See Creating the directory tree on page 96. On each FortiGate unit that will use LDAP protocol, the FortiAuthenticator unit must be configured as an LDAP server in User & Device > Authentication > LDAP Server.
Remote LDAP
Remote LDAP is used when an existing LDAP directory exists and should be used for authentication. User information can be selectively synchronised with the FortiAuthenticator unit, but the user credentials (passwords) remain on, and are validated against the LDAP directory.
To utilize remote LDAP, the authentication client (such as a FortiGate device) must connect to the
FortiAuthenticator device using RADIUS to authenticate the user information (see
User & Device > Authentication > RADIUS Server). The password is then proxied to the LDAP server for validation, while any associated token passcode is validated locally.
Machine authentication
Machine, or computer, authentication is a feature of the Windows supplicant that allows a Windows machine to authenticate to a network via 802.1X prior to user authentication.
Machine authentication is performed by the computer itself, which sends its computer object credentials before the Windows logon screen appears. User authentication is performed after the user logs in to Windows.
User account policies
Based on the computer credentials provided during machine authentication, limited access to the network can be granted. For example, access can be granted to just the Active Directory server to enable user authentication.
Following machine authentication, user authentication can take place to authenticate that the user is also valid, and to then grant further access to the network.
Machine authentication commonly occurs on boot up or log out, and not, for example, when a device awakens from hibernation. Because of this, the FortiAuthenticator caches authenticated devices based on their MAC addresses for a configurable period (see General on page 54). For more information on cached users, see Windows device logins on page 131
To configure machine authentication, see Clients on page 92.
I am trying to get uses to be able to do a password change when they VPN into the network after their password expire’s.
One issue i am running into is on the Authenticaticator under monitor the status of the Connection only says “Joined AD” and “not connected” do you know why ?
I am experiencing the same problem