FortiAuthenticator 4.0 Authentication

RADIUS attributes

Some services can receive information about an authenticated user through RADIUS vendor-specific attributes.

FortiAuthenticator user groups and user accounts can include RADIUS attributes for Fortinet and other vendors.

Attributes in user accounts can specify user-related information. For example, the Default attribute Framed-IPAddress specifies the VPN tunnel IP address to be sent to the user by the Fortinet SSL VPN.

Attributes in user groups can specify more general information, applicable to the whole group. For example, specifying third-party vendor attributes to a switch could enable administrative level login to all members of the Network_Admins group, or authorize the user to the correct privilege level on the system.

To add RADIUS attributes to a user or group:

  1. Go to Authentication > User Management > Local Users and select a user account to edit, or go to Authentication > User Management > User Groups and select a group to edit.
  2. In the RADIUS Attributes section, select Add Attribute. The Create New UserGroup RADIUS Attribute or Create New UserRADIUS Attribute window opens.
  3. Select the appropriate Vendor and Attribute ID, then enter the attribute’s value in the Value
  4. Select OK to add the new attribute to the user or group.
  5. Repeat the above steps to add additional attributes as needed.

FortiToken devices and mobile apps

A FortiToken device is a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six digit token passcode. FortiToken Mobile is an application for mobile devices that performs the same one-time password function as a FortiToken device.

FortiToken devices and mobile apps

Each FortiAuthenticator unit or virtual machine (VM) is supplied with two trial FortiToken Mobile tokens. To obtain the free FortiToken Mobile tokens (if they have not been created dynamically on install), select Get FortiToken Mobile trial tokens when adding a token.

This may be required if, for example, you are upgrading an unlicensed FortiAuthenticator unit to a licensed one, as the old tokens associated with the unlicensed serial number will not be compatible with the new, licensed serial number. The tokens will still work, but they are not able to be reassigned to a new user. In this case, you must delete the old tokens, and then generate new ones.

If using a token passcode that is time-based, it is imperative that the FortiAuthenticator unit clock is accurate. If possible, configure the system time to be synchronized with an NTP server.

To perform token-based authentication, the user must enter the token passcode. If the user’s username and password are also required, this is called two-factor authentication. The displayed code changes every 60 seconds on a FortiToken device, and can be changed every 30 seconds on FortiToken Mobile.

The FortiToken device has a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around the neck, or easily stored with other electronic devices. When not in use, the LCD screen is shut down to extend the battery life.

FortiAuthenticator and FortiTokens

With FortiOS, FortiToken identifiers must be entered to the FortiGate unit, which then contacts FortiGuard servers to verify the information before activating them.

FortiAuthenticator acts as a repository for all FortiToken devices used on your network. It is a single point of registration and synchronization for easier installation and maintenance.

To register FortiTokens, you must have a valid FortiGuard connection. Otherwise, any FortiTokens you enter will remain in Inactive status. After the FortiTokens are registered, the connection to FortiGuard is no longer essential.

If a token authentication fails, check that the system time on the FortiAuthenticator unit is correct and then re-synchronize the FortiToken.

To add FortiTokens manually:

  1. Go to Authentication > User Management > FortiTokens and select Create New. The Create New FortiToken window opens.
  2. Select the Token Type, either FortiToken 200 or FortiToken Mobile.
  3. If FortiToken 200 is selected as the Token Type, enter one or more token serial numbers in the Serial numbers

FortiToken devices and mobile apps

You can also import multiple tokens by selecting Import Multiple, or by selecting Add all FortiTokens from the same Purchase Order then entering a single token’s serial number; all tokens associated with that purchase order will then be imported.

  1. If FortiToken Mobile is selected as the Token Type, enter the activation codes in the Activation codes field, or select Get FortiToken Mobile free trial tokens to use temporary tokens.
  2. Select OK to add the FortiToken or FortiTokens.

To import FortiTokens from a CSV file:

  1. From the FortiToken list, select Import. The Import FortiTokens window opens.
  2. Do one of the following: l Select Serial number file to load a CSV file that contains token serial numbers for the tokens. (FortiToken devices have a barcode on them that can help you read serial numbers to create the import file.)

l Select Seed file to load a CSV file that contains the token serial numbers, encrypted seeds, and IV values.

(FortiToken devices have a barcode on them that can help you read serial numbers to create the import file.)

  1. Select .., find the configuration file, and select Open.
  2. Select OK to import the FortiTokens.

To import FortiTokens from a FortiGate unit:

  1. Export the FortiGate unit configuration to a file.
  2. From the FortiToken list, select Import.
  3. Select FortiGate Configuration file.
  4. In the Data to import field, select Import FortiToken 200 only, Import FortiToken 200 and only theirassociated users, or Import all FortiToken 200 and users.
  5. Select .., find the configuration file, then select Open.
  6. If the file is encrypted, enter the password in the Password
  7. Select OK to import the FortiTokens.

To export FortiTokens:

  1. From the FortiToken list, select Export FTK-200.
  2. Save the file to your computer.

Monitoring FortiTokens

To monitor the total number of FortiToken devices registered on the FortiAuthenticator unit, as well as the number of disabled FortiTokens, go to System > Dashboard > Status and view the UserInventory widget (see User Inventory widget on page 29).

You can also view the list of FortiTokens, their status, if their clocks are drifting, and which user they are assigned to from the FortiToken list found at Authentication > UserManagement > FortiTokens, see FortiTokens on page 71.

FortiToken device maintenance

Go to Authentication > UserManagement > FortiTokens, then select the FortiToken on which you need to perform maintenance and select Edit. The following actions can be performed:

 

  • Comments can be added for FortiToken.
  • The device can be locked if it has been reported lost or stolen.

A reason for locking the device must be entered, and a temporary SMS token can be provided.

  • The device can be unlocked if it is recovered.
  • The device can be synchronized.

Synchronize the FortiAuthenticator and the FortiToken device when the device clock has drifted. This ensures that the device provides the token code that the FortiAuthenticator unit expects, as the codes are time-based. Fortinet recommends synchronizing all new FortiTokens. l The device history can be viewed, showing all commands applied to this FortiToken.

FortiToken drift adjustment

When the FortiAuthenticator unit and FortiTokens have been initialized prior to setting an NTP server, the time difference can be too large to correct with the synchronize function, forcing all tokens to resynchronize. To avoid this, selected tokens can be manually drift shifted.

The following procedure is intended to be used only in special cases where some FortiTokens are severely out-of-sync, for example, when a token is switched from manual configuration to NTP control. Under normal circumstances, this is not required.

Only activated FortiTokens can be adjusted.

To perform time drift adjustment on a FortiToken:

  1. In a browser, go to https://<FortiAuthenticator IP Address> /admin/fac_ auth/fortitokendrift/.
  2. Select the FortiToken to adjust, then select Adjust Drift. The Adjust Token Drift window opens.
  3. Enter the required Time adjustment in minutes.

Include a minus sign for a negative value, but don’t use a plus sign for a positive value.

  1. Select OK to adjust the token drift.

2 thoughts on “FortiAuthenticator 4.0 Authentication

  1. dav

    I am trying to get uses to be able to do a password change when they VPN into the network after their password expire’s.
    One issue i am running into is on the Authenticaticator under monitor the status of the Connection only says “Joined AD” and “not connected” do you know why ?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.