Authentication – What's New in FortiOS 5.4

RADIUS CoA for user, user-group and captive-portal authentication (RFC 5176) (274813 270166)

RADIUS Change of Authorization (CoA) is a common feature in user authentication. User, user-group and captive-portal authentication now support RADIUS CoA when the back-end authentication server is a RADIUS server.

The main use case for this feature is an external captive portal: the RADIUS server can send a CoA disconnect message to log off hotspot users when their time, credit or bandwidth has been used up.
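The disconnect flow described above, as an added example that is not part of the original page and not Fortinet's code: a minimal RFC 5176 Disconnect-Request/ACK exchange in Python. The RADIUS server side builds the request with its Request Authenticator; a model of the NAS (the captive-portal gateway) verifies the authenticator with the shared secret, silently discards anything that fails, tears down the matching session and answers with an ACK, or with a NAK carrying Error-Cause 503 when no session matches. The shared secret, usernames, addresses and session table are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Standard RADIUS attribute types used below
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ERROR_CAUSE = 101                 # RFC 5176 section 3.5
ERR_SESSION_CONTEXT_NOT_FOUND = 503


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS type/length/value triplets."""
    out = b""
    for typ, val in attrs:
        if not 0 < len(val) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        typ, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((typ, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(code, ident, attrs, secret):
    """RADIUS server side: CoA/Disconnect-Request with its Request Authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # RFC 5176 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """NAS side: accept only if the authenticator proves knowledge of the secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code, request, attrs, secret):
    """NAS side: ACK/NAK whose Response Authenticator binds it to the request."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    # MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """RADIUS server side: check that the reply really answers our request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def nas_handle_disconnect(packet, secret, sessions):
    """Model NAS: process one Disconnect-Request against a set of (user, ip) sessions.

    Returns the response packet, or None when the packet is silently discarded
    (bad authenticator or wrong code), as RFC 5176 requires: a sender that does
    not know the shared secret learns nothing about which sessions exist.
    """
    if packet[:1] != bytes([DISCONNECT_REQUEST]) or not verify_request(packet, secret):
        return None
    attrs = dict(decode_attrs(packet[20:]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    ip = None
    if ATTR_FRAMED_IP_ADDRESS in attrs:
        ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS]))
    if (user, ip) in sessions:
        sessions.discard((user, ip))
        return build_response(DISCONNECT_ACK, packet, [], secret)
    err = struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND)
    return build_response(DISCONNECT_NAK, packet, [(ATTR_ERROR_CAUSE, err)], secret)


def demo():
    """Constructed exchange: the server disconnects a hotspot user whose credit ran out."""
    secret = b"constructed-shared-secret"        # assumption: same secret on both sides
    sessions = {("alice", "10.0.0.5"), ("bob", "10.0.0.6")}   # constructed session table
    req = build_request(DISCONNECT_REQUEST, 7, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.5").packed),
    ], secret)
    resp = nas_handle_disconnect(req, secret, sessions)
    acked = resp is not None and resp[0] == DISCONNECT_ACK and verify_response(resp, req, secret)
    # A request built with the wrong secret gets no reply at all
    forged = build_request(DISCONNECT_REQUEST, 8, [(ATTR_USER_NAME, b"bob")], b"wrong-secret")
    dropped = nas_handle_disconnect(forged, secret, sessions) is None
    return acked, dropped, sessions
```

The authenticator is the only thing standing between a CoA client and a session teardown, so the shared secret deserves the same care as the Access-Request secret, and the NAS should additionally accept CoA traffic only from the configured RADIUS server address.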

 

RSSO: Enable or disable overriding old attribute value when a user logs in again (possibly on a different device) (278471)

When a new Start message arrives for the same user with a different group name and a different IP address (for example, a mobile device roaming), the original design overrides all of that user's group name information with the group name carried in the latest Start message.

This new feature adds an option to disable this override when needed. The default behavior keeps the original design.

 

CLI changes

An option is added to enable or disable overriding the SSO attribute value.

 

Syntax

config user radius
    edit <My_Rsso>
        set rsso enable
        set sso-attribute-value-override {enable | disable}   // Enable/Disable overriding the old attribute value with the new value for the same endpoint.
end
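To make the effect of the two settings concrete, here is an added Python model of an RSSO endpoint table; it is not FortiOS code, and the exact internal table semantics are my reading of the description above, not documented behaviour. With override enabled, a new Start for a user re-labels every endpoint that user already has with the latest group; with it disabled, existing endpoints keep the group they logged in with and only the new endpoint gets the new group. The usernames, addresses and group names are constructed.

```python
class RssoSessionTable:
    """Model of an RSSO endpoint table keyed by client IP (constructed illustration).

    override=True  models 'set sso-attribute-value-override enable' (the default).
    override=False models 'set sso-attribute-value-override disable'.
    """

    def __init__(self, override=True):
        self.override = override
        self.by_ip = {}                      # ip -> (user, group)

    def accounting_start(self, user, ip, group):
        """Handle a RADIUS Accounting Start carrying the user's group attribute."""
        if self.override:
            # Assumed 'enable' behaviour: every endpoint of this user takes the new group
            for other_ip, (u, _) in list(self.by_ip.items()):
                if u == user:
                    self.by_ip[other_ip] = (user, group)
        # Assumed 'disable' behaviour: only the new endpoint is (re)labelled
        self.by_ip[ip] = (user, group)

    def accounting_stop(self, ip):
        self.by_ip.pop(ip, None)

    def group_of(self, ip):
        """Group a firewall policy would match for traffic from this IP."""
        entry = self.by_ip.get(ip)
        return entry[1] if entry else None


def roaming_scenario(override):
    """alice is logged in from a laptop as 'staff'; her phone then roams in as 'guest-wifi'."""
    table = RssoSessionTable(override)
    table.accounting_start("alice", "10.1.1.10", "staff")       # laptop, constructed
    table.accounting_start("alice", "10.1.2.20", "guest-wifi")  # phone, constructed
    return table.group_of("10.1.1.10"), table.group_of("10.1.2.20")
```

The security-relevant point is the laptop's result: with override enabled the laptop is now matched by policies written for guest-wifi (and no longer by staff policies) the moment a second device logs in with a different group, which is exactly the case the new disable option exists for.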

 

FSSO supports Microsoft Exchange Server (270174)

FSSO supports monitoring a Microsoft Exchange Server. This is useful when users access their email with their domain account but the client device may or may not be joined to the domain. Support for Exchange Server is configured on the back-end FSSO collector agent under Advanced Settings > Exchange Server.

Select Add, enter the following information, and select OK.

Domain Name: Enter your domain name.

Server IP/Hostname: Enter the IP address or the hostname of your Exchange server.

Polling forwarded event log

Use this option when you do not want the collector agent (CA) to poll the Exchange Server logs directly. In that case you must configure event log forwarding on the Exchange server; Exchange event logs can be forwarded to any member server.

If you enable this, you must configure the IP of that member server instead of the IP of the Exchange server entered in the previous step. The CA will then contact the member server.

Ignore Name

The CA also checks the Windows event log for logon events. When a user authenticates to the Exchange Server, a logon event is written to the Windows event log as well; the CA reads it, and it overwrites the Exchange Server logon event (ES-EventLog) on the CA. It is therefore recommended to add the domain the user belongs to to the ignore list.

To do so, enter the domain name in the Ignore Name field and select Add.

 

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
