FortiGate Authentication What’s New

What's New in FortiOS 5.6

The following section describes new authentication features added to FortiOS 5.6.0 and 5.6.1.

FortiOS 5.6.1

These features first appeared in FortiOS 5.6.1.

IPv6 RADIUS Support (309235, 402437, 439773)

RADIUS authentication is supported with IPv6, allowing administrators to configure an IPv6 RADIUS server on the FortiGate for IPv6 RADIUS authentication traffic to pass between the server and FortiGate.

Syntax

Allow IPv6 access on an interface:

config system interface
    edit <name>
        config ipv6
            set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}
            set ip6-address <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
        end
    next
end

Configure the IPv6 RADIUS server:

config user radius
    edit <name>
        set server <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>
        …
    next
end

Full certificate chain CRL checking (407988)

Certificate revocation/status checking for peer certificates and intermediate CAs is now supported. The fnbam_auth_cert() API was redesigned to take an X509 stack instead of an array for the certificate chain, and the obsolete fnbam API and parameters were removed. authd, sslvpnd, and the GUI now send full certificate chains to fnbamd for verification.

New option under user > setting to allow/forbid SSL renegotiation in firewall authentication (386595)

A new option, auth-ssl-allow-renegotiation, is available under config user setting to allow or forbid SSL renegotiation. The default value is disable: the session is terminated by authd as soon as renegotiation is detected, and the login is recorded as a failure. All other behavior follows the regular auth settings.

Syntax

config user setting
    set auth-ssl-allow-renegotiation {enable | disable}
end

New option to allow spaces in RADIUS DN format (422978)

Previously, IKEv2 RADIUS group authentication introduced a regression because it removed spaces from ASN.1 DN peer identifier string.

Reverted default DN format to include spaces. Added a new CLI option ike-dn-format to allow the user to select either with-space or no-space. Customers using the group-authentication option can select the ike-dn-format setting to match the format used in their RADIUS user database.

Added LDAP filter when group-member-check is user-attr (403140)

An LDAP filter can now be applied when group-member-check is user-attr. The filter is used when the user attribute is checked.

Syntax

config user ldap
    edit <name>
        set group-filter ?
    next
end

  • group-filter is none by default, where the process is the same as before.

When group-filter is set, the LDAP filter takes effect for retrieving the group information.

Added Refresh button to the LDAP browser (416649)

Previously, cached LDAP data was used even if the LDAP server configuration was updated.

In FortiOS 5.6.1, a Refresh button has been added in the LDAP browser. In the LDAP server dialog page, the user can delete the DN field to browse the root level tree when clicking the Fetch DN button.

Differentiate DN option for user authentication and membership searching (435791)

Previously, LDAP used the same DN option for user authentication and membership searching. New CLI commands are introduced to config user ldap to resolve this issue:

  • group-member-check user-attr

For user attribute checking, a new attribute group-search-base is added, which indicates the starting point for the group search. If group-search-base is not set, binddn is used as the search base. The searchtype setting was removed when group-member-check is user-attr.

  • group-member-check group-object

For group object checking, the group names in the user group match rule are used as the group search base. If there are multiple matching rules, each group name triggers one ldapsearch query.

  • group-member-check posix-group-object

group-object-search-base was renamed to group-search-base for the posix-group-object group-member-check.

FTM Push when FAC is auth server (408273)

This feature adds support for FortiToken Mobile (FTM) push with FortiAuthenticator server in FortiOS. It also fixes a crash when adding a node to an RB tree, by checking if the same key has already been used in the tree. If yes, remove the node using the same key before adding a new node.

Non-blocking LDAP authentication (433700)

The previous LDAP authentication in fnbamd used the OpenLDAP library. OpenLDAP supports non-blocking BIND, but it is not event driven.

To support non-blocking LDAP in fnbamd, fnbamd no longer uses the OpenLDAP library and instead uses only liblber. fnbamd creates its own event-driven, non-blocking connection to LDAP servers over LDAP/LDAPS/STARTTLS, performs CRL checking if necessary, and composes all LDAP requests with liblber (including bind, unbind, search, password renewal, password query, sending requests, receiving responses, and parsing responses). The whole process is done over one connection.

This doesn't change the OpenLDAP implementation; it only moves some data structure and API definitions from internal header files to public header files.

Manual certificate SCEP renewal (423997)

Added support for manual SCEP certificate renewal, in addition to the existing auto-regeneration feature.

More detailed RADIUS responses shown in connectivity test (434303)

Improved on-demand test connectivity for RADIUS servers. Test results show RADIUS server reachability, NAS client rejection, and invalid User/Password. Test also shows RADIUS Attributes returned from the RADIUS server.

Example

FG100D3G12807101 # diagnose test authserver radius-direct
<server_name or IP> <port no(0 default port)> <secret> <user> <password>

FG100D3G12807101 # diagnose test authserver radius-direct 1.1.1.1 0 dd
RADIUS server ‘1.1.1.1’ status is Server unreachable

FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 dd
RADIUS server ‘172.18.5.28’ status is Secret invalid

FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 fortinet jeff1 asdfasdf
RADIUS server ‘172.18.5.28’ status is OK
Access-Reject

FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 fortinet ychen1 asdfasdf
RADIUS server ‘172.18.5.28’ status is OK
Access-Accept
AVP: l=6 t=Framed-Protocol(7) Value: 1
AVP: l=6 t=Service-Type(6) Value: 2
AVP: l=46 t=Class(25)
Value: 9e 2a 08 6d 00 00 01 37 00 01 17 00 fe 80 00 00 00 00 00 00 00 00 5e fe ac 12 05 1c 01 d2 cd b6 75 a6 80 56 00 00 00 00 00 00 00 1c
AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=6 t=MS-Link-Utilization-Threshold(14) Value: 50
AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=6 t=MS-Link-Drop-Time-Limit(15) Value: 120
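The four outcomes the test distinguishes (server unreachable, secret rejected, Access-Reject, Access-Accept with attributes) are worth parsing when the command is run from a monitoring script rather than read by eye. The following is an added example, not Fortinet code: a small parser for the output format shown above, which also reassembles a multi-line Class value and attaches a VSA line to the Vendor-Specific AVP before it. The sample transcript embedded in it is constructed to match the shape of the output above.

```python
import re

# Constructed sample in the shape of the diagnose output above (not a real capture).
SAMPLE_ACCEPT = """\
RADIUS server '172.18.5.28' status is OK
Access-Accept
AVP: l=6 t=Framed-Protocol(7) Value: 1
AVP: l=6 t=Service-Type(6) Value: 2
AVP: l=46 t=Class(25)
Value: 9e 2a 08 6d 00 00 01 37 00 01 17 00
1c 01 d2 cd b6 75 a6 80
AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311) VSA: l=6 t=MS-Link-Utilization-Threshold(14) Value: 50
AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=6 t=MS-Link-Drop-Time-Limit(15) Value: 120
"""
SAMPLE_REJECT = "RADIUS server '172.18.5.28' status is OK Access-Reject\n"
SAMPLE_SECRET = "RADIUS server '172.18.5.28' status is Secret invalid\n"
SAMPLE_UNREACH = "RADIUS server '1.1.1.1' status is Server unreachable\n"

# The status line may use straight or curly quotes depending on how it was captured.
STATUS_RE = re.compile(r"RADIUS server ['\u2018\"](?P<server>[^'\u2019\"]+)['\u2019\"] status is (?P<status>.+)$")
AVP_RE = re.compile(
    r"AVP: l=(?P<len>\d+) t=(?P<name>[\w-]+)\((?P<type>\d+)\)"
    r"(?: v=(?P<vendor>[\w-]+)\((?P<vid>\d+)\))?"
    r"(?: VSA: l=\d+ t=(?P<vsa>[\w-]+)\((?P<vtype>\d+)\))?"
    r"(?: Value: (?P<value>.*))?$"
)
VSA_RE = re.compile(r"VSA: l=\d+ t=(?P<vsa>[\w-]+)\((?P<vtype>\d+)\)(?: Value: (?P<value>.*))?$")
HEX_RUN_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")


def parse_radius_test(output):
    """Parse one 'diagnose test authserver radius-direct' result into a dict."""
    res = {"server": None, "status": None, "code": None, "avps": []}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATUS_RE.match(line)
        if m:
            res["server"] = m.group("server")
            status = m.group("status").strip()
            # The reply code may share the status line ("OK Access-Reject") or follow on its own line.
            for code in ("Access-Accept", "Access-Reject"):
                if status.endswith(code):
                    res["code"] = code
                    status = status[: -len(code)].strip()
            res["status"] = status
            continue
        if line in ("Access-Accept", "Access-Reject"):
            res["code"] = line
            continue
        m = AVP_RE.match(line)
        if m:
            avp = {"name": m.group("name"), "type": int(m.group("type")), "value": m.group("value")}
            if m.group("vendor"):
                avp["vendor"] = m.group("vendor")
            if m.group("vsa"):
                avp["vsa"] = m.group("vsa")
            res["avps"].append(avp)
            continue
        if not res["avps"]:
            continue
        last = res["avps"][-1]
        m = VSA_RE.match(line)
        if m:  # VSA printed on the line after its Vendor-Specific AVP
            last["vsa"], last["value"] = m.group("vsa"), m.group("value")
        elif line.startswith("Value:") and last["value"] is None:
            last["value"] = line[len("Value:"):].strip()
        elif HEX_RUN_RE.match(line) and last["value"] is not None:
            last["value"] += " " + line  # continuation of a long hex value (e.g. Class)
    return res


def classify(res):
    """Map a parsed result onto the failure classes the test reports."""
    if res["status"] == "OK" and res["code"] == "Access-Accept":
        return "accepted"
    if res["status"] == "OK" and res["code"] == "Access-Reject":
        return "invalid-user-or-password"
    if res["status"] == "Secret invalid":
        return "nas-client-rejected"
    if res["status"] == "Server unreachable":
        return "server-unreachable"
    return "unknown"


def avp_value(res, name):
    """Return the value of a standard attribute or of a VSA by name, or None."""
    for avp in res["avps"]:
        if avp.get("vsa") == name or (avp["name"] == name and not avp.get("vsa")):
            return avp["value"]
    return None


if __name__ == "__main__":
    parsed = parse_radius_test(SAMPLE_ACCEPT)
    print(classify(parsed), avp_value(parsed, "MS-Link-Drop-Time-Limit"))
```

Feed the parser the captured text of one test run at a time; the classification is what a monitoring job would alert on, and the AVP lookup lets you confirm that the server returns the attributes (for example Class) that RSSO or group matching depends on.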

Firewall user authentication timeout range increased (378085)

The firewall user authentication timeout max value has increased from 3 days to 30 days.

Syntax

config user group
    edit <name>
        set authtimeout <0 – 43200>
    next
end

FortiOS 5.6.0

These features first appeared in FortiOS 5.6.0.

FortiToken Mobile Push (397912, 408273, 399839, 404872)

FortiToken Mobile push supports two-factor authentication without requiring users to enter a four-digit code to authenticate. Instead they can just accept the authentication request from their FortiToken Mobile app.

A new command has been added under config system ftm-push allowing you to configure the FortiToken Mobile Push services server IP address and port number. The Push service is provided by Apple (APNS) and Google (GCM) for iPhone and Android smartphones respectively. This will help to avoid tokens becoming locked after an already enabled two-factor authentication user has been disabled. In addition, FortiOS supports FTM Push when FortiAuthenticator is the authentication server.

CLI syntax

config system ftm-push
    set server-ip <ip-address>
    set server-port [1-65535]    (default is 4433)
end


In addition, FTM Push is supported on administrator login and SSL VPN login for both iOS and Android. If an SSL VPN user authenticates with their token, then logs out and attempts to reauthenticate again within a minute, a new message will display showing “Please wait x seconds to login again.” This replaces a previous error/permission denied message.

The “x” value will depend on the calculation of how much time is left in the current time step.

CLI syntax

config system interface
    edit <name>
        set allowaccess ftm
    next
end

Support V4 BIOS certificate (392960)

FortiOS now supports backwards compatibility between new BIOS version 4 and old BIOS version 3.

New BIOS V4 certificates:

  • Fortinet_CA
  • Fortinet_Sub_CA
  • Fortinet_Factory

Old BIOS V3 certificates:

  • Fortinet_CA_Backup
  • Fortinet_Factory_Backup

When FortiOS connects to FortiGuard, FortiCloud, FortiManager, FortiAnalyzer, FortiSandbox as a client, the new BIOS certificate Fortinet_Factory will be the default client certificate. When the server returns its certificate (chain) back, FortiOS looks up the issuer of the server certificate and either keeps client certificate as is or switches to the old BIOS certificate Fortinet_Factory_Backup. This process occurs in one handshake.

When FortiOS connects to FortiCare, the new BIOS certificate Fortinet_Factory is the only client certificate and Server Name Indication (SNI) is set. There is no switchover of certificate during SSL handshake.

When FortiOS acts as a server when connected by FortiExtender, FortiSwitch, FortiAP, etc., Fortinet_Factory is the default server certificate. FortiOS detects SNI in client hello, and if no SNI is found or if the CN in SNI is different from the CN of Fortinet_CA, it switches to use the old Fortinet_Factory_Backup.

Support extendedKeyUsage for x.509 certificates (390393)

As per Network Device Collaborative Protection Profile (NDcPP) v1.0 requirements, server certificates used for TLS connections between FortiGate and FortiAnalyzer should have the “Server Authentication” and “Client Authentication” extendedKeyUsage fields in FIPS/CC mode.

To implement this, a new CLI command has been added under log fortianalyzer setting to allow you to specify the certificate used to communicate with FortiAnalyzer.

CLI syntax

config log fortianalyzer setting
    set certificate <name>
end

Administrator name added to system event log (386395)

The administrator’s name now appears in the system event log when the admin issues a user quarantine ban on a source address.

Support RSA-4096 bit key-length generation (380278)

In anticipation of quantum computers, RSA-4096 bit key-length CSRs can now be imported.

New commands added to config user ldap to set UPN processing method and filter name (383561)

Added two new commands to config user ldap allowing you to keep or strip domain string of UPN in the token as well as the search name for this kind of UPN.

CLI syntax:

config user ldap
    edit <name>
        set account-key-processing
        set account-key-name
    next
end

User authentication max timeout setting change (378085)

To accommodate wireless hotspot users authenticated on the FortiGate, the user authentication max timeout setting has been extended to three days (from one day, previously).

Changes to Authentication Settings > Certificates GUI (374980)

Added new icons for certificate types and updated formatters to use these new icons.

Password for private key configurable in both GUI and CLI (374593)

FortiOS 5.4.1 introduced a feature that allowed you to export a local certificate and its private key in password protected p12, and later import them to any device. This option to set password for private key was available only in the CLI (when requesting a new certificate via SCEP or generating a CSR). This feature is now also configurable through the GUI.

The new Password for private key option is available under System > Certificates when generating a new CSR.

RADIUS password encoding (365145)

A new CLI command, under config user radius, has been added to allow you to configure RADIUS password encoding to use ISO-8859-1 (as per RFC 2865).

Certain RADIUS servers use ISO-8859-1 password encoding rather than UTF-8. In these instances the server fails to authenticate the user if the user's password is sent in UTF-8.

CLI syntax

config user radius
    edit <example>
        set password-encoding {auto | ISO-8859-1}
    next
end

This option will be skipped if the auth-type is neither auto nor pap.
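Why the charset matters for PAP: RFC 2865 hides the User-Password attribute by XORing the password octets with an MD5 keystream, so the octets the server decrypts are exactly the octets the client encoded. A non-ASCII password encoded as UTF-8 produces different octets (and a different hidden attribute) than the same password in ISO-8859-1, and a server that stores ISO-8859-1 octets will compare them unequal. The following is an added example, not FortiOS code, that implements the RFC 2865 section 5.2 hiding on both sides and models such a server; the password, secret (the placeholder "fortinet" from the test above) and Request Authenticator are constructed values.

```python
import hashlib


def hide_pap_password(password, secret, authenticator, encoding="utf-8"):
    """Hide a PAP password as in RFC 2865 section 5.2.

    The password is turned into octets with the chosen charset (the step the
    password-encoding option selects), NUL-padded to a multiple of 16 octets,
    then each 16-octet block is XORed with MD5(secret + previous block), seeded
    with the 16-octet Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    p = password.encode(encoding)
    if not p or len(p) > 128:
        raise ValueError("password must be 1..128 octets")
    p += b"\x00" * (-len(p) % 16)
    secret_octets = secret.encode("ascii")  # assumption: ASCII shared secret
    out, prev = bytearray(), authenticator
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret_octets + prev).digest()
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], mask))
        out += block
        prev = block  # chaining: next mask depends on this ciphertext block
    return bytes(out)


def reveal_pap_octets(hidden, secret, authenticator):
    """Server side: undo the hiding and return the raw password octets."""
    secret_octets = secret.encode("ascii")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret_octets + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def server_accepts(hidden, stored_password, secret, authenticator, server_encoding):
    """Model a server that stores passwords in server_encoding and compares octets."""
    expected = stored_password.encode(server_encoding)
    return reveal_pap_octets(hidden, secret, authenticator) == expected


if __name__ == "__main__":
    ra = bytes(range(16))               # constructed Request Authenticator
    pw = "p\u00e4ssw\u00f6rd"           # "pässwörd": 10 octets in UTF-8, 8 in ISO-8859-1
    as_utf8 = hide_pap_password(pw, "fortinet", ra, "utf-8")
    as_latin1 = hide_pap_password(pw, "fortinet", ra, "iso-8859-1")
    print("ISO-8859-1 server, UTF-8 client:     ", server_accepts(as_utf8, pw, "fortinet", ra, "iso-8859-1"))
    print("ISO-8859-1 server, ISO-8859-1 client:", server_accepts(as_latin1, pw, "fortinet", ra, "iso-8859-1"))
```

An ASCII-only password encodes identically under both charsets, which is why the problem only surfaces for users whose passwords contain accented or other non-ASCII characters, and why the option is irrelevant for auth-types other than auto and pap (those do not send the password as hidden octets at all).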

RSSO supports Delegated-IPv6-Prefix and Framed-IPv6-Prefix (290990)

Two attributes, Delegated-IPv6-Prefix and Framed-IPv6-Prefix, have been introduced for RSSO to provide a /56 prefix for DSL customers. All devices connected from the same location (/56 per subscriber) can be mapped to the same profile without the need to create multiple /64 or smaller entries.
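To make the /56-per-subscriber point concrete, here is an added example (not FortiOS code) that models the RSSO side: it takes the prefix from whichever of the two attributes an accounting-start record carries, builds a prefix-to-profile table, and resolves a traffic source address by longest-prefix match. The accounting records, prefixes and profile names are constructed.

```python
import ipaddress

# Constructed RSSO-style accounting-start records, one per subscriber session.
# The attribute names are the two the feature adds; the prefixes are made up.
ACCOUNTING_START = [
    {"User-Name": "sub-1001", "Delegated-IPv6-Prefix": "2001:db8:a100::/56", "Class": "dsl-gold"},
    {"User-Name": "sub-1002", "Framed-IPv6-Prefix": "2001:db8:a200::/56", "Class": "dsl-silver"},
]

PREFIX_ATTRS = ("Delegated-IPv6-Prefix", "Framed-IPv6-Prefix")


def build_rsso_table(records):
    """Return {IPv6Network: (user, profile)} built from accounting-start records.

    A record may carry either attribute; strict=True rejects prefixes with host
    bits set so a malformed attribute cannot silently widen the match.
    """
    table = {}
    for rec in records:
        for attr in PREFIX_ATTRS:
            if attr in rec:
                net = ipaddress.ip_network(rec[attr], strict=True)
                if net.version != 6:
                    raise ValueError("%s must be an IPv6 prefix" % attr)
                table[net] = (rec["User-Name"], rec["Class"])
    return table


def lookup(table, address):
    """Longest-prefix match of a source address against the table, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, entry in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None


def slash64_entries_replaced(net):
    """How many /64 entries a single entry of this prefix length stands in for."""
    return 2 ** (64 - net.prefixlen)


if __name__ == "__main__":
    table = build_rsso_table(ACCOUNTING_START)
    # Two devices in different /64s of the same subscriber /56 hit the same profile.
    print(lookup(table, "2001:db8:a100:7f::10"), lookup(table, "2001:db8:a100:ff::1"))
    print(slash64_entries_replaced(ipaddress.ip_network("2001:db8:a100::/56")), "/64 entries avoided")
```

A /56 stands in for 256 /64 entries, which is the saving the feature is after; the strict prefix check is the one thing to keep even in a toy, because a prefix attribute with stray host bits would otherwise be accepted and matched more broadly than the subscriber's actual allocation.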

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
