Tag Archives: fortiauthenticator

Troubleshooting – FortiAuthenticator 4.0

Troubleshooting

This chapter provides suggestions to resolve common problems encountered while configuring and using your FortiAuthenticator device, as well as information on viewing debug logs.

For more support, contact Fortinet Customer Service & Support (support.fortinet.com).

Before starting, please ensure that your FortiAuthenticator device is plugged in to an appropriate, and functional, power source.

Troubleshooting

The following table describes some of the basic issues that can occur while using your FortiAuthenticator device, and suggestions on how to solve said issues.

Problem Suggestions
All user log in attempts fail, there is no response from the FortiAuthenticator device, and there are no entries in the system log. l  Check that the authentication client has been correctly configured. See Adding a FortiAuthenticator unit to your network on page 16. If the authentication client is not configured, all requests are silently dropped.

l  Verify that traffic is reaching the FortiAuthenticator device.

Is there an intervening Firewall blocking 1812/UDP RADIUS Authentication traffic, is the routing correct, is the authentication client configured with correct IP address for the FortiAuthenticator unit, etc.

All user log in attempts fail with the message RADIUS ACCESS-REJECT, and

invalid password shown in the logs.

l Verify that the authentication client secrets are identical to those on the FortiAuthenticator unit.
Generally, user log in attempts are successful, however, an individual user authentication attempt fails with invalid password shown in the logs. l  Reset the user’s password and try again. See Editing a user on page 60.

l  Have the user privately show their password to the administrator to check for unexpected characters (possibly due to keyboard regionalization issues).

159

Troubleshooting                                                                                                                                Debug logs

Problem Suggestions
Generally, user log in attempts are successful, however, an individual user authentication attempt fails with invalid token shown in the logs. l  Verify that the user is not trying to use a previously used PIN. Tokens are One Time Passwords, so you cannot log in twice with the same PIN.

l  Verify that the time and timezone on the FortiAuthenticator unit are correct and, preferably, synchronised using NTP. See Configuring the system time, time zone, and date on page 27.

l  Verify that the token is correctly synchronized with the

FortiAuthenticator unit, and verify the drift by synchronizing the token. See FortiToken drift adjustment on page 75.

l  Verify the user is using the token assigned to them (validate the serial number against the FortiAuthenticator unit configuration). See User management on page 57.

l  If the user is using an e-mail or SMS token, verify it is being used within the valid timeout period. See Lockouts on page 55.

Debug logs

Extended debug logs can be accessed by using your web browser to browse to https://<FortiAuthenticator IP Address>/debug.

Debug logs                                                                                                                                Troubleshooting

Service Select the service whose logs are shown from the drop-down list: l FSSO Agent l GUI l HA l LDAP

l  RADIUS Accounting l RADIUS Authentication

l  SNMP

l  Startup l Web Server

Enter debug mode If RADIUS Authentication is selected as the service, the option to enter the debug mode is available. See RADIUS debugging on page 161.
Search Enter a search term in the search field, then select Search to search the debug logs.
Page navigation Use the First Page, Previous Page, Next Page, and Last Page icons to navigated through the logs.
Show Select the number of lines to show per page from the drop-down list. The options are: 100 (default), 250, and 500.

RADIUS debugging

RADIUS authentication debugging mode can be accessed to debug RADIUS authentication issues.

In the debug logs screen, select RADIUS Authentication from the Service drop-down list, then select Enter debug mode from the toolbar.

Enter the username and password then select OK to test the RADIUS authentication and view the authentication response and returned attributes.

Select Exit debug mode to deactivate the debugging mode.

Certificate Management – FortiAuthenticator 4.0

Certificate Management

This section describes managing certificates with the FortiAuthenticator device.

FortiAuthenticator can act as a CA for the creation and signing of X.509 certificates, such as server certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPSEC VPN.

The FortiAuthenticator unit has several roles that involve certificates:

Certificate authority The administrator generates CA certificates that can validate the user certificates generated on this FortiAuthenticator unit.

The administrator can import other authorities’ CA certificates and Certificate Revocation Lists (CRLs), as well as generate, sign, and revoke user certificates. See End entities on page 133 for more information.

SCEP server A SCEP client can retrieve any of the local CA certificates (Local CAs on

page 140), and can have its own user certificate signed by the FortiAuthenticator unit CA.

Remote LDAP

Authentication

Acting as an LDAP client, the FortiAuthenticator unit authenticates users against an external LDAP server. It verifies the identity of the external LDAP server by using a trusted CA certificate, see Trusted CAs on page 147.
EAP Authentication The FortiAuthenticator unit checks that the client’s certificate is signed by one of the configured authorized CA certificates, see Certificate authorities on page 140. The client certificate must also match one of the user certificates, see End entities on page 133.

Any changes made to certificates generate log entries that can be viewed at Logging > Log Access > Logs. See Logging on page 154.

This chapter includes the following sections:

l Policies l End entities l Certificate authorities l SCEP

Policies

The policies section includes global configuration settings which are applied across all certificate authorities and end-entity certificates created on the FortiAuthenticator device.

Certificate expiry

Certificate expiration settings can be configured in Certificate Management > Policies > Certificate Expiry.

 

The following settings can be configured:

Warn when a certificate is about to expire Enable sending a warning message to an administrator before a certificate expires.
Send a warning e-mail Enter the number of days before the certificate expires that the email will be sent.
Administrator’s e-mail Enter the email address to which the expiry warning message will be sent.

Select OK to apply any configuration changes.

End entities

User and server certificates are required for mutual authentication on many HTTPS, SSL, and IPsec VPN network resources. You can create a user certificate on the FortiAuthenticator device, or import and sign a CSR. User certificates, client certificates, or local computer certificates are all the same type of certificate.

To view the user certificate list, go to Certificate Management > End Entities > Users. To view the server certificate list, go to Certificate Management > End Entities > Local Services.

The following information is available:

Create New   Create a new certificate.
Import   Select to import a certificate signed by a third-party CA for a previously generated CSR (see To import a local user certificate: on page 138 and To import a server certificate: on page 138) or to import a CSR to sign (see To import a CSR to sign: on page 138).
Revoke   Revoke the selected certificate. See To revoke a certificate: on page 139.
Delete   Delete the selected certificate.
Export Certificate   Save the selected certificate to your computer.
Export PKCS#12   Export the PKCS#12. This is only available for user certificates.
Search   Enter a search term in the search field, then press Enter to search the certificate list.
Filter   Select to filter the displayed certificates by status. The available selections are: All, Pending, Expired, Revoked, and Active.
Certificate ID   The certificate ID.
Subject   The certificate’s subject.
Issuer The issuer of the certificate.
Status The status of the certificate, either active, pending, or revoked.

Certificates can be created, imported, exported, revoked, and deleted as required. CSRs can be imported to sign, and the certificate detail information can also be viewed, see To view certificate details: on page 140.

To create a new certificate:

  1. To create a new user certificate, go to Certificate Management > End Entities > Users. To create a new server certificate, go to Certificate Management > End Entities > Local Services.
  2. Select Create New to open the Create New UserCertificate or Create New ServerCertificate
  3. Configure the following settings:

 

Certificate ID Enter a unique ID for the certificate.
Certificate Signing Options  
Issuer Select the issuer of the certificate, either Local CA or Third-party CA. Selecting Third-party CA generates a CSR that is to be signed by a third-party CA.
Local User (Optional) If Local CA is selected as the issuer, you may select a local user from the drop-down list to whom the certificate will apply.This option is only available when creating a new user certificate.
Certificate authority If Local CA is selected as the issuer, select one of the available CAs configured on the FortiAuthenticator unit from the drop-down list. The CA must be valid and current. If it is not you will have to create or import a CA certificate before continuing. See Certificate authorities on page 140.
Subject Information  
Subject input method Select the subject input method, either Fully distinguished name or

Field-by-field.

Fully distinguished name If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes.Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive.
Field-by-field If the subject input method is Field-by-field, enter the subject name in the Name (CN) field, and optionally enter the following fields:

Department (OU) l Company (O) l City (L) l State/Province (ST)

Country (C) (select from drop-down list) l E-mail address

Key and Signing Options  
Validity period Select the amount of time before this certificate expires. This option is only available when Issuer is set to Local CA.

Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires.

Key type The key type is set to RSA.
Key size Select the key size from the drop-down list: 1024, 2048, or 4096 bits.
Hash algorithm Select the hash algorithm from the drop-down list, either SHA-1 or SHA-256.

 

Subject Alternative Name Subject Alternative Names (SAN) allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.

For example, SANs are used to protect multiple domain names such as www.example.com and www.example.net, in contrast to wildcard certificates that can only protect all first-level subdomains on one domain, such as *.example.com.

Email Enter the email address of a user to map to this certificate.
User Principal Name (UPN) Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
Other Extensions This option is only available when creating a new user certificate, and when Issuer is set to Local CA.
Add CRL Distribution Points extension Select to add CRL distribution points extension to the certificate. Note: Once a certificate is issued with this extension, the server must be able to handle the CRL request at the specified location.

A DNS domain name must be configured. If it has not been, select Edit DNS name to configure one. See DNS on page 31.

Use certificate for Smart Card logon Select to use the certificate for smart card logon.
Advanced Options: Key Usages Some certificates require the explicit presence of key usage attributes before the certificate can be accepted for use.
Digital Signature a high-integrity signature that assures the recipient that a message was not altered in transit
Non Repudiation an authentication that is deemed as genuine with high assurance
Key Encipherment uses the public key to encrypt private or secret keys
Data Encipherment uses the public key to encrypt data
Key Agreement an interactive method for multiple parties to establish a cryptographic key, based on prior knowledge of a password
Certificate Sign a message from an applicant to a certificate authority in order to apply for a digital identity certificate
CRL Sign a Certificate Revocation List (CRL) Sign states a validity period for an issued certificate
Encipher Only information will be converted into code only
Decipher Only code will be converted into information only
Advanced Options: Extended Key Usages Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use.

 

Server Authentication authentication will only be granted when the user submits their credentials to the server
Client Authentication authentication will be granted to the server by exchanging a client certificate
Code Signing used to confirm the software author, and guarantees that the code has not been altered or corrupted through use of a cryptographic hash
Secure Email a secure email sent over SSL encryption
OCSP Signing Online Certificate Status Protocol (OCSP) Signing sends a request to the server for certificate status information. The server will send back a response of “current”, “expired”, or “unknown”. OCSP permits a grace period to users or are expired, allowing them a limited time period to renew. This is usually used over CRL.
IPSec End System  
IPSec Tunnel Termination IPSec SAs (Security Associations) are terminated through deletion or by timing out
IPSec User  
IPSec IKE

Intermediate (end entity)

An intermediate certificate is a subordinate certificate issued by a trusted root specifically to issue end-entity certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate CA (or CAs) and ending with the SSL certificate issued to you.
Time Stamping  
Microsoft Individual Code Signing user submits information that is compared to an independent consumer database to validate their credentials
Microsoft Commercial Code Signing user submits information that proves their identity as corporate representatives
Microsoft Trust List Signing uses a Certificate Trust List (CTL), a list of hashes of certificates. The list is comprised of pre-authenticated items that were approved by a trusted signing entity
Microsoft/Netscape Server Gated Crypto a defunct mechanism that stepped up 40-bit and 50-bit to 128-bit cipher suites with SSL
Microsoft Encrypted File System the Encrypted File System (EFS) enables files to be transparently encrypted to protect confidential data
Microsoft EFS File Recovery the certificate will be granted on the condition it has an EFS file recovery agent prepared
Smart Card Logon the certificate will be granted on the condition that the user logs on to the network with a smart card
EAP over PPP/LAN Extensible Authentication Protocol (EAP) will operate within either a Point-to-Point Protocol (PPP) or Local Area Network (LAN) framework
KDC Authentication an Authentication Server (AS) forwards usernames to a key distribution center (KDC), which issues an encrypted, time stamped ticket back to the user
  1. Select OK to create the new certificate.

To import a local user certificate:

  1. Go to Certificate Management > End Entities > Users and select Import.
  2. In the Import Signing Request orCertificate window, in the Type field, select Local certificate.
  3. Select .. to locate the certificate file on your computer.
  4. Select OK to import the certificate.

To import a server certificate:

  1. to Certificate Management > End Entities > Local Services and select Import.
  2. In the Import Certificate window, select .. to locate the certificate file on your computer.
  3. Select OK to import the certificate.

To import a CSR to sign:

  1. Go to Certificate Management > End Entities > Users and select Import.
  2. In the Import Signing Request orCertificate window, in the Type field, select CSR to sign.
  3. Configure the following settings:
Certificate ID Enter a unique ID for the certificate.
CSR file (.csr, .req) Select Browse… then locate the CSR file on your computer.
Certificate Signing Options  
Certificate authority Select one of the available CAs configured on the FortiAuthenticator from the         drop-      down     list.

The CA must be valid and current. If it is not you will have to create or import a CA certificate before continuing. See Certificate authorities on page 140.

Validity period Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires
Hash algorithm Select the hash algorithm from the drop-down list, either SHA-1 or SHA256.
Subject Alternative Name  
Email Enter the email address of a user to map to this certificate.
User Principal Name (UPN) Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique the Windows Server domain. This is a form of one-to-one mapping.
Other Extensions  
                     Add            CRL

Distribution

Points extension

Select to add CRL distribution points extension to the certificate. Note: Once a certificate is issued with this extension, the server must be able to handle the CRL request at the specified location. A DNS domain name must be configured. If it has not been, select Edit DNS name to configure one. See DNS on page 31.
Use certificate for

Smart Card logon

Select to use the certificate for smart card logon. This option can only be selected concurrently with Add CRL Distribution Points extension.
  1. Select OK to import the CSR.

To revoke a certificate:

  1. Go to Certificate Management > End Entities > Users or to Certificate Management > End Entities > Local Services.
  2. Select the certificate the will be revoked, then select Revoke. The Revoke UserCertificate or Revoke Server Certificate window opens.
  3. Select a reason for revoking the certificate from the Reason code drop-down list. The reasons available are:

l Unspecified l Key has been compromised l CA has been compromised l Changes in affiliation l Superseded l Operation ceased l On Hold

 

Some of these reasons are security related (such as the key or CA being compromised), while others are more business related; a change in affiliation could be an employee leaving the company; Operation ceased could be a project that was cancelled.

  1. Select OK to revoke the certificate.

To view certificate details:

From the certificate list, select a certificate ID to open the Certificate Detail Information window.

Select Edit next to the Certificate ID field to change the certificate ID. If any of this information is out of date or incorrect, you will not be able to use this certificate. If this is the case, delete the certificate and re-enter the information in a new certificate, see To create a new certificate: on page 134. Select Close to return to the certificate list.