Tag Archives: fortiauthenticator 4.0

Filter Syntax – FortiAuthenticator 4.0

Filter Syntax

This chapter outlines some basic filter syntax that is used to select users and groups in LDAP User Import, Dynamic LDAP Groups, and Remote User Sync Rules.

Filters are constructed using logical operators:

= Equal to
~= Approximately equal to
<= Lexicographically less than or equal to
>= Lexicographically greater than or equal to
& AND
| OR
! NOT

Filters can consist of multiple elements, such as (&(filter1)(filter2)). More information about the query syntax of AD filters, see the following web sites:

Examples

The following examples are for a Windows 2008 AD server with the domain corp.example.com, default domain administrators and users, and an additional group called FW_Admins:

l Users (CN) = atano, pjfry, tleela, tbother l FW_Admins (Security Group) = atano, tbother

An unfiltered browse will return all results from the query, including system and computer accounts. To prevent this and only return user accounts, apply the filter (objectClass=person) or (objectCategory=user).

Even if unfiltered, only user accounts will be imported, so this is only required to clean up the results that are displayed in the GUI.

To filter and return only members of the security group: (&(objectCategory=user)(memberOf=CN=FW_ Admin,DC=corp,DC=example,DC=com)).

It is not possible to use the filter to limit results to CNs or OUs. To achieve this, you must change the Base DN in the LDAP Server configuration. For example, to return only users from the CompanyA OU, create an LDAP Server entry with the following Base DN: OU=CompanyA,DC=corp,DC=example,DC=com.

Filter Syntax

Caveats

Users do not always have a memberOf property for their primary group, this means that querying system groups, such as Domain Users, may return zero results. This can be confusing as these are often the first queries to be tried, and can lead the user to think the filter syntax is incorrect.

For example: (memberOf=CN=Domain Users,CN=Domain

Admins,DC=corp,DC=example,DC=com) will return no valid results.

To return all users in such a group, the filter can be made against the ID value of the Primary Group. So, for Domain Users (Group ID = 513), the filter would be: (primaryGroupId=513). 163

FortiAuthenticator 4.0 Authentication

Authentication

FortiAuthenticator provides an easy to configure authentication server for your users. Multiple FortiGate units can use a single FortiAuthenticator unit for remote authentication and FortiToken device management.

FortiAuthenticatorin a multiple FortiGate unit network

This chapter includes the following topics:

l What to configure l User account policies l User management l FortiToken devices and mobile apps l Self-service portal l Remote authentication servers l RADIUS service l LDAP service l FortiAuthenticator Agents

What to configure

You need to decide which elements of FortiAuthenticator configuration you need.

  • Determine the type of authentication you will use: password-based or token-based. Optionally, you can enable both types. This is called two-factor authentication.

What to configure

  • Determine the type of authentication server you will use: RADIUS, built-in LDAP, or Remote LDAP. You will need to use at least one of these server types.
  • Determine which FortiGate units or third party devices will use the FortiAuthenticator unit. The FortiAuthenticator unit must be configured on each FortiGate unit as an authentication server, either RADIUS or LDAP. For RADIUS authentication, each FortiGate unit or third party device must be configured on the FortiAuthenticator unit as an authentication client.

Password-based authentication

User accounts can be created on the FortiAuthenticator device in multiple ways:

l Administrator creates a user and specifies their username and password. l Administrator creates a username and a random password is automatically emailed to the user. l Users are created by importing either a CSV file or from an external LDAP server.

Users can self-register for password-based authentication. This reduces the workload for the system administrator. Users can choose their own passwords or have a randomly generated password provided in the browser or sent to them via email or SMS. Self-registration can be instant, or it can require administrator approval. See Self-registration on page 76.

Once created, users are automatically part of the RADIUS Authentication system and can be authenticated remotely.

See User management on page 57 for more information about user accounts.

Two-factor authentication

Two-factor authentication increases security by requiring multiple pieces of information on top of the username and password. There are generally two factors:

  • something the user knows, usually a password, l something the user has, such as a FortiToken device.

Requiring the two factors increases the difficulty for an unauthorized person to impersonate a legitimate user.

To enable two-factor authentication, configure both password-based and token-based authentication in the user’s account.

FortiAuthenticator token-based authentication requires the user to enter a numeric token at login. Two types of numerical tokens are supported:

  • Time based: TOTP (RFC 6238)

The token passcode is generated using a combination of the time and a secret key which is known only by the token and the FortiAuthenticator device. The token password changes at regular time intervals, and the FortiAuthenticator unit is able to validate the entered passcode using the time and the secret seed information for that token.

Passcodes can only be used a single time (one time passcodes) to prevent replay attacks. Fortinet has the following time based tokens:

  • FortiToken 200 l FortiToken Mobile, running on a compatible smartphone l Event based: HMAC-based One Time Password (HTOP) (RFC 4226) What to configure

The token passcode is generated using an event trigger and a secret key. Event tokens are supported using a valid email account and a mobile phone number with SMS service.

FortiToken devices, FortiToken Mobile apps, email addresses, and phone numbers must be configured in the user’s account.

Only the administrator can configure token-based authentication. See Configuring token based authentication on page 62.

Authentication servers

The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the use of remote RADIUS and LDAP (which can include Windows AD servers).

The built-in servers are best used where there is no existing authentication infrastructure, or when a separate set of credentials is required. You build a user account database on the FortiAuthenticator unit. The database can include additional user information such as street addresses and phone numbers that cannot be stored in a FortiGate unit’s user authentication database. To authenticate, either LDAP or RADIUS can be used. The remote LDAP option adds your FortiGate units to an existing LDAP structure. Optionally, you can add two-factor authentication to remote LDAP.

RADIUS

If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must be registered as RADIUS authentication clients in Authentication > RADIUS Service > Clients. See RADIUS service on page 91. On each FortiGate unit that will use the RADIUS protocol, the FortiAuthenticator unit must be configured as a RADIUS server in User & Device > Authentication > RADIUS Server.

Built-in LDAP

If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users from the user database to the appropriate nodes in the LDAP hierarchy. See Creating the directory tree on page 96. On each FortiGate unit that will use LDAP protocol, the FortiAuthenticator unit must be configured as an LDAP server in User & Device > Authentication > LDAP Server.

Remote LDAP

Remote LDAP is used when an existing LDAP directory exists and should be used for authentication. User information can be selectively synchronised with the FortiAuthenticator unit, but the user credentials (passwords) remain on, and are validated against the LDAP directory.

To utilize remote LDAP, the authentication client (such as a FortiGate device) must connect to the

FortiAuthenticator device using RADIUS to authenticate the user information (see

User & Device > Authentication > RADIUS Server). The password is then proxied to the LDAP server for validation, while any associated token passcode is validated locally.

Machine authentication

Machine, or computer, authentication is a feature of the Windows supplicant that allows a Windows machine to authenticate to a network via 802.1X prior to user authentication.

Machine authentication is performed by the computer itself, which sends its computer object credentials before the Windows logon screen appears. User authentication is performed after the user logs in to Windows.

User account policies

Based on the computer credentials provided during machine authentication, limited access to the network can be granted. For example, access can be granted to just the Active Directory server to enable user authentication.

Following machine authentication, user authentication can take place to authenticate that the user is also valid, and to then grant further access to the network.

Machine authentication commonly occurs on boot up or log out, and not, for example, when a device awakens from hibernation. Because of this, the FortiAuthenticator caches authenticated devices based on their MAC addresses for a configurable period (see General on page 54). For more information on cached users, see Windows device logins on page 131

To configure machine authentication, see Clients on page 92.

FortiAuthenticator 4.0 System

System

The System tab enables you to manage and configure the basic system options for the FortiAuthenticator unit. This includes the basic network settings to connect the device to the corporate network, the configuration of administrators and their access privileges, managing and updating firmware for the device, and managing messaging servers and services.

The System tab provides access to the following menus and sub-menus:

Dashboard Select this menu to monitor, and troubleshoot your FortiAuthenticator device. Dashboard widgets include: l System Information widget l System Resources widget l Authentication Activity widget l User Inventory widget l HA Status l License Information widget l Disk Monitor l Top User Lockouts widget
Network Select this menu to configure your FortiAuthenticator interfaces and network settings. l Interfaces

l   DNS

l   Static routing l Packet capture

Administration Select this menu to configure administrative settings for the FortiAuthenticator device. l GUI access

l   High availability l Firmware l Automatic backup

l   SNMP

l   Licensing l FortiGuard l FTP servers l Administration

Messaging Select this menu to configure messaging servers and services for the FortiAuthenticator device. l SMTP servers l E-mail services l SMS gateways

Dashboard

When you select the System tab, it automatically opens at the System > Dashboard page.

The Dashboard page displays widgets that provide performance and status information and enable you to configure some basic system settings. These widgets appear on a single dashboard.

The following widgets are available:

System Information Displays basic information about the FortiAuthenticator system including host name, DNS domain name, serial number, system time, firmware version, architecture, system configuration, current administrator, and up time.

From this widget you can manually update the FortiAuthenticator firmware to a different release. For more information, see System Information widget on page 25.

System Resources Displays the usage status of the CPU and memory. For more information, see System Resources widget on page 29.
Authentication Activity Displays a customizable graph of the number of logins to the device. For more information, see Authentication Activity widget on page 29.
User Inventory Displays the numbers of users, groups, FortiTokens, FSSO users, and FortiClient users currently used or logged in, as well as the maximum allowed number, the number still available, and the number that are disabled.

For more information, see User Inventory widget on page 29.

HA Status Displays whether or not HA is enabled.
License Information Displays the device’s license information, as well as SMS information. For more information, see License Information widget on page 29.
Disk Monitor Displays if RAID is enabled, and the current disk usage in GB.
Top User Lockouts Displays the top user lockouts. For more information, see Top User Lockouts widget on page 30.

Customizing the dashboard

The FortiAuthenticator system settings dashboard is customizable. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized.

To move a widget

Position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.

To add a widget

In the dashboard toolbar, select Add Widget, then select the name of widget that you want to show. Multiple widgets of the same type can be added. To hide a widget, in its title bar, select the Close icon.

To see the available options for a widget

Position your mouse cursor over the icons in the widget’s title bar. Options include show/hide the widget, edit the widget, refresh the widget content, and close the widget.

The following table lists the widget options.

Show/Hide arrow Display or minimize the widget.
Widget Title The name of the widget.
Edit Select to change settings for the widget.

This option appears only in certain widgets.

Refresh Select to update the displayed information.
Close Select to remove the widget from the dashboard. You will be prompted to confirm the action. To add the widget, select Widget in the toolbar and then select the name of the widget you want to show.
To change the widget title

Widget titles can be customized by selecting the edit button in the title bar and entering a new title in the widget settings dialog box. Some widgets have more options in their respective settings dialog box.

To reset a widget title to its default name, simply leave the Custom widget title field blank.

The widget refresh interval can also be manually adjusted from this dialog box.

System Information widget

The system dashboard includes a System Information widget, which displays the current status of the FortiAuthenticator unit and enables you to configure basic system settings.

The following information is available on this widget:

Host Name The identifying name assigned to this FortiAuthenticator unit. For more information, see Changing the host name on page 26.
DNS Domain Name The DNS domain name. For more information, see Changing the DNS domain name on page 27.
Serial Number The serial number of the FortiAuthenticator unit. The serial number is unique to the FortiAuthenticator unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
System Time The current date, time, and time zone on the FortiAuthenticator internal clock or NTP server. For more information, see Configuring the system time, time zone, and date on page 27.
Firmware Version The version number and build number of the firmware installed on the FortiAuthenticator unit. To update the firmware, you must download the latest version from the Customer Service & Support portal at https://support.fortinet.com. Select Update and select the firmware image to load from your management computer.
Architecture The architecture of the device, such as 32-bit.
System Configuration The date of the last system configuration backup. Select Backup/Restore to backup or restore the system configuration. For more information, see Backing up and restoring the configuration on page 28.
Current Administrator The name of the currently logged on administrator.
Uptime The duration of time the FortiAuthenticator unit has been running since it was last started or restarted.
Shutdown/Reboot Options to shutdown or reboot the device. When rebooting or shutting down the system, you have the option to enter a message that will be added to the event log explaining the reason for the shutdown or reboot.
Changing the host name

The System Information widget will display the full host name.

To change the host name:

  1. Go to System > Dashboard.
  2. In the System Information widget, in the Host Name field, select Change. The Edit Host Name page opens.
  3. In the Host name field, type a new host name.

The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.

  1. Select OK to save the setting.

FortiAuthenticator 4.0 Introduction

Introduction

The FortiAuthenticator device is an identity and access management solution. Identity and access management solutions are an important part of an enterprise network, providing access to protected network assets and tracking user activities to comply with security policies.

FortiAuthenticator provides user identity services to the Fortinet product range, as well as third party devices.

FortiAuthenticator delivers multiple features including:

  • Authentication: FortiAuthenticator includes Remote Authentication Dial In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) server authentication methods. l Two Factor Authentication: FortiAuthenticator can act as a two-factor authentication server with support for onetime passwords using FortiToken 200, FortiToken Mobile, Short Message Service (SMS), or e-mail.

FortiAuthenticator two-factor authentication is compatible with any system which supports RADIUS.

  • 1X Support: FortiAuthenticator supports 802.1X for use in FortiGate Wireless and Wired networks. l User Identification: FortiAuthenticator can identify users through multiple data sources, including Active

Directory, Desktop Client, Captive Portal Logon, RADIUS Accounting, Kerberos, and a Representational State Transfer (REST) API. It can then communicate this information to FortiGate, FortiCache, or FortiMail units for use in Identity Based Policies.

  • Certificate Management: FortiAuthenticator can create and sign digital certificates for use, for example, in FortiGate VPNs and with the FortiToken 300 USB Certificate Store.
  • Integration: FortiAuthenticator can integrate with third party RADIUS and LDAP authentication systems, allowing you to reuse existing information sources. The REST API can also be used to integrate with external provisioning systems.

FortiAuthenticator is a critical system, and should be isolated on a network interface that is separated from other hosts to facilitate server-related firewall protection. Be sure to take steps to prevent unauthorized access to the FortiAuthenticator.

Introduction                                                                                                                              Before you begin

FortiAuthenticator on a multiple FortiGate unit network

The FortiAuthenticator series of identity and access management appliances complement the FortiToken range of two-factor authentication tokens for secure remote access. FortiAuthenticator allows you to extend the support for FortiTokens across your enterprise by enabling authentication with multiple FortiGate appliances and third party devices. FortiAuthenticator and FortiToken deliver cost effective, scalable secure authentication to your entire network infrastructure.

The FortiAuthenticator device provides an easy-to-configure remote authentication option for FortiGate users. Additionally, it can replace the Fortinet Single Sign-On (FSSO) Agent on a Windows Active Directory (AD) network.

For more information about FortiTokens, see the FortiToken information page on the Fortinet web site.

This chapter contains the following topics:

l Before you begin l How this guide is organized l Registering your Fortinet product l What’s new in FortiAuthenticator 4.0

Before you begin

Before you begin using this guide, please ensure that:

  • You have administrative access to the GUI and/or CLI.

For details of how to accomplish this, see the QuickStart Guide provided with your product, or online at http://docs.fortinet.com/fortiauthenticator/hardware.

  • The FortiAuthenticator unit is integrated into your network. l The operation mode has been configured.

How this guide is organized                                                                                                           Introduction

  • The system time, DNS settings, administrator password, and network interfaces have been configured.

Network Time Protocol (NTP) is critical for the time to be accurate and stable for the Time-based One-time Password (TOTP) method used in two-factor authentication to function correctly. See Configuring the system time, time zone, and date on page 27.

  • Any third party software or servers have been configured using their documentation.

While using the instructions in this guide, note that administrators are assumed to have all permissions, unless otherwise specified. Some restrictions will apply to administrators with limited permissions.

How this guide is organized

This FortiAuthenticator Administration Guide contains the following sections:

  • Setup describes initial setup for standalone and HA cluster FortiAuthenticator configurations.
  • System describes the options available in the system menu tree, including: network configuration, administration settings, and messaging settings.
  • Authentication describes how to configure built-in and remote authentication servers and manage users and user groups.
  • Port-based Network Access Control describes how to configure the FortiAuthenticator unit for IEEE 802.1X Extensible Authentication Protocol (EAP) authentication methods, Bring Your Own Device (BYOD), and MAC-based device authentication.
  • Fortinet Single Sign-On describes how to use the FortiAuthenticator unit in a Single Sign On (SSO) environment. l RADIUS Single Sign-On describes how to use the FortiAuthenticator unit RADIUS accounting proxy. l Monitoring describes how to monitor SSO and authentication information.
  • Certificate Management describes how to manage X.509 certificates and how to set up the FortiAuthenticator unit to act as an Certificate Authority (CA).
  • Logging describes how to view the logs on your FortiAuthenticator unit. l Troubleshooting provides suggestions to resolve common problems.

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site at https://support.fortinet.com. Many Fortinet customer services such as firmware updates, technical support, FortiGuard Antivirus, and other FortiGuard services require product registration.

What’s new in FortiAuthenticator 4.0

What’s new in FortiAuthenticator 4.0

FortiAuthenticator 4.0 includes a host of new and expanded features designed to make it more robust and versatile than ever before, while maintaining ease of use.

New features include:

  • Captive portal guest management – Social and MAC address authentication

Social Wifi authentication allows FortiAuthenticator to utilize third-party user identity methods to authenticate users into a wireless guest network. Supported authentication methods include:

  • Google + l Facebook l LinkedIn l Twitter l Form based authentication (similar to the existing self-registration feature) l SMS based authentication l Email-based authentication
  • MAC address authentication

For more details, see Captive portal on page 80.

  • New SNMP event

A new event (trap) has been added to the SNMP community configuration settings: “HA status is changed.” For more details, see Administration on page 33. l Add Riverbed RADIUS VSAs

The Riverbed RADIUS dictionary has been added to the RADIUS engine to allow Riverbed vendor attributes to be used in Authentication.

  • Role based administration
    • new feature that allows FortiAuthenticator to create and edit admin profiles (similar to FortiOS). Each administrator can be granted either full permissions or an admin profile, and they can be granted read-only or read/write permissions sets. For more details, see Administration on page 33
  • Bulk purge inactive users menu

New options are now available for bulk purging inactive user accounts. For more details, see User management on page 57.

  • Allow expired FTM reactivation
    • new feature that enhances the FTM activation flow allows administrators to see more quickly why a user cannot authenticate using a FortiToken if their pre-configured timeout period expired. For more details, see FortiToken devices and mobile apps on page 72.
  • Remote LDAP password change

What’s new in FortiAuthenticator 4.0

A new feature that — through the use of Windows AD — allows users to change their passwords without provision changes being made to the network by a system administrator. For more details, see Remote authentication servers on page 88

  • RADIUS sub auth client profiles
    • new feature that allows you to assign attributes to RADIUS Auth Client profiles, so that they are more distinguishable for FortiAuthenticator even if the authentication requests may originate from the same IP address. For more details, see RADIUS service on page 91.
  • Windows FAC agent – group/OU exemptions
    • new feature that exempts users from two-factor authentication using AD container filtering has been added to the FortiAuthenticator Agent for Microsoft Windows, and for OWA users. Users who are members of an exempt groups and the users located under an exempt AD container are only required to provide a password to authenticate, i.e. no FortiToken code. For more details, see FortiAuthenticator Agents on page 100. l SSO filtering options expansion

New object types have been added to the group filtering function. For more details, see FortiGate group filtering on page 120

  • SSO – include username with “$”

FortiAuthenticator now includes usernames containing the “$” character in its SSO feature. For more details, see General settings on page 106.

  • DC/TS agent monitoring
    • new subsection of Monitoring which displays information on the server’s Domain Controller (DC) and Terminal Server (TS) Agents, found at SSO Monitor> SSO > DC/TS Agents. For more details, see SSO on page 129.