Tag Archives: fortinet guides

Global Server Load Balancing – FortiBalancer

Chapter 14 Global Server Load Balancing (GSLB)

14.1 Overview

GSLB (Global Server Load Balance) is also known as Smart DNS (SDNS). This function allows you to distribute Web traffic among a collection of servers deployed in multiple geographic locations. We will cover introduction of GSLB and the examples of GSLB configuration in this chapter.

14.2 Understanding Global Server Load Balance

In GSLB solution, the FortiBalancer appliance works as a complementary DNS server which is able to resolve a set of defined domain names based on load balancing methods. When DNS queries (typically forwarded by corporate DNS server or ISP DNS server) for the domain name are received, GSLB function will resolve the domain name with IP addresses selected from its Domain Name and IP Service Database with configured load balancing method.

SDNS maintains a local Domain Name and IP Service Database by continuously exchanging their local load (Hello message) and domain name/IP address information (Report message) with other members (also FortiBalancer appliances) in the GSLB network. For example, when an FortiBalancer appliance joins the SDNS network, the FortiBalancer appliance will continuously send its local domain name/IP address information to all other participating members (see LLB configuration). For each message transmitted, a confirmation message is expected in return. If a confirmation message is missed or a message is not updated for a period of time (3 tries), GSLB will mark the non-responsive member as down and all the domain name/IP addresses that are hosted by that FortiBalancer appliance will be removed from its local Domain Name and IP Service Database.

The SDNS process works as follows:

 

Figure 14-1 SDNS Working Mechanism

As shown in the above figure, the SDNS module will process a normal DNS request from the client as follows:

  1. The client’s browser generates a DNS request for the domain name of the Web site he wants to visit, and sends the request to its local DNS server.
  2. The local DNS server receives the request and searches in its local cache. If no cache entry hits, it will forward the request to the upper-level SDNS device. In the above example figure, the request is sent to an SDNS server at Beijing according to configurations on the local DNS server.
  3. The SDNS server at Beijing continuously collects the status information of all the application servers in its local Domain Name and IP Service Database, and then forwards the request to a proper application server based on pre-configured load balancing algorithms. In the above example, the application server at New York is selected.
  4. The SDNS server at Beijing returns back the IP addresses of the application server at New York to the local application server of the client.
  5. Upon receiving the response, the local application server forwards IP address to the client directly.
  6. The client’s browser uses the IP address in the response to open an HTTP connection with the corresponding FortiBalancer appliance and proceeds to download the Web page.

In this process, the response is cached on both the client’s local DNS server and the client’s browser.

Note: In this chapter, we will use the term “member” or “SDNS member” frequently. Either

“member” or “SDNS member” is an FortiBalancer appliance which participates in the GSLB management.

14.2.1 SDNS Member Reporter-Receiver Hierarchy

All SDNS members can be divided into two groups: SDNS server and HTTP proxy cache server. They are all FortiBalancer appliances, while HTTP proxy cache servers serve as the “reporter” and SDNS servers serve as the “receiver”.

 

Figure 14-2 SDNS Reporter-Receiver Hierarchy

SDNS Servers

SDNS servers are responsible for DNS resolving. Every HTTP proxy cache server will report its status information to SDNS servers. The status information includes:

  • The domain name configured on proxy cache servers
  • The IPs which are configured for a domain name and their status (“UP” or “DOWN”)
  • The domain name traffic on proxy servers, IP traffic and proxy traffic
  • The status of proxy cache servers (“UP” or “DOWN”)

HTTP Proxy Cache Servers

HTTP proxy cache servers are responsible for HTTP services. All kinds of HTTP requests will be directed to HTTP proxy cache servers, mostly by the SDNS servers. The HTTP proxy cache servers will collect the local status information and send it to SDNS servers at specified frequency. If an FortiBalancer appliance is a DNS server and a proxy cache server at the same time, it will report its local status information to all the SDNS servers (including itself) and collect the status information from all the proxy cache servers.

High Availability – FortiBalancer

Chapter 5 High Availability (HA)

5.1 Overview

As the network applications develop, customers have higher and higher requirements for the reliability of the network and network appliances. During network planning and design, to improve the reliability of the network, some critical network appliances must have redundancy protection mechanisms. The Clustering function mentioned in the “Clustering” chapter uses the VRRP technology to solve the single-point failure. This chapter will introduce the High Availability (HA) function that newly provided by FortiBalancer appliances. The HA function not only solves the single-point failure, but also provides more policies to ensure the network reliability.

The HA function allows two or more FortiBalancer appliances to continuously exchange the running status with each other, and keep their configurations synchronized. When an appliance becomes down, other available appliances will take over the application services on the faulty appliance, which ensures the high availability of application services.

Besides, the HA function provides the Stateful Session Failover (SSF) function. With the SSF function, when a service failover occurs, connections on the service will be switched to the new appliance. This avoids the interruption of connections and therefore improves user experience. The HA function can be deployed flexibly. Besides the Active/Active and Active/Standby deployment scenarios, the HA function can be deployed among multiple appliances to achieve mutual-backup.

Advanced Network Configuration – FortiBalancer

Chapter 2 Advanced Network Configuration

2.1 Overview

This section focuses on introducing the advanced network configurations, including VLAN, MNET, Port Forwarding, NAT, Dynamic Routing and IP Pool functionalities and configurations on the FortiBalancer appliance.

2.1.1 VLAN

VLAN (Virtual Local Area Network) is used to logically segment a network into smaller networks by application, or function, without regard to the physical location of the users. Each VLAN is considered a separate logical network. There are two types of VLAN specifications for Ethernet network.

  • Port-based VLAN

Define VLAN based on port number of the switch. Port-based VLAN is easy to configure but often limited to one single switch.

  • Tag-based VLAN

Tag-based VLAN allows a group of devices on different physical LAN segments to communicate with each other as if they were all on the same physical LAN segment. In tag-based VLAN, an identifying number, called a “VLAN ID” or a “tag”, is written into the Ethernet frame itself, so that switches and routers can use this information to make switching decisions. A tagged frame is four bytes longer than an untagged frame and contains two bytes of Tag Protocol Identifier (TPID) and two bytes of Tag Control Information (TCI).

The FortiBalancer appliance supports Tag-based VLAN on all interfaces. Tag-based VLAN (also known as Trunking by some vendors) is where a tag is inserted into the Ethernet frame so that switches and routers can use this information to make switching decisions.

The FortiBalancer appliance’s VLAN can work in both the IPv4 and IPv6 network environments. Administrator can view all the IPv4 and IPv6-based VLAN configurations by executing the command “show interface”.

For example:

IPv4-based VLAN:

FortiBalancer(config)#show interface

……

V1(vlan1): flags=8843<UP,BROADCAST,RUNNING,SIMPLEX> mtu 1500         inet 10.8.66.96 netmask 0xffffff00 broadcast 10.8.66.255         ether 00:25:90:39:97:f3          media: autoselect         status: no carrier

vlan : 3 parent interface: port1         webwall status: OFF         packet drop (not permit): 0

tcp 0          udp 0          icmp 0          ah 0          esp 0         packet drop (deny): 0

tcp 0          udp 0          icmp 0          ah 0          esp 0

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

IPv6-based VLAN:

FortiBalancer(config)#show interface

……

V2(vlan2): flags=8843<UP,BROADCAST,RUNNING,SIMPLEX> mtu 1500         inet6 fe80::230:48ff:fe93:a73e prefixlen 64 scopeid 0xc          ether 00:30:48:93:a7:41          media: autoselect         status: no carrier

vlan : 20 parent interface: port2         webwall status: OFF         packet drop (not permit): 0

tcp 0          udp 0          icmp 0          ah 0          esp 0         packet drop (deny): 0

tcp 0          udp 0          icmp 0          ah 0          esp 0

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

2.1.2 MNET

MNET (Multi-Netting) is used to assign more than one IP address on a physical interface. Here is an example for MNET:

A new Internet site is under development for a small corporation. The network administrator knows that the site will grow in the future but today there is no need for a complex network. A server is installed that will be used as Web server, FTP server, mail server, and the corporation’s DNS server. Later, when the use of the network services grows, new servers will be used for each of the functions.

When the time comes to address the current server, the administrator has a choice. A single IP address can be used on the server. Later when the new servers are needed, new IP addresses can be assigned to them.

Another way of assigning addresses can be used. The administrator can assign four IP addresses to the server. Each IP address will match the IP address to be used in the future on the new servers. The administrator now knows what addresses will be used and can create DNS entries for the new devices with the correct addresses. This process of providing more than one IP address on an interface is often called multi-netting.

The FortiBalancer appliance’s MNET can work in both the IPv4 and IPv6 network environments.

2.1.3 Port Forwarding

Port forwarding allows you to forward any traffic that is destined to an IP/port pair on the FortiBalancer appliance, to an IP/port pair on the inside network. External clients can directly access the internal servers via an address on the outside subnet.

Note: Port Forwarding feature cannot support FTP, users are recommended to use SLB feature instead.

For example, say that you are running SSH on a real server on the port2 interface subnet, and you want to connect to the server from a client in the outside. To get this information from the outside world to the desired inside IP/port pair, we will have to add a port forward on the FortiBalancer appliance.

 

Figure 2-1 Port Forwarding

2.1.4 NAT

NAT (Network Address Translation) is the translation of an IP address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. NAT is used when you want your real servers on the inside network to access the outside network. Using NAT, all packets will appear as though they came from the FortiBalancer appliance.

2.1.4.1 How NAT Works

When a client on the inside network contacts a machine on the outside network, it sends out IP packets destined for that machine. These packets contain all the addressing information necessary to get them to their destination.

When the packets pass through the NAT gateway, they will be modified so that they appear to be coming from the NAT gateway itself. The NAT gateway will record the changes it makes in its state table so that it can reverse the changes on return packets and ensure that return packets are passed through the firewall without being blocked.

NAT Traversal of PPTP

The FortiBalancer appliance supports NAT traversal of PPTP (Point-to-Point Tunneling Protocol). PPTP is a tunneling mechanism to transfer PPP (Point-to-Point Protocol) frames across intermediate networks. PPTP uses GRE (Generic Routing Encapsulation) encapsulation for PPP payload. However, typically GRE tunnels cannot traverse the NAT device (i.e. the FortiBalancer appliance). To resolve this problem, a PPTP NAT editor is used on the FortiBalancer appliance. This editor is an additional software component on the NAT device to perform translation for IP addresses, TCP ports, and call ID.

2.1.4.2 Supported NAT Types

The FortiBalancer appliance supports four types of NAT:

  • Static NAT

Mapping an IP address on one-to-one basis. By configuring static NAT, the FortiBalancer appliance maps an inside real IP address to a VIP address on the outside. For inbound traffic directed from an outside VIP, the traffic will be forwarded to a corresponding inside real IP without any change in the port number or protocol value. Thus, hosts on the inside network will be directly accessible via the VIP on the port1 interface. The outbound traffic coming from an inside host will use the corresponding outside VIP as the source IP for the outgoing traffic. The port number and protocol remain unchanged. TCP, UDP and ICMP are supported for static NAT.

In static NAT, the computer with the IP address (192.168.10.13) will be always translated into 10.10.0.3:

 

Figure 2-2 Static NAT

  • Port-level NAT

Mapping multiple inside real IP addresses to a single VIP address with a different port number assignment on the port1 interface. By configuring port-level NAT, the group of hosts on the inside network will be directly accessible via the VIP on the port1 interface.

In port-level NAT, the computers with the IP address in the range from 192.168.10.11 to 192.168.10.13 will be translated into 10.0.0.3 with a different port on the outside network:

 

 

Figure 2-3 Port-level NAT

If a port-level NAT is configured for an inside real IP address, static NAT should take precedence over the regular NAT policy. VIPs used by static NAT should not be used by regular NAT. Also, one static NAT VIP should not map to multiple real IP addresses.

  • IP pool-based dynamic NAT

Mapping one or multiple inside real IP addresses to an IP pool which contains multiple IP addresses. By configuring IP pool-based dynamic NAT, a group of hosts on the inside network will be translated into via the multiple IP addresses in IP pool.

As shown below, in IP pool-based dynamic NAT, the client IP addresses in the range from 192.168.10.11 to 192.168.10.13 will be translated into 10.0.0.1 to 10.0.0.3 and get connected to the Internet.

 

Figure 2-4 IP Pool-based Dynamic NAT

  • Destination IP based NAT

FortiBalancer supports NAT based on destination IP address. The destination IP based NAT can be performed only when the destination IP address is in the specified network segment and in the same network segment as the route gateway. If the gateway is set to the default value 0.0.0.0, the destination IP/IP pool for NAT and the route gateway should be within the same network segment.

Note: For IPv6 address, only TCP and UDP packets can be NATTed and no gateway can be configured.

Configuration Example via CLI

  • Step 1 Configure IP pool

FortiBalancer(config)#ip pool “pool1” 172.16.72.45 172.16.72.55

FortiBalancer(config)#ip pool “pool3” 3ffd::45 3ffd::46

  • Step 2 Configure destination NAT

FortiBalancer(config)#nat portdst “pool1” 172.16.72.0 255.255.255.0 500 172.16.72.101

FortiBalancer(config)#nat portdst “pool3” 3ff1:: 65 50

Check NAT configurations and statistics

The following two commands can be used to check the NAT configurations and statistics. Ø             Check NAT table

FortiBalancer(config)#show nat table

From 172.16.73.108(5208) through 172.16.72.53(50776) to 172.16.72.77(80)

From 172.16.73.108(5200) through 172.16.72.53(50768) to 172.16.72.77(80)

From 172.16.73.108(5880) through 172.16.72.53(51448) to 172.16.72.77(80)

From 172.16.73.108(6008) through 172.16.72.53(51576) to 172.16.72.77(80)

From 3ffd::108(42720) through 3ffd (45672) to 3ff1::77(80)

From 3ffd::108(42728) through 3ffd (45680) to 3ff1::77(80)

From 3ffd::108(43336) through 3ffd (46288) to 3ff1::77(80)

From 3ffd::108(43376) through 3ffd (46328) to 3ff1::77(80)

From 3ffd::108(43464) through 3ffd (46416) to 3ff1::77(80)

From 3ffd::108(43408) through 3ffd (46360) to 3ff1::77(80)

From 3ffd::108(43840) through 3ffd (46792) to 3ff1::77(80)

From 3ffd::108(43896) through 3ffd (46848) to 3ff1::77(80)

Ø    Check NAT statistics

FortiBalancer(config)#show statistics nat

nat portdst “pool1” 172.16.72.0 255.255.255.0 500 172.16.72.101         protol(total/current):icmp(1/1) udp(0/0) tcp(23724/251)  nat portdst “pool3” 3ff1:: 65 50

protol(total/current):icmp(0/0) udp(0/0) tcp(23716/246)

2.1.5 Dynamic Routing

Dynamic Routing is a process in which routers automatically adjust to changes in network topology or traffic. It is more robust than static routing. Now, there are several protocols used to support dynamic routing including RIPv1 (Routing Information Protocol version 1), RIPv2 (Routing Information Protocol version 2) and OSPFv2 (Open Shortest Path First version 2) and OSPFv3 (Open Shortest Path First version 3).

Dynamic Routing is especially suitable for today’s large, constantly changed networks. It improves performance by allowing network routers to adjust to changes in the network topology. And it distributes routing information between routers and chooses the best path for the network, saving money and improving performance.

2.1.6 IP Pool

An IP pool contains multiple IP addresses from one IP segment. Administrators can use the pre-defined IP pools for NAT and SLB configurations.

For the NAT module, IP pool can be defined on the outside interface to realize translation of multiple outgoing IP addresses. This helps increase the concurrent capacity and fully utilize the IP resources. For the SLB module, IP pool can be defined for real server groups. Under the SLB reverse mode, when different real server groups are selected, FortiBalancer can select different IP addresses in IP pools to connect to real servers. This not only increases the concurrent connection capacity, but also provides a more flexible configuration method for administrators.

FortiBalancer appliance supports multiple IP pools, and at most 256 IP addresses can be added in one IP pool. The maximum number of IP pools allowed on the FortiBalancer appliance varies with different system memories. Please see the table below for details.

Table 2-1 Maximum IP Pool Entry

System Memory Maximum IP Pool Number
4GB 32
8GB 64
16GB 128
32GB 256

Both IPv4 and IPv6 addresses can be configured in the IP pool.

When configuring the IP pool, please note:

  • Each IP pool should be assigned with a unique name in the system.
  • The IP addresses in one IP pool must belong to the same subnet.
  • The subnet can be the same between two or more pools.
  • One IP address can belong to multiple IP pools.
  • IP segment is composed of continuous IPs, and an IP pool can be composed of multiple IP segments.
  • IP addresses in IP pool must be legal.
    • IP addresses which are not covered by any interface subnet are illegal.
    • Broadcast IP address is illegal. Ÿ IP with hostID 0 is illegal.

Certificate Management – FortiAuthenticator 4.0

Certificate Management

This section describes managing certificates with the FortiAuthenticator device.

FortiAuthenticator can act as a CA for the creation and signing of X.509 certificates, such as server certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPSEC VPN.

The FortiAuthenticator unit has several roles that involve certificates:

Certificate authority The administrator generates CA certificates that can validate the user certificates generated on this FortiAuthenticator unit.

The administrator can import other authorities’ CA certificates and Certificate Revocation Lists (CRLs), as well as generate, sign, and revoke user certificates. See End entities on page 133 for more information.

SCEP server A SCEP client can retrieve any of the local CA certificates (Local CAs on

page 140), and can have its own user certificate signed by the FortiAuthenticator unit CA.

Remote LDAP

Authentication

Acting as an LDAP client, the FortiAuthenticator unit authenticates users against an external LDAP server. It verifies the identity of the external LDAP server by using a trusted CA certificate, see Trusted CAs on page 147.
EAP Authentication The FortiAuthenticator unit checks that the client’s certificate is signed by one of the configured authorized CA certificates, see Certificate authorities on page 140. The client certificate must also match one of the user certificates, see End entities on page 133.

Any changes made to certificates generate log entries that can be viewed at Logging > Log Access > Logs. See Logging on page 154.

This chapter includes the following sections:

l Policies l End entities l Certificate authorities l SCEP

Policies

The policies section includes global configuration settings which are applied across all certificate authorities and end-entity certificates created on the FortiAuthenticator device.

Certificate expiry

Certificate expiration settings can be configured in Certificate Management > Policies > Certificate Expiry.

 

The following settings can be configured:

Warn when a certificate is about to expire Enable sending a warning message to an administrator before a certificate expires.
Send a warning e-mail Enter the number of days before the certificate expires that the email will be sent.
Administrator’s e-mail Enter the email address to which the expiry warning message will be sent.

Select OK to apply any configuration changes.

End entities

User and server certificates are required for mutual authentication on many HTTPS, SSL, and IPsec VPN network resources. You can create a user certificate on the FortiAuthenticator device, or import and sign a CSR. User certificates, client certificates, or local computer certificates are all the same type of certificate.

To view the user certificate list, go to Certificate Management > End Entities > Users. To view the server certificate list, go to Certificate Management > End Entities > Local Services.

The following information is available:

Create New   Create a new certificate.
Import   Select to import a certificate signed by a third-party CA for a previously generated CSR (see To import a local user certificate: on page 138 and To import a server certificate: on page 138) or to import a CSR to sign (see To import a CSR to sign: on page 138).
Revoke   Revoke the selected certificate. See To revoke a certificate: on page 139.
Delete   Delete the selected certificate.
Export Certificate   Save the selected certificate to your computer.
Export PKCS#12   Export the PKCS#12. This is only available for user certificates.
Search   Enter a search term in the search field, then press Enter to search the certificate list.
Filter   Select to filter the displayed certificates by status. The available selections are: All, Pending, Expired, Revoked, and Active.
Certificate ID   The certificate ID.
Subject   The certificate’s subject.
Issuer The issuer of the certificate.
Status The status of the certificate, either active, pending, or revoked.

Certificates can be created, imported, exported, revoked, and deleted as required. CSRs can be imported to sign, and the certificate detail information can also be viewed, see To view certificate details: on page 140.

To create a new certificate:

  1. To create a new user certificate, go to Certificate Management > End Entities > Users. To create a new server certificate, go to Certificate Management > End Entities > Local Services.
  2. Select Create New to open the Create New UserCertificate or Create New ServerCertificate
  3. Configure the following settings:

 

Certificate ID Enter a unique ID for the certificate.
Certificate Signing Options  
Issuer Select the issuer of the certificate, either Local CA or Third-party CA. Selecting Third-party CA generates a CSR that is to be signed by a third-party CA.
Local User (Optional) If Local CA is selected as the issuer, you may select a local user from the drop-down list to whom the certificate will apply.This option is only available when creating a new user certificate.
Certificate authority If Local CA is selected as the issuer, select one of the available CAs configured on the FortiAuthenticator unit from the drop-down list. The CA must be valid and current. If it is not you will have to create or import a CA certificate before continuing. See Certificate authorities on page 140.
Subject Information  
Subject input method Select the subject input method, either Fully distinguished name or

Field-by-field.

Fully distinguished name If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes.Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive.
Field-by-field If the subject input method is Field-by-field, enter the subject name in the Name (CN) field, and optionally enter the following fields:

Department (OU) l Company (O) l City (L) l State/Province (ST)

Country (C) (select from drop-down list) l E-mail address

Key and Signing Options  
Validity period Select the amount of time before this certificate expires. This option is only available when Issuer is set to Local CA.

Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires.

Key type The key type is set to RSA.
Key size Select the key size from the drop-down list: 1024, 2048, or 4096 bits.
Hash algorithm Select the hash algorithm from the drop-down list, either SHA-1 or SHA-256.

 

Subject Alternative Name Subject Alternative Names (SAN) allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.

For example, SANs are used to protect multiple domain names such as www.example.com and www.example.net, in contrast to wildcard certificates that can only protect all first-level subdomains on one domain, such as *.example.com.

Email Enter the email address of a user to map to this certificate.
User Principal Name (UPN) Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
Other Extensions This option is only available when creating a new user certificate, and when Issuer is set to Local CA.
Add CRL Distribution Points extension Select to add CRL distribution points extension to the certificate. Note: Once a certificate is issued with this extension, the server must be able to handle the CRL request at the specified location.

A DNS domain name must be configured. If it has not been, select Edit DNS name to configure one. See DNS on page 31.

Use certificate for Smart Card logon Select to use the certificate for smart card logon.
Advanced Options: Key Usages Some certificates require the explicit presence of key usage attributes before the certificate can be accepted for use.
Digital Signature a high-integrity signature that assures the recipient that a message was not altered in transit
Non Repudiation an authentication that is deemed as genuine with high assurance
Key Encipherment uses the public key to encrypt private or secret keys
Data Encipherment uses the public key to encrypt data
Key Agreement an interactive method for multiple parties to establish a cryptographic key, based on prior knowledge of a password
Certificate Sign a message from an applicant to a certificate authority in order to apply for a digital identity certificate
CRL Sign a Certificate Revocation List (CRL) Sign states a validity period for an issued certificate
Encipher Only information will be converted into code only
Decipher Only code will be converted into information only
Advanced Options: Extended Key Usages Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use.

 

Server Authentication authentication will only be granted when the user submits their credentials to the server
Client Authentication authentication will be granted to the server by exchanging a client certificate
Code Signing used to confirm the software author, and guarantees that the code has not been altered or corrupted through use of a cryptographic hash
Secure Email a secure email sent over SSL encryption
OCSP Signing Online Certificate Status Protocol (OCSP) Signing sends a request to the server for certificate status information. The server will send back a response of “current”, “expired”, or “unknown”. OCSP permits a grace period to users or are expired, allowing them a limited time period to renew. This is usually used over CRL.
IPSec End System  
IPSec Tunnel Termination IPSec SAs (Security Associations) are terminated through deletion or by timing out
IPSec User  
IPSec IKE

Intermediate (end entity)

An intermediate certificate is a subordinate certificate issued by a trusted root specifically to issue end-entity certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate CA (or CAs) and ending with the SSL certificate issued to you.
Time Stamping  
Microsoft Individual Code Signing user submits information that is compared to an independent consumer database to validate their credentials
Microsoft Commercial Code Signing user submits information that proves their identity as corporate representatives
Microsoft Trust List Signing uses a Certificate Trust List (CTL), a list of hashes of certificates. The list is comprised of pre-authenticated items that were approved by a trusted signing entity
Microsoft/Netscape Server Gated Crypto a defunct mechanism that stepped up 40-bit and 50-bit to 128-bit cipher suites with SSL
Microsoft Encrypted File System the Encrypted File System (EFS) enables files to be transparently encrypted to protect confidential data
Microsoft EFS File Recovery the certificate will be granted on the condition it has an EFS file recovery agent prepared
Smart Card Logon the certificate will be granted on the condition that the user logs on to the network with a smart card
EAP over PPP/LAN Extensible Authentication Protocol (EAP) will operate within either a Point-to-Point Protocol (PPP) or Local Area Network (LAN) framework
KDC Authentication an Authentication Server (AS) forwards usernames to a key distribution center (KDC), which issues an encrypted, time stamped ticket back to the user
  1. Select OK to create the new certificate.

To import a local user certificate:

  1. Go to Certificate Management > End Entities > Users and select Import.
  2. In the Import Signing Request orCertificate window, in the Type field, select Local certificate.
  3. Select .. to locate the certificate file on your computer.
  4. Select OK to import the certificate.

To import a server certificate:

  1. to Certificate Management > End Entities > Local Services and select Import.
  2. In the Import Certificate window, select .. to locate the certificate file on your computer.
  3. Select OK to import the certificate.

To import a CSR to sign:

  1. Go to Certificate Management > End Entities > Users and select Import.
  2. In the Import Signing Request orCertificate window, in the Type field, select CSR to sign.
  3. Configure the following settings:
Certificate ID Enter a unique ID for the certificate.
CSR file (.csr, .req) Select Browse… then locate the CSR file on your computer.
Certificate Signing Options  
Certificate authority Select one of the available CAs configured on the FortiAuthenticator from the         drop-      down     list.

The CA must be valid and current. If it is not you will have to create or import a CA certificate before continuing. See Certificate authorities on page 140.

Validity period Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires
Hash algorithm Select the hash algorithm from the drop-down list, either SHA-1 or SHA256.
Subject Alternative Name  
Email Enter the email address of a user to map to this certificate.
User Principal Name (UPN) Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique the Windows Server domain. This is a form of one-to-one mapping.
Other Extensions  
                     Add            CRL

Distribution

Points extension

Select to add CRL distribution points extension to the certificate. Note: Once a certificate is issued with this extension, the server must be able to handle the CRL request at the specified location. A DNS domain name must be configured. If it has not been, select Edit DNS name to configure one. See DNS on page 31.
Use certificate for

Smart Card logon

Select to use the certificate for smart card logon. This option can only be selected concurrently with Add CRL Distribution Points extension.
  1. Select OK to import the CSR.

To revoke a certificate:

  1. Go to Certificate Management > End Entities > Users or to Certificate Management > End Entities > Local Services.
  2. Select the certificate the will be revoked, then select Revoke. The Revoke UserCertificate or Revoke Server Certificate window opens.
  3. Select a reason for revoking the certificate from the Reason code drop-down list. The reasons available are:

l Unspecified l Key has been compromised l CA has been compromised l Changes in affiliation l Superseded l Operation ceased l On Hold

 

Some of these reasons are security related (such as the key or CA being compromised), while others are more business related; a change in affiliation could be an employee leaving the company; Operation ceased could be a project that was cancelled.

  1. Select OK to revoke the certificate.

To view certificate details:

From the certificate list, select a certificate ID to open the Certificate Detail Information window.

Select Edit next to the Certificate ID field to change the certificate ID. If any of this information is out of date or incorrect, you will not be able to use this certificate. If this is the case, delete the certificate and re-enter the information in a new certificate, see To create a new certificate: on page 134. Select Close to return to the certificate list.

RADIUS Single Sign On – FortiAuthenticator 4.0

RADIUS Single Sign-On

A FortiGate or FortiMail unit can transparently identify users who have already authenticated on an external RADIUS server by parsing RADIUS accounting records. However, this approach has potential difficulties:

  • The RADIUS server is business-critical IT infrastructure, limiting the changes that can be made to the server configuration.
  • In some cases, the server can send accounting records only to a single endpoint. Some network topologies may require multiple endpoints.

The FortiAuthenticator RADIUS Accounting Proxy overcomes these limitations by proxying the RADIUS accounting records, modifying them, and replicating them to the multiple subscribing endpoints as needed.

RADIUS accounting proxy

The FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server, transforms them, and then forwards them to multiple FortiGate or FortiMail devices for use in RADIUS Single Sign-On. This differs from the packet use of RADIUS accounting (RADIUS accounting on page 115).

The accounting proxy needs to know:

l Rule sets to define or derive the RADIUS attributes that the FortiGate unit requires, l The source of the RADIUS accounting records: the RADIUS server, l The destination(s) of the accounting records: the FortiGate units using this information for RADIUS SSO authentication.

General settings

General RADIUS accounting proxy settings can be configure by going to Fortinet SSO Methods > Accounting Proxy > General.

The following settings are available:

Log level Select Debug, Info, Warning, or Error as the minimum severity level of event to log from the drop-down list.
Group cache lifetime Enter the amount of time after which user group memberships will expire in the cache, from 1 to 10080 minutes (7 days). The default is 480 minutes.
Number of proxy retries Enter the number of times to retry proxy requests if they timeout, from 0 to 3 retries, where 0 disables retries. The default is 3 retries.
Proxy retry timeout Enter the retry period (timeout) of a proxy request, from 1 to 10 seconds.
Statistics update period Enter the time between statistics updates to the seconds debug log, from 1 to 3600 seconds (1 hour).

Select OK to apply your changes.

accounting proxy                                                                                                                 RADIUS

Rule sets

A rule set can contain multiple rules. Each rule can do one of:

l add an attribute with a fixed value l add an attribute retrieved from a user’s record on an LDAP server l rename an attribute to make it acceptable to the accounting proxy destination.

The FortiAuthenticator unit can store up to 10 rule sets. You can provide both a name and a description to each rule set to help you remember each rule set’s purpose.

Rules access RADIUS attributes of which there are both standard attributes and vendor-specific attributes (VSAs). To select a standard attribute, select the Default vendor. See RADIUS attributes on page 72.

To view the accounting proxy rule set list, go to Fortinet SSO Methods > Accounting Proxy > Rule Sets.

To add RADIUS accounting proxy rule sets:

  1. From the rule set list, select Create New. The Create New Rule Set window opens.
  2. Enter the following information:
Name Enter a name to use when selecting this rule set for an accounting proxy destination.
Description Optionally, enter a brief description of the rule’s purpose.
Rules Enter one or more rules.

Single Sign-On                                                                                      RADIUS accounting proxy

Action The action for each rule can be either Add or Modify.

Add: add either a static value or a value derived from an LDAP server.

Modify: rename an attribute.

Attribute Select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Attribute 2 If the action is set to Modify, a second attribute may be selected. The first attribute will be renamed to the second attribute.
Value Type If the action is set to Add, select a value type from the drop-down list.

Static value: adds the attribute in the Attribute field containing the static value in the Value field.

Group names: adds attribute in the Attribute field containing “Group names” from the group membership of the Username Attribute on the remote LDAP server. l Services: adds attribute in the Attribute field containing “Services” from the group membership of the Username Attribute on the remote LDAP server.

UTM profile groups: adds attribute in the Attribute field containing “UTM profile groups” from the group membership of the Username Attribute on the remote LDAP server.

Value If the action is set to Add and Value Type is set to Static value, enter the static value.
Username

Attribute

If the action is set to Add, and Value Type is not set to Static value, specify an attribute that provides the user’s name, or select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Remote LDAP If the attribute addition requires an LDAP server, select one from the dropdown list. See LDAP on page 88 for information on remote LDAP servers.
Description A brief description of the rule is provided.
Add another rule Select to add another rule to the rule set.
  1. Select OK to create the new rule set.
Example rule set

The incoming accounting packets contain the following fields:

  • User-Name l NAS-IP-Address l Fortinet-Client-IP-Address

The outgoing accounting packets need to have these fields:

accounting proxy                                                                                                                 RADIUS

  • User-Name l NAS-IP-Address l Fortinet-Client-IP-Address l Session-Timeout: Value is always 3600 l Fortinet-Group-Name: Value is obtained from user’s group membership on remote LDAP l Service-Type: Value is obtained from user’s group membership and SSO Group Mapping

The rule set needs three rules to add Session-Timeout, Fortinet-Group-Name, and Service-Type. The following image provides an example:

Sources

The RADIUS accounting proxy sources list can be viewed in Fortinet SSO Methods > Accounting Proxy > Sources. Sources can be added, edited, and deleted as needed.

To add a RADIUS accounting proxy source:

  1. From the source list, select Create New. The Create New RADIUS Accounting Proxy Source window opens.
  2. Enter the following information:
Name                                         Enter           the           name           of           the

This is used in FortiAuthenticator configurations.

RADIUS server.

Single Sign-On                                                                                      RADIUS accounting proxy

Source name/IP Enter the FQDN or IP address of the server.
Secret Enter the shared secret required to access the server.
Description Optionally, enter a description of the source.
  1. Select OK to add the RADIUS accounting proxy source.

Destinations

The destination of the RADIUS accounting records is the FortiGate unit that will use the records to identify users. When defining the destination, you also specify the source of the records (a RADIUS client already defined as a source) and the rule set to apply to the records.

To view the RADIUS accounting proxy destinations list, go to Fortinet SSO Methods > Accounting Proxy > Destinations.

To add a RADIUS accounting proxy destinations:

  1. From the destinations list, select Create New. The Create New RADIUS Accounting Proxy Destination window opens.
  2. Enter the following information:
Name Enter a name to identify the destination device in your configuration.
Destination name/IP Enter The FQDN or IP address of the FortiGate that will receive the RADIUS accounting records.
Secret Enter the preshared key of the destination.
Source Select a RADIUS client defined as a source from the drop-down list. See Sources on page 127.
Rule set Select an appropriate rule set from the drop-down list or select Create New to create a new rule set. See Rule sets on page 125.
  1. Select OK to add the RADIUS accounting proxy destination.

Fortinet Single Sign On – FortiAuthenticator 4.0

Fortinet Single Sign-On

FSSO is a set of methods to transparently authenticate users to FortiGate and FortiCache devices. This means that the FortiAuthenticator unit is trusting the implicit authentication of a different system, and using that to identify the user. FortiAuthenticator takes this framework and enhances it with several authentication methods:

  • Users can authenticate through a web portal and a set of embeddable widgets. l Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
  • Users authenticating against Active Directory can be automatically authenticated. l RADIUS Accounting packets can be used to trigger an FSSO authentication. l Users can be identified through the FortiAuthenticator API. This is useful for integration with third party systems.

The FortiAuthenticator unit must be configured to collect the relevant user logon data. After this basic configuration is complete, the various methods of collecting the log in information can be set up as needed.

Domain controller polling

When the FortiAuthenticator runs for the first time, it will poll the domain controller (DC) logs backwards until either the end of the log file or the logon timeout setting, whichever is reached first.

When the FortiAuthenticator is rebooted, the memory cache is written to the disk, then re-read at startup, allowing the previous state to be retained. Windows DC polling restarts on boot, then searches backwards in the DC log files until it reaches either the log that matches the last known serial number found in the login cache file, the log that is older than the last recorded read time, or the end of the log file, whichever is reached first.

The currently logged in FSSO users list is cached in memory and periodically written to disk. In an active-passive HA cluster, this file is synchronized to the slave device.

Windows management instrumentation polling

The FortiAuthenticator supports Windows Management Instrumentation (WMI) polling to detect workstation log off. This validates the currently logged on user for an IP address that has been discovered by the DC polling detection method.

Remote WMI access requires that the related ports are opened in the Windows firewall, and access to a domain account that belongs to the Domain Admin group.

To open ports in the Windows firewall in Windows 7, run gpedit.msc, go to Computerconfiguration >

Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile, go to Allow remote admin exception, then enable remote admin exception and, if necessary, configure an IP subnet/range.

 

General settings

General settings

The FortiAuthenticator unit listens for requests from authentication clients and can poll Windows Active Directory servers.

To configure FortiAuthenticator FSSO polling:

  1. Go to Fortinet SSO Methods > SSO > General to open the Edit SSO Configuration The Edit SSO Configuration window contains sections for FortiGate, FSSO, and user group membership.
  2. In the FortiGate section, configure the following settings:
Listening port Leave at 8000 unless your network requires you to change this. Ensure this port is allowed through the firewall.
Enable authentication Select to enable authentication, then enter a secret key, or password, in the Secret key field.
Login Expiry The length of time, in minutes, that users can remain logged in before the system logs them off automatically. The default is 480 minutes (8 hours).
Extend              user             session beyond logoff by The length of time, in seconds, that a user session is extended after the user logs off, from 0 (default) to 3600 seconds.
Enable NTLM

authentication

Select to enable NTLM authentication, then enter the NETBIOS or DNS name of the domain that the login user belongs to in the Userdomain field.
  1. In the Fortinet Single Sign-On (FSSO) section, configure the following settings:
Maximum concurrent user sessions Enter the maximum number of concurrent FSSO login sessions a user is allowed to have. Use 0 for unlimited.

Select Configure Per User/Group to configure the maximum number of concurrent sessions for each user or group. See Fine-grained controls on page 112.

Log Level Select one of Debug, Info, Warning, or Error as the minimum severity level of events to log from the drop- down list.

Select Download all logs to download all FSSO logs to your management computer.

General settings

Enable       Windows         Active

Directory domain controller polling

Select             to             enable             Windows             AD             polling.

Select to enable polling additional logon events, including from devices using Kerberos authentication or from Mac OS X systems, and from event IDs 672, 680, 4776, and 4768.

Enable polling additional logon events When additional active directory logon event IDs is enabled, event IDs 528, 540, and 4624 are also polled. These event are generated when a user attempts to access a domain service or resource. When a user logs off from the          workstation,         such      an          event     will         be               generated.

Enter the additional logon event timeout time in the Additional logon event timeout field, from 1 to 480 minutes, with 5 minutes being the default time.

Note: After a user logs off, their SSO session will stay active for the above configured period of time. During this time, if another user changes to the previous user’s IP address, they may be able to bypass the necessary authentication. For this reason, it is strongly recommended that the timeout time be kept short.

                     Enable         DNS

lookup to get IP

from workstation name

Select to use DNS lookup to get IP address information when an event contains only the workstation name.

This option is enabled by default.

Directly use domain DNS

suffix in lookup

Select to use the domain DNS suffix when doing a DNS lookup.

This option is disabled by default.

Enable  reverse DNS               lookup  to get         workstation name from IP Select to enable reverse DNS lookup. Reverse DNS lookup is used when an event contains only an IP address and no workstation name.

This option is enabled by default.

Do one more DNS lookup to get full list of IPs after reverse lookup of workstation name Reverse DNS lookup is used when an event contains only an IP address and no workstation name. Once the workstation name is determined, it is used in the DNS lookup again to get more complete IP address

information. This is useful in environments where workstations have multiple network interfaces.

This option is disabled by default.

Include     account name         ending

with $ (usually computer account)

Accounts that end in “$” used to exclusively denote computer accounts with

no actual user, but in some cases, valid accounts imported from dated systems can        feature  them.

This option is disabled by default.

Enable Radius Accounting SSO clients Select to enable the detection of users sign-ons and sign- offs from incoming RADIUS accounting (Start, Stop, and Interim-Update) records.
Use RADIUS realm as

Windows       Active

Directory domain

Select to use the RADIUS realm as the Windows AD domain.
Enable Syslog SSO Select to enable Syslog SSO.

General settings

Enable        FortiClient     SSO

Mobility Agent Service

Select to enable single sign-on (SSO) by clients running FortiClient Endpoint Security. For more information, see FortiClient SSO Mobility Agent on page 123.
FortiClient listening port Enter the FortiClient listening port number.
Enable authentication Select to enable authentication, then enter a secret key, or password, in the Secret key field.
Keep-alive interval Enter the duration between keep-alive transmissions, from 1 to 60 minutes. Default is 5 minutes.
Idle timeout Enter an amount of time after which to logoff a user if their status is not updated. The value cannot be lower than the Keep-alive interval value.
Enable NTLM Select to enable the NT LAN Manager (NTLM) to allow logon of users who are connected to a domain that does not have the FSSO DC Agent installed. Disable NTLM authentication only if your network does not support NTLM authentication for security or other reasons. Enter an amount of time after which NTLM authentication expires in the NTLM authentication expiry field, from 1 to 10080 minutes (7 days).
Enable hierarchical FSSO tiering Select to enable hierarchical FSSO tiering. Enter the collector listening port in the Collectorlistening port field.
Enable DC/TS Agent Clients Select to enable clients using DC or TS Agent. Enter the UDP port in the

DC/TS      Agent     listening     port     field.       Default       is          8002.

Select Enable authentication to enable authentication, then enter a secret key, or password, in the Secret key field.

Restrict             auto- discovered domain             controllers          to configured domain

controllers

Select to enable restricting automatically discovered domain controllers to already configured domain controllers only. See Domain controllers on page 114.
Enable       Windows         Active

Directory workstation IP

verification

Select to enable workstation IP verification with Windows Active Directory. If enabled, select Enable IP change detection via DNS lookup to detect IP changes via DNS lookup.
  1. In the UserGroup Membership section, configure the following settings:

General settings

Group cache mode Select the group cache mode:

Passive: Items have an expiry time after which the are removed and re-queried on the next logon.

Active: Items are periodically updated for all currently logged on users.

Group cache item

lifetime

Enter the amount of time after which items will expire (default = 480 minutes). This is only available when the group cache mode is set to Passive.
Do not use cached groups… Select to prevent using cached groups and to always load groups from server for the following SSO sources: l Windows Active Directory domain controller polling l RADIUS Accounting SSO l Syslog SSO

FortiClient SSO Mobility Agent l DC Agent l TS Agent

User login portal l SSO web service

Base distinguished names to search… Enter the base distinguished names to search for nesting of users or groups into cross domain and domain local groups.
  1. Select OK to apply the settings.

Port Based Network Access Control – FortiAuthenticator 4.0

Port-based Network Access Control

Port-based Network Access Control (PNAC), or 802.1X, authentication requires a client, an authenticator, and an authentication server (such as a FortiAuthenticator device).

The client is a device that wants to connect to the network. The authenticator is simply a network device, such as a wireless access point or switch. The authentication server is usually a host that supports the RADIUS and EAP protocols.

The client is not allowed access to the network until the client’s identity has been validated and authorized. Using 802.1X authentication, the client provides credentials to the authenticator, which the authenticator forwards to the authentication server for verification. If the authentication server determines that the credentials are valid, the client device is allowed access to the network.

FortiAuthenticator supports several IEEE 802.1X EAP methods.

EAP

The FortiAuthenticator unit supports several IEEE 802.1X EAP methods. These include authentication methods most commonly used in WiFi networks.

EAP is defined in RFC 3748 and updated in RFC 5247. EAP does not include security for the conversation between the client and the authentication server, so it is usually used within a secure tunnel technology such as TLS, TTLS, or MS-CHAP.

The FortiAuthenticator unit supports the following EAP methods:

Method Server Auth Client Auth Encryption Native OS Support
PEAP (MSCHAPv2) Yes Yes Yes Windows XP, Vista, 7
EAP-TTLS Yes No Yes Windows Vista, 7
EAP-TLS Yes Yes Yes Windows (XP, 7), Mac OS X, iOS,

Linux, Android

EAP-GTC Yes Yes Yes None (external supplicant required)

In addition to providing a channel for user authentication, EAP methods also provide certificate-based authentication of the server computer. EAP-TLS provides mutual authentication: the client and server authenticate each other using certificates. This is essential for authentication onto an enterprise network in a BYOD environment.

For successful EAP-TLS authentication, the user’s certificate must be bound to their account in Authentication >

UserManagement > Local Users (see Local users on page 58) and the relevant RADIUS client in Authentication > RADIUS Service > Clients (see RADIUS service on page 91) must permit that user to authenticate. By default, all local users can authenticate, but it is possible to limit authentication to specified user groups.

Port-based Network Access Control                                                                                                          EAP

The FortiAuthenticator unit and EAP

A FortiAuthenticator unit delivers all of the authentication features required for a successful EAP-TLS deployment, including:

  • Certificate Management: create and revoke certificates as a CA. See Certificate Management on page 132.
  • Simple Certificate Enrollment Protocol (SCEP) Server: exchange a Certificate Signing Request (CSR) and the resulting signed certificate, simplifying the process of obtaining a device certificate.

FortiAuthenticator unit configuration

To configure the FortiAuthenticator unit, you need to:

  1. Create a CA certificate for the FortiAuthenticator unit. See Certificate authorities on page 140.

Optionally, you can skip this step and use an external CA certificate instead. Go to Certificate Management > Certificate Authorities > Trusted CAs to import CA certificates. See Trusted CAs on page 147.

  1. Create a server certificate for the FortiAuthenticator unit, using the CA certificate you created or imported in the preceding step. See End entities on page 133.
  2. If you configure EAP-TTLS authentication, go to Authentication > RADIUS Service > EAP and configure the certificates for EAP. See Configuring certificates for EAP on page 102.
  3. If SCEP will be used:
    1. Configure an SMTP server to be used for sending SCEP notifications. Then configure the email service for the administrator to use the SMTP server that you created. See E-mail services on page 46.
    2. Go to Certificate Management > SCEP > General and select Enable SCEP. Then select the CA certificate that you created or imported in Step 1 in the Default CA field and select OK. See SCEP on page 147.
  4. Go to Authentication > Remote Auth. Servers > LDAP and add the remote LDAP server that contains your user database. See LDAP on page 88.
  5. Import users from the remote LDAP server. You can choose which specific users will be permitted to authenticate. See Remote users on page 65.
  6. Go to Authentication > RADIUS Service > Clients to add the FortiGate wireless controller as an authentication client. Be sure to select the type of EAP authentication you intend to use. See RADIUS service on page 91.

Configuring certificates for EAP

The FortiAuthenticator unit can authenticate itself to clients with a CA certificate.

  1. Go to Certificate Management > Certificate Authorities > Trusted CAs to import the certificate you will use. See Trusted CAs on page 147.
  2. Go to Authentication > RADIUS Service > EAP.
  3. Select the EAP server certificate from the EAP ServerCertificate drop-down list.
  4. Select the trusted CAs and local CAs to use for EAP authentication from their requisite lists.
  5. Select OK to apply the settings.

Configuring switches and wireless controllers to use 802.1X authentication

The 802.1X configuration will be largely vendor dependent. The key requirements are:

Device self-enrollment                                                                           Port-based Network Access Control

l RADIUS Server IP: This is the IP address of the FortiAuthenticator l Key: The preshared secret configured in the FortiAuthenticator authentication client settings l Authentication Port: By default, FortiAuthenticator listens for authentication requests on port 1812.

Device self-enrollment

Device certificate self-enrollment is a method for local and remote users to obtain certificates for their devices. It is primarily used in enabling EAP-TLS for BYOD. For example:

l A user brings their tablet to a BYOD organization. l They log in to the FortiAuthenticator unit and create a certificate for the device. l With their certificate, username, and password they can authenticate to gain access to the wireless network. l Without the certificate, they are unable to access the network.

To enable device self-enrollment and adjust self-enrollment settings, go to Authentication > Self-service Portal > Device Self-enrollment and select Enable userdevice certificate self-enrollment.

SCEP enrollment template Select a SCEP enrollment template from the drop-down list. SCEP can be configured in Certificate Management > SCEP. See SCEP on page 147 for more information.
Max. devices Set the maximum number of devices that a user can self-enroll.
Key size Select the key size for self-enrolled certificates (1024, 2048, or 4096 bits).

iOS devices only support two key size: 1024 and 2048.

Enable self-enrollment for Smart Card certificate Select to enable self-enrollment for smart card certificates.

This requires that a DNS domain name be configured, as it is used in the CRL Distribution Points (CDPs) certificate extension.

Port-based Network Access Control                                                                          Non-compliant devices

Select OK to apply any changes you have made.

Non-compliant devices

802.1X methods require interactive entry of user credentials to prove a user’s identity before allowing them access to the network. This is not possible for non-interactive devices, such as printers. MAC Authentication Bypass is supported to allow non-802.1X compliant devices to be identified and accepted onto the network using their MAC address as authentication.

This feature is only for 802.1X MAC Authentication Bypass. FortiGate Captive Portal MAC Authentication is supported by configuring the MAC address as a standard user, with the MAC address as both the username and password, and not by entering it in the MAC Devices section.

Multiple MAC devices can be imported in bulk from a CSV file. The first column of the CSV file contains the device names (maximum of 50 characters), and the second column contains the corresponding MAC addresses (0123456789AB or 01:23:45:67:89:AB).

To configure MAC-based authentication for a device:

  1. Go to Authentication > User Management > MAC Devices. The MAC device list will be shown.
  2. If you are adding a new device, select Create New to open the Create New MAC-based Authentication Device

If you are editing an already existing device, select the device from the device list.

  1. Enter the device name in the Name field, and enter the device’s MAC address in the MAC address
  2. Select OK to apply your changes.

To import MAC devices:

  1. In the MAC device list, select Import.
  2. Select Browse to locate the CSV file on your computer.
  3. Select OK to import the list.

The import will fail if the maximum number of MAC devices has already been reached, or if any of the information contained within the file does not conform, for example if the device name too long, or there is an incorrectly formatted MAC address.

FortiAuthenticator 4.0 Authentication

Authentication

FortiAuthenticator provides an easy to configure authentication server for your users. Multiple FortiGate units can use a single FortiAuthenticator unit for remote authentication and FortiToken device management.

FortiAuthenticatorin a multiple FortiGate unit network

This chapter includes the following topics:

l What to configure l User account policies l User management l FortiToken devices and mobile apps l Self-service portal l Remote authentication servers l RADIUS service l LDAP service l FortiAuthenticator Agents

What to configure

You need to decide which elements of FortiAuthenticator configuration you need.

  • Determine the type of authentication you will use: password-based or token-based. Optionally, you can enable both types. This is called two-factor authentication.

What to configure

  • Determine the type of authentication server you will use: RADIUS, built-in LDAP, or Remote LDAP. You will need to use at least one of these server types.
  • Determine which FortiGate units or third party devices will use the FortiAuthenticator unit. The FortiAuthenticator unit must be configured on each FortiGate unit as an authentication server, either RADIUS or LDAP. For RADIUS authentication, each FortiGate unit or third party device must be configured on the FortiAuthenticator unit as an authentication client.

Password-based authentication

User accounts can be created on the FortiAuthenticator device in multiple ways:

l Administrator creates a user and specifies their username and password. l Administrator creates a username and a random password is automatically emailed to the user. l Users are created by importing either a CSV file or from an external LDAP server.

Users can self-register for password-based authentication. This reduces the workload for the system administrator. Users can choose their own passwords or have a randomly generated password provided in the browser or sent to them via email or SMS. Self-registration can be instant, or it can require administrator approval. See Self-registration on page 76.

Once created, users are automatically part of the RADIUS Authentication system and can be authenticated remotely.

See User management on page 57 for more information about user accounts.

Two-factor authentication

Two-factor authentication increases security by requiring multiple pieces of information on top of the username and password. There are generally two factors:

  • something the user knows, usually a password, l something the user has, such as a FortiToken device.

Requiring the two factors increases the difficulty for an unauthorized person to impersonate a legitimate user.

To enable two-factor authentication, configure both password-based and token-based authentication in the user’s account.

FortiAuthenticator token-based authentication requires the user to enter a numeric token at login. Two types of numerical tokens are supported:

  • Time based: TOTP (RFC 6238)

The token passcode is generated using a combination of the time and a secret key which is known only by the token and the FortiAuthenticator device. The token password changes at regular time intervals, and the FortiAuthenticator unit is able to validate the entered passcode using the time and the secret seed information for that token.

Passcodes can only be used a single time (one time passcodes) to prevent replay attacks. Fortinet has the following time based tokens:

  • FortiToken 200 l FortiToken Mobile, running on a compatible smartphone l Event based: HMAC-based One Time Password (HTOP) (RFC 4226) What to configure

The token passcode is generated using an event trigger and a secret key. Event tokens are supported using a valid email account and a mobile phone number with SMS service.

FortiToken devices, FortiToken Mobile apps, email addresses, and phone numbers must be configured in the user’s account.

Only the administrator can configure token-based authentication. See Configuring token based authentication on page 62.

Authentication servers

The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the use of remote RADIUS and LDAP (which can include Windows AD servers).

The built-in servers are best used where there is no existing authentication infrastructure, or when a separate set of credentials is required. You build a user account database on the FortiAuthenticator unit. The database can include additional user information such as street addresses and phone numbers that cannot be stored in a FortiGate unit’s user authentication database. To authenticate, either LDAP or RADIUS can be used. The remote LDAP option adds your FortiGate units to an existing LDAP structure. Optionally, you can add two-factor authentication to remote LDAP.

RADIUS

If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must be registered as RADIUS authentication clients in Authentication > RADIUS Service > Clients. See RADIUS service on page 91. On each FortiGate unit that will use the RADIUS protocol, the FortiAuthenticator unit must be configured as a RADIUS server in User & Device > Authentication > RADIUS Server.

Built-in LDAP

If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users from the user database to the appropriate nodes in the LDAP hierarchy. See Creating the directory tree on page 96. On each FortiGate unit that will use LDAP protocol, the FortiAuthenticator unit must be configured as an LDAP server in User & Device > Authentication > LDAP Server.

Remote LDAP

Remote LDAP is used when an existing LDAP directory exists and should be used for authentication. User information can be selectively synchronised with the FortiAuthenticator unit, but the user credentials (passwords) remain on, and are validated against the LDAP directory.

To utilize remote LDAP, the authentication client (such as a FortiGate device) must connect to the

FortiAuthenticator device using RADIUS to authenticate the user information (see

User & Device > Authentication > RADIUS Server). The password is then proxied to the LDAP server for validation, while any associated token passcode is validated locally.

Machine authentication

Machine, or computer, authentication is a feature of the Windows supplicant that allows a Windows machine to authenticate to a network via 802.1X prior to user authentication.

Machine authentication is performed by the computer itself, which sends its computer object credentials before the Windows logon screen appears. User authentication is performed after the user logs in to Windows.

User account policies

Based on the computer credentials provided during machine authentication, limited access to the network can be granted. For example, access can be granted to just the Active Directory server to enable user authentication.

Following machine authentication, user authentication can take place to authenticate that the user is also valid, and to then grant further access to the network.

Machine authentication commonly occurs on boot up or log out, and not, for example, when a device awakens from hibernation. Because of this, the FortiAuthenticator caches authenticated devices based on their MAC addresses for a configurable period (see General on page 54). For more information on cached users, see Windows device logins on page 131

To configure machine authentication, see Clients on page 92.