
FortiAuthenticator 4.0 Authentication

Authentication

FortiAuthenticator provides an easy to configure authentication server for your users. Multiple FortiGate units can use a single FortiAuthenticator unit for remote authentication and FortiToken device management.

Figure: FortiAuthenticator in a multiple FortiGate unit network

This chapter includes the following topics:

  • What to configure
  • User account policies
  • User management
  • FortiToken devices and mobile apps
  • Self-service portal
  • Remote authentication servers
  • RADIUS service
  • LDAP service
  • FortiAuthenticator Agents

What to configure

You need to decide which elements of FortiAuthenticator configuration you need.

  • Determine the type of authentication you will use: password-based or token-based. Optionally, you can enable both types. This is called two-factor authentication.
  • Determine the type of authentication server you will use: RADIUS, built-in LDAP, or Remote LDAP. You will need to use at least one of these server types.
  • Determine which FortiGate units or third party devices will use the FortiAuthenticator unit. The FortiAuthenticator unit must be configured on each FortiGate unit as an authentication server, either RADIUS or LDAP. For RADIUS authentication, each FortiGate unit or third party device must be configured on the FortiAuthenticator unit as an authentication client.

Password-based authentication

User accounts can be created on the FortiAuthenticator device in multiple ways:

  • Administrator creates a user and specifies their username and password.
  • Administrator creates a username and a random password is automatically emailed to the user.
  • Users are created by importing either a CSV file or from an external LDAP server.

Users can self-register for password-based authentication. This reduces the workload for the system administrator. Users can choose their own passwords or have a randomly generated password provided in the browser or sent to them via email or SMS. Self-registration can be instant, or it can require administrator approval. See Self-registration on page 76.

Once created, users are automatically part of the RADIUS Authentication system and can be authenticated remotely.

See User management on page 57 for more information about user accounts.

Two-factor authentication

Two-factor authentication increases security by requiring multiple pieces of information on top of the username and password. There are generally two factors:

  • something the user knows, usually a password,
  • something the user has, such as a FortiToken device.

Requiring the two factors increases the difficulty for an unauthorized person to impersonate a legitimate user.

To enable two-factor authentication, configure both password-based and token-based authentication in the user’s account.

FortiAuthenticator token-based authentication requires the user to enter a numeric token at login. Two types of numerical tokens are supported:

  • Time based: TOTP (RFC 6238)

The token passcode is generated using a combination of the time and a secret key which is known only by the token and the FortiAuthenticator device. The token password changes at regular time intervals, and the FortiAuthenticator unit is able to validate the entered passcode using the time and the secret seed information for that token.

Passcodes can only be used a single time (one time passcodes) to prevent replay attacks. Fortinet has the following time based tokens:

  • FortiToken 200
  • FortiToken Mobile, running on a compatible smartphone

  • Event based: HMAC-based One Time Password (HOTP) (RFC 4226)

The token passcode is generated using an event trigger and a secret key. Event tokens are supported using a valid email account and a mobile phone number with SMS service.

FortiToken devices, FortiToken Mobile apps, email addresses, and phone numbers must be configured in the user’s account.

Only the administrator can configure token-based authentication. See Configuring token based authentication on page 62.
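To make the TOTP/HOTP description above concrete, here is an added example (not code from the FortiAuthenticator product or its documentation) that derives the passcode from the shared seed and the time step per RFC 4226/6238, and then does the server-side check the text describes: validate against the current time step with a small clock-skew window, and consume each step so that the same passcode cannot be replayed. The seed is the RFC test vector, not a real token seed, and the skew window is an assumed policy value.

```python
import hashlib
import hmac
import struct

# Constructed demo key: the RFC 4226 / RFC 6238 test secret, not a real token seed.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of time steps since the epoch."""
    return hotp(seed, unix_time // step, digits)


class TotpValidator:
    """Server-side validation: the server knows the seed, derives the expected passcode
    from the time, and accepts each time step only once (one-time passcode, no replay).
    A skew of one step on either side tolerates small clock drift (assumed policy value)."""

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.seed, self.step, self.digits, self.skew = seed, step, digits, skew
        self.last_step = -1  # highest time step already consumed for this token

    def validate(self, passcode: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_step:
                continue  # that step was already used (or is older): reject as replay
            expected = hotp(self.seed, candidate, self.digits)
            if hmac.compare_digest(expected, passcode):
                self.last_step = candidate  # consume the step so the code cannot be reused
                return True
        return False


if __name__ == "__main__":
    v = TotpValidator(DEMO_SEED)
    code = totp(DEMO_SEED, 59)          # RFC 6238 vector: 6-digit code at T=59 is 287082
    print(code, v.validate(code, 59))  # first use: accepted
    print(code, v.validate(code, 59))  # second use of the same passcode: rejected
```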

Authentication servers

The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the use of remote RADIUS and LDAP (which can include Windows AD servers).

The built-in servers are best used where there is no existing authentication infrastructure, or when a separate set of credentials is required. You build a user account database on the FortiAuthenticator unit. The database can include additional user information such as street addresses and phone numbers that cannot be stored in a FortiGate unit’s user authentication database. To authenticate, either LDAP or RADIUS can be used. The remote LDAP option adds your FortiGate units to an existing LDAP structure. Optionally, you can add two-factor authentication to remote LDAP.

RADIUS

If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must be registered as RADIUS authentication clients in Authentication > RADIUS Service > Clients. See RADIUS service on page 91. On each FortiGate unit that will use the RADIUS protocol, the FortiAuthenticator unit must be configured as a RADIUS server in User & Device > Authentication > RADIUS Server.

Built-in LDAP

If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users from the user database to the appropriate nodes in the LDAP hierarchy. See Creating the directory tree on page 96. On each FortiGate unit that will use LDAP protocol, the FortiAuthenticator unit must be configured as an LDAP server in User & Device > Authentication > LDAP Server.

Remote LDAP

Remote LDAP is used when an existing LDAP directory exists and should be used for authentication. User information can be selectively synchronised with the FortiAuthenticator unit, but the user credentials (passwords) remain on, and are validated against, the LDAP directory.

To utilize remote LDAP, the authentication client (such as a FortiGate device) must connect to the FortiAuthenticator device using RADIUS to authenticate the user information (see User & Device > Authentication > RADIUS Server). The password is then proxied to the LDAP server for validation, while any associated token passcode is validated locally.

Machine authentication

Machine, or computer, authentication is a feature of the Windows supplicant that allows a Windows machine to authenticate to a network via 802.1X prior to user authentication.

Machine authentication is performed by the computer itself, which sends its computer object credentials before the Windows logon screen appears. User authentication is performed after the user logs in to Windows.

Based on the computer credentials provided during machine authentication, limited access to the network can be granted. For example, access can be granted to just the Active Directory server to enable user authentication.

Following machine authentication, user authentication can take place to authenticate that the user is also valid, and to then grant further access to the network.

Machine authentication commonly occurs on boot up or log out, and not, for example, when a device awakens from hibernation. Because of this, the FortiAuthenticator caches authenticated devices based on their MAC addresses for a configurable period (see General on page 54). For more information on cached users, see Windows device logins on page 131.

To configure machine authentication, see Clients on page 92.

Reports

FortiAnalyzer units can analyze information collected from the log files of managed log devices. They then present the information in tabular and graphical reports that provide a quick and detailed analysis of activity on your networks.

To reduce the number of reports needed, reports are independent from devices, and contain layout information in the form of a report template. The devices, and any other required information, can be added as parameters to the report at the time of report generation.

The Reports tab allows you to configure reports using the predefined report templates, configure report schedules, view report history and the report calendar, and configure and view charts, macros, datasets, and output profiles.

If ADOMs are enabled, each ADOM will have its own report settings including chart library, macro library, dataset library, and output profiles.

FortiCache, FortiMail and FortiWeb reports are available when ADOMs are enabled. Reports for these devices are configured within their respective default ADOM. These devices also have device specific charts and datasets.

This chapter contains the following sections:

  • Reports
  • Report layouts
  • Chart library
  • Macro library
  • Report calendar
  • Advanced

Reports

FortiAnalyzer includes preconfigured reports and report templates for FortiGate, FortiMail, and FortiWeb log devices. These report templates can be used as is, or you can clone and edit the templates. You can also create new reports and report templates that can be customized to your requirements. For a list of preconfigured reports see “Report Templates” on page 207.

Predefined report templates are identified by a blue report icon, and custom report templates are identified by a green report icon. When a schedule has been enabled, the schedule icon appears to the left of the report template name.

In the Reports tab, go to Reports > [report] to view and configure the report configuration, advanced settings, and layout, and to view completed reports. The currently running reports and completed reports are shown in the View Report tab, see “View report tab” on page 173.

Figure 118: Report page

Right-clicking on a template in the tree menu opens a pop-up menu with the following options:

Report

  • Create New: Create a new report. See “To create a new report:” on page 167. Custom report templates are identified by the custom report icon beside the report name; predefined report templates are identified by the predefined report icon.
  • Rename: Rename a report.
  • Clone: Clone the selected report. See “To clone a report:” on page 167.
  • Delete: Delete the report. The default reports cannot be deleted. See “To delete a report:” on page 167.
  • Import: Import a report. See “Import and export” on page 167.
  • Export: Export a report. See “Import and export” on page 167.

Folder

  • Create New: Create a new report folder. See “To create a new report folder:” on page 168.
  • Rename: Rename a report folder. See “To rename a report folder:” on page 168.
  • Delete: Delete a report folder. Any report templates in the folder will be deleted. See “To delete a report folder:” on page 168.

Reports and report templates can be created, edited, cloned, and deleted. You can also import and export report templates. New content can be added to and organized on a template, including: new sections, three levels of headings, text boxes, images, charts, and line and page breaks.

To create a new report:

  1. In the Reports tab, right-click on Reports in the tree menu.
  2. Under the Report heading, select Create New.

The Create New Report dialog box opens.

  3. Enter a name for the new report and select OK.
  4. Configure report settings in the Configuration tab. The configuration tab includes time period, device selection, report type, schedule, and notifications.
  5. Select the Report layouts to configure the report template.
  6. Select the Advanced settings tab to configure report filters and other advanced settings.
  7. Select Apply to save the report template.

To clone a report:

  1. Right-click on the report you would like to clone in the tree menu and select Clone.

The Clone Report Template dialog box opens.

  2. Enter a name for the new template, then select OK.

A new template with the same information as the original template is created with the given name. You can then modify the cloned report as required.

To delete a report:

  1. Right-click on the report template that you would like to delete in the tree menu, and select Delete under the Report heading.
  2. In the confirmation dialog box, select OK to delete the report template.

Import and export

Report templates can be imported from and exported to the management computer.

To import a report template:

  1. Right-click on Reports, and select Import.

The Import Report Template dialog box opens.

  2. Select Browse, locate the report template (.dat) file on your management computer, and select OK.

The report template will be loaded into the FortiAnalyzer unit.

To export a report template:

  1. Right-click on the report you would like to export in the tree menu and select Export.
  2. If a dialog box opens, select to save the file (.dat) to your management computer, and select OK.

The report template can now be imported to another FortiAnalyzer device.

Report folders

Report folders can be used to help organize your reports.

To create a new report folder:

  1. In the Reports tab, right-click on Reports in the tree menu.
  2. Under the Folder heading, select Create New.
  3. In the Create New Folder dialog box, enter a name for the folder, and select OK.

A new folder is created with the given name.

To rename a report folder:

  1. Right-click on the report folder that you need to rename in the tree menu.
  2. Under the Folder heading, select Rename.
  3. In the Rename Folder dialog box, enter a new name for the folder, and select OK.

To delete a report folder:

  1. Right-click on the report folder that you would like to delete in the tree menu, and select Delete under the Folder heading.
  2. In the confirmation dialog box, select OK to delete the report folder.

Configuration tab

In FortiAnalyzer v5.2.0 and later, the Reports tab layout has changed. When creating a new report, the Configuration tab is the first tab that is displayed. In this tab you can configure the time period, select devices, enable schedules, and enable notification.

Report schedules provide a way to schedule an hourly, daily, weekly, or monthly report so that the report will be generated at a specific time. You can also manually run a report schedule at any time, and enable or disable report schedules. Report schedules can also be edited and disabled from the Report Calendar. See “Report calendar” on page 198 for more information.

Figure 119: Configuration tab

The following settings are available in the Configuration tab:

  • Time Period: The time period that the report will cover. Select a time period, or select Other to manually specify the start and end date and time.
  • Devices: The devices that the report will include. Select either All Devices or Specify to add specific devices. Select the add icon to select devices.
  • User or IP: Enter the user name or the IP address of the user on whom the report will be based. This field is only available for the three predefined report templates in the Detailed User Report folder.
  • Type: Select either Single Report (Group Report) or Multiple Reports (Per-Device). This option is only available if multiple devices are selected.
  • Enable Schedule: Select to enable report template schedules.
  • Generate PDF Report Every: Select when the report is generated. Enter a number for the frequency of the report based on the time period selected from the drop-down list.
  • Starts On: Enter a starting date and time for the file generation.
  • Ends: Enter an ending date and time for the file generation, or set it for never ending.
  • Enable Notification: Select to enable report notification.
  • Output Profile: Select the output profile from the drop-down list, or select Create New to create a new output profile. See “Output profile” on page 203.

Configuring System Settings

The System menu lets you configure administrator accounts, network settings, system time, SNMP, RAID, high availability (HA), certificates, and more.

This section includes:

  • Configuring network settings
  • Configuring system time, configuration options, SNMP, and FortiSandbox
  • Customizing GUI, replacement messages and email templates
  • Configuring administrator accounts and access profiles
  • Configuring RAID
  • Using high availability (HA)
  • Managing certificates
  • Configuring IBE encryption
  • Configuring certificate bindings