Administration Guide. FortiAuthenticator 1.3
2 FortiAuthenticator Administration Guide
24 May
Copyright 2012 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. Reproduction or transmission of this publication is encouraged.
Trademarks: The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base -
Technical Documentation -
Training Services -
Technical Support -
You can report errors or omissions in this or any Fortinet technical document to [email protected].
3 Contents
Introduction 7
  Before you begin
  How this guide is organized
  Registering your Fortinet product
Setup and System 9
  Initial setup
    FortiAuthenticator VM setup
    System requirements
    FortiAuthenticator-VM image installation and initial setup
    Administrative access - VM and hardware
    Web-based manager access
    Telnet
    SSH
  Adding a FortiAuthenticator unit to your network
  System maintenance
    Upgrading the firmware
    Backing up the configuration
    Licensing
  High Availability (HA) Operation
    Administrative access to the HA cluster
  Configuring e-mail servers and services
  CLI commands
  Troubleshooting
    FortiAuthenticator settings
    FortiGate settings
Authentication users and servers 19
  What to configure
    Password-based authentication
    Token-based authentication
    Choosing one-factor or two-factor authentication
    Authentication servers
      RADIUS
      Built-in LDAP
      Remote LDAP
  Adding Users
    Administrators
    User self-registration
    Adding a user account
    Configuring token-based authentication for a user
    Configuring the user's password recovery options
    Setting a password policy
    Setting a lock-out policy
    User groups
    RADIUS attributes
  Adding FortiToken devices
    FortiAuthenticator and FortiTokens
    Monitoring FortiToken devices
    FortiToken device maintenance
    Configuration for FortiTokenMobile device provision
  Adding FortiGate units as NAS
  Configuring built-in LDAP
    LDAP directory tree overview
    Creating the LDAP directory tree
    Editing the root node
    Adding nodes to the LDAP hierarchy
    Adding user accounts to the LDAP tree
    Moving LDAP branches in the directory tree
    Removing entries from the directory tree
    Configuring a FortiGate unit for FortiAuthenticator LDAP
  Configuring Remote LDAP
    Adding a remote LDAP server
    Adding Remote LDAP users
  Single Sign-on portal
  802.1X Authentication
    Configuring switches to use 802.1X authentication
    Configuring clients to use 802.1X authentication
    Windows XP SP
  MAC-based authentication
  Monitoring users
    Dashboard
    Users monitor
Fortinet Single Sign On (FSSO) 39
  Communicating with FortiGate units
  Communicating with Domain Controllers
  Monitoring FSSO units
    Monitoring SSO users
    Monitoring domain controllers
    Monitoring FortiGate units
Certificate Management 43
  Certificate Authorities (CA)
  Certificates
  Certificate Revocation List (CRL)
    Locally created CRL
  Configuring Online Certificate Status Protocol
  Users
Logging 49
  Search button
  Log entry order
  Log Type Reference
  Exporting the log
Troubleshooting 51
Index 53
FortiAuthenticator Administration Guide
7 Introduction
Before you begin
Welcome and thank you for selecting Fortinet products for your network protection. This chapter contains the following topics:
Before you begin
How this guide is organized
Before you begin using this guide, please ensure that:
You have administrative access to the web-based manager and/or CLI.
The FortiAuthenticator unit is integrated into your network.
The operation mode has been configured.
The system time, DNS settings, administrator password, and network interfaces have been configured.
Any third-party software or servers have been configured using their documentation.
While using the instructions in this guide, note that administrators are assumed to be super_admin administrators unless otherwise specified. Some restrictions will apply to other administrators.
How this guide is organized
This FortiAuthenticator Administration Guide contains the following sections:
Setup and System describes initial setup for standalone and HA cluster FortiAuthenticator configurations.
Authentication users and servers describes how to configure built-in and remote authentication servers and manage user groups.
Fortinet Single Sign On (FSSO) describes how to use the FortiAuthenticator unit in a single sign on (SSO) environment.
Certificate Management describes how to manage X.509 certificates and how to set up the FortiAuthenticator unit to act as a Certificate Authority.
Registering your Fortinet product
Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.
9 Setup and System
A FortiAuthenticator unit is an authentication server that includes a RADIUS server and an LDAP server. Authentication servers are an important part of an enterprise network, providing access to protected network assets and tracking users' activities to comply with security policies.
A FortiAuthenticator unit is not a firewall; it requires a FortiGate unit to provide firewall-related services. Multiple FortiGate units can use a single FortiAuthenticator unit for Fortinet Single Sign On (FSSO) and other types of remote authentication, two-factor authentication, and FortiToken device management. This centralizes authentication and FortiToken maintenance.
FortiAuthenticator provides an easy-to-configure remote authentication option for FortiGate users. Additionally, it can replace the FSSO Agent on a Windows AD network.
FortiAuthenticator is a server and should be isolated on a network interface separate from other hosts to facilitate server-related firewall protection. Failure to protect the FortiAuthenticator may result in compromised authentication databases.
Figure 1: FortiAuthenticator on a multiple FortiGate unit network (two client networks, each behind its own FortiGate unit, sharing one FortiAuthenticator)
The following topics are included in this section:
Initial setup
Adding a FortiAuthenticator unit to your network
System maintenance
High Availability (HA) Operation
Configuring e-mail servers and services
CLI commands
Troubleshooting
10 Initial setup
For information about installing the FortiAuthenticator unit and accessing the CLI or web-based manager, refer to the Quick Start Guide provided with your unit. The following section provides information about setting up the Virtual Machine (VM) version of the product.
FortiAuthenticator VM setup
Before using FortiAuthenticator-VM, you need to install the VMware application to host the FortiAuthenticator-VM device. The installation instructions for FortiAuthenticator-VM assume you are familiar with VMware products and terminology.
System requirements
The minimum system requirements for a computer running the FortiAuthenticator VM image include:
Installed latest version of VMware Player, Fusion, or Workstation
512 MB of RAM minimum
One virtual NIC minimum, to a maximum of four virtual NICs
Minimum of 3 GB free space
FortiAuthenticator-VM image installation and initial setup
The following procedure describes setup on VMware Fusion.
To set up the FortiAuthenticator VM image
1 Download the VM image ZIP file to the local computer where VMware is installed.
2 Extract the files from the zip file into a folder.
3 In VMware Fusion, go to File > Open.
4 Navigate to the expanded VM image folder, select the FortiAuthenticator-VM.vmx file and select Open. VMware will install and start FortiAuthenticator-VM. This process can take a minute or two to complete.
5 At the FortiAuthenticator login prompt, enter admin and press Enter.
6 At the password prompt, press Enter. By default, there is no password.
7 At the CLI prompt enter the following commands:
set port1-ip <addr_ipv4mask>
set default-gw <addr_ipv4>
Substitute your own desired FortiAuthenticator IP address (with netmask, for example /24) and default gateway. You can now connect to the web-based manager at the address you set for port1-ip.
11 Administrative access - VM and hardware
Administrative access is enabled by default on port 1. Using the web-based manager, you can enable administrative access on other ports if necessary.
Adding administrative access to an interface
1 Go to System > Network > Interfaces. Select the desired interface to edit.
2 In Admin access, select the types of access to allow.
3 Select OK.
Web-based manager access
To use the web-based manager, point your browser to the port1 IP address. Enter admin as the User Name and leave the Password field blank. For secure access, enter https instead of http in the URL.
Telnet
CLI access is available using telnet to the port1 interface IP address. Use the telnet -K option so that telnet does not attempt to log on using your user ID. For example:
$ telnet -K <port1-ip>
At the FortiAuthenticator login prompt, enter admin. When prompted for a password, just press Enter. By default there is no password. When you are finished, use the exit command to end the telnet session.
SSH
SSH provides secure access to the CLI. Connect to the port1 interface IP address. Specify the user name admin or SSH will attempt to log on with your user name. For example:
$ ssh admin@<port1-ip>
At the password prompt, just press Enter. By default there is no password. When you are finished, use the exit command to end the session.
Because the admin account ships with no password and telnet and http carry credentials in cleartext, set an administrator password and allow only SSH and https in Admin access before the unit is reachable from any other host.
12 Adding a FortiAuthenticator unit to your network
Before the initial setup of FortiAuthenticator, there are some requirements for your network.
You must have security policies that allow traffic between the client network and the subnet of the FortiAuthenticator.
You must ensure that the following ports are open in the security policies between the FortiAuthenticator and NAS devices that will be authenticating: port 8000/TCP (FSSO), ports 389 and 636/TCP (LDAP), and 1812/UDP (RADIUS), in addition to management protocols such as HTTP, HTTPS, telnet, SSH, Ping, and other protocols you may choose to allow.
To initially set up FortiAuthenticator on your network
1 Log on to the web-based manager. Use admin for the username. There is no password.
2 Go to System > Network > DNS. Enter your primary and secondary name servers.
3 Go to System > Network > Default Gateway. Enter the gateway IP address.
4 Go to System > Dashboard > Status.
5 In System Information, select Change in the System Time field.
6 Select your time zone from the list.
7 Either enable NTP or set the date/time manually. Enter a new time and date by either typing it manually, selecting Today or Now, or selecting the calendar or clock icons for a more visual method of setting the date and time. If you will be using FortiToken devices, Fortinet strongly recommends using NTP: FortiToken authentication codes require an accurate system clock.
8 Select OK.
9 If the FortiAuthenticator is connected to additional subnets, configure additional FortiAuthenticator interfaces as required. Go to System > Network > Interfaces to set the IP address and subnet mask for each interface. Go to System > Network > Default Gateway to set the gateway for each interface as required.
13 System maintenance
System maintenance tasks include:
Upgrading the firmware
Backing up the configuration
Licensing
For information about High Availability, see High Availability (HA) Operation on page 14.
Upgrading the firmware
Periodically, Fortinet issues firmware upgrades that fix known issues, add new features and functionality, and generally improve your FortiAuthenticator experience. To upgrade the firmware, you must first register your FortiAuthenticator with Fortinet. See Registering your Fortinet product on page 7.
To upgrade FortiAuthenticator firmware
1 Download the latest firmware to your local computer from the Fortinet Technical Support web site.
2 On FortiAuthenticator, go to System > Maintenance > Firmware.
3 Select Browse, and locate the new firmware image on your local computer.
4 Select OK.
When you select OK, the new firmware image will upload from your local computer to the FortiAuthenticator, which will then reboot. The FortiAuthenticator is offline and unavailable for authentication for a short period during this reboot; back up the configuration before upgrading.
Backing up the configuration
You can back up the configuration of the FortiAuthenticator to your local computer. The backup file is encrypted. This configuration file backup includes both the CLI and web-based manager configuration of the FortiAuthenticator. The backed up information includes users, user groups, FortiToken device list, NAS device list, LDAP directory tree, FSSO settings, remote LDAP, and certificates. Because the backup contains the user database, the FortiToken device list and the certificates, store it as carefully as the unit itself.
To back up your configuration
1 Go to System > Maintenance > Config.
2 Under Backup, select the Click here link and save the file on your computer.
To restore your configuration
1 Go to System > Maintenance > Config.
2 Browse to the location of the backup file on your computer, and select Restore. You will be prompted to confirm the restore action. The FortiAuthenticator unit will reboot.
When you restore the configuration from a backup file, any information changed since the backup will be lost. Any active sessions will be ended and must be restarted. You will have to log back in when the system reboots.
14 Licensing
FortiAuthenticator VM works in evaluation mode until it is licensed.
To license FortiAuthenticator VM
1 Go to System > Maintenance > License.
2 Select Browse and locate the license file you received from Fortinet.
3 Select OK.
High Availability (HA) Operation
Two FortiAuthenticator units can operate as a cluster to provide even higher reliability. One unit is active and the other is on standby. If the active unit fails, the standby unit becomes active. The cluster is configured as a single authentication server on your FortiGate units. Authentication requests made during a failover from one unit to another are lost, but subsequent requests complete normally. The failover process takes about 30 seconds.
To configure FortiAuthenticator HA
1 On each unit, go to System > Maintenance > High Availability and enter:
Enable HA: Enable.
Interface: Select a network interface to use for communication between the two cluster members. This interface must not already have an IP address assigned and it cannot be used for authentication services.
Cluster member IP address: Enter the IP address this unit uses for HA-related communication with the other FortiAuthenticator unit. The two units must have different addresses. Usually, you should assign addresses on the same private subnet.
Admin access: Select the types of administrative access to allow.
Priority: Set to Low on one unit and High on the other. Normally, the unit with High priority is the master unit.
Password: Enter a string to be used as a shared key for IPsec encryption. This must be the same on both units. Because this key protects the tunnel over which the whole configuration, user database included, is replicated, use a long random string and connect the HA interfaces over a dedicated link or VLAN.
2 When one unit has become the master, connect to the web-based manager again and complete your configuration. You are configuring the Master unit. The configuration will automatically be copied to the slave unit. Refer to the other chapters of this manual for more information. Configuring the cluster is the same as configuring a single FortiAuthenticator unit.
Administrative access to the HA cluster
Administrative access is available through any of the network interfaces using their assigned IP addresses or through the HA interface using the Cluster member IP address, assigned on the System > Maintenance > High Availability page. In all cases, administrative access is available only if it is enabled on the interface.
Administrative access through any of the network interface IP addresses connects only to the master unit. The only administrative access to the slave unit is through the HA interface using the slave unit's Cluster member IP address.
15 Configuration changes made on the master unit are automatically pushed to the slave unit. The slave unit does not permit configuration changes, but you might want to access the unit to change HA settings or for firmware upgrade, shutdown, reboot, or troubleshooting.
Configuring e-mail servers and services
The FortiAuthenticator unit sends e-mail for several purposes, such as password reset requests, new user approvals, user self-registration, and two-factor authentication. By default, the FortiAuthenticator unit uses its built-in SMTP server. For situations where direct SMTP access is not possible, the unit can be configured to use an external mail relay.
There are two distinct e-mail services for:
Administrators - password reset, new user approval, two-factor authentication, etc.
Users - password reset, self-registration, two-factor authentication, etc.
To add an external SMTP server
1 Go to System > E-mails > SMTP Servers and select Create New.
2 Enter the following:
Name: Enter a name to identify this mail server on the FortiAuthenticator unit.
Server Name/IP: Enter the IP address or FQDN of the mail server.
Sender address: Enter the e-mail address to put in the From field on messages from the FortiAuthenticator unit.
Secure connection: For a secure connection to the mail server, select STARTTLS and select the CA certificate that validates the server's certificate. For information about importing the CA certificate, see To import a CA certificate on page 45.
Enable authentication: Select if the server requires you to authenticate when sending e-mail. Enter the Account username and Password.
3 Optionally, select Test Connection to send a test message. Specify a recipient and select Send. Confirm that the recipient received the message. The recipient's system might treat the test message as spam.
4 Select OK.
Because two-factor authentication codes and password-reset messages travel over this connection, enable STARTTLS with CA validation whenever the relay supports it; a relay reached over plain SMTP exposes those one-time codes and the relay account password to anyone on the path.
To set the default e-mail server
1 Go to System > E-mails > SMTP Servers.
2 Select the check box of the server that you want to make the default.
3 Select Set as Default.
To configure e-mail services
1 Go to System > E-mails > Services and select Administrators.
2 Select the SMTP Server to use for these messages.
3 Optionally, change the Public Address provided in the e-mail from:
Automatic discovery
Specify an address - provide the IP address or FQDN
Use the IP address from a network interface - select the interface
4 Select OK. If any information is missing or invalid, you are prompted to make corrections.
5 Select Users and repeat steps 2 through 4.
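What the Secure connection setting above buys you is easiest to see in a client that does the same thing. The following Python client is an added example, not Fortinet's code and not taken from the guide: it requires the relay to offer STARTTLS, verifies the relay's certificate chain and name against a CA bundle before any credentials or message content are sent, and refuses to fall back to cleartext. The permissive context beside it is the weak setting to avoid. The relay host, port, CA file path and account names are assumptions.

```python
"""Sending mail to an external relay over STARTTLS with CA validation.

Added example, not Fortinet's code. The strict context is what the guide's
"Secure connection: STARTTLS + CA certificate" option describes; the
permissive context beside it is the weak setting to avoid. Host, port,
CA file and account names below are assumptions.
"""
from __future__ import annotations

import smtplib
import ssl
from email.message import EmailMessage


def build_tls_context(cafile: str | None = None) -> ssl.SSLContext:
    """Strict client context: verify the relay's certificate chain against
    `cafile` (or the system trust store when None), check that the name in
    the certificate matches the host we connected to, and refuse TLS < 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_permissive_context() -> ssl.SSLContext:
    """The weak configuration: any certificate is accepted, so an attacker on
    the path can present their own and read the one-time codes. Shown only so
    that context_is_strict() can reject it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces chain validation, hostname matching
    and TLS 1.2 or better."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def send_over_starttls(host: str, port: int, sender: str, recipient: str,
                       subject: str, body: str, cafile: str | None = None,
                       username: str | None = None, password: str | None = None,
                       timeout: float = 10.0) -> dict:
    """Deliver one message through `host`, upgrading to TLS before any
    credentials or message content are sent. Raises rather than falling back
    to cleartext if the relay does not advertise STARTTLS."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)

    ctx = build_tls_context(cafile)
    if not context_is_strict(ctx):
        raise RuntimeError("refusing to use a non-verifying TLS context")

    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # A relay (or a downgrade attack) that hides STARTTLS must not
            # silently turn this into a plaintext session.
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS")
        smtp.starttls(context=ctx)   # certificate chain and hostname checked here
        smtp.ehlo()                  # re-read extensions inside the TLS session
        if username is not None:
            smtp.login(username, password or "")
        return smtp.send_message(msg)  # {} means every recipient was accepted


if __name__ == "__main__":
    # Assumed relay and account; replace with your own before running.
    send_over_starttls("smtp.example.net", 587, "fac@example.net",
                       "admin@example.net", "FortiAuthenticator relay check",
                       "Test message from the relay check script.",
                       cafile="/etc/ssl/certs/corp-ca.pem",
                       username="fac-relay", password="assumed-password")
```

The second ehlo() after starttls() matters: extension lists and AUTH mechanisms announced before the upgrade came over cleartext and could have been altered, so they are re-read inside the TLS session before login. The Test Connection button in the web-based manager exercises the same path end to end; if it fails only after you enable STARTTLS, the usual cause is that the CA certificate you selected does not issue the relay's certificate or the relay's certificate does not carry the name you typed in Server Name/IP.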
17 CLI commands
The FortiAuthenticator has CLI commands that are accessed using the console, SSH, or Telnet. Their purpose is to initially configure the unit, perform a factory reset, or reset the values if the web-based manager is not accessible for some reason.
help: Display the list of valid CLI commands. You can also enter ? for help.
set port1-ip <addr_ipv4mask>: Enter the IPv4 address and netmask for the port1 interface. The netmask is expected in the /xx format, for example /24. Once this port is configured, you can use the web-based manager to configure the remaining ports.
set default-gw <addr_ipv4>: Enter the IPv4 address of the default gateway for this interface. This is the default route for this interface.
set date <YYYY-MM-DD>: Enter the current date. The valid format is four-digit year, two-digit month, and two-digit day. For example, set date with month 08 and day 12 sets the date to August 12th.
set time <HH:MM:SS>: Enter the current time. The valid format is two digits each for hours, minutes, and seconds. A 24-hour clock is used. For example, 15:10:00 is 3:10pm.
set tz <timezone_index>: Enter the current time zone using the time zone index. To see a list of index numbers and their corresponding time zones, enter set tz ?.
unset <setting>: Restore the default value. For each set command listed above, there is an unset command, for example unset port1-ip.
show: Display the current settings of port1 IP, netmask, default gateway, and time zone.
exit: Terminate the CLI session.
reboot: Perform a hard restart of the FortiAuthenticator unit. All sessions will be terminated. The unit will go offline and there will be a delay while it restarts.
factory-reset: Reset the FortiAuthenticator settings to factory default settings. This includes clearing the user database. This procedure deletes all changes that you have made to the FortiAuthenticator configuration and reverts the system to its original configuration, including resetting interface addresses.
shutdown: Turn off the FortiAuthenticator.
status: Display basic system status information including firmware version, build number, serial number of the unit, and system time.
18 Troubleshooting
Troubleshooting includes useful tips and commands to help deal with issues that may occur. For additional help, always contact customer support.
If you have issues when attempting authentication on FortiGate using the FortiAuthenticator, there are some FortiAuthenticator settings and FortiGate settings to check. In addition to these settings you can use log entries, monitors, and debugging information to find out more about your authentication problems. For help with FortiAuthenticator logging, see Logging on page 49. For help with FortiGate troubleshooting, see the FortiOS Handbook Troubleshooting and User Authentication guides.
FortiAuthenticator settings
When checking FortiAuthenticator settings, you should ensure that:
there is a NAS entry for the FortiGate unit (see Adding FortiGate units as NAS on page 28),
the user trying to authenticate has a valid active account that is not disabled, and that the username and password are spelled as expected,
the user account allows RADIUS authentication if RADIUS is enabled on the FortiGate unit,
the FortiGate unit can communicate with the FortiAuthenticator unit,
the user account exists as a local user on the FortiAuthenticator (if using RADIUS authentication), in the local LDAP directory (if using local LDAP authentication), or in the remote LDAP directory (if using RADIUS authentication with remote LDAP password validation),
the user is a member of the expected user groups and these user groups are allowed to communicate on the NAS (the FortiGate unit, for example).
If authentication fails with the log error bad password, try resetting the password. If this fails, verify that the pre-shared secret is identical on both FortiAuthenticator and the NAS: RADIUS hides the PAP password with a keystream derived from the shared secret, so a NAS and a server that disagree on the secret recover different bytes, and the server logs the failure as a bad password rather than as a secret mismatch.
FortiGate settings
When checking FortiGate authentication settings, you should ensure that:
the user has membership in the required user groups and identity-based security policies,
there is a valid entry for the FortiAuthenticator as a remote RADIUS or LDAP server,
the user is configured explicitly or as a wildcard user.
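The bad password symptom described above can be reproduced offline. The following Python block is an added example, not Fortinet's code and not from the guide: it implements the User-Password hiding and the Response Authenticator of RFC 2865, builds the Access-Request a NAS such as a FortiGate unit would send, and plays the server side with a matching and with a mismatched shared secret. The user names, passwords and secrets are constructed test data.

```python
"""RADIUS PAP password hiding and the effect of a shared-secret mismatch.

Added example, not Fortinet's code. Implements the User-Password
obfuscation and Response Authenticator of RFC 2865 so that the
"bad password on secret mismatch" symptom can be reproduced offline.
Secrets, user names and passwords below are constructed test data.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")          # Code, Identifier, Length


def _keystream_xor(data: bytes, secret: bytes, authenticator: bytes,
                   chain_from_output: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte chunk is XORed with
    MD5(secret + previous chunk). Hiding chains on the ciphertext it just
    produced; revealing chains on the ciphertext it just consumed."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(chunk, mask))
        out += result
        prev = result if chain_from_output else chunk
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not 0 < len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL pad to 16n
    return _keystream_xor(padded, secret, authenticator, chain_from_output=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = _keystream_xor(hidden, secret, authenticator, chain_from_output=False)
    return plain.rstrip(b"\x00")


def encode_attrs(attrs: list[tuple[int, bytes]]) -> bytes:
    return b"".join(bytes((t, len(v) + 2)) + v for t, v in attrs)


def parse_attrs(body: bytes) -> dict[int, bytes]:
    """Parse Type/Length/Value attributes; bad lengths raise instead of wrapping."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs[t] = body[i + 2:i + length]
        i += length
    return attrs


def nas_access_request(username: bytes, password: bytes, secret: bytes,
                       ident: int = 1, authenticator: bytes | None = None) -> tuple[bytes, bytes]:
    """NAS side (e.g. a FortiGate unit). Returns (packet, request authenticator);
    the NAS keeps the authenticator to check the reply."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, authenticator))])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body, authenticator


def server_reply(request: bytes, secret: bytes, users: dict[bytes, bytes]) -> bytes:
    """Server side: reveal the password with *its* secret and compare. A wrong
    secret yields bytes that match nothing, hence a "bad password" log entry."""
    code, ident, length = HEADER.unpack(request[:4])
    req_auth = request[4:20]
    reply_code = ACCESS_REJECT
    if code == ACCESS_REQUEST and length == len(request):
        try:
            attrs = parse_attrs(request[20:])
            got = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
            expected = users.get(attrs[USER_NAME], b"")
            if expected and hmac.compare_digest(got, expected):
                reply_code = ACCESS_ACCEPT
        except (KeyError, ValueError):
            pass
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(HEADER.pack(reply_code, ident, 20) + req_auth + secret).digest()
    return HEADER.pack(reply_code, ident, 20) + resp_auth


def nas_verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> int | None:
    """NAS side: trust the reply only if its authenticator proves the server
    knows the same secret; otherwise return None (spoofed or mismatched)."""
    code, ident, length = HEADER.unpack(reply[:4])
    if length != len(reply):
        return None
    expected = hashlib.md5(HEADER.pack(code, ident, length) + req_auth + reply[20:] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None
```

Two things follow from the construction. First, nothing in an Access-Request lets the server tell a wrong secret from a wrong password, which is exactly why the guide's advice is to reset the password first and only then compare secrets; the Message-Authenticator attribute of RFC 2869 closes that gap and should be enabled where the NAS supports it. Second, the NAS only learns that the secret is wrong because the Response Authenticator on the Access-Reject fails to verify, so a reject that the NAS silently drops looks like a timeout on the FortiGate side.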
19 Authentication users and servers
FortiAuthenticator provides an easy-to-configure authentication server for your users. Multiple FortiGate units can use a single FortiAuthenticator unit for remote authentication and FortiToken device management.
Figure 2: FortiAuthenticator on a multiple FortiGate unit network (two client networks, each behind its own FortiGate unit, sharing one FortiAuthenticator)
The following topics are included in this section:
What to configure
Adding Users
Adding FortiToken devices
Adding FortiGate units as NAS
Configuring built-in LDAP
Configuring Remote LDAP
Single Sign-on portal
802.1X Authentication
MAC-based authentication
Monitoring users
What to configure
You need to decide which elements of FortiAuthenticator configuration you need.
Determine the type of authentication you will use: password-based or token-based. Optionally, you can enable both types; this is called two-factor authentication.
Determine the type of authentication server you will use: RADIUS, built-in LDAP, or Remote LDAP. You will need to use at least one of these server types.
20 Determine which FortiGate units will use the FortiAuthenticator unit. The FortiAuthenticator unit must be configured on each FortiGate unit as an authentication server, either RADIUS or LDAP. For RADIUS authentication, each FortiGate unit must be configured on the FortiAuthenticator unit as a NAS.
Password-based authentication
Users can self-register for password-based authentication. This reduces the workload for the system administrator. Users can choose their own passwords or have a randomly generated password provided in the browser or sent to them through e-mail or SMS. Self-registration can be instant, or it can require administrator approval. See User self-registration on page 22.
Token-based authentication
Token-based authentication requires the user to enter a six-digit PIN (a one-time code) at login. The PIN changes regularly and is known only to the FortiAuthenticator unit and the user. The PIN can be delivered to the user through:
a FortiToken device
an e-mail account
a cell phone number with SMS service
a cell phone or other mobile device with the FortiTokenMobile app installed
FortiToken devices, FortiTokenMobile apps, e-mail addresses, and phone numbers must be configured in the user's account. Only the administrator can configure token-based authentication. See Configuring token-based authentication for a user on page 23.
Choosing one-factor or two-factor authentication
Two-factor authentication increases security. The two factors are:
something the user knows, usually a password
something the user has, such as a FortiToken device
Requiring the two factors increases the difficulty for an unauthorized person to impersonate a legitimate user. To enable two-factor authentication, you simply configure both password-based and token-based authentication in the user's account. Two-factor authentication does not work with FortiOS explicit proxies.
A PIN delivered by e-mail or SMS is only as strong as the mailbox or phone number it is sent to; a FortiToken device or the FortiTokenMobile app keeps the token secret on the user's device and is the stronger choice for the "something the user has" factor.
Authentication servers
The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the use of external LDAP, which can include Windows AD servers.
The built-in servers are best used where there is no existing authentication infrastructure. You build a user account database on the FortiAuthenticator unit. The database can include additional user information such as street address and phone numbers that cannot be stored in a FortiGate unit's user authentication database. You can use either LDAP or RADIUS protocol.
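The token-based authentication described above, and the guide's earlier insistence on NTP when FortiToken devices are in use, both come down to the same arithmetic. The following Python block is an added example, not Fortinet's FortiToken implementation and not from the guide: it implements the OATH event- and time-based codes (RFC 4226 HOTP, RFC 6238 TOTP) that FortiToken hardware and FortiTokenMobile tokens use, plus the two server-side checks a verifier needs, a small clock-skew window and a replay guard. The 20-byte ASCII seed is the RFC 6238 test-vector secret, not a real token seed; step size, digit count and window are assumptions.

```python
"""OATH one-time codes with a clock-skew window and replay guard.

Added example, not Fortinet's FortiToken implementation. Reproduces the
RFC 4226 (HOTP) and RFC 6238 (TOTP) arithmetic to show why the server
needs an accurate clock and why a code must never be accepted twice.
RFC_TEST_SEED is the RFC 6238 test-vector secret, not a real token seed.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals since the epoch.
    The token and the server each compute this from their own clock."""
    return hotp(seed, unix_time // step, digits)


class TokenVerifier:
    """Server-side state for one token. A code is accepted if it matches the
    current step or one within `window` steps either side (absorbs a clock
    difference of up to window*step seconds), and a step at or before the last
    one consumed is never accepted again, so a captured code cannot be replayed."""

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.seed, self.step, self.digits, self.window = seed, step, digits, window
        self.last_step = -1       # highest step value already spent

    def verify(self, code: str, server_time: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        base = server_time // self.step
        for delta in range(-self.window, self.window + 1):
            step = base + delta
            if step <= self.last_step:
                continue          # replay of a code already used
            if hmac.compare_digest(hotp(self.seed, step, self.digits), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    verifier = TokenVerifier(RFC_TEST_SEED)
    code = totp(RFC_TEST_SEED, 59)                      # token clock reads 59 s
    print("in sync     :", verifier.verify(code, 59))   # True
    print("replayed    :", verifier.verify(code, 59))   # False
    print("server +91 s:", TokenVerifier(RFC_TEST_SEED).verify(code, 150))  # False
```

With a 30-second step and a window of one step the server tolerates at most 30 seconds of clock difference in either direction before every code a user types is rejected, which is the failure mode that shows up as "all FortiToken users locked out" after a server clock drifts. Widening the window is the wrong fix: each extra step gives a guessed or intercepted code another 30 seconds of validity. Keeping the server on NTP, as the guide recommends, is the right one.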
21 The external server options are intended to integrate FortiGate authentication into networks that already have an authentication infrastructure. The Fortinet Single Sign-On (FSSO) option works on Microsoft Windows networks, enabling users already authenticated by a Windows AD server to access network resources. The Remote LDAP option adds your FortiGate units to an existing LDAP structure. Optionally, you can add two-factor authentication to Remote LDAP.
RADIUS
If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must be registered as NAS in Authentication > NAS. See Adding FortiGate units as NAS on page 28. On each FortiGate unit that will use RADIUS protocol, the FortiAuthenticator unit must be configured as a RADIUS server in User > Remote > RADIUS.
Built-in LDAP
If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users from the user database to the appropriate nodes in the LDAP hierarchy. See Creating the LDAP directory tree on page 31. On each FortiGate unit that will use LDAP protocol, the FortiAuthenticator unit must be configured as an LDAP server in User > Remote > LDAP.
Remote LDAP
Remote LDAP must be enabled in each user account. FortiGate units must be registered as NAS in Authentication > NAS. See Adding FortiGate units as NAS on page 28. FortiGate units must communicate with the FortiAuthenticator unit using RADIUS protocol, with the FortiAuthenticator unit entered as a RADIUS server in User > Remote > RADIUS. User accounts that use two-factor authentication must be imported into the FortiAuthenticator database. You can do this in the server configuration in Authentication > Users > Remote.
Adding Users
FortiAuthenticator's user database is similar to the local users database on FortiGate units, but it has the added benefit of being able to associate additional information with each user, as you would expect of RADIUS and LDAP servers. This information includes whether the user is an administrator, uses RADIUS authentication, uses two-factor authentication, personal information such as full name, address and password recovery options, and of course which groups the user belongs to.
The RADIUS server on FortiAuthenticator is configured using default settings. For a user to authenticate using RADIUS, the option Allow RADIUS Authentication must be selected for that user's entry, and the authenticating client must be added to the NAS list. See Adding FortiGate units as NAS on page 28.
Administrators
Administrator accounts on FortiAuthenticator are standard user accounts that are flagged as administrators. Once flagged as an administrator, a user account's administrator privileges can be set to either full access or customized to select their administrator rights for different parts of FortiAuthenticator. There are log events for administrator configuration activities. Administrators can also be configured to authenticate to the local system using two-factor authentication.
22 Adding Users Authentication users and servers User self-registration Optionally, you can enable users to request registration through the FortiAuthenticator web page. Optionally, the user s request will be ed to the administrator for approval. When the account is ready to use, the user receives account information by or SMS message. To enable self-registration 1 Go to Authentication > General > User Registration and select Enable. 2 Optionally, select Require admin approval and enter the Admin s address. 3 Optionally, specify when this account expires. 4 Choose either User-defined or Randomly generated password. 5 Choose how to send account information to the user: SMS message Display on browser page (not available if admin approval is required) Optionally, select the Edit link beside any of these options to modify the message. 6 Select OK. How the user requests registration 1 Browse to the IP address of the FortiAuthenticator unit. Security policies must be in place on the FortiGate unit to allow these sessions to be established. 2 Select Register. The User Registration page opens. 3 Fill in the required fields. Optionally, fill in the Additional Information fields and select OK. If admin approval is not required and Display on browser page is enabled in the User Registration settings, the account details are immediately displayed to the user. To approve a self-registration request 1 Select the link in the Approval Required for... message. The New User Approval page opens in the web browser. 2 Review the information and select either Approve or Deny, as appropriate. Approval is required only if Require admin approval is enabled in the User Registration settings. If the request is approved, the FortiAuthenticator unit sends the user an or SMS message stating that the account has been activated. 
Adding a user account

When creating a user account, there are three ways to handle the password:
- The administrator assigns a password immediately and communicates it to the user.
- The FortiAuthenticator unit creates a random password and automatically emails it to the new user's email address.
- No password is assigned, because only token-based authentication will be used.
To add a user account
1 Go to Authentication > Users > Local and select Create New.
2 Enter the Username.
3 In Password creation, do one of the following:
   - Select Specify a password. Enter the Password and then enter it again in Password confirmation.
   - Select Set and email a random password. Enter the email address for this user and then enter it again in Confirm email address. The email address supplied in this step is used once and not retained in the database.
   - Select No password, FortiToken authentication only. After you select OK, you need to associate a FortiToken device with this user.
4 Select OK. You can now:
   - Configure token-based authentication. See Configuring token-based authentication for a user below. You must do this if you selected No password, FortiToken authentication only.
   - Select the user's Role: Administrator or regular User (default).
   - Enter additional User Information, such as full name, email address, and phone numbers.
   - Enable Password Recovery Options. See Configuring the user's password recovery options on page 24.
   - Add the user to User Groups. See User groups on page 26.
   - Add RADIUS Attributes to the account. See RADIUS attributes on page 26.
5 Select OK.

Configuring token-based authentication for a user

Token-based authentication requires a FortiToken device or mobile device with the FortiToken Mobile app installed, or a cell phone with either email or SMS capability. If a FortiToken device or FortiToken Mobile app will be used, register it in Authentication > FortiTokens first.

To configure an account for token-based authentication
1 Go to Authentication > Users > Local.
2 Select and edit the chosen user.
3 Select Token-based authentication.
4 Do one of the following:
   - Select FortiToken and then select the FortiToken device serial number from the Hardware or Software list, as appropriate. The device must be known to the FortiAuthenticator unit. See Adding FortiToken devices on page 27.
   - Select Email and enter the user's email address.
   - Select SMS and enter the user's mobile information.
5 Select OK.
By default, token-based authentication must be completed within 60 seconds after the authentication code is sent by email or SMS. To change this timeout, go to Authentication > General > Settings and modify Email/SMS Token Timeout.

Configuring the user's password recovery options

To replace a lost or forgotten password, the FortiAuthenticator unit can send the user a password recovery link by email, or in the browser in response to a pre-arranged security question. The user then sets a new password.

To configure password recovery by security question
1 Go to Authentication > Users > Local.
2 Select and edit the chosen user.
3 Expand Password Recovery Options.
4 Select Security Question, and select Edit.
5 Choose one of the questions in the list. If you choose to write your own question, a custom question field is displayed where you can enter your question.
6 Enter the answer for your question.
7 Select OK.

To configure password recovery by email
1 Go to Authentication > Users > Local.
2 Select and edit the chosen user.
3 Expand User Information, and then enter the user's email address.
4 Expand Password Recovery Options.
5 Select Email.
6 Optionally, select Manage alternative emails and enter up to three additional email addresses for this user. In the event of password recovery, an email message is sent to all configured addresses, both the user information email address and the alternative addresses.
7 Select OK.

How the user can configure password recovery by security question
1 Log in to the user account. The View Profile page opens.
2 Select Edit Profile at the top left of the page.
3 Expand Password Recovery Options.
4 Select Security Question, and select Edit.
5 Choose one of the questions in the list. If you choose to write your own question, a custom question field is displayed where you can enter your question.
6 Enter the answer for your question.
7 Select OK.
How the user can configure password recovery by email
1 Log in to the user account. The View Profile page opens.
2 Select Edit Profile at the top left of the page.
3 Expand Password Recovery Options.
4 Select Email.
5 Optionally, select Manage alternative emails and enter up to three additional email addresses for this user.
6 Select OK.

How the user recovers from a lost password
1 Browse to the IP address of the FortiAuthenticator. Security policies must be in place on the FortiGate unit to allow these sessions to be established.
2 Select Forgot my password.
3 Select either Username or Email as your method of identification.
4 Enter either your username or email address, as selected in the previous step, and then select Next. This information is used to select the user account. If your information does not match a user account, password recovery cannot be completed.
5 Do one of the following:
   - Select Send a secure link to your email account and select Next. Open the email and select the password recovery link.
   - Select Answer the provided security question and select Next. Enter the correct answer to the question and select Next.
   The recovery options available depend on the settings in the user account.
6 On the Reset Password page, enter and confirm a new password and then select Next.
The user can now authenticate using the new password.

Setting a password policy

You can require a minimum length and complexity for user passwords. You can also require users to change their passwords periodically.

To set password complexity requirements
1 Go to Authentication > General > Settings.
2 Set Minimum length for passwords. The default is 8. If you enter 0, there is no minimum length, but the password cannot be empty.
3 Optionally, select Check for password complexity. You can then enable requirements for minimum numbers of upper-case letters, lower-case letters, numeric characters, and special (non-alphanumeric) characters.
4 Select OK.
To set a password change policy
1 Go to Authentication > General > Settings.
2 Set the Maximum password age. The default is 90 days.
3 Optionally, select Enforce password history and set the Number of passwords to remember. New passwords must not match any of the remembered passwords. For example, if three passwords are remembered, users cannot reuse any of their three previous passwords.

Setting a lock-out policy

You might want to lock out a user's account if there are repeated unsuccessful attempts to log in. This might indicate an attempt at unauthorized access.

To set a lock-out policy
1 Go to Authentication > General > Settings.
2 Select Enable account lock-out policy.
3 In Max. failed login attempts, enter the number of failed attempts that triggers the lock-out.
4 Enter the lock-out period in seconds. After the lock-out period expires, the Max. failed login attempts applies again.

User groups

You can assign user groups to a user in the user account configuration. Go to Authentication > Users > Local and edit the user account. Expand the Groups section. Move the required groups to the Selected Groups list and select OK.

You can assign users to user groups in Authentication > User Groups > Local. Edit the desired group. Move the required users to the Selected users list and select OK.

RADIUS attributes

Some services can receive information about an authenticated user through RADIUS vendor-specific attributes. FortiAuthenticator user groups and user accounts can include RADIUS attributes for Fortinet and other vendors.

Attributes in user accounts can specify user-related information. For example, the Default attribute Framed-IP-Address specifies the VPN tunnel IP address to be sent to the user by the Fortinet SSL-VPN.

Attributes in user groups can specify more general information, applicable to the whole group. For example, specifying third-party vendor attributes to a switch could enable administrative level login to all members of the Network_Admins group.
To add RADIUS attributes to a user or a group
1 Go to Authentication > Users > Local and select a user account to edit, or go to Authentication > User Groups > Local and select a group to edit.
2 In RADIUS Attributes, select Add Attribute.
3 Select the appropriate Vendor and Attr id, then enter the Attribute value.
4 Select OK.
5 Repeat steps 2 through 4 for each additional attribute.
6 Select OK.
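The password-policy and lock-out settings described in the preceding sections can be modelled in a few lines; the following is an added example, not FortiAuthenticator code, and its policy values, salts and passwords are constructed sample data.

```python
"""Added example, not Fortinet code: a model of the password-policy and
lock-out settings described above (minimum length with the 0 = "no minimum
but not empty" rule, complexity counts, password history, and account
lock-out after N failed attempts for a period in seconds).
Policy values and passwords used here are constructed sample data."""
from dataclasses import dataclass
import hashlib
import hmac


@dataclass
class PasswordPolicy:
    min_length: int = 8          # guide default; 0 = no minimum, but never empty
    check_complexity: bool = False
    min_upper: int = 0
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0         # non-alphanumeric characters
    history: int = 0             # passwords remembered; 0 = history not enforced


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest, used only to compare against remembered passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(policy: PasswordPolicy, new_pw: str, old_hashes: list) -> list:
    """Return the policy violations for new_pw; an empty list means it is accepted.
    old_hashes is the account's history as (salt, digest) pairs, oldest first."""
    problems = []
    if not new_pw:
        problems.append("password cannot be empty")
    elif policy.min_length and len(new_pw) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if policy.check_complexity:
        counts = {
            "upper-case": sum(c.isupper() for c in new_pw),
            "lower-case": sum(c.islower() for c in new_pw),
            "numeric": sum(c.isdigit() for c in new_pw),
            "special": sum(not c.isalnum() for c in new_pw),
        }
        minimums = (policy.min_upper, policy.min_lower,
                    policy.min_digits, policy.min_special)
        for (kind, have), needed in zip(counts.items(), minimums):
            if have < needed:
                problems.append(f"needs at least {needed} {kind} character(s)")
    # Enforce password history: only the last `history` entries are remembered.
    remembered = old_hashes[-policy.history:] if policy.history else []
    for salt, digest in remembered:
        if hmac.compare_digest(hash_password(new_pw, salt), digest):
            problems.append("matches a remembered previous password")
            break
    return problems


@dataclass
class LockoutPolicy:
    enabled: bool = True
    max_failed_attempts: int = 5   # constructed sample value
    lockout_period: int = 300      # seconds, constructed sample value


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0      # epoch seconds; 0 = not locked


def attempt_login(policy: LockoutPolicy, state: AccountState,
                  password_ok: bool, now: float) -> bool:
    """Apply one login attempt at time `now` and return whether it succeeded.
    A locked account fails even when the password is correct; once the lock-out
    period expires, the failed-attempt limit applies again from zero."""
    if policy.enabled and now < state.locked_until:
        return False
    if password_ok:
        state.failed_attempts = 0
        return True
    state.failed_attempts += 1
    if policy.enabled and state.failed_attempts >= policy.max_failed_attempts:
        state.locked_until = now + policy.lockout_period
        state.failed_attempts = 0
    return False
```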
Adding FortiToken devices

A FortiToken device is a disconnected one-time password (OTP) generator. It is a small physical device with a button that, when pressed, displays a six-digit authentication code. This code is time-based, so it is important that the FortiAuthenticator unit clock is accurate. If possible, configure the system time to be synchronized with an NTP server.

The user enters the authentication code to perform token-based authentication. If the user's username and password are also required, this is called two-factor authentication.

The code displayed changes every 60 seconds. When not in use, the LCD screen is shut down to extend the battery life.

The FortiToken device has a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around the neck, or easily stored with other electronic devices. Do not put the FortiToken on a key ring, as the metal ring and other metal objects can damage it. The FortiToken is an electronic device like a cell phone and should be treated with similar care.

FortiAuthenticator and FortiTokens

With FortiOS, FortiToken serial numbers must be entered on the FortiGate unit, which then contacts FortiGuard servers to verify the information before activating them. FortiAuthenticator acts as a repository for all FortiToken devices used on your network: it is a single point of registration and synchronization for easier installation and maintenance.

To add FortiToken devices
1 Go to Authentication > FortiTokens > FortiTokens.
2 Do one of the following:
   - Select Create New and enter the FortiToken device serial number. If there are multiple numbers to enter, select the + icon to switch to a resizable multiple-line entry box.
   - Select Import to load a file containing the list of serial numbers for the tokens. (FortiToken devices have a barcode on them that can help you read serial numbers to create the import file.)
3 Select OK.
To register FortiToken devices, you must have a valid FortiGuard connection. Otherwise, any FortiToken devices you enter will remain at Inactive status. After the FortiToken devices have registered, the connection to FortiGuard is no longer essential.

If a token authentication fails, check that the system time on the FortiAuthenticator unit is correct and re-synchronize the FortiToken device.
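To show why an accurate clock and re-synchronization matter for a time-based token, here is an added example (not Fortinet's FortiToken implementation, whose seed format and algorithm this guide does not document) using the RFC 6238 HMAC-SHA1 TOTP construction with the 60-second period and six digits described above. The seed, times and drift values are constructed.

```python
"""Added example, not Fortinet code: a time-based one-time password in the
style described above (6 digits, a new code every 60 seconds) and the server
side logic that depends on it: verifying a code with a small tolerance window
and re-synchronizing a token whose clock has drifted. The FortiToken seed
format and algorithm are not documented on this page; this block assumes the
HMAC-SHA1 TOTP construction of RFC 6238. SEED is a constructed sample value."""
import hashlib
import hmac
import struct

PERIOD = 60   # seconds per code, as the guide states for FortiToken
DIGITS = 6
SEED = bytes.fromhex("3132333435363738393031323334353637383930")  # constructed


def totp(seed: bytes, unix_time: int, drift_steps: int = 0) -> str:
    """Code for the 60-second step containing unix_time, shifted by drift_steps
    (a token whose clock runs 2 minutes fast produces drift_steps=+2)."""
    counter = unix_time // PERIOD + drift_steps
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def verify(seed: bytes, code: str, server_time: int,
           known_drift: int = 0, window: int = 1) -> tuple:
    """Accept `code` if it matches the current step (corrected by the token's
    recorded drift) or one step either side. Returns (accepted, drift) so the
    server can store the drift that matched; a drift that keeps growing is what
    the FortiTokens list reports as a drifting clock."""
    for delta in range(-window, window + 1):
        candidate = totp(seed, server_time, known_drift + delta)
        if hmac.compare_digest(candidate, code):
            return True, known_drift + delta
    return False, known_drift


def synchronize(seed: bytes, code1: str, code2: str, server_time: int,
                max_drift: int = 30):
    """Re-synchronize a token: the user supplies two consecutive codes and the
    server searches +/- max_drift steps for the offset at which both match.
    Returns the drift to record, or None if no offset explains both codes."""
    for drift in range(-max_drift, max_drift + 1):
        if (totp(seed, server_time, drift) == code1
                and totp(seed, server_time, drift + 1) == code2):
            return drift
    return None
```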
Monitoring FortiToken devices

To monitor the total number of FortiToken devices registered on the FortiAuthenticator unit, as well as the number of disabled FortiTokens, go to System > Dashboard > Status and view the User Inventory widget. You can also view the list of FortiTokens, their status, whether their clocks are drifting, and which user they are assigned to by going to Authentication > FortiTokens > FortiTokens.

FortiToken device maintenance

Go to Authentication > FortiTokens > FortiTokens and select Edit for the device. Do any of the following:
- Disable a device when it is reported lost or stolen.
- Re-enable a device when it is recovered.
- Synchronize the FortiAuthenticator and the FortiToken device when the device clock has drifted. Synchronizing ensures that the device provides the token code that the FortiGate unit expects, as the codes are time-based. Fortinet recommends synchronizing all new FortiTokens.
- Select History to view all commands applied to this FortiToken.

Configuration for FortiTokenMobile device provision

Go to Authentication > General > Settings to modify settings for FortiTokenMobile provision.

Adding FortiGate units as NAS

Before the FortiAuthenticator unit can accept RADIUS and LDAP authentication requests from a FortiGate unit, the FortiGate unit must be registered as a Network Access Server (NAS) on the FortiAuthenticator unit. A NAS is a gateway that protects parts of the network and requires authentication to gain access to what it protects. A NAS is commonly used with Authentication, Authorization, and Accounting (AAA) servers.

The FortiAuthenticator RADIUS server is already configured and running with default values. Each user account on the FortiAuthenticator unit has an option to authenticate the user using the RADIUS database.
Every time there is a change to the list of NAS entries, two log messages are generated: one for the NAS change, and one to state that the RADIUS server was restarted to apply the NAS change.

The FortiAuthenticator unit allows both RADIUS and remote LDAP authentication for NAS entries. If you want to use a remote LDAP server, you must configure it first so that you can select it in the NAS configuration. You can configure the built-in LDAP server before or after creating NAS entries.

To configure a NAS
1 Go to Authentication > NAS > NAS.
2 Select Create New and enter the following information:
   Name: A name to identify the NAS device on the FortiAuthenticator unit.
   NAS name/IP: The FQDN or IP address of the NAS unit.
   Description: Optional information about the NAS.
3 If RADIUS or Remote LDAP authentication will be used, select NAS is a RADIUS client and enter the following information:
   Secret: The RADIUS passphrase that the FortiGate unit will use.
   Two-factor Authentication: Select one of the following:
      Mandatory: all users are subject to two-factor authentication
      Optional: depends on the setting in the user account
      None: all users are authenticated only by password
   Validate passwords using an external LDAP server: Select if Remote LDAP authentication will be used. Select the configured Remote LDAP server from the list. If the server is not listed, create it. See Configuring Remote LDAP on page 34.
   Authenticate: Limits who can authenticate.
      All local users: No limit.
      Users from selected local groups only: Authenticate only members of specific FortiAuthenticator user groups. Add the required user groups to the Selected local groups list.
      Users using a remote LDAP server: Authenticate only users of the selected Remote LDAP server.
   Use Radius accounting records received from this NAS as a source of FSSO user activity: This is required only if you are using an external RADIUS server to notify the FortiAuthenticator unit of logon events for use by FSSO. Otherwise, leave this unselected. This feature will be described in later documentation.
4 If FSSO will be used, select NAS is an FSSO client. Refer to the Fortinet Single Sign On (FSSO) chapter for information about configuring authentication with FSSO.
5 Select OK.

If authentication is failing, check that the NAS is configured and that its IP address is correctly specified. Common causes of problems are:
- RADIUS packets being sent from an unexpected interface
- NAT being performed between the NAS and the FortiAuthenticator unit
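As an added example (not Fortinet code), the following shows what the NAS Secret and NAS IP address protect in the RADIUS exchange between a FortiGate unit and the FortiAuthenticator RADIUS server: the Access-Request with its User-Password hidden per RFC 2865, and a server-side lookup that drops a request whose source IP is not on the NAS list, which is what happens when packets leave an unexpected interface or pass through NAT. The secret, credentials and addresses are constructed sample values and nothing is transmitted.

```python
"""Added example, not Fortinet code: packing a RADIUS Access-Request as a NAS
would send it to the FortiAuthenticator RADIUS server (UDP port 1812 by
default) and recovering the User-Password on the server side with the Secret
configured on the NAS entry (RFC 2865 sections 3 and 5.2). The secret is
looked up by source IP, so an unregistered source is rejected before any
password check. Secret, user, password and addresses are constructed."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _xor_stream(secret: bytes, authenticator: bytes, data: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2: b1 = MD5(secret + RA), c1 = p1 XOR b1, b_i = MD5(secret + c_(i-1))."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, key))
        out += result
        prev = result if hide else block   # always chain on the hidden block
    return bytes(out)


def hide_password(secret: bytes, authenticator: bytes, password: str) -> bytes:
    raw = password.encode()
    padded = raw.ljust(max(16, -(-len(raw) // 16) * 16), b"\0")  # pad to 16n bytes
    return _xor_stream(secret, authenticator, padded, hide=True)


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> str:
    plain = _xor_stream(secret, authenticator, hidden, hide=False)
    return plain.rstrip(b"\0").decode("utf-8", errors="replace")


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, username: str,
                         password: str, nas_ip: str) -> bytes:
    """NAS side: Code=1 header, random Request Authenticator, then attributes."""
    authenticator = os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(secret, authenticator, password))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": packet[4:20], "attributes": attrs}


def extract_credentials(packet: bytes, source_ip: str, nas_table: dict):
    """Server side: accept only from a registered NAS and use that NAS's
    secret to unhide the password. Returns (username, password) or None."""
    secret = nas_table.get(source_ip)
    if secret is None:
        return None                          # not on the NAS list: dropped
    parsed = parse_packet(packet)
    if parsed["code"] != ACCESS_REQUEST:
        return None
    fields = dict(parsed["attributes"])
    if USER_NAME not in fields or USER_PASSWORD not in fields:
        return None
    username = fields[USER_NAME].decode("utf-8", errors="replace")
    password = reveal_password(secret, parsed["authenticator"], fields[USER_PASSWORD])
    return username, password
```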
Configuring built-in LDAP

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network. In the LDAP protocol there are a number of operations a client can request, such as search, compare, and add or delete an entry. Binding is the operation where the LDAP server authenticates the user. If the user is successfully authenticated, binding allows the user access to the LDAP server based on that user's permissions.

This section includes:
- LDAP directory tree overview
- Creating the LDAP directory tree
- Removing entries from the directory tree

LDAP directory tree overview

The LDAP tree defines the hierarchical organization of user account entries in the LDAP database. The FortiGate unit requesting authentication must then be configured to address its request to the right part of the hierarchy.

Often an LDAP server's hierarchy reflects the hierarchy of the organization it serves. The root represents the organization itself, usually defined as Domain Component (DC), a DNS domain, such as example.com. (As the name contains a dot, it is written as two parts separated by a comma: dc=example,dc=com.) Additional levels of hierarchy can be added as needed. These include:
- c (country)
- ou (organizational unit, such as a division)
- o (organization, such as a department)

The user account entries relevant to user authentication will have element names such as UID (user ID) or CN (common name, the user's name). They can each be placed at their appropriate place in the hierarchy.

Complex LDAP hierarchies are more common in large organizations where users in different locations and departments have different access rights.
For basic authenticated access to your office network or the Internet, a much simpler LDAP hierarchy is adequate. The following is a simple example of an LDAP hierarchy in which all user account (CN) entries reside at the Organizational Unit (OU) level, just below DC.

Figure 3: LDAP object directory
When requesting authentication, an LDAP client, such as a FortiGate unit, must specify the part of the hierarchy where the user account record can be found. This is called the Distinguished Name (DN). In the example above, the DN is ou=people,dc=example,dc=com.

The authentication request must also specify the particular user account entry. Although this is often called the Common Name (CN), the identifier you use is not necessarily CN. On a computer network, it is appropriate to use UID, the person's user ID, as that is the information that they will provide at logon.

Creating the LDAP directory tree

The following sections provide a brief explanation of each part of the LDAP attribute directory, what it is commonly used to represent, and how to configure it on FortiAuthenticator.

When an object name includes a space, as in Test Users, you have to enclose the text in double quotes. For example: cn="Test Users",cn=Builtin,dc=get,dc=local.

Editing the root node

The root node is the top level of the LDAP directory. There can be only one. All groups, OUs, and users branch off from the root node. Choose the distinguished name (DN) that makes sense for your organization's root node.

There are three common forms of DN entries:
- The most common consists of one or more domain component (dc) elements making up the DN. Each part of the domain has its own dc entry. This comes directly from the DNS entry for the organization. For example.com, the DN entry is dc=example,dc=com.
- Another popular method is to use the company's Internet presence as the DN. This method uses the domain name as the DN. For example.com, the DN entry would be o=example.com.
- An older method is to use the company name with a country entry. For Example Inc. operating in the United States, the DN would be o="Example, Inc.",c=US. This makes less sense with international companies.
When you configure FortiGate units to use the FortiAuthenticator unit as an LDAP server, you will specify the distinguished name that you created here. This identifies the correct LDAP structure to reference.

To rename the root node
1 Go to Authentication > LDAP > Directory Tree.
2 Double-click dc=example,dc=com to edit the entry.
3 In Distinguished Name (DN), enter a new name. Example: dc=fortinet,dc=com.
4 Select OK.

If your domain name has multiple parts to it, such as shiny.widgets.example.com, each part of the domain should be entered as part of the DN: dc=shiny,dc=widgets,dc=example,dc=com, for example.
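The DN conventions in this section (dc= components derived from a DNS domain, double quotes around a value that contains a space or comma as in cn="Test Users" and o="Example, Inc.", and a user entry placed under an ou= node) are exercised by the following added example, which is not FortiAuthenticator code; the names are constructed samples, and values containing other RFC 4514 special characters are rejected rather than escaped.

```python
"""Added example, not Fortinet code: helpers for the DN conventions used in
this chapter. It derives the dc= root DN from a DNS domain as described for
shiny.widgets.example.com, builds RDNs using the guide's rule that a value
containing a space (or comma) is enclosed in double quotes, splits a DN back
into its components, and composes a user entry's DN under an ou= node.
All names used here are constructed sample values."""
import re

# Other characters with special meaning in an RDN value (RFC 4514). The
# guide's quoting rule covers spaces and commas only, so these are rejected.
_SPECIAL = set('+"\\<>;')
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def domain_to_root_dn(domain: str) -> str:
    """shiny.widgets.example.com -> dc=shiny,dc=widgets,dc=example,dc=com"""
    labels = domain.strip().rstrip(".").lower().split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid DNS domain: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def rdn(attribute: str, value: str) -> str:
    """Build one relative distinguished name, quoting a value with a space or comma."""
    if not value or value != value.strip():
        raise ValueError("RDN value must be non-empty without surrounding spaces")
    if _SPECIAL & set(value):
        raise ValueError(f"value {value!r} needs RFC 4514 escaping, not covered here")
    if " " in value or "," in value:
        value = f'"{value}"'
    return f"{attribute}={value}"


def split_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs, honouring double-quoted values:
    cn="Test Users",cn=Builtin,dc=get,dc=local -> [("cn", "Test Users"), ...]"""
    parts, buf, quoted = [], "", False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    if quoted:
        raise ValueError("unbalanced double quote in DN")
    pairs = []
    for part in parts:
        attribute, sep, value = part.strip().partition("=")
        if not sep or not attribute.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attribute.strip().lower(), value.strip().strip('"')))
    return pairs


def user_dn(uid: str, container_dn: str) -> str:
    """DN of a user entry under a container such as ou=People,dc=example,dc=com."""
    split_dn(container_dn)                 # raises if the container DN is malformed
    return f"{rdn('uid', uid)},{container_dn}"
```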
Adding nodes to the LDAP hierarchy

You can add a subordinate node at any level in the hierarchy as needed.

To add a node
1 Go to Authentication > LDAP > Directory Tree.
2 Select the green + next to the DN entry where the node will be added.
3 In Class, select the identifier to use. For example, to add the ou=people node from the earlier example, select Organizational Unit (ou).
4 Select the [Please Select] dropdown and then select Create New. Enter the name of the node, People for example, and select OK.
5 If needed, repeat steps 2 through 4 to add other nodes.

Adding user accounts to the LDAP tree

You must add user account entries at the appropriate place in the LDAP tree. These users must already be defined in the FortiAuthenticator user database. See Adding a user account on page 22.

To add a user account to the LDAP tree
1 Go to Authentication > LDAP > Directory Tree.
2 Expand nodes as needed to find the required node, then select the node's green + symbol. In the earlier example, you would do this on the ou=people node.
3 In Class, select User (uid). In User (Uid), the list of available users is displayed. You can choose to display them alphabetically by user group or by user.
4 Select users in the Available Users list and move them to the Chosen Users list.
5 Select OK.
You can verify your users were added by expanding the node to see their UIDs listed below it.

Moving LDAP branches in the directory tree

At times you may want to rearrange the hierarchy of the LDAP structure. For example, a department may be moved from one country to another. While it is easy to move a branch in the LDAP tree, all systems that use this information will need to be updated to the new structure or they will not be able to authenticate users.

To move an LDAP branch
1 Go to Authentication > LDAP > Directory Tree.
2 Select Expand All.
3 Select the branch to move by selecting it and holding down the mouse button.
4 Drag the branch to the location you want it, and release the mouse button. When it is a valid location, an arrow will appear to the left of the current branch to indicate where the new branch will be inserted: it will be inserted below the entry with the arrow.
Removing entries from the directory tree

Adding entries to the directory tree involves placing the attribute at the proper place. However, when removing entries it is possible to remove multiple branches at once. Take care not to remove more branches than you intend. Remember that all systems using this information will need to be updated to the new structure or they will not be able to authenticate users.

To remove an entry from the LDAP directory
1 Go to Authentication > LDAP > Directory Tree.
2 Select Expand All, and select the entry to remove.
3 Select the red X for the entry. You will be prompted to confirm your deletion. Part of the prompt lists all the entries that will be removed with this deletion. Ensure this is the level that you intend to delete.
4 Select Yes, I'm sure. If the deletion was successful, there will be a green check next to the success message above the LDAP directory and the entry will be removed from the tree.

Configuring a FortiGate unit for FortiAuthenticator LDAP

When you have defined the FortiAuthenticator LDAP tree, you can configure FortiGate units to access the FortiAuthenticator as an LDAP server and authenticate users.

To configure the FortiGate unit for LDAP authentication
1 On the FortiGate unit, go to User > Remote > LDAP and select Create New.
2 Enter the following information and select OK:
   Name: Enter a name to identify the FortiAuthenticator LDAP server on the FortiGate unit.
   Server Name / IP: Enter the FQDN or IP address of the FortiAuthenticator unit.
   Server Port: Leave at default (389).
   Common Name Identifier: Enter uid, the user ID.
   Distinguished Name: Enter the LDAP node where the user account entries can be found. For example, ou=people,dc=example,dc=com. You can also use the Query button to explore the LDAP tree and select the node.
   Bind Type: The FortiGate unit can be configured to use one of three types of binding:
      anonymous: bind using anonymous user search
      regular: bind using username/password and then search
      simple: bind using a simple password authentication without a search
      You can use simple authentication if the user records all fall under one distinguished name (DN). If the users are under more than one DN, use the anonymous or regular type, which can search the entire LDAP database for the required username. If your LDAP server requires authentication to perform searches, use the regular type and provide values for username and password.
   Secure Connection: If you select Secure Connection, you must select the LDAPS or STARTTLS protocol and the CA security certificate that verifies the FortiAuthenticator unit's identity.
3 Add the LDAP server to a user group. Specify that user group in identity-based security policies where you require authentication.

Configuring Remote LDAP

If you already have an LDAP server or servers configured on your network, FortiAuthenticator can connect to them for remote authentication, much like FortiOS remote authentication.

Adding a remote LDAP server

If your organization has existing LDAP servers, you may choose to continue using them with FortiAuthenticator by configuring them as Remote LDAP servers. When entering the Remote LDAP server information, if any information is missing or in the wrong format, error messages will highlight the problem for you.

To create a new remote LDAP server entry
1 Go to Authentication > Remote Auth. Servers > LDAP.
2 Select Create New.
3 Enter the following information.
   Name: Enter the name for the remote LDAP server on FortiAuthenticator.
   Server name/IP: Enter the IP address or FQDN for this remote server.
   Common name identifier: The identifier used for the top of the LDAP directory tree as it applies to FortiAuthenticator users. This may be the top of the tree, or only a smaller branch of it. cn is the default, and is used by most LDAP servers.
   Base distinguished name: Enter the base distinguished name for the server using the correct X.500 or LDAP format. The maximum length of the DN is 512 characters. You can also select the Browse button to view and select the DN on the LDAP server.
   Bind Type: The Bind Type determines how the authentication information is sent to the server. Select the bind type required by the remote LDAP server.
      Simple: bind using the user's password, which is sent to the server in plaintext without a search.
      Regular: bind using the user's DN and password and then search.
      If the user records fall under one directory, you can use the Simple bind type. Regular is required to allow a search for a user across multiple domains.
4 If you want to have a secure connection between the FortiAuthenticator unit and the remote LDAP server, select Enable under Secure Connection and enter the following:
   Protocol: Select LDAPS or STARTTLS as the LDAP server requires.
   CA Certificate: Select the CA certificate that verifies the server certificate.
5 Select OK.
You can now add remote LDAP users.

Adding Remote LDAP users

Remote LDAP users must be imported into the FortiAuthenticator user database. A FortiToken device already allocated to a local account cannot be allocated to an LDAP user as well; it must be a different FortiToken device.

To add Remote LDAP users
1 Go to Authentication > Users > Remote and select Import.
2 Select the Remote LDAP Server to import from and select Import Users.
3 Optionally, enter a Filter string to reduce the number of entries returned, and then select Apply. For example, uid=j* returns only user IDs beginning with j.
4 Select the entries you want to import and then select OK.
The default configuration imports the attributes usually found in an Active Directory. To import from other servers, go to Authentication > Remote Auth. Servers > LDAP and edit the user attributes configuration.
To add two-factor authentication to a Remote LDAP user
1 Go to Authentication > Users > Remote.
2 Select and edit the chosen user.
3 Under Two-factor authentication, do one of the following:
   - Select FortiToken and then select the FortiToken device serial number from the list.
   - Select Email and enter the user's email address.
   - Select SMS and enter the user's mobile information.
4 Select OK.

Single Sign-on portal

When the Single Sign-on portal is enabled, user logon information is pushed out to Fortinet Single Sign-On (FSSO) servers, providing access to network resources controlled by FSSO.

The SSO portal supports a logon widget that you can embed in any web page. Typically, an organization would embed the widget on its home page. The widget has two states:
- User not logged in: Click Login to go to the FortiAuthenticator login page.
- User logged in: Name displayed. Logout button available.

The SSO portal sets a cookie on the user's browser. When the user browses to a page containing the login widget, the FortiAuthenticator unit recognizes the user and updates its database if the user's IP address has changed. The user will not need to reauthenticate until the login timeout expires, which can be up to 30 days.

To enable the Single Sign-on portal
1 Go to Authentication > General > Settings.
2 Select Enable SSO Portal.
3 Enter the following information:
   Authenticate the following sets of users: Select all user types that apply.
      Local users: User accounts defined in Authentication > Users.
      Remote users from an LDAP server: Users defined on an LDAP server. The LDAP server must first be defined in Authentication > LDAP.
   Login timeout (days): The user is required to re-authenticate after this period expires.
4 Optionally, copy the code in Embeddable login widget for use on your organization's home page. The widget will look like the Login widget demo.
5 Select OK.
802.1X Authentication

On the FortiAuthenticator unit, there is no specific configuration required for basic 802.1X authentication, except the creation of a username and password. This can be automated by pulling the credentials from a remote LDAP system.

The FortiAuthenticator 802.1X implementation supports:
- EAP-MD5
- EAP-TTLS
- PEAP
- EAP-GTC

Configuring switches to use 802.1X authentication

The 802.1X configuration will be largely vendor dependent. The key requirements are:
- RADIUS Server IP: This is the IP address of the FortiAuthenticator.
- Key: The preshared key configured in the FortiAuthenticator NAS settings.
- Authentication Port: By default, FortiAuthenticator listens for authentication requests on port 1812.

Configuring clients to use 802.1X authentication

Windows XP SP3
1 Open a Command Prompt window and run services.msc.
2 Right-click Wired Autoconfig and select Properties.
3 Set startup type to Automatic and then Start the service.
4 In the Log On tab, select Log on as local system account, then select OK.
5 Go to Control Panel > Network Connections, right-click Local Area Connection and select Properties.
6 Select the Authentication tab, select Enable IEEE 802.1X authentication and then select the Protected EAP (PEAP) authentication method.
7 Select Settings. In the Protected EAP Properties window, de-select Validate server certificate, and under Select Authentication Method, select Secure password (EAP-MSCHAP v2).
8 Select Configure and deselect Automatically use my Windows logon name and password. Select OK.
9 Connect the PC to a network interface where 802.1X is enabled. A pop-up message will state that additional information is required to connect to the network. Select the pop-up message. Enter your User name and Password. Select Save this User name and password for future use.
10 Select OK.
MAC-based authentication

Non-802.1X compliant devices can be identified and accepted onto the network via MAC address authentication. The MAC address is used as both the username and the password.

To configure MAC-based authentication for a device
1 Go to Authentication > Users > MAC-based Auth.
2 Enter a Name for the device and enter the device's MAC address.
3 Select OK.

Monitoring users

There are two methods for monitoring or tracking users that are logged on: on the dashboard, and with the Users monitor.

Dashboard

On the dashboard there are two user related widgets.

The Authentication Activity widget is a graph that tracks the number of logons over time. It can display all logons, failed logons only, successful logons only, or a combination of all three. Multiple occurrences of this widget can be displayed on the dashboard, and configured individually.

The User Inventory widget displays the total number of configured users, groups, and FortiTokens. It also tracks the number of disabled users and FortiTokens.

Users monitor

To see the users monitor, go to Authentication > SSO Monitor > SSO Users. The users monitor displays a list of currently logged on FSSO users and their information.
Fortinet Single Sign On (FSSO)

FortiAuthenticator provides easy to configure remote authentication options for FortiGate users, such as FSSO. Multiple FortiGate units can use a single FortiAuthenticator for FSSO.

The Fortinet Single Sign On (FSSO) agent connects FortiGate Fortinet security appliances to your corporate authentication servers, such as Microsoft Active Directory and Novell E-Directory, allowing security policies on the FortiGate unit to be based on user information residing on the corporate authentication servers. FSSO, a component installed on the authentication server or a standalone server, provides user authentication information to the FortiGate unit so users can automatically gain access to the permitted resources with a single sign on. Older versions were called Fortinet Server Authentication Extension (FSAE).

FortiAuthenticator acts as the FSSO Agent, or Controller Agent. It can only be configured in polling mode, not DCAgent mode.

[Figure 4: FSSO topology with FortiAuthenticator. Client logons on the client networks reach the Windows AD Domain Controllers; the FortiAuthenticator polls the logon events from the Domain Controllers and passes them to the FortiGate units.]

This section includes:
   Communicating with FortiGate units
   Communicating with Domain Controllers
   Monitoring FSSO units

Communicating with FortiGate units

In an FSSO topology, the FortiGate units provide the firewall which acts as the authentication trigger. The FortiAuthenticator communicates logon information from the domain controllers to the FortiGate units by polling the controllers. The FortiGate units then authenticate the user and allow access to the network resources as requested.

The FortiAuthenticator is easier to configure than a third party server, contains both an LDAP and RADIUS server, and performs additional functions when compared to the normal FSSO Collector agent.

The following procedure assumes the FortiGate already has a NAS entry on the FortiAuthenticator. See Adding FortiGate units as NAS on page 28.
To configure FortiAuthenticator to communicate with FortiGate units
1 Go to Authentication > SSO > General.
2 Select Enable Authentication and configure:
   Secret key: Set to fortinet123. This is the password that will be used when configuring the FSSO Agent on the FortiGate unit.
   Log Level: Select one of Debug, Info, Warning, or Error as the minimum severity level of event to log.
   FortiGate listening port: Leave at 8000 unless your network requires you to change this. Ensure this port is allowed through the firewall.
   User Login Expiry (in minutes): The length of time users can remain logged in before the system logs them off automatically. The default is 300 minutes (5 hours).
3 On the FortiGate unit, go to User > Remote > LDAP and select Create New.
4 Enter the following information, and select OK.
   Name: Enter a unique name to identify the FortiAuthenticator.
   Server Name/IP: Enter the FortiAuthenticator unit IP address.
   Server port: Leave this at the default (389). FortiAuthenticator uses default values for LDAP and RADIUS servers. Ensure port 389 is open on the firewall.
   Common Name Identifier: Set this to match your LDAP directory tree. The default identifier is cn.
   Distinguished Name: This is the top level of your LDAP tree, or the branch of your tree that will be authenticated using this FortiGate unit. Once you have entered a distinguished name, use the browse button to ensure you have a connection to the FortiAuthenticator. If not, check your information.
   Bind Type: Select the method that will be used to authenticate using the LDAP server.
   Secure Connection: Leave unchecked.
5 Go to User > Single Sign-On > FSSO Agent.
6 Enter the following information, and select OK.
   Name: Enter a name to identify the FortiAuthenticator as an FSSO agent.
   FSSO Agent IP/Name: Enter the FortiAuthenticator unit IP address.
   Port: This entry must match the FortiGate listening port in the FortiAuthenticator SSO configuration (8000 by default, see step 2). Ensure this port is open on the firewall.
   Password: This entry must match the Secret key entered in the FortiAuthenticator SSO configuration.
   LDAP Server: Enable LDAP server, and select the FortiAuthenticator LDAP server from the list.

Communicating with Domain Controllers

As the FSSO Controller agent, FortiAuthenticator polls the Windows AD Domain Controllers for logon event information. Each Domain Controller that will be polled must be configured on the FortiAuthenticator.

You can disable a Domain Controller entry without removing its configuration. This is useful when testing, troubleshooting, or moving controllers within your network.

To add a domain controller to FortiAuthenticator
1 Go to Authentication > SSO > Domain Controllers.
2 Select Create New, enter the following information, and then select OK.
   NetBIOS Name: Enter the name of the Domain Controller as it appears in NetBIOS.
   Display Name: This is a unique name to easily identify this Domain Controller.
   Network Address: Enter the network IPv4 address of this controller.
   Account: Enter the account name used to access logon events. This account should have administrator rights. To use a non-administrator account, see the FSSO chapter of the FortiOS Handbook User Authentication guide.
   Password: Enter the password for the Account selected above.
3 Repeat step 2 for each Domain Controller FortiAuthenticator will be polling.

Monitoring FSSO units

FortiAuthenticator can monitor the units that make up FSSO. This is useful to ensure there is a connection to the different components when troubleshooting.

Monitoring SSO users
To see the logged-on SSO users, go to Authentication > SSO Monitor > SSO Users.

Monitoring domain controllers
When FSSO domain controllers are registered with the FortiAuthenticator unit, they are displayed in the monitor upon a successful connection. To see them, go to Authentication > SSO Monitor > Domain Controllers.

Monitoring FortiGate units
When a FortiGate unit is registered with the FortiAuthenticator unit, it is displayed in the monitor upon a successful connection. To see it, go to Authentication > SSO Monitor > FortiGates.
Certificate Management

This section describes how FortiAuthenticator allows you to manage certificates, including acting as a Certificate Authority.

FortiAuthenticator can act as a Certificate Authority (CA) for the creation and signing of X.509 certificates such as server certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPSEC VPN.

Any changes made to certificates generate log entries that can be viewed at Logging > Log Access > Logs. See Logging on page 49.

This chapter includes:
   Certificate Authorities (CA)
   Users

Certificate Authorities (CA)

A certificate authority (CA) is used to sign other server and client certificates. The authority comes from a well-known trusted authority trusting the CA. You must have a CA certificate on your FortiAuthenticator before you can generate a user certificate.

Different CAs can be used for different domains or certificates. For example, if your organization is international you may have a CA for each country, or smaller organizations might have a different CA for each department. The benefits of multiple CAs include redundancy in case there are problems with one of the well-known trusted authorities.

Once you have created a CA certificate, you can export it to your local computer.

This section includes:
   Certificates
   Certificate Revocation List (CRL)

Certificates

Do not press Enter while entering the information until you have completed entering the information; otherwise you will create the certificate with incomplete information.

Subject Alternative Names (SAN) allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard. An example of where SANs are used is to protect multiple domain names. This contrasts with a wildcard certificate, which can only protect all first-level subdomains of one domain, such as *.example.com.
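Two pieces of the certificate forms in this chapter are easy to get subtly wrong: the subject DN string (the guide lists the valid attribute types and says they are case-sensitive) and the difference between a SAN list and a wildcard name. The following is an added example, not FortiAuthenticator code, that parses and re-serializes a subject DN in the "C=CA, O=Fortinet, CN=John Smith" form used by the Subject DN field, and checks which host names a certificate's SAN entries or a wildcard actually cover. The attribute set, the one-label wildcard rule, and the CN fallback when no SAN is present follow the conventions of RFC 4514, RFC 6125 and the guide's own text; all host and subject values are constructed samples.

```python
import re

# Attribute types the guide lists as valid in a subject DN. The guide says they are
# case-sensitive, so this parser accepts exactly these spellings.
VALID_DN_ATTRIBUTES = ("C", "ST", "L", "O", "OU", "CN", "emailAddress")


def parse_dn(dn: str) -> list:
    """Parse 'C=CA, O=Fortinet, CN=John Smith' into an ordered list of (attribute, value)
    pairs. A comma inside a value must be escaped as '\\,' (RFC 4514 style)."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"RDN {rdn!r} has no '='")
        attr, value = (s.strip() for s in rdn.split("=", 1))
        if attr not in VALID_DN_ATTRIBUTES:
            raise ValueError(f"attribute {attr!r} is not one of {VALID_DN_ATTRIBUTES} (case matters)")
        if not value:
            raise ValueError(f"attribute {attr} has an empty value")
        if attr == "C" and not re.fullmatch(r"[A-Z]{2}", value):
            raise ValueError("C must be a two-letter country code")
        pairs.append((attr, value.replace("\\,", ",")))
    if not any(attr == "CN" for attr, _ in pairs):
        raise ValueError("subject has no CN")
    return pairs


def format_dn(pairs) -> str:
    """Inverse of parse_dn, re-escaping commas inside values."""
    return ", ".join(f"{attr}={value.replace(',', chr(92) + ',')}" for attr, value in pairs)


def rejects(dn: str) -> bool:
    """True when parse_dn refuses the string (used for the checks below)."""
    try:
        parse_dn(dn)
    except ValueError:
        return True
    return False


def hostname_matches(hostname: str, name: str) -> bool:
    """Match one DNS name against a certificate name. A wildcard covers exactly one label:
    *.example.com matches www.example.com but neither example.com nor a.b.example.com."""
    hostname = hostname.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        suffix = name[1:]  # ".example.com"
        prefix = hostname[:-len(suffix)] if hostname.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return hostname == name


def certificate_covers(hostname: str, san_dns_names, cn: str = None) -> bool:
    """True if any SAN dNSName covers the host; the CN is consulted only when the
    certificate carries no SAN entries at all."""
    names = list(san_dns_names) or ([cn] if cn else [])
    return any(hostname_matches(hostname, n) for n in names)
```

The last function is the practical reason for the guide's SAN paragraph: once a certificate has a SAN extension, clients ignore the CN, so every host name the certificate must serve has to be listed as a SAN entry, and a wildcard entry never reaches the bare domain or a second-level subdomain.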
The certificate information, including subject, issuer, status, and CA type, is displayed on the Certificate Management > Certificate Authorities > Certificates page. If you have many certificates, you can use the search feature to find one or more specific certificates. The search will return certificates that match either subject or issuer.

To create a CA certificate
1 Go to Certificate Management > Certificate Authorities > Certificates.
2 Select Create New.
3 Enter the following information and select OK.
   Certificate type: Select one of the following types of CA certificates. The fields displayed change based on your certificate type.
      Root CA certificate: a self-signed CA certificate.
      Intermediate CA certificate: a CA certificate that refers to a different root CA as the authority.
      Intermediate CA certificate signing request (CSR).
   Certificate Authority: Select one of the available certificate authorities (CAs) configured on the FortiAuthenticator from the drop-down list. This field is displayed only when Intermediate CA certificate is selected.
   Subject information
   Subject input method: Select to enter either a Fully distinguished name (DN) or Field-by-Field. Default value is Field-by-Field. The fields displayed for subject information change based on your subject input method.
   Subject DN: Enter the full DN of the subject. For example c=ca, o=fortinet, cn=john Smith. Valid DN attributes are C, ST, L, O, OU, CN, and email address. They are case-sensitive. This field is only displayed when the fully distinguished name (DN) subject input method is selected.
   Name (CN), Company (O), Department (OU), City (L), State/Province (ST): Enter each value in the field provided. These fields need to match the information of the user who will be using the certificate; the fields will be assembled into a distinguished name for the certificate.
   Country (C): Select your country from the drop-down list. Each country includes its two-letter code.
   Subject Alternative Name: Enter the email address of a user to map to this certificate. This field is not available if certificate type is CSR.
   User Principal Name (UPN): Enter the user principal name used to find the user's account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping. This field is not available if certificate type is CSR.
   Additional Options
   Validity Period: Select how long before this certificate expires. Either select a set number of days and enter the total number of days before this certificate expires (such as 3650 days for a life of 10 years), or set an expiry date by entering the expiry date in YYYY-MM-DD format, selecting Today, or using the Calendar icon to help you select a date. This field is not available if certificate type is CSR.
   Key Type: The key type is set to RSA.
   Key Size: Select the key size as one of 1024, 2048, or 4096 bits.
   Hash Algorithm: Select the hash algorithm used as one of SHA-1 or SHA

To import a CA certificate
1 Go to Certificate Management > Certificate Authorities > Certificates.
2 Select Import.
3 Enter the following information and select OK.
   Type: Select the type of CA certificate to import: PKCS12 Certificate or Certificate and Private Key.
   PKCS12 certificate file: Select the certificate file from your local computer to upload to the FortiAuthenticator. This field is visible only if PKCS12 type is selected.
   Certificate file: Select the certificate file from your local computer to upload to the FortiAuthenticator. This field is visible only if you selected Certificate and Private Key type.
   Private key file: Select the private key file from your local computer to upload to the FortiAuthenticator. This field is visible only if you selected Certificate and Private Key type.
   Passphrase: Enter the passphrase associated with this certificate.
   Serial number radix: Select the radix of the serial number as either decimal or hex.
   Initial serial number: Enter the starting serial number for the CA certificate.

Certificate Revocation List (CRL)

A Certificate Revocation List (CRL) is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. A CRL file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.

Some potential reasons for certificates to be revoked include: a CA server was hacked and its certificates are no longer trustworthy, a single certificate was compromised and is no longer trustworthy, or in some cases when certificates expire they are added to the list to ensure they are not used past their lifetime.
To import a Certificate Revocation List (CRL)
1 Download the most recent CRL from a CRL Distribution Point (CDP). One or more CDPs are usually listed in a certificate under the Details tab.
2 Go to Certificate Management > Certificate Authorities > CRL.
3 Select Import.
4 Select a CRL file from your local computer, and select OK.
When successful, the CRL will be displayed in the CRL list on the FortiAuthenticator. You can select it to see the details.

Locally created CRL

When you import a CRL, it is from another authority. If you are creating your own CA certificates, then you can also create your own CRL to go with them. As a CA, you sign user certificates. If for any reason you need to revoke one of those certificates, it will go on a local CRL. When this happens you need to export the CRL to all your certificate users so they are aware of the revoked certificate.

To create a local CRL
1 Create a local CA certificate. See Certificate Authorities (CA) on page 43.
2 Create one or more user certificates. See Users on page 47.
3 Go to Certificate Management > Users > Certificates.
4 Select one or more certificates and select Revoke. You will be prompted for the reason for the revocation as one of:
   Unspecified
   Key has been compromised
   CA has been compromised
   Changes in affiliation
   Superseded
   Operation ceased
   On hold
Some of these reasons are security related (such as key or CA compromised), where others are more business related: a change in affiliation could just be an employee leaving the company, or operation ceased could be a project that was cancelled.
5 Select OK. The certificates selected will be removed from the User Certificate list, and a CRL will be created with those certificates as entries in the list. If there is already a CRL for the CA that signed the user certificates, they will be added to the current CRL.

If at a later date one or more CAs are deleted, their corresponding CRLs will be deleted as well, along with any user certificates they signed.

Configuring Online Certificate Status Protocol

As well as manual CRL, FortiAuthenticator also supports Online Certificate Status Protocol (OCSP), defined in RFC 2560. To use OCSP, point the NAS at TCP port 2560 on the FortiAuthenticator IP address.
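To make the CRL fields and the revocation reasons above concrete, the following is an added example, not FortiAuthenticator code, modelling a CRL as the guide describes it (issuer, effective date, next update date, and revoked serials with their revocation dates) and checking a certificate against it. The reason codes are the RFC 5280 CRLReason values for the seven reasons in the Revoke dialog, the one-hour validity period is the guide's stated minimum, and the issuer name, serials and times are constructed sample data. A relying party treats a CRL whose next update has passed as stale and fetches a fresh one from the CDP.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# RFC 5280 CRLReason codes for the reasons the Revoke dialog lists.
REASON_CODES = {
    "Unspecified": 0, "Key has been compromised": 1, "CA has been compromised": 2,
    "Changes in affiliation": 3, "Superseded": 4, "Operation ceased": 5, "On hold": 6,
}
SECURITY_REASONS = {1, 2}          # key or CA compromise, as opposed to business reasons
CRL_VALIDITY = timedelta(hours=1)  # the shortest CRL validity period the guide mentions


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: int


@dataclass
class CRL:
    """Minimal model of a CRL: issuer, thisUpdate, nextUpdate and the revoked serials."""
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: dict = field(default_factory=dict)  # serial -> RevokedEntry

    def revoke(self, serial: int, reason_name: str, when: datetime) -> RevokedEntry:
        """Add a certificate to the list and re-issue the CRL with a fresh validity window."""
        self.entries[serial] = RevokedEntry(serial, when, REASON_CODES[reason_name])
        self.this_update = when
        self.next_update = when + CRL_VALIDITY
        return self.entries[serial]

    def release_hold(self, serial: int) -> bool:
        """A certificate revoked with 'On hold' may be reinstated; any other reason is final."""
        entry = self.entries.get(serial)
        if entry is not None and entry.reason == REASON_CODES["On hold"]:
            del self.entries[serial]
            return True
        return False


def check_certificate(crl: CRL, issuer: str, serial: int, now: datetime) -> str:
    """Status of a certificate against a CRL: 'wrong-issuer', 'stale', 'good', 'on-hold'
    or 'revoked'. 'stale' means nextUpdate has passed, so the answer cannot be trusted
    until a fresh CRL is downloaded from the CDP."""
    if crl.issuer != issuer:
        return "wrong-issuer"
    if now > crl.next_update:
        return "stale"
    entry = crl.entries.get(serial)
    if entry is None:
        return "good"
    return "on-hold" if entry.reason == REASON_CODES["On hold"] else "revoked"


def security_incidents(crl: CRL) -> list:
    """Serials revoked for the security-related reasons (key or CA compromise)."""
    return sorted(s for s, e in crl.entries.items() if e.reason in SECURITY_REASONS)


def sample_crl() -> CRL:
    """Constructed sample data for this example: a local CA with three revocations."""
    t0 = datetime(2012, 5, 24, 9, 0, tzinfo=timezone.utc)
    crl = CRL(issuer="CN=Example Local CA", this_update=t0, next_update=t0 + CRL_VALIDITY)
    crl.revoke(0x1001, "Key has been compromised", t0 + timedelta(minutes=5))
    crl.revoke(0x1002, "Changes in affiliation", t0 + timedelta(minutes=10))
    crl.revoke(0x1003, "On hold", t0 + timedelta(minutes=15))
    return crl
```

The split between security reasons and business reasons is what security_incidents reports on: a key or CA compromise on a local CRL is an incident to investigate, while an affiliation change is routine housekeeping.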
For example, configuring OCSP in the FortiGate CLI for a FortiAuthenticator at a given IP address looks like this:

   config vpn certificate ocsp
       set cert "REMOTE_Cert_1"
       set url "
   end

Users

User certificates are required for mutual authentication on many HTTPS, SSL, and IPSec VPN network resources. You can create a user certificate on FortiAuthenticator or import and sign a Certificate Signing Request (CSR). User certificates, client certificates, and local computer certificates are the same type of certificate.

To create a user certificate
1 Go to Certificate Management > Users > Certificates.
2 Select Create New.
3 Enter the following information and select OK. The Certificate Authority used must be valid and current. If it is not, you will have to create or import a CA certificate before continuing. See Certificate Authorities (CA) on page 43.
   Certificate Signing Options
   Certificate Authority: Select one of the available certificate authorities (CAs) configured on the FortiAuthenticator from the drop-down list. The CA must be current.
   Subject information
   Subject input method: Select to enter either a Fully distinguished name (DN) or Field-by-Field. Default value is Field-by-Field.
   Subject DN: Enter the full DN of the subject. For example C=CA, O=Fortinet, CN=John Smith. Valid DN attributes are C, ST, L, O, OU, CN, and email address. They are case-sensitive. This field is only displayed when the fully distinguished name (DN) subject input method is selected.
   Name (CN), Company (O), Department (OU), City (L), State/Province (ST): Enter each value in the field provided.
   Country (C): Select your country from the drop-down list. Each country includes its two-letter code.
   Subject Alternative Name: Enter the email address of a user to map to this certificate.
   User Principal Name (UPN): Enter the user principal name used to find the user's account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
   Additional Options
   Validity Period: Select how long before this certificate expires. Either select a set number of days and enter the total number of days before this certificate expires (such as 3650 days for a life of 10 years), or set an expiry date by entering the expiry date in YYYY-MM-DD format, selecting Today, or using the Calendar icon to help you select a date.
   Key Type: The key type is set to RSA.
   Key Size: Select the key size as one of 1024, 2048, or 4096 bits.
   Hash Algorithm: Select the hash algorithm used as one of SHA-1 or SHA
4 Confirm the certificate information is correct by selecting the certificate entry. This will bring up the text of the certificate including the version, serial number, issuer, subject, effective and expiration dates, and the extensions. If any of this information is out of date or incorrect, you will not be able to use this certificate. If this is the case, delete the certificate and re-enter the information.
5 Once the information is confirmed, you can export the certificate to the user's computer and import it into the proper application there, such as a browser or FortiClient.
Logging

Accounting is an important part of FortiAuthenticator, as with any authentication server. Logging provides a record of the events that have taken place on the FortiAuthenticator.

To access logs, go to Logging > Log Access > Logs. The Logs page has controls to help you search your logs for the information you need. This includes:
   Search button
   Log entry order
   Log Type Reference

Search button

You can enter a string to search for in the log entries. The string must appear in the Message portion of the log entry to result in a match for the search. To prevent each term in a phrase from being matched separately, multiple keywords must be in quotes and be an exact match.

After the search is complete, the number of positive matches will be displayed next to the Search button, with the total number of log entries in brackets following. Select the total number of log entries to return to the full list. Subsequent searches will search all log entries and not just the previous search's matches.

Log entry order

You can change the order used to display the log entries. To sort the log entries by a particular column, such as Timestamp, select the title for that column. The log entries will now be displayed based on data in that column in ascending order. Ascending or descending is displayed with an arrow next to the column title: up arrow for ascending, and down arrow for descending.

Log Type Reference

There are Admin Configuration, Authentication, System, and User Portal events. Each of these has multiple log message types for each major event. To see the various types of log messages, go to Logging > Log Access > Logs and select Log Type Reference. On this page, you can search for the exact text of a specific log message. The search will return any matches in any columns.

Exporting the log

You can select Download Raw Log to export the FortiAuthenticator log as a text file named fac.log.
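The search semantics described above (unquoted words matched as separate terms, a quoted phrase matched exactly, a "matches (total)" figure, and sorting by a column) are easy to misread when reviewing an authentication incident, so the following is an added example, not FortiAuthenticator code, that applies those rules to a handful of constructed log entries in the shape of the Logs page columns. Two assumptions are made that the guide does not state: matching is case-insensitive, and every unquoted term must appear for an entry to count as a match.

```python
import shlex

# Constructed sample entries in the shape of the Logs page columns (not real FortiAuthenticator output).
SAMPLE_LOGS = [
    {"timestamp": "2012-05-24 09:15:02", "type": "Authentication", "message": "Login successful for user alice"},
    {"timestamp": "2012-05-24 09:16:41", "type": "Authentication", "message": "Login failed for user bob: invalid password"},
    {"timestamp": "2012-05-24 09:17:05", "type": "Admin Configuration", "message": "Administrator admin modified NAS entry fgt-edge"},
    {"timestamp": "2012-05-24 09:20:13", "type": "Authentication", "message": "Login failed for user bob: invalid token"},
    {"timestamp": "2012-05-24 09:21:00", "type": "System", "message": "NTP synchronization successful"},
]


def parse_query(query: str) -> list:
    """Split a search string into terms. Quoted text stays one term and is matched as an
    exact phrase; unquoted words become separate terms (case folded: an assumption here)."""
    return [t.lower() for t in shlex.split(query)]


def search(logs, query):
    """Return (matching entries, total entries). Assumption for this example: every term
    must appear in the Message column; the guide does not say how unquoted terms combine."""
    terms = parse_query(query)
    matches = [e for e in logs if all(t in e["message"].lower() for t in terms)]
    return matches, len(logs)


def result_label(logs, query) -> str:
    """The 'matches (total)' figure shown next to the Search button."""
    matches, total = search(logs, query)
    return f"{len(matches)} ({total})"


def sort_logs(logs, column: str, descending: bool = False):
    """Order entries by one column, as selecting a column title does."""
    return sorted(logs, key=lambda e: e[column], reverse=descending)
```

Searching for failed login finds both failed logons because each word is matched on its own, while "failed login" in quotes finds nothing because the messages read "Login failed"; the quoted form is the one to use when the exact message text from the Log Type Reference is known.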
Troubleshooting

Problem: All logins fail, no response from FAC, no entries in system log.
Check:
   Check that the NAS has been correctly configured. If the NAS is not configured, all requests will be silently dropped.
   Verify traffic is reaching the FortiAuthenticator. Is there an intervening firewall blocking 1812/UDP RADIUS authentication traffic? Is routing correct? Is the NAS configured with the correct IP for the FortiAuthenticator?

Problem: All logins fail with RADIUS ACCESS-REJECT and "invalid password" in logs.
Check:
   Verify the NAS secrets are identical on the NAS and FortiAuthenticator.

Problem: Generally logins are successful; however, an individual user authentication attempt fails with "invalid password" in logs.
Check:
   Reset the user password and re-try.
   Have the user (privately) type the password into the local username field (do not press Enter) or into Notepad and look for unexpected characters (keyboard regionalization issues).

Problem: Generally logins are successful; however, a user authentication attempt fails with "invalid token" in logs.
Check:
   Verify the user is not trying to use a previously used PIN number. Tokens are One Time Passwords, i.e. you cannot log in twice with the same PIN.
   Verify the time and time zone on the FortiAuthenticator are correct and preferably synchronised using NTP.
   Verify the token is correctly synced with the FortiAuthenticator. Verify the drift by syncing the token.
   Verify the user is using the token assigned to them (validate the serial against the FAC configuration).
   If the user is using an email or SMS token, verify it is being used within the valid timeout period.

You can find extended debug logs at <IP Address>/debug.
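The "invalid token" checks above (a reused PIN, server clock skew, token drift, and resyncing) all describe one verifier behaviour. The following is an added example, not FortiAuthenticator or FortiToken code and not the FortiToken algorithm, which the guide does not describe: a generic RFC 4226/6238 OTP verifier that rejects any code at or below the last accepted counter, tolerates one step of clock drift in either direction, and remembers the drift once a code verifies, which is what "syncing the token" achieves. The 60-second step and one-step window are this example's choices; the test secret is the one from RFC 4226 Appendix D so the HOTP values can be checked against the RFC.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the token's own clock."""
    return hotp(secret, unix_time // step, digits)


class TokenVerifier:
    """Server-side verifier implementing the checks in the troubleshooting table:
    reject reused codes, tolerate a small clock drift, and remember the drift once a
    code verifies (token sync)."""

    def __init__(self, secret: bytes, step: int = 60, drift_steps: int = 1, digits: int = 6):
        self.secret, self.step, self.drift_steps, self.digits = secret, step, drift_steps, digits
        self.last_counter = -1  # highest counter accepted so far: one-time-password enforcement
        self.offset_steps = 0   # learned difference between the token clock and the server clock

    def verify(self, code: str, server_time: int) -> bool:
        """True if code is valid for a counter inside the drift window and not yet used."""
        base = server_time // self.step + self.offset_steps
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already used, or older than the last accepted code: "invalid token"
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                self.offset_steps += delta  # resync to the token's clock
                return True
        return False


# RFC 4226 Appendix D test secret (a published test vector, not a real token seed).
RFC4226_SECRET = b"12345678901234567890"
```

A token whose clock has wandered further than the window produces codes the verifier never tries, and a server whose own clock or time zone is wrong shifts base for every token at once, which is why the table puts NTP ahead of resyncing individual tokens.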
Index

A
   Authentication Activity widget, 38
   Authentication, Authorization, and Accounting (AAA), 9, 28
C
   certificate authority (CA), 43
   Certificate Revocation List (CRL), 45
   Certificate Signing Request (CSR), 47
   common name, LDAP servers, 30
   Controller Agent, 39
   CRL Distribution Point (CDP), 46
D
   dashboard: Authentication Activity widget, 38; User Inventory widget, 38
   default password, 7
   distinguished names, LDAP servers, 31
   domain component, LDAP servers, 30
   Domain Controllers, 41
E
   explicit proxy, 20
F
   firewall: open ports, 12; ports, 12
   firmware updates, 7
   FortiGuard, 27
   FortiGuard Antivirus, 7
   Fortinet Server Authentication Extension (FSAE), 39
   Fortinet Single Sign On (FSSO), 39: Agent, 39; Domain Controllers, 41; ports, 12
   FortiToken, 27: clock drift, 28; monitoring, 28; NTP, 12; registering, 27; synchronization, 28
H
   hierarchy, LDAP servers, 30
L
   LDAP servers: common name, 30; distinguished names, 31; domain component, 30; hierarchy, 30
   Lightweight Directory Access Protocol (LDAP), 30: ports, 12; remote server, 28
   Logging, 49, 51
   NAS, 28
M
   Microsoft Active Directory, 44, 48
   mode, operation, 7
   monitor users, 38
   Monitoring, 38
N
   network access server (NAS), 28
   NTP, 12
O
   one-time password (OTP), 27
   Online Certificate Status Protocol (OCSP), 46
   operation mode, 7
P
   password, administrator, 7
   ports, 12
   product registration, 7
   proxy, 20
R
   RADIUS: NAS, 28; ports, 12; server, 21
   remote LDAP, 28
S
   Subject Alternative Names (SAN), 43
T
   technical support, 7
   Token-based authentication, 20, 23
   troubleshooting, 18
   two-factor authentication, FortiToken, 27
U
   User Inventory widget, 38
   User Principal Name (UPN), 44, 48
   users, 21: monitor, 38; monitor, dashboard, 38; NAS, 21; RADIUS authentication, 21
W
   Windows AD Domain Controllers, 41
   Windows Server, 44, 48
Virtual Managment Appliance Setup Guide
Virtual Managment Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance As an alternative to the hardware-based version of the Sophos Web Appliance, you can deploy
Configuring SSL VPN on the Cisco ISA500 Security Appliance
Application Note Configuring SSL VPN on the Cisco ISA500 Security Appliance This application note describes how to configure SSL VPN on the Cisco ISA500 security appliance. This document includes these
SonicWALL PCI 1.1 Implementation Guide
Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard
ZyWALL OTPv2 Support Notes
ZyWALL OTPv2 Support Notes Revision 1.00 September, 2010 Written by CSO Table of Contents 1. Introduction... 3 2. Server Installation... 7 2.1 Pre-requisites... 7 2.2 Installations walk through... 7 3.
Device LinkUP + Desktop LP Guide RDP
Device LinkUP + Desktop LP Guide RDP Version 2.1 January 2016 Copyright 2015 iwebgate. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval
Pharos Control User Guide
Outdoor Wireless Solution Pharos Control User Guide REV1.0.0 1910011083 Contents Contents... I Chapter 1 Quick Start Guide... 1 1.1 Introduction... 1 1.2 Installation... 1 1.3 Before Login... 8 Chapter
Virtual Appliance Setup Guide
The Barracuda SSL VPN Vx Virtual Appliance includes the same powerful technology and simple Web based user interface found on the Barracuda SSL VPN hardware appliance. It is designed for easy deployment
The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.
WatchGuard SSL v3.2 Release Notes Supported Devices SSL 100 and 560 WatchGuard SSL OS Build 355419 Revision Date January 28, 2013 Introduction WatchGuard is pleased to announce the release of WatchGuard
NETASQ SSO Agent Installation and deployment
NETASQ SSO Agent Installation and deployment Document version: 1.3 Reference: naentno_sso_agent Page 1 / 20 Copyright NETASQ 2013 General information 3 Principle 3 Requirements 3 Active Directory user
Web Application Firewall
Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks
Introduction to the EIS Guide
Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment
Sophos for Microsoft SharePoint startup guide
Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning
Administrator Guide. v 11
Administrator Guide JustSSO is a Single Sign On (SSO) solution specially developed to integrate Google Apps suite to your Directory Service. Product developed by Just Digital v 11 Index Overview... 3 Main
Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario
Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.2 November 2015 Last modified: November 3, 2015 2015 Nasuni Corporation All Rights Reserved Document Information Testing
FortiAuthenticator Agent for Microsoft IIS/OWA. Install Guide
FortiAuthenticator Agent for Microsoft IIS/OWA Install Guide FortiAuthenticator Agent for Microsoft IIS/OWA Install Guide February 5, 2015 Revision 1 Copyright 2015 Fortinet, Inc. All rights reserved.
- 1 - SmartStor Cloud Web Admin Manual
- 1 - SmartStor Cloud Web Admin Manual Administrator Full language manuals are available in product disc or website. The SmartStor Cloud Administrator web site is used to control, setup, monitor, and manage
Mobile Device Management Version 8. Last updated: 17-10-14
Mobile Device Management Version 8 Last updated: 17-10-14 Copyright 2013, 2X Ltd. http://www.2x.com E mail: [email protected] Information in this document is subject to change without notice. Companies names
LifeSize Control TM Deployment Guide
LifeSize Control TM Deployment Guide July 2011 LifeSize Control Deployment Guide 2 LifeSize Control This guide is for network administrators who use LifeSize Control to manage video and voice communications
WatchGuard SSL v3.2 Update 1 Release Notes. Introduction. Windows 8 and 64-bit Internet Explorer Support. Supported Devices SSL 100 and 560
WatchGuard SSL v3.2 Update 1 Release Notes Supported Devices SSL 100 and 560 WatchGuard SSL OS Build 445469 Revision Date 3 April 2014 Introduction WatchGuard is pleased to announce the release of WatchGuard
Installation Guide. SafeNet Authentication Service
SafeNet Authentication Service Installation Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information
Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario
Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.0 July 2015 2015 Nasuni Corporation All Rights Reserved Document Information Testing Disaster Recovery Version 7.0 July
http://docs.trendmicro.com
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,
Configuration Guide. Websense Web Security Solutions Version 7.8.1
Websense Web Security Solutions Version 7.8.1 To help you make the transition to Websense Web Security or Web Security Gateway, this guide covers the basic steps involved in setting up your new solution
RealPresence Platform Director
RealPresence CloudAXIS Suite Administrators Guide Software 1.3.1 GETTING STARTED GUIDE Software 2.0 June 2015 3725-66012-001B RealPresence Platform Director Polycom, Inc. 1 RealPresence Platform Director
WhatsUp Gold v16.3 Installation and Configuration Guide
WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard
Gigabyte Management Console User s Guide (For ASPEED AST 2400 Chipset)
Gigabyte Management Console User s Guide (For ASPEED AST 2400 Chipset) Version: 1.4 Table of Contents Using Your Gigabyte Management Console... 3 Gigabyte Management Console Key Features and Functions...
Security Provider Integration RADIUS Server
Security Provider Integration RADIUS Server 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property
External authentication with Fortinet Fortigate UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy
External authentication with Fortinet Fortigate UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy Contact information SecurEnvoy www.securenvoy.com 0845 2600010 1210 Parkview Arlington
Advanced Administration
BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 10.2 Advanced Administration Guide Published: 2014-09-10 SWD-20140909133530796 Contents 1 Introduction...11 About this guide...12 What
Installation Notes for Outpost Network Security (ONS) version 3.2
Outpost Network Security Installation Notes version 3.2 Page 1 Installation Notes for Outpost Network Security (ONS) version 3.2 Contents Installation Notes for Outpost Network Security (ONS) version 3.2...
WhatsUp Gold v16.1 Installation and Configuration Guide
WhatsUp Gold v16.1 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.1 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines
Two-Factor Authentication
Two-Factor Authentication This document describes SonicWALL s implementation of two-factor authentication for SonicWALL SSL-VPN appliances. This document contains the following sections: Feature Overview
Clientless SSL VPN Users
Manage Passwords, page 1 Username and Password Requirements, page 3 Communicate Security Tips, page 3 Configure Remote Systems to Use Clientless SSL VPN Features, page 3 Manage Passwords Optionally, you
Barracuda Link Balancer Administrator s Guide
Barracuda Link Balancer Administrator s Guide Version 1.0 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2008, Barracuda Networks
Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.
This chapter provides information about the Security Assertion Markup Language (SAML) Single Sign-On feature, which allows administrative users to access certain Cisco Unified Communications Manager and
FortiGate High Availability Overview Technical Note
FortiGate High Availability Overview Technical Note FortiGate High Availability Overview Technical Note Document Version: 2 Publication Date: 21 October, 2005 Description: This document provides an overview
DIGIPASS Authentication for SonicWALL SSL-VPN
DIGIPASS Authentication for SonicWALL SSL-VPN With VACMAN Middleware 3.0 2006 VASCO Data Security. All rights reserved. Page 1 of 53 Integration Guideline Disclaimer Disclaimer of Warranties and Limitations
Installing, Uninstalling, and Upgrading Service Monitor
CHAPTER 2 Installing, Uninstalling, and Upgrading Service Monitor This section contains the following topics: Preparing to Install Service Monitor, page 2-1 Installing Cisco Unified Service Monitor, page
HOTPin Integration Guide: DirectAccess
1 HOTPin Integration Guide: DirectAccess Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; Celestix assumes no responsibility
Step by step guide to implement SMS authentication to Cisco ASA 5500 - Clientless SSL VPN and Cisco VPN
Installation guide for securing the authentication to your Cisco ASA 5500 Clientless SSL VPN and Cisco VPN Client Solutions with the Nordic Edge One Time Password Server, delivering strong authentication
PHD Virtual Backup for Hyper-V
PHD Virtual Backup for Hyper-V version 7.0 Installation & Getting Started Guide Document Release Date: December 18, 2013 www.phdvirtual.com PHDVB v7 for Hyper-V Legal Notices PHD Virtual Backup for Hyper-V
ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management
ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management Problem: The employees of a global enterprise often need to telework. When a sales representative
HP A-IMC Firewall Manager
HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this
nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances 2006 nappliance Networks, Inc.
nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances The information contained in this document represents the current view of Microsoft Corporation on the issues discussed
WhatsUp Gold v16.2 Installation and Configuration Guide
WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines
OnCommand Performance Manager 1.1
OnCommand Performance Manager 1.1 Installation and Setup Guide For Red Hat Enterprise Linux NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408) 822-4501
Quick Start Guide. for Installing vnios Software on. VMware Platforms
Quick Start Guide for Installing vnios Software on VMware Platforms Copyright Statements 2010, Infoblox Inc. All rights reserved. The contents of this document may not be copied or duplicated in any form,
WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide
WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see
Configuration Information
Configuration Information Email Security Gateway Version 7.7 This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard.
Quick Setup Guide. 2 System requirements and licensing. 2011 Kerio Technologies s.r.o. All rights reserved.
Kerio Control VMware Virtual Appliance Quick Setup Guide 2011 Kerio Technologies s.r.o. All rights reserved. This document provides detailed description on installation and basic configuration of the Kerio
Please report errors or omissions in this or any Fortinet technical document to [email protected].
The FortiGate Cookbook 5.0.7 (Expanded Version) Essential Recipes for Success with your FortiGate April 23, 2014 Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard,
Configuration Information
This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard. Other topics covered include Email Security interface navigation,
User's Guide. Product Version: 2.5.0 Publication Date: 7/25/2011
User's Guide Product Version: 2.5.0 Publication Date: 7/25/2011 Copyright 2009-2011, LINOMA SOFTWARE LINOMA SOFTWARE is a division of LINOMA GROUP, Inc. Contents GoAnywhere Services Welcome 6 Getting Started
HP IMC Firewall Manager
HP IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW102-20120420 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this
IIS, FTP Server and Windows
IIS, FTP Server and Windows The Objective: To setup, configure and test FTP server. Requirement: Any version of the Windows 2000 Server. FTP Windows s component. Internet Information Services, IIS. Steps:
Sophos Mobile Control SaaS startup guide. Product version: 6
Sophos Mobile Control SaaS startup guide Product version: 6 Document date: January 2016 Contents 1 About this guide...4 2 About Sophos Mobile Control...5 3 What are the key steps?...7 4 Change your password...8
Avaya Video Conferencing Manager Deployment Guide
Avaya Video Conferencing Manager Deployment Guide August 2011 Avaya Video Conferencing Manager Deployment Guide 2 Avaya Video Conferencing Manager This guide is for network administrators who use Avaya
Polycom CMA System Upgrade Guide
Polycom CMA System Upgrade Guide 5.0 May 2010 3725-77606-001C Trademark Information Polycom, the Polycom Triangles logo, and the names and marks associated with Polycom s products are trademarks and/or
Backup & Disaster Recovery Appliance User Guide
Built on the Intel Hybrid Cloud Platform Backup & Disaster Recovery Appliance User Guide Order Number: G68664-001 Rev 1.0 June 22, 2012 Contents Registering the BDR Appliance... 4 Step 1: Register the
FortiOS Handbook - Getting Started VERSION 5.2.2
FortiOS Handbook - Getting Started VERSION 5.2.2 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE
High Availability. FortiOS Handbook v3 for FortiOS 4.0 MR3
High Availability FortiOS Handbook v3 for FortiOS 4.0 MR3 FortiOS Handbook High Availability v3 2 May 2014 01-431-99686-20140502 Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate,
Sophos Mobile Control Administrator guide. Product version: 3.6
Sophos Mobile Control Administrator guide Product version: 3.6 Document date: November 2013 Contents 1 About Sophos Mobile Control...4 2 About the Sophos Mobile Control web console...7 3 Key steps for
WEB CONFIGURATION. Configuring and monitoring your VIP-101T from web browser. PLANET VIP-101T Web Configuration Guide
WEB CONFIGURATION Configuring and monitoring your VIP-101T from web browser The VIP-101T integrates a web-based graphical user interface that can cover most configurations and machine status monitoring.
Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15
Product Manual MDM On Premise Installation Version 8.1 Last Updated: 06/07/15 Parallels IP Holdings GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 632 0411 Fax: + 41 52 672 2010 www.parallels.com
User Guide. Version R91. English
AuthAnvil User Guide Version R91 English August 25, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated from
Configuration Guide. BES12 Cloud
Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need
1.6 HOW-TO GUIDELINES
Version 1.6 HOW-TO GUIDELINES Setting Up a RADIUS Server Stonesoft Corp. Itälahdenkatu 22A, FIN-00210 Helsinki Finland Tel. +358 (9) 4767 11 Fax. +358 (9) 4767 1234 email: [email protected] Copyright
File Auditor for NAS, Net App Edition
File Auditor for NAS, Net App Edition Installation Guide Revision 1.2 - July 2015 This guide provides a short introduction to the installation and initial configuration of NTP Software File Auditor for
