FortiAuthenticator: User Authentication and Identity Management
Last Updated: 17th April 2015
Copyright Fortinet Inc. All rights reserved.
FortiAuthenticator Overview: Answering your authentication challenges

Authentication and Authorization
  » RADIUS, LDAP, 802.1X, RADIUS Proxy
  » SSO Mobility Agent
  » Web based login widget
Two Factor Authentication
  » FortiToken, physical and mobile
  » Tokenless, via SMS and email
Certificate Management
  » X.509 Certificate Signing, Certificate Revocation
  » Remote Device / Unattended Authentication
Fortinet Single Sign-On
  » Active Directory Agent or agentless
  » Third party systems via RADIUS, Syslog and API Integration
[Diagram: FortiAuthenticator alongside FortiGate and FortiAP; labels Two-factor Auth, Wireless Auth, User Identity, FSSO]
FortiAuthenticator Overview: Features & Benefits

Secure access to your organization's systems and data with identity-based policy and two-factor authentication
  » Control access to your intellectual property
Enable secure remote and guest network access whilst retaining control over security
  » Allow business to flourish, but not to the detriment of security
Reduce the operational burden of local and guest user management
  » Identify users and apply granular user policy
  » Integrate with existing user repositories (AD, LDAP)
  » User lifecycle management workflow
[Diagram: User Authentication and Identity Management, built from Two-factor Authentication, Wireless Authentication and User Identity]
Confidential
FortiAuthenticator Use Cases: Two-factor Authentication

Enable strong password security across your network and application estate
  » Secure remote access to critical systems
Reduce operational overheads
  » Self-service password reset
  » Integration with existing LDAP and AD databases
  » Built-in lost token workflow
  » Migration strategy from third-party vendor tokens
[Diagram: Protected Devices; Username, Token, Password; FortiAuthenticator; LDAP / Active Directory]
FortiAuthenticator Use Cases: Two-factor Authentication

Flexible range of token formats to suit all deployment requirements
  » OATH compatible TOTP (time) based tokens (FTK200)
  » USB certificate tokens (FTK300)
  » FortiToken Mobile for Android, iOS and Windows Mobile
  » SMS and Email tokens
Support for a wide range of secure authentication methods
Supports any RADIUS capable device
  » Juniper, Cisco, F5, Array, Citrix etc.
  » Microsoft Windows Domain Login and OWA
[Diagram: token types Mobile, Physical, Tokenless, API, Certificate (BYOD)]
FortiAuthenticator Use Cases: Two-factor Authentication

FortiToken Mobile: Supports Android, iOS and Windows Mobile
  » 6 or 8 digit passcode, 30 or 60s refresh
  » Free install, supports other TOTP & HOTP OATH tokens, e.g. Google, Dropbox, Amazon
  » QR Code Provisioning support
  » PIN protection enforced from FAC
Perpetual license
  » Can be reissued if device is lost
  » Can be reissued if user leaves the organization
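The OATH algorithms behind the 6 or 8 digit, 30 or 60 second codes above, as an added example that is not Fortinet's code: RFC 4226 HOTP and RFC 6238 TOTP over HMAC-SHA1, plus the server-side check a verifier performs with a one-step clock-drift window. The seed is the RFC reference key, a constructed sample.

```python
import hashlib
import hmac
import struct

# Constructed sample seed: the RFC 4226 / RFC 6238 reference key (ASCII "12345678901234567890").
# A real seed is generated per token at provisioning time and never shared between tokens.
SAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over HMAC-SHA1: MAC the 8-byte big-endian counter,
    dynamically truncate to 31 bits, keep the low `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (30 or 60 s)."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side
    to absorb clock drift, and compares in constant time so that a wrong guess
    does not leak how many leading digits matched."""
    if len(code) != digits or not code.isdigit():
        return False
    base = unix_time // step
    matched = False
    for delta in range(-window, window + 1):
        # Evaluate every candidate rather than returning early, to keep timing uniform.
        matched |= hmac.compare_digest(hotp(seed, base + delta, digits), code)
    return matched
```

A production verifier additionally records the last accepted time step per token so that a code observed once cannot be replayed inside the window.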
FortiAuthenticator Use Cases: Wireless Authentication

Centralized WiFi Authentication
  » Authenticate users (PEAP, EAP-TTLS) and machines
  » Certificate based device authorization (EAP-TLS) for BYOD environments
  » In open guest or visitor networks, FortiAuthenticator can provide captive portal functions
[Diagram: FortiAP, FortiGate, FortiAuthenticator]
FortiAuthenticator Use Cases: Guest Management

  » User Self-registration
  » Collection of user details
  » Option to SMS login details (proof of identity)
  » Receptionist registration option
  » Time limited accounts
  » Delete expired accounts
  » Support multiple locations
  » Coming soon: Facebook, Google, LinkedIn, Twitter login
[Diagram: FortiAuthenticator, FortiAP, FortiGate]
FortiAuthenticator Use Cases: Fortinet Single Sign-On

Identify users and apply identity-based security policy
  » FortiAuthenticator transparent user identification collects and enriches user identity information
  » Allows FortiGate, FortiMail and FortiCache devices to apply appropriate policy based on user identity and role
  » Granular control of network and application access
[Diagram: Staff, Admin and Guest users mapped to Corporate Resources and Guest Access; define who can access what and when]
FortiAuthenticator Use Cases: Fortinet Single Sign-On, Transparent User Identity

AD & Windows sources
  » Active Directory Polling
  » Kerberos with NTLM Fallback
  » TS and AD Collector Agents
  » FortiClient SSO Mobility Agent
Generic Sources
  » Login Portal & Widgets
  » REST API
  » Syslog
  » RADIUS Accounting Records
[Diagram: identity sources, FortiAuthenticator, FortiGate]
FortiAuthenticator Use Cases: Certificate Authority

Simplifies the task of certificate management
Issue certificates for multiple uses:
  » VPN Authentication
  » Wireless 802.1X (PEAP, EAP)
  » Windows Desktop Authentication
  » Compatible with FTK300 USB PKI
[Diagram: Certificate Store with a certificate marked X REVOKED]
FortiAuthenticator Use Cases: Certificate Based VPN

Strengthen and simplify VPN security
  » Certificate based VPN enhances traditional pre-shared keys with a second factor
  » Revoke certificates if device is lost (OCSP)
  » Zero touch certificate distribution (SCEP)
  » Integration with FortiManager to simplify deployment
FortiAuthenticator Use Cases: RADIUS Accounting Proxy

Integrates Carrier/ISP networks with Fortinet RADIUS Single Sign-On
  » Minimises changes needed to critical business systems
  » Takes the additional load by duplicating RADIUS packets
RSSO used to apply Identity Policy for FortiGate, FortiMail and FortiCache
[Diagram: RADIUS Accounting flows from the Carrier / ISP RADIUS Server through FortiAuthenticator]
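What a RADIUS accounting record carries and how RADIUS Single Sign-On turns it into an IP-to-user binding, as an added example that is not Fortinet's code: it serialises an RFC 2866 Accounting-Request, validates the Request Authenticator against the shared secret before trusting the record, and applies Start/Stop events to an identity map. The secret, user name and address are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values; a real proxy holds the secret shared with the carrier's RADIUS server.
SHARED_SECRET = b"example-shared-secret"
ACCOUNTING_REQUEST = 4                       # RADIUS Code for Accounting-Request (RFC 2866)
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 8, 40   # attribute types (RFC 2865/2866)
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_accounting_request(ident: int, attrs: list, secret: bytes) -> bytes:
    """RFC 2866: Request Authenticator = MD5(Code | Identifier | Length | 16 zero octets | Attributes | Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def parse_accounting_request(packet: bytes, secret: bytes):
    """Check the authenticator, then extract the fields RSSO needs; None means do not trust the record."""
    if len(packet) < 20:
        return None
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                          # wrong secret or tampered packet: discard
    fields, pos = {}, 0
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            return None                      # malformed attribute length
        value = body[pos + 2:pos + attr_len]
        if attr_type == USER_NAME:
            fields["user"] = value.decode("utf-8", "replace")
        elif attr_type == FRAMED_IP_ADDRESS and len(value) == 4:
            fields["ip"] = ".".join(str(b) for b in value)
        elif attr_type == ACCT_STATUS_TYPE and len(value) == 4:
            fields["status"] = STATUS_NAMES.get(struct.unpack("!I", value)[0], "Other")
        pos += attr_len
    return fields


def apply_rsso_event(identity_map: dict, fields) -> dict:
    """RSSO-style binding: Start/Interim-Update maps the client IP to the user; Stop removes it."""
    if fields and fields.get("ip"):
        if fields.get("status") in ("Start", "Interim-Update") and "user" in fields:
            identity_map[fields["ip"]] = fields["user"]
        elif fields.get("status") == "Stop":
            identity_map.pop(fields["ip"], None)   # stale bindings must not keep policy open
    return identity_map
```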
FortiAuthenticator Use Cases: High Availability and Scalability

Active-Passive High Availability
  » Local sync with failover
  » Supports all features
Active-Active Config Sync
  » Geographic distribution
  » Load balance across devices (scalability)
  » Supports authentication feature sync (not FSSO)
  » Can be combined with Active-Passive HA (A-P master, standalone slaves)
Case Studies
Case Study: Medium Enterprise Identity Management

Organization and Challenge
  » Online retail organization with mobile workforce and widespread BYOD adoption
  » Incumbent Cisco wireless network; customer thought Cisco was the only option for gateway Identity Policy
  » Cisco tried to claim that the only way to perform Identity Based Firewalling was using their own ISE and ASA. FortiAuthenticator proved this wrong and has kept Fortinet in the running for the WiFi refresh
Who We Beat
  » Cisco
Why We Won
  » Ability to consume user identity from the Cisco wireless network (via RADIUS Accounting)
  » Fully inclusive guest management and registration features
What They Bought
  » 2x FortiAuthenticator 200D (HA)
  » 2x FortiGate 600C (HA)
  » Still in the game for WiFi refresh
[Diagram: Remote Workers and Guests reach FortiGate over the WAN; FortiAuthenticator serves multiple user groups / domains]
Case Study: Local Government Identity Management

Organization and Challenge
  » Regional government requiring transparent identity-aware firewalling
  » 5,000 users with granular permissions across 3 domain controllers, 2 domains
Who We Beat
  » Juniper, CheckPoint, SonicWall
Why We Won
  » Multiple identity detection methods: AD Polling combined with RADIUS (VPN) and guest portal
  » Fully inclusive guest management and registration features
What They Bought
  » 2x FortiAuthenticator 1000D (HA)
  » 2x FortiGate 1000D (HA)
[Diagram: Remote Workers and Guests, FortiGate, WAN; FAC gathers user identity and forwards it to the FGT; multiple user groups / domains]
Case Study: Enterprise Identity Management

Organization and Challenge
  » Multinational enterprise with 3 datacenters, 90 branches and 17,000 users throughout the world
  » Mobile workforce means users could be on any site
Who We Beat
  » Palo Alto, Juniper
Why We Won
  » Performance and scalability of user identity detection
  » Selective distribution of login events to local site and core
What They Bought
  » 3 x FortiAuthenticator 3000D
  » 9 x FortiGate 3600C
  » 90 x FortiGate 110C
[Diagram: 3 Datacenters with FortiGate Clusters and Active Directory, 90 Remote Sites over the WAN; FAC gathers user identity and selectively forwards identity to the relevant FGT]
Case Study: Enterprise Two-Factor Auth

Organization and Challenge
  » Enterprise organization requiring secure multi-factor authorization for a heterogeneous range of devices
  » Integration with existing LDAP/AD infrastructure
Who We Beat
  » RSA, SafeNet
Why We Won
  » Secure provisioning strategy (CD)
  » Physical and soft token support
  » Support for a wide range of client devices and Windows Desktop login
What They Bought
  » 2 x FortiAuthenticator 400C
  » 100 x FortiToken 200
  » 500 x FortiToken Mobile
[Diagram: Multiple Datacenters, Home Workers over the Internet, Network Operations Center, FortiAuthenticator]
FortiAuthenticator Ordering Information

FortiAuthenticator 200D
  » Small / Mid Enterprise Deployments
  » Support up to 500 users
  » HDD 1 x 1TB
  » 4 x 10/100/1000
  » Rack Mountable, 1U
  » Single AC PSU
FortiAuthenticator 400C
  » Mid Enterprise Deployments
  » Support up to 2,000 users
  » HDD 1 x 1TB
  » 4 x 10/100/1000
  » Rack Mountable, 1U
  » Single AC PSU
FortiAuthenticator 1000D
  » Large Enterprise / Service Provider Deployments
  » Support up to 10,000 users
  » HDD 2 x 2TB
  » 4 x 10/100/1000, 2 x SFP
  » Rack Mountable, 2U
  » Dual AC PSU
FortiAuthenticator 3000D
  » Large Enterprise / Service Provider Deployments
  » Support up to 40,000 users
  » HDD 2 x 2TB
  » 4 x 10/100/1000, 2 x SFP
  » Rack Mountable, 2U
  » Dual AC PSU
FortiAuthenticator VM
  » All sized deployments, from SME to Service Provider
  » From 100 to 1M+ users
  » Unlimited CPU, Unlimited RAM
Fully Stackable User Licensing
Competitive
FortiAuthenticator vs FortiGate Feature Comparison

Columns: Area, Feature, FortiGate, FortiAuthenticator

Auth
  » Two-factor Auth w. FortiToken
  » Multiple FortiGate per token
  » Support third party vendors
  » User password reset
  » User self registration
  » Support multiple realms
FSSO
  » AD Polling
  » DC & TS Agent
  » Kerberos
  » RADIUS Accounting (FortiGate: ✗ (FSSO), (RSSO))
  » Syslog (Both)
Competitive Landscape

[Diagram: FortiAuthenticator positioned against competitors across Two-factor Auth, Wireless Auth and User Identity]
Feature Comparison: User Identity

Products compared: FortiAuth, Palo Alto User-ID, Cisco Identity Services Engine, Juniper Pulse UAC *, Checkpoint Identity Awareness Blade

Identity: Microsoft Windows Environments
  » DC Polling
  » DC Agent
  » Terminal Services Agent
  » Kerberos
  » Microsoft Exchange Identity
  » Endpoint Agent
Identity: Non-Microsoft Windows Environments
  » Captive Portal
  » Embeddable Widgets
  » SYSLOG
  » Open API (IF-MAP)
  » RADIUS Accounting
Authorization
  » LDAP/AD
  » Local override

* Note that the Pulse product line is now owned and supported by Pulse Secure
Feature Comparison: Two Factor Auth

Products compared: FortiAuth, SafeNet, RSA, Vasco

Deployment
  » Appliance
  » Software
  » Virtual Machine
  » Cloud
Tokens
  » Physical Token: (Time) (Event) (USB Cert) (Time) (Event) (USB Cert) (Time)
  » Mobile Token: (iOS) (Android) (WinMo) (BB) (iOS) (Android) (WinMo) (BB) (iOS) (Android) (WinMo) (BB)
  » Desktop Token: (Mac) (Win) (Mac) (Win) (Mac) (Win)
  » Tokenless: SMS, Email, SMS, Email, GrIDsure, SMS, Email
Agents
  » Windows Domain 2FA
  » Outlook Web Access 2FA
  » SharePoint (Roadmap)
Integration
  » Auth Methods: RADIUS, LDAP, SAML, API, RADIUS, LDAP, SAML, API
  » External User repositories: Local, AD, LDAP, RADIUS, AD, LDAP, RADIUS, MSSQL, AD, LDAP (Oracle only)
  » User Self Service