FortiToken Cloud Admin Guide
FortiToken Cloud - Admin Guide
Version 21.2.d

FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
FORTINET VIDEO GUIDE: https://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM: https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE: https://training.fortinet.com
FORTIGUARD CENTER: https://www.fortiguard.com
END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK: Email: [email protected]

June 28, 2021
FortiToken Cloud 21.2.d Admin Guide

TABLE OF CONTENTS

Introduction
Main features
Licensing
Compatible Fortinet applications
Supported browsers
Important notes
Transferring auth clients
Use of non-officially supported FOS
The same token for the same user on multiple auth clients
FOS 6.2.3 and 6.4.0 CLI differences
Admin accounts and realms
Supported hard tokens
No SMS MFA with FAC as LDAP server
A single FTC user in multiple auth clients
FAC users' name issues on FTC GUI
How to use FortiClient
Product documentation and support
Release history
21.2.d
21.2.c
21.2.a
21.1.a
20.4.d
20.4.c
20.4.a
20.3.e
20.3.d
20.2.c
20.1.b
20.1.a
4.4.c
4.4.b
4.3.a
4.2.d
4.2.c
4.2.b
Getting started—FGT-FTC users
Register your FTC subscription
Upgrade FortiOS
Log in to the FortiToken Cloud portal
Activate FGT VDOMs for FTC service
Add an admin user for FTC service
Add a local user for FTC service
Add remote FortiGate users for FTC service
Getting started—FAC-FTC users
Register your FTC subscription
Upgrade FortiAuthenticator OS
Log in to the FortiToken Cloud portal
Activate FAC for FTC service
Add an admin user for FTC service
Add a local user for FTC service
FOS CLI commands for FortiToken Cloud
Global system configuration
Access FTC management commands
Configure admin users
Configure local users
Configure local LDAP users for FTC service
Configure wildcard LDAP users for FTC service
Configure local RADIUS users for FTC service
Diagnose FortiToken Cloud
FortiToken Cloud GUI
Launch FortiToken Cloud
Log in as a regular FTC user
Log in as an IAM user
FortiCloud
The FortiCloud Logo
Your FortiCloud account
Services
Support
Dashboard
Last 10 authentication attempts in 30 days
Administrators
Create a sub-admin group
Delete a sub-admin group
Realms
Create a custom realm
Edit a realm
View realm permission
Delete a realm
View realm settings
Users
Get a new FTM token
Auto-assign FTKs to selected users
Add user aliases
Hide/Show full FortiAuthenticator username
View a user's auth clients
Edit a user
FortiProducts
Assign an auth client to a realm
Edit an auth client
Viewing additional information about an auth client
Delete an auth client
Web Apps
Add an auth client
Regenerate the API credentials
Edit a web app
Delete a web app
Devices (HA)
Search for a standalone device
Add devices to cluster
Remove devices from a cluster
Move a device between clusters
Mobile Tokens
Hardware Tokens
Add hard tokens manually
Batch-upload hard tokens
Assign a hard token to a user
Delete hard tokens
Usage
View usage data
View current user count and user quota
Credits
Flexible credit-based usage model
SKUs and user limits
Number of users vs. number of auth client and realms supported
Replenish your credit balance
Licenses
Settings
Global
Realm
Templates
Logs
Authentication logs
Management logs
FortiToken Mobile
Supported FTM apps
Activate FTM tokens
Activate third-party tokens
Use FTM tokens
FAQs
Does FortiGate support FTC AD-wildcard 2FA if cnid=sAMAccountName?
How to configure FortiGate for LDAP authentication?
Step 1: Configure LDAP server in FortiGate via CLI
Step 2: Add LDAP server as 'remote server' to the existing SSL VPN group
Step 3: Search and query users from the AD-LDAP server
Step 4: Verify all LDAP users on FTC portal
How do FTC credits work?
Can you give an example of FTC flexible licensing options?
How to check the auth status for WebApp API client for push authentication?
Single auth status checking by auth id
Batch auth query
What are the required parameters for post auth by WebApp client?
How to Configure SNMP server on FortiOS
Step 1: Configure the SMTP server
Step 2: Configure SMS service on FortiGate
Step 3: Configure SMS service on SMS provider
Step 4: Create a user(s) with SMS with two-factor authentication
How does FortiOS support FortiToken Cloud?
How to prevent LDAP users from bypassing 2FA?
How to debug ‘user is unable to issue a new FortiToken Cloud token’?
How to transfer FortiToken Cloud auth clients from one account to another?
How to register FortiToken Cloud license to start using FortiToken Cloud service?
What is realm? And what does it do?
What does the status of the FortiToken Cloud (FTC) token mean?
Can FTC admin enable or disable push feature from the FortiToken Cloud portal?
How to add a second FortiGate to the realm where I already have one FortiGate up running?
How to create an aliased user?
How to provision FortiToken Cloud?
Change log

Introduction

Thank you for choosing FortiToken Cloud (FTC)! FTC is an Identity and Access Management as a Service (IDaaS) cloud service offering by Fortinet. It enables FortiGate (FGT) and FortiAuthenticator (FAC) customers to add multi-factor authentication (MFA) for their respective users, with no additional hardware or software required. It protects local and remote FGT and FAC administrators as well as firewall and VPN users.

Main features

FortiToken Cloud (FTC) offers the following main features:

• Multi-factor authentication (MFA) for FGT and FAC devices—FTC provides a cloud-based MFA solution for all your FortiGate (FGT) and FortiAuthenticator (FAC) devices.
• Integration with FOS 6.2—FTC works seamlessly with FortiOS (FOS) 6.2.x.
• Support for MFA bypass and new token request—FTC admin users can allow end-users to bypass MFA and request new tokens on behalf of their end-users easily from the GUI.
• Automatic lockout of users for excessive MFA failures—FTC automatically locks out users when they have breached their specified MFA failure threshold, ensuring security and integrity of your account.
• Secure, cross-platform token transfer—You can securely transfer your FTC and third-party tokens between iOS and Android devices using the FortiToken Mobile (FTM) app.
• User synchronization from FGT and/or FAC to FTC—The admin user can synchronize their end users from FGT or FAC to FTC from the FGT Console or FAC GUI. The user base of record is always the Auth Client (i.e., FGT or FAC), and trumps the user base that exists in FTC (if different) prior to running the sync command.
• Support for remote FortiGate users—You can configure FortiGate wildcard LDAP users to use FTC for MFA. See "Configure wildcard LDAP users for FTC service" for details.
• Auth client delete function from FTC—The admin user is able to delete from the FTC portal auth clients that are no longer in use.
• Auto log-out—FTC automatically logs out a user when the GUI has been idle for more than ten minutes, safeguarding the security and integrity of your asset on FTC.
• Real-time usage statistics—The admin user can view up-to-date usage data for the current month easily from the GUI.
• Subscription-based MFA service—FTC uses a flexible SKU-based subscription mechanism to enable you to subscribe and scale your FTC MFA service with ease.
• Free trial offer—FTC offers a 24-credit free trial subscription to enable potential customers to try it out before purchase.
• FortiCloud SSO—Integration with FortiCloud provides unified single sign-on (SSO) access to all your Fortinet cloud service offerings.
• Authentication and Management logs—FTC provides comprehensive authentication and management logs to keep you informed of all authentication and management events that have happened in your account.
• Support for FGT HA clusters—FTC supports FGT and FAC HA cluster configuration. You can view your FGT and/or FAC devices in any cluster from the Auth Clients page.
• Support for custom logo—The admin user can upload custom logo images to replace the default Fortinet banner at the bottom of the FTM app on your end-users' mobile devices.