FortiAuthenticator - Administration Guide
Version 6.0.3

FORTINET DOCUMENT LIBRARY https://docs.fortinet.com
FORTINET VIDEO GUIDE https://video.fortinet.com
FORTINET BLOG https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE https://training.fortinet.com
FORTIGUARD CENTER https://fortiguard.com/
END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK Email: [email protected]

April 09, 2020
FortiAuthenticator 6.0.3 Administration Guide
23-603-583129-20200409
Fortinet Technologies Inc.

TABLE OF CONTENTS

Change Log 8
What's new in FortiAuthenticator 9
  FortiAuthenticator 6.0.3 9
    SAML SP single logout enhancements for FSSO 9
    SAML remote authentication enhancements 9
    Low HA sync activity SNMP trap 9
    Reject usernames containing uppercase letters 10
  FortiAuthenticator 6.0.2 10
  FortiAuthenticator 6.0.1 10
    Support for FortiToken Cloud 10
    Guest portals: Automatic login after registration 10
    Client certificate for TLS authentication with remote LDAP servers 10
    SAML IdP enhancements 10
    Node-specific default gateway 11
    More granular control for purging disabled user accounts 11
    REST API enhancement: OAuth verify token returns username 11
    FortiAuthenticator on Azure Marketplace 11
  FortiAuthenticator 6.0.0 11
    GUI update 11
    SAML IdP proxy for cloud identity services 11
    Improvements to remote LDAP user synchronization rules 12
    OAuth server capability 12
    Use FortiNAC as sources of SSO sessions 12
    FSSO domain monitor improvements 12
    HTTPS/HTTP access controls 13
    Enhanced cryptography for local user password storage 13
    Configurable error pages 13
    FortiOS Security Fabric integration 13
    G Suite and Azure group lookup for SAML SP 14
    Support for additional DC event log types 14
    Export intermediate CA certificate and private key 14
    Support for Microsoft Azure and Oracle Cloud deployments 14
    Upgrade FortiAuthenticator firmware through CLI 14
Introduction 15
  Before you begin 16
  How this guide is organized 17
  Registering your Fortinet product 17
Setup 18
  Initial setup 18
    FortiAuthenticator-VM setup on VMware 18
    Administrative access 19
    Adding FortiAuthenticator to your network 21
  Maintenance 22
    Backing up the configuration 22
    Upgrading the firmware 22
    Licensing 23
    Swapping hard disks 23
  CLI commands 24
  Troubleshooting 27
    FortiAuthenticator settings 27
    FortiGate settings 27
System 28
  Dashboard 28
    Customizing the dashboard 29
    System information widget 30
    System resources widget 33
    Authentication activity widget 33
    User inventory widget 34
    License information widget 34
    Disk monitor widget 34
    Top user lockouts widget 34
    User lookup 35
  Network 36
    Interfaces 36
    DNS 38
    Static routing 39
    Packet capture 39
  Administration 40
    System access 41
    High availability 42
    Firmware upgrade 47
    Configuring auto-backup 47
    SNMP 48
    Licensing 51
    FortiGuard 51
    FortiNACs 53
    FTP servers 53
    Admin profiles 54
  Messaging 54
    SMTP servers 55
    Email services 56
    SMS gateways 57
Authentication 61
  What to configure 61
    Password-based authentication 62
    Two-factor authentication 62
    Authentication servers 63
    Machine authentication 63
  User account policies 64
    General 64
    PCI DSS 3.2 two-factor authentication 65
    Lockouts 66
    Passwords 66
    Custom user fields 68
    Tokens 69
  User management 71
    Administrators 71
    Local users 72
    Remote users 80
    Remote user sync rules 85
    Guest users 87
    User groups 88
    Usage profile 89
    Organizations 90
    Realms 91
    FortiTokens 92
    MAC devices 93
    RADIUS attributes 94
    FortiToken physical device and FortiToken Mobile 94
    FortiAuthenticator and FortiTokens 95
    Monitoring FortiTokens 96
    FortiToken device maintenance 96
    FortiToken drift adjustment 96
  Self-service portal 97
    General 97
    Access control 97
    Self-registration 98
    Token self-provisioning 100
    Replacement messages 102
    Device self-enrollment 103
  Guest portals 105
    Portals 105
    Rules 110
    Replacement messages 111
    Smart Connect profiles 112
  Remote authentication servers 114
    General 114
    LDAP 115
    RADIUS 120
    OAUTH 120
    SAML 121
  RADIUS service 124
    Clients 124
    Client profile attributes 127
    Extensible Authentication Protocol 127
    Services 127
    Custom dictionaries 128
  LDAP service 129
    General 129
    Directory tree overview 129
    Creating the directory tree 130
    Configuring a FortiGate unit for FortiAuthenticator LDAP 133
  OAuth Service 134
    Settings 134
    Applications 134
  SAML IdP 135
    General 136
    Replacement messages 136
    Service providers 137
  FortiAuthenticator agents 139
    FortiAuthenticator Agent for Microsoft Windows 139
    FortiAuthenticator Agent for Outlook Web Access 142
Port-based network access control 143
  Extensible Authentication Protocol 143
    FortiAuthenticator and EAP 144
    FortiAuthenticator unit configuration 144
    Configuring certificates for EAP 144
    Configuring switches and wireless controllers to use 802.1X authentication 144
    Non-compliant devices 145
Fortinet Single Sign-On 147
  Domain controller polling 147
  Windows management instrumentation polling 147
  General settings 148
    Configuring FortiGate units for FSSO 153
  Portal services 153
  Kerberos 155
  SAML authentication 156
  Windows event log sources 157
  RADIUS accounting sources 159
  Syslog sources 160
    Syslog sources 161
    Matching rules 161
    Predefined rules 161
  Fine-grained controls 163
  SSO users and groups 164
  Domain groupings 166
  FortiGate filtering 167
  IP filtering rules 168
  Tiered architecture 169
  FortiClient SSO Mobility Agent 170
  Fake client protection 171
RADIUS Single Sign-On 172
  RADIUS accounting proxy 172
    General 172
    Rule sets 173
    Sources 176
    Destinations 177
Monitoring 178
  SSO 178
    Domains 178
    SSO sessions 178
    Windows event log sources 179
    FortiGates 179
    DC/TS agents 179
    NTLM statistics 180
  Authentication 180
    Locked-out users 180
    RADIUS sessions 180
    Windows AD 181
    Windows device logins 181
    Learned RADIUS users 181
Certificate management 182
  Policies 182
    Certificate expiry 182
  End entities 183
  Certificate authorities 191
    Local CAs 191
    Certificate revocation lists 196
    Trusted CAs 198
  SCEP 198
    General 199
    Enrollment requests 199
Logging 205
  Log access 205
  Log configuration 207
    Log settings 207
    Syslog servers 209
  Audit reports 210
    Users audit 210
Troubleshooting 212
  Troubleshooting 212
  Debug logs 213
  RADIUS debugging 214
  TCP stack hardening 215
  LDAP filter syntax 216
    Examples 216
    Caveats 217

Change Log

Date | Change Description
2019-10-09 | Initial release.
2019-10-15 | Added additional information about HA priority to Administration on page 40.
2019-11-01 | Added information about supported VM environments to Initial setup on page 18.
2019-11-18 | Added information about installation switches to FortiClient SSO Mobility Agent on page 170.
2020-02-05 | Added additional information about SCEP key usages and interfaces to SCEP on page 198.
2020-03-05 | Added additional information about the CAs used with SCEP to SCEP on page 198.
2020-03-09 | Added additional information about importing groups in FortiGate filtering on page 167.
2020-04-09 | Updated information about the number of load-balancers supported in High availability.
What's new in FortiAuthenticator

This section provides a summary of the new features and enhancements in FortiAuthenticator:

- FortiAuthenticator 6.0.3 on page 9
- FortiAuthenticator 6.0.2 on page 10
- FortiAuthenticator 6.0.1 on page 10
- FortiAuthenticator 6.0.0 on page 11

Always review the FortiAuthenticator Release Notes prior to upgrading your device.

FortiAuthenticator 6.0.3

The following list contains new and expanded features added in FortiAuthenticator 6.0.3.

SAML SP single logout enhancements for FSSO

New enhancements have been introduced for SAML SP single logout for FSSO:

- Support for the handling of IdP-initiated logout.
- The logout button on the SAML SP Logout Page replacement message also triggers a logout from the IdP.
- A new button has been added to the SAML SP Logout Success Page replacement message to return to the login page.

SAML remote authentication enhancements

FortiAuthenticator SPs include the "RequestedAuthnContext" assertion in their authentication request to any IdP. FortiAuthenticator 6.0.3 now includes a setting to define the authentication context value. The default value is "PasswordProtectedTransport," which requires that users are authenticated using a password-based method. When alternative authentication methods are used, None can be selected to omit this requirement (e.g. when an X.509 certificate is used in Azure).

Low HA sync activity SNMP trap

A new "HA sync activity is low" trap is available that can be used by administrators to monitor the health of the HA cluster. The SNMP trap is sent by the cluster's standby member. To use this trap, create or edit an SNMPv1/v2c/v3 at System > Administration > SNMP and enable the toggle for "HA sync activity is low."
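The RequestedAuthnContext setting described above is easiest to understand from the SP side of the exchange: the SP places the requested class in its AuthnRequest, and when the assertion returns it compares the IdP's AuthnContextClassRef against what it asked for, so a default of PasswordProtectedTransport rejects an assertion that was satisfied by a certificate, while None imposes no constraint. The following is an added illustration written for this page, not FortiAuthenticator's own code or configuration; the function names, entity IDs and URLs are assumptions, and the sample Response is constructed, unsigned test data.

```python
"""Added example (not FortiAuthenticator code): how the SP's RequestedAuthnContext
choice shapes a SAML 2.0 exchange.

build_authn_request() emits <samlp:RequestedAuthnContext> unless the caller picks
None, and context_satisfied() is the SP-side check of the assertion's
<saml:AuthnContextClassRef>. Names, URLs and entity IDs are assumptions.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Authentication context class URIs defined by the SAML 2.0 authn-context specification.
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"


def build_authn_request(sp_entity_id: str, acs_url: str, idp_sso_url: str,
                        authn_context: Optional[str] = PASSWORD_PROTECTED_TRANSPORT) -> str:
    """Return an AuthnRequest as XML text.

    authn_context=None mirrors the "None" option in the text: the
    RequestedAuthnContext element is omitted, so the IdP may satisfy the
    request with any method (for example a client certificate).
    """
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    if authn_context is not None:
        # Comparison="exact" is the SAML default: the IdP must report this very class.
        rac = ET.SubElement(root, f"{{{NS['samlp']}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = authn_context
    return ET.tostring(root, encoding="unicode")


def requested_context(authn_request_xml: str) -> Optional[str]:
    """Read back the requested class URI from an AuthnRequest (None when absent)."""
    root = ET.fromstring(authn_request_xml)
    ref = root.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text if ref is not None else None


def context_satisfied(response_xml: str, requested: Optional[str]) -> bool:
    """SP-side check: does the assertion's AuthnContextClassRef match the request?

    With requested=None there is nothing to enforce. This check is only meaningful
    after the Response signature, audience and validity window have been verified;
    those steps are out of scope here.
    """
    if requested is None:
        return True
    root = ET.fromstring(response_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ref is not None and ref.text == requested


def make_response(authn_context_class: str) -> str:
    """Constructed, unsigned sample Response with one AuthnStatement (test data only)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp" Version="2.0" IssueInstant="2020-04-09T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-04-09T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2020-04-09T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{authn_context_class}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    req = build_authn_request("https://sp.example.test/metadata",
                              "https://sp.example.test/acs",
                              "https://idp.example.test/sso")
    print(req)
    # A certificate-based assertion fails the default requirement but passes with None.
    print(context_satisfied(make_response(X509), PASSWORD_PROTECTED_TRANSPORT))
    print(context_satisfied(make_response(X509), None))
```

Run stand-alone, the script prints the generated AuthnRequest followed by False and True, which is the behaviour the text describes: the default setting turns away an assertion that was satisfied without a password, and selecting None removes that constraint so certificate-based IdPs such as the Azure case can be accepted.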
Reject usernames containing uppercase letters

FortiAuthenticator includes the option to reject usernames that contain uppercase letters when using RADIUS authentication. When the option is enabled, RADIUS authentication automatically fails when the username contains an uppercase