FortiAuthenticator - Administration Guide VERSION 5.3.1 FORTINET DOCUMENT LIBRARY

Fortinet resources

  • FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
  • FORTINET VIDEO GUIDE: https://video.fortinet.com
  • FORTINET KNOWLEDGE BASE: http://kb.fortinet.com
  • FORTINET BLOG: https://blog.fortinet.com
  • CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com and http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
  • FORTINET COOKBOOK: http://cookbook.fortinet.com
  • FORTINET TRAINING AND CERTIFICATION PROGRAM: https://www.fortinet.com/support-and-training/training.html
  • NSE INSTITUTE: https://training.fortinet.com/
  • FORTIGUARD CENTER: https://fortiguard.com
  • FORTICAST: http://forticast.fortinet.com
  • END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf

June 5, 2018
FortiAuthenticator - Administration Guide
23-531-493255-20180605

TABLE OF CONTENTS

Change log 8
What's new in FortiAuthenticator 5.3.1 9
What's new in FortiAuthenticator 5.3 9
Introduction 17
  Before you begin 18
  How this guide is organized 19
  Registering your Fortinet product 19
Setup 20
  Initial setup 20
  FortiAuthenticator VM setup 20
  Administrative access 21
  Adding FortiAuthenticator to your network 22
  Maintenance 23
    Backing up the configuration 23
    Upgrading the firmware 24
    Licensing 24
  CLI commands 24
    Standardized CLI 27
  Troubleshooting 27
    FortiAuthenticator settings 28
    FortiGate settings 28
System 29
  Dashboard 29
    Customizing the dashboard 30
    System information widget 31
    System resources widget 35
    Authentication activity widget 35
    User inventory widget 35
    License information widget 35
    Top user lockouts widget 35
  Network 36
    Interfaces 36
    DNS 38
    Static routing 38
    Packet capture 38
  Administration 39
    System access 39
    High availability 41
    Firmware upgrade 45
    Configuring auto-backup 45
    SNMP 46
    Licensing 49
    FortiGuard 50
    FTP servers 51
    Admin profiles 52
  Messaging 52
    SMTP servers 52
    Email services 54
    SMS gateways 55
Authentication 58
  What to configure 58
    Password-based authentication 58
    Two-factor authentication 59
    Authentication servers 59
    Machine authentication 60
  User account policies 61
    General 61
    Lockouts 62
    Passwords 63
    Custom user fields 65
    Tokens 65
  User management 68
    Administrators 68
    Local users 69
    Remote users 76
    Remote user sync rules 80
    Social login users 81
    Guest users 81
    User groups 82
    Usage profile 84
    Organizations 84
    Realms 85
    FortiTokens 86
    MAC devices 87
    RADIUS attributes 88
  FortiToken physical device and FortiToken Mobile 88
    FortiAuthenticator and FortiTokens 89
    Monitoring FortiTokens 90
    FortiToken device maintenance 90
    FortiToken drift adjustment 90
  Self-service portal 91
    General 91
    Access control 92
    Self-registration 92
    Token self-provisioning 95
    Replacement messages 96
    Device self-enrollment 98
  Captive portals 99
    General 99
    Access control 101
    Replacement messages 101
  Guest portals 106
    Portals 106
    Rules 111
    Replacement messages 112
    Smart Connect profiles 113
    Post-login device tracking 115
  Remote authentication servers 116
    LDAP 116
    Remote LDAP password change 120
    RADIUS 121
  RADIUS service 121
    Clients 122
    Client profile attributes 124
    Extensible authentication protocol 125
    Services 125
    Custom dictionaries 125
    MAC authentication bypass 127
  LDAP service 127
    General 127
    Directory tree overview 127
    Creating the directory tree 128
    Configuring a FortiGate unit for FortiAuthenticator LDAP 131
  SAML IdP 132
    General 132
    Service providers 133
  FortiAuthenticator agents 136
    FortiAuthenticator Agent for Microsoft Windows 137
    FortiAuthenticator Agent for Outlook Web Access 138
Port-based network access control 139
  Extensible Authentication Protocol 139
    FortiAuthenticator and EAP 140
    FortiAuthenticator unit configuration 140
    Configuring certificates for EAP 140
    Configuring switches and wireless controllers to use 802.1X authentication 141
    Non-compliant devices 141
Fortinet Single Sign-On 142
  Domain controller polling 142
  Windows management instrumentation polling 142
  General settings 143
  Configuring FortiGate units for FSSO 147
  Portal services 148
  Kerberos 149
  SAML authentication 150
  Windows event log sources 152
  RADIUS accounting 154
  Syslog 155
    Matching rules 155
    Predefined rules 156
    Syslog sources 157
  Fine-grained controls 158
  SSO users and groups 159
  FortiGate group filtering 160
  IP filtering rules 161
  Tiered architecture 162
  FortiClient SSO Mobility Agent 163
  Fake client protection 163
RADIUS Single Sign-On 165
  RADIUS accounting proxy 165
    General settings 165
    Rule sets 166
    Sources 168
    Destinations 169
Monitoring 170
  SSO 170
    Domains 170
    SSO sessions 170
    Windows event log sources 171
    FortiGates 171
    DC/TS agents 171
    NTLM statistics 171
  Authentication 171
    Locked-out users 172
    RADIUS sessions 172
    Windows AD 172
    Windows device logins 173
    Learned RADIUS users 173
Certificate management 174
  Policies 174
    Certificate expiry 174
  End entities 175
  Certificate authorities 184
    Local CAs 184
    Certificate revocations lists 190
    Trusted CAs 191
  SCEP 192
    General 192
    Enrollment requests 192
Logging 198
  Log access 198
  Log configuration 200
    Log settings 200
    Syslog servers 202
Troubleshooting 204
  Troubleshooting 204
  Debug logs 205
  RADIUS debugging 206
  TCP stack hardening 207
  LDAP filter syntax 208
    Examples 208
    Caveats 209

Change log

  Date          Change description
  June 5, 2018  FortiAuthenticator 5.3.1 document release. See "What's new in FortiAuthenticator 5.3.1" on page 9.
  May 9, 2018   FortiAuthenticator 5.3 document release. See "What's new in FortiAuthenticator 5.3" on page 9.

FortiAuthenticator - Administration Guide 8 Fortinet Technologies Inc.

What's new in FortiAuthenticator 5.3.1

The following list contains new and expanded features added in FortiAuthenticator 5.3.1.

  • Group password policies. For more information, see "Passwords" on page 63.
  • FortiToken 202 support.
  • Dual email and SMS two-factor authentication. For more information, see "Configuring token-based authentication" on page 73.
  • FortiAuthenticator-VM for Hyper-V is compatible with Windows Server 2016.
  • Support for direct enrollment and VPN certificate renewal via SCEP over HTTPS.

What's new in FortiAuthenticator 5.3

The following list contains new and expanded features added in FortiAuthenticator 5.3.

Active Directory users password reset

This feature adds the ability to reset an Active Directory user's password from the main login page. The workflow is the same as for resetting a local user's password. The Password Recovery Options setting is included in the remote LDAP users configuration page. This feature is available for both self-service and guest portals.

REST API for security question

This feature provides REST API access to the password recovery security question when adding/editing a user. This includes access to add/edit the password security recovery question when adding/editing a remote LDAP user. Enable Allow password recovery with security question and enter the password recovery question and answer string.

PCI DSS 3.2 2FA

The login flows for RADIUS authentication, SAML IdP, Guest Portals, and GUI Login are updated to meet PCI DSS 3.2 standards regarding multi-factor authentication. For these new login flows to take effect, go to Authentication > User Account Policies > General and enable PCI DSS 3.2 two-factor authentication.

In the case where the Bypass FortiToken authentication when user is from a trusted subnet option is enabled (under Authentication > SAML IdP > Service Providers) and the user is logging in from a trusted subnet, the login flow reverts to password-only, regardless of the PCI mode.

The GUI login page is hard-coded to Apply two-factor authentication if available (authenticate any user), so it behaves the same as the guest portal.

All failed authentications return the same generic message, so as not to reveal any clue to an attacker about which piece of information was valid or invalid: "Please enter correct credentials. Note that the password is case-sensitive."

Remote login to the CLI (i.e., Telnet, SSH) also complies with the new PCI requirements.

Guest portal exception

There is one exception for guest portals. When a user has exceeded their time and/or data usage limit, the FortiAuthenticator shows the "Usage exceeded" replacement message. The best behavior would be to only show the replacement message if the credentials are valid. However, this would require a major change in the internal flow of the current authentication implementation, so instead the FortiAuthenticator only requires that the account name be valid (not the credentials). The downside is that it opens the door for leaking valid account names. Nonetheless, it is deemed acceptable because:

  1. Account name leakage prevention is not a PCI requirement (just a best practice).
  2. Leaked account names are not usable because they are disabled (due to exceeded usage).
  3. Disabled accounts can't be leveraged to brute-force credentials (in the hope of using them if an account gets re-enabled or its usage extended).

Guest portals: SmartConnect for Windows

When the user clicks on the SmartConnect button from the post-login portal, the Platform dropdown now includes a Windows option. The SmartConnect for Windows feature provides an executable file that adds specific network settings to an end-user's Windows device. The SmartConnect profile settings are the same as the ones implemented for iOS and macOS. The main difference is in how the downloaded executable file is built and packaged, so that it installs seamlessly on Windows devices.
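As an added illustration (not FortiAuthenticator code), the following Python model of the PCI DSS 3.2 login flow and guest portal exception described above shows why every failure path returns the one generic message, how the trusted-subnet bypass reverts the flow to password-only, and where the "Usage exceeded" exception makes a valid account name distinguishable from an unknown one. The user store, trusted subnet, and function names are constructed for the example.

```python
# Added example, not FortiAuthenticator code: a model of the PCI DSS 3.2 login
# flow described in the text. Every failure path returns one generic message;
# the guest-portal "Usage exceeded" exception is the single distinguishable path.
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GENERIC_FAILURE = ("Please enter correct credentials. "
                   "Note that the password is case-sensitive.")
USAGE_EXCEEDED = "Usage exceeded"

@dataclass
class Account:
    password: str
    token: Optional[str] = None     # None: no FortiToken assigned
    usage_exceeded: bool = False    # guest account over its time/data limit

# Constructed sample user store and trusted subnet (hypothetical values).
USERS = {
    "alice": Account(password="s3cret", token="123456"),
    "guest1": Account(password="welcome", usage_exceeded=True),
}
TRUSTED_SUBNETS = [ip_network("10.0.0.0/8")]

def login(username, password, token, src_ip, guest_portal=False):
    """Return the message the client sees for one login attempt."""
    account = USERS.get(username)
    if guest_portal and account is not None and account.usage_exceeded:
        # The documented exception: only the account name is checked here,
        # so this response differs from the one for an unknown username.
        return USAGE_EXCEEDED
    if account is None or not hmac.compare_digest(account.password, password):
        return GENERIC_FAILURE      # unknown user and bad password look alike
    trusted = any(ip_address(src_ip) in net for net in TRUSTED_SUBNETS)
    if account.token is not None and not trusted:
        if token is None or not hmac.compare_digest(account.token, token):
            return GENERIC_FAILURE  # bad or missing token looks alike too
    return "OK"                     # trusted subnet: password-only flow

def enumerable(username, src_ip="203.0.113.5", guest_portal=False):
    """Defender's check: does a wrong password for this username produce a
    response that differs from the response for a nonexistent username?"""
    probe = login(username, "wrong-password", None, src_ip, guest_portal)
    baseline = login("no-such-user", "wrong-password", None, src_ip, guest_portal)
    return probe != baseline
```

Running `enumerable("guest1", guest_portal=True)` returns True, which is exactly the leakage the text accepts for guest portals; the same account queried outside the guest portal returns False.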
