FortiAuthenticator


Technical Documentation http://help.fortinet.com
Knowledge Base http://kb.fortinet.com
Forums https://support.fortinet.com/forums
Customer Service & Support https://support.fortinet.com
Training http://training.fortinet.com
FortiGuard Threat Research & Response http://www.fortiguard.com
License Agreement http://www.fortinet.com/doc/legal/EULA.pdf
Document Feedback Email: techdocs@fortinet.com
Table of contents
Introducing FortiAuthenticator
  FortiAuthenticator Overview
    Strong Authentication and Authorization
    Certificate Authority
    802.1X port access control
    Fortinet Single Sign-on
  FortiAuthenticator Specifications
    Management
    Monitoring
    Configuration Backup
    Firmware Upgrades
    High Availability
    Language Options
    Customisable Pages and Messages
    Logging
    Debugging
  FortiAuthenticator Appliances
  FortiAuthenticator Platform Metrics
    Hardware Appliances
FortiAuthenticator Strong Authentication
  RADIUS Functionality
  User Management
    Local Users
    Remote Users
    User self-service password recovery
    Password Policy Enforcement
Two Factor Authentication
  FortiGate Two-Factor Authentication
  FortiAuthenticator Two Factor Authentication
  FortiToken Options
    FortiToken200 (FTK200)
    FortiToken Mobile
    Email tokens
    SMS Tokens
    Token Seed Protection
    FortiToken300 (FTK300)

Fortinet 3
  FortiAuthenticator Interoperability
  FortiAuthenticator Agent for Microsoft Windows
FortiAuthenticator Wireless Authentication
  Local User Self-Registration
  IEEE802.1X Port Access Control
    EAP-TLS
    MAC Authentication
    Dynamic VLAN Assignment
FortiAuthenticator Certificate Management
  Certificate Based VPNs
  User Device Certificate Self-Enrolment
Fortinet Single Sign-On (FSSO)
  Identity Based Policies
  FSSO Overview
  User Identity Discovery Methods
    FSSO Domain Controller Polling
    FortiClient Single Sign-On Mobility Agent
    FSSO Portal Authentication
    Radius Accounting
    FortiAuthenticator API
    Domain Controller and Terminal Services Agents
  Logout Detection
  Hierarchical Tiering of Multiple FortiAuthenticator Devices
REST API
  Resource Summary

Introducing FortiAuthenticator
FortiAuthenticator is a centralized user identity management solution that strengthens
enterprise security by simplifying the management, manipulation and storage of user identity
information used for secure authentication.
Designed as a central repository for user validation, FortiAuthenticator enables multiple
authentication technologies for controlling user access including RADIUS, LDAP, two-factor
authentication, network access control and transparent user identification. FortiAuthenticator
directly integrates into the Fortinet portfolio as well as supporting standards-based directory
infrastructures and authentication of third party devices.
FortiAuthenticator User Identity Management is an important part of an enterprise security
solution; it enables secure access to protected resources, tracking of user activity and reporting
for compliance purposes. FortiAuthenticator is not a firewall or enforcement point; rather it
provides authentication and identity services to enable other Fortinet or third party devices to
enforce secure access to protected resources.
The following sections outline the technical features and benefits of the FortiAuthenticator
solution.

FortiAuthenticator Overview
FortiAuthenticator is a hardened user identity management appliance which delivers multiple
layers of authentication security to your Fortinet enabled network. FortiAuthenticator is
designed to deploy in minutes and simplify traditionally complicated tasks such as centralized
authentication, two-factor authentication and certificate management.
FortiAuthenticator delivers unprecedented value for money with a range of features to
complement Fortinet and third party deployments with strong authentication.

Strong Authentication and Authorization
FortiAuthenticator delivers standards-based secure authentication via protocols such as
RADIUS and LDAP enhanced with two-factor authentication via integration with the
FortiAuthenticator range of tokens. FortiAuthenticator supports the widest range of tokens with
options for physical (FTK200 time based and FTK300 USB certificate), mobile (iOS, Android)
and tokenless (SMS and email) two-factor solutions.
FortiAuthenticator integrates with external LDAP directory systems (including Active Directory)
to streamline deployment and reuse existing credentials.
Additional features such as integrated user self-servicing and password management help
reduce operational costs by allowing users to manage their own registrations and password
resets without administrator intervention.

Certificate Authority
X.509 certificates can be utilized in many areas of the Fortinet enabled network to enhance
security, e.g. site-to-site VPN, user VPN (IPSEC and SSL) and wireless network access. Often,
however, certificates are overlooked due to the perceived complexity of issuing them and managing
the certificate lifecycle.
FortiAuthenticator Certificate Management has been designed to reduce the complexity of
certificate management and to integrate with certificate features within the Fortinet product
range. FortiAuthenticator Certificate Management delivers the ability to act as a self-signed
Root or intermediate Certificate Authority (CA). This embedded CA functionality enables strong
certificate based authentication for wireless networks and VPNs. By supporting features such as
SCEP and integration with FortiManager, FortiAuthenticator allows FortiGate site-to-site IPSEC
VPNs to be quickly and painlessly certificate secured, avoiding the issues associated with
distributing and managing pre-shared keys.

In a “bring your own device” (BYOD) environment, users can be allowed to self-enroll their own
devices with a valid certificate prior to being granted access to protected resources e.g.
wireless networks or client VPNs.

802.1X port access control


Support for IEEE802.1X enables enterprise authentication of users onto wireless and wired
networks. This allows organizations to move away from the traditional shared SSID Security
Keys (wireless) and implement strong user based authentication to wireless and wired
networks. To further enhance security, methods such as PEAP, EAP-TTLS and EAP-TLS
support certificate based authentication which is interoperable with the on-board
FortiAuthenticator certificate authority.

Fortinet Single Sign-on


Fortinet Single Sign-On is a method of identifying users on the network and communicating
those identities to Fortinet devices such as FortiGate and FortiCache for use in
Identity Based Policies. With FortiGate FSSO, user identification is performed using methods
which integrate, for example, with Active Directory (polling and log file analysis).
FortiAuthenticator supports a wider range of user identification methods including:
- Active Directory domain controller polling
- Single Sign-on Mobility Agent
- Manual portal authentication
- Embeddable widgets with automatic cookie based authentication
- RADIUS Accounting Start record analysis
- API based authentication (for integration with third party systems)

FortiAuthenticator can enrich login events with group information (from LDAP) and
selectively communicate events via the FSSO protocol to FortiGate and FortiCache devices for
use in identity based policies.

FortiAuthenticator Specifications

Management
FortiAuthenticator has a CLI; however, it is used for initial configuration only. All configuration
is performed via an HTTP(S) based GUI, which is supported using standard browsers.

Monitoring
FortiAuthenticator supports SNMP v1, v2c and v3 for monitoring. The MIBs are available for
download via the GUI.

Configuration Backup
The complete FortiAuthenticator configuration can be backed up to a local file and restored
using the GUI. The backed-up configuration includes all system configuration including but not
limited to, users, user groups, FortiToken device list, authentication client list, LDAP directory
tree, FSSO settings, remote LDAP, and certificates. Scheduled configuration file backup can be
performed on an hourly, daily, weekly or monthly basis to an external location using FTP/SFTP.

Firmware Upgrades
FortiAuthenticator is provided as a fully self-contained appliance consisting of a hardened OS
and all preconfigured applications. FortiAuthenticator requires no direct configuration,
management or knowledge of the OS or the applications. Following installation, all
configuration is performed via a simple web based GUI.
All upgrades to the OS and applications are performed via the upload of a firmware package
available from the Fortinet Support Web Site. The file is simply downloaded to the desktop and
uploaded to the appliance.

High Availability
Multiple FortiAuthenticator units can operate as a cluster to provide resiliency. One unit is
active and the other is on standby. If the active unit fails, the standby unit becomes active. The
cluster is configured as a single authentication server on your FortiGate units. Authentication
requests made during a failover from one unit to another are lost, but subsequent requests
complete normally. The failover process takes about 30 seconds.
Administrative access is available through any of the network interfaces using their assigned IP
addresses or through the HA interface using the Cluster member IP address. In all cases,
administrative access is available only if it is enabled on the interface.
Administrative access through any of the network interface IP addresses connects only to the
master unit. The only administrative access to the slave unit is through the HA interface using
the slave unit’s Cluster member IP address. Configuration changes made on the master unit
are automatically pushed to the slave unit. The slave unit does not permit configuration
changes, but it is possible to access the secondary unit to change HA settings or for
firmware upgrade, shutdown, reboot, or troubleshooting.

Language Options
FortiAuthenticator includes support for multiple languages, including English, French, German
and Simplified Chinese, for elements of the user facing GUI and messages (SMS, email etc).
Additional languages can be added to the GUI via an upload file in the standard PO translation
format.

Customisable Pages and Messages


Multiple pages and messages in the end user element of FortiAuthenticator are customizable,
so that customer branding, text and logos can be added. Administrators have full control
over the content displayed to the end user in a variety of interfaces, including but not limited to:
- E-mail Token Message
- E-mail Token Subject
- User Registration Receipt Message (via e-mail or browser)
- User Registration Receipt Message (via SMS)
- Login Page
- Token Login Page
- Password Reset Complete Page
- Password Reset E-mail Instruction Page
- Password Set Complete Page
- User Registration Confirmation Page (with Admin Approval)
- SMS Verification Page
- User Registration Confirmation Page
- Resend Registration Receipt Page
- SMS One-Time Passcode Message
- User Registration Page

Logging
The FortiAuthenticator interface provides administrators with a comprehensive logging view.
Logging features include:
- Real-Time Domain Controller Tree GUI View
- Real-Time Connected FortiGate GUI View
- Real-Time SSO GUI View
- Real-Time Inactive/Locked Out GUI View
- Real-Time information on SMS licensing and statistics
- Logging of all events, both locally and remotely
- Log File in GUI, search and download options available
- Log File Remote Backup, via FTP, based on time schedule. Multiple FTP servers
  configurable
- Log File Auto-Deletion
- Remote SYSLOG, Multiple SYSLOG servers, SYSLOG Level and Facility are all
  supported

Debugging
A wide range of tools for identifying configuration issues are available via the GUI and CLI,
including:
- GUI based system and application error logs
- LDAP connection test tools
- Standard debugging tools including PING and Traceroute
- TCPDUMP for traffic capture
- Support debug log capture
- SNMP v1/v2c, polling of system statistics and event based Traps
- SNMP v3, polling of system statistics and event based Traps
- CLI based debugging for fundamental diagnostics; detailed kernel diagnostics can be
  performed through the use of a debug patch (Fortinet Support Only)

FortiAuthenticator Appliances

FortiAuthenticator Platform Metrics


<For latest metrics, please see the FortiAuthenticator Datasheet>

Hardware Appliances

FortiAuthenticator Strong Authentication
FortiAuthenticator delivers strong authentication services in a hardened appliance format
allowing the service to be deployed quickly and securely in the most cost effective way possible.
FortiAuthenticator has been designed to simplify all steps of the user authentication life cycle;
from integration with existing authentication databases to zero impact token implementation. To
minimize the support overhead, FortiAuthenticator allows users to self-register and reset their
own credentials through a self-service portal by answering pre-agreed questions and providing
a token PIN.

RADIUS Functionality
FortiAuthenticator features a standards based RADIUS server compliant with common RFCs
(see Appendix A - RFC Compliance).
FortiAuthenticator provides a comprehensive set of RADIUS Server features covering
Authentication and Authorisation. Through support for standards based RADIUS,
FortiAuthenticator integrates directly into a selection of the Fortinet product suite and with third
party products.

- Flexible client (NAS) support with the ability to push RADIUS Attributes on Authentication (in
  Accept Packet).
- Upstream Integration into LDAP/AD
- Dynamically limit access to RADIUS Authentication to Authorized NAS devices only
- RADIUS Attribute manipulation with 3rd Party Dictionary support
- Receiving of RADIUS Accounting messages for Identity Based Policies
- Enhancement of RADIUS Authentication with Authorization (vendor dependent using
  RADIUS AVPs)
- User Level Authorization (via AVPs)
- Group Level Authorization (via AVPs)

User Management
For authentication and two-factor authentication, users need to exist in FortiAuthenticator.
However, because FortiAuthenticator supports both operation as a standalone authentication
system and integration with external LDAP and Active Directory repositories, there are 2 types
of users defined on the system: local and remote. User limits are based on the total number of
users of either type, i.e.
20 Local Users + 85 Remote Users = 105 Users.

Local Users
Local users have all of their credentials and information defined and held on the
FortiAuthenticator. This includes (but is not limited to):
Username, First name, Last name, E-mail, Password, Mobile, Email address.

Once defined, users can have tokens assigned to them and be assigned to appropriate groups
based on their status within the organizational structure.
Local users can be created in several ways:

Manual: Users are created by a FortiAuthenticator Administrator. The user can be defined
within the system without a password but with an email address, and they will be emailed a
temporary password which needs to be changed on first log in. The user can then log into the
account and complete details such as the password recovery security questions.

Self-registration: If enabled by the administrator, users can connect to the self-registration
portal and create their own accounts. This is useful for guest access to wireless networks.
This is covered in more detail in Local User Self-Registration.

Text file import: Users can be dynamically created from import of a CSV text file, allowing
migration from third party systems. The following fields can be imported:
- Username
- First name
- Last name
- E-mail
- Mobile
- Password
- Token serial
- Email
- 3 x Custom fields
The password field is optional; if it is not pulled from the import file, the e-mail address
becomes a mandatory field and a randomly generated password will be emailed out.

LDAP Directory Import: Users can be imported from a third party LDAP directory to the local
user database. In this case, the user detail is imported (e.g. firstname, lastname, username,
email) but the password is not available in its original unencrypted format using this method.
The user will be created and emailed a temporary password which needs to be changed.
This method maintains 2 distinct passwords (local and LDAP). If this is not what is required,
the Remote Users option is available.

Remote Users
Remote users are almost identical to local users, with a key difference. Remote users are those
which are managed on a daily basis via the third party LDAP/Active Directory system. The
purpose of importing them onto FortiAuthenticator is only so that they can be mapped to groups
and, more importantly, have a FortiToken assigned to them. The password does not exist on the
FortiAuthenticator and is validated against the third party LDAP for each authentication.

Users are imported into the remote user list from the remote LDAP directory using GUI based
filters to select the relevant domain users.

The credentials used from the remote LDAP can be defined in a mapping table prior to import.

To keep the data synchronized between the FortiAuthenticator and the remote LDAP, regular
synchronization can be performed. Two-factor authentication tokens can also be dynamically
assigned to users as they are imported.

User self-service password recovery
FortiAuthenticator incorporates a self-service password reset portal for local users. This
incorporates two methods by which passwords can be reset:

Email: A temporary password is sent to the user's registered email address. The password
needs to be changed on next login and is valid for a configurable period (between 1 and
168 hours).

Security Question: If configured, security question based password recovery is allowed
using a choice from the following questions:
- What is the name of your best friend from childhood?
- What was the name of your first teacher?
- What is the name of your manager at your first job?
- What was your first phone number?
- What is your vehicle registration number?
- What is your library card number?
Alternatively a custom question can be created.

Password Policy Enforcement


FortiAuthenticator supports a wide range of password policy and enforcement features to
prevent brute forcing and other attacks on user accounts.

Complexity: Password complexity can be set based on metrics including:
- Password length
- Minimum upper-case
- Minimum lower-case
- Minimum numeric
- Minimum non-alphanumeric

Password reuse: A configurable password history can be enforced for up to 20 iterations.

Max password age: The maximum age of a user password can be configured from
between 14 days and several years. On approaching this time period,
the user is notified to log into the FortiAuthenticator and change their
password.

Password history: The reuse of previous passwords can be a security risk.
FortiAuthenticator can prevent the reuse of recent passwords. The number of passwords to
remember is configurable (max 20).

Lockout policy: A user can be configured to be locked out temporarily or permanently
should a threshold of incorrect login attempts be reached (up to 20)
in a specified time period. The incorrect login counter is reset on a
successful login.
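As an added illustration (not FortiAuthenticator code; the class names, the `at()` clock helper and the default values are constructed), the model below applies the controls described in this section together: complexity minimums, a bounded password history (max 20), a maximum password age, and a lockout counter over a time window that resets on a successful login and can be temporary or permanent.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import hmac
import os

# Bounds quoted from the page: history and lockout threshold up to 20 entries,
# maximum password age no shorter than 14 days.
HISTORY_MAX = 20
LOCKOUT_THRESHOLD_MAX = 20
MIN_MAX_AGE_DAYS = 14
T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed reference clock for the scenario

def at(minutes: int) -> datetime:
    """Constructed helper: the timestamp `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)

@dataclass
class PasswordPolicy:
    """One administrator-chosen policy; the default values are constructed."""
    min_length: int = 10
    min_upper: int = 1
    min_lower: int = 1
    min_numeric: int = 1
    min_non_alnum: int = 1
    history_size: int = 5
    max_age_days: int = 90
    lockout_threshold: int = 5
    lockout_window: timedelta = timedelta(minutes=10)
    lockout_duration: Optional[timedelta] = timedelta(minutes=30)  # None = permanent

    def __post_init__(self) -> None:
        if not (0 <= self.history_size <= HISTORY_MAX
                and 1 <= self.lockout_threshold <= LOCKOUT_THRESHOLD_MAX
                and self.max_age_days >= MIN_MAX_AGE_DAYS):
            raise ValueError("policy value outside the documented bounds")

    def complexity_errors(self, password: str) -> list:
        """Return every complexity rule the candidate password violates."""
        rules = [("characters", len(password), self.min_length),
                 ("upper-case", sum(c.isupper() for c in password), self.min_upper),
                 ("lower-case", sum(c.islower() for c in password), self.min_lower),
                 ("numeric", sum(c.isdigit() for c in password), self.min_numeric),
                 ("non-alphanumeric", sum(not c.isalnum() for c in password), self.min_non_alnum)]
        return [f"needs at least {need} {name}" for name, have, need in rules if have < need]

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored history cannot be reversed into old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    policy: PasswordPolicy
    history: list = field(default_factory=list)   # (salt, hash) pairs, newest last
    password_set_at: Optional[datetime] = None
    failures: list = field(default_factory=list)  # timestamps of failed logins
    locked_until: Optional[datetime] = None       # datetime.max means permanent

    def _matches_any(self, password: str, entries: list) -> bool:
        return any(hmac.compare_digest(_hash(password, salt), digest) for salt, digest in entries)

    def set_password(self, password: str, now: datetime) -> list:
        """Apply complexity and history rules; store the password and return [] on success."""
        errors = self.policy.complexity_errors(password)
        recent = self.history[-self.policy.history_size:] if self.policy.history_size else []
        if self._matches_any(password, recent):
            errors.append(f"matches one of the last {self.policy.history_size} passwords")
        if errors:
            return errors
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(password, salt))])[-HISTORY_MAX:]
        self.password_set_at = now
        return []

    def login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'bad-password' or 'locked', enforcing the lockout policy."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if not self.history or not self._matches_any(password, self.history[-1:]):
            # Only failures inside the configured window count towards the threshold.
            self.failures = [t for t in self.failures if now - t < self.policy.lockout_window] + [now]
            if len(self.failures) >= self.policy.lockout_threshold:
                dur = self.policy.lockout_duration
                self.locked_until = now + dur if dur is not None else datetime.max
                return "locked"
            return "bad-password"
        self.failures.clear()  # page: the incorrect login counter resets on a successful login
        self.locked_until = None
        if now - self.password_set_at > timedelta(days=self.policy.max_age_days):
            return "expired"   # caller forces a password change
        return "ok"

def demo() -> list:
    """Walk one account through the controls and return the observed outcomes."""
    acct = Account(PasswordPolicy(lockout_threshold=3))
    out = [len(acct.set_password("weak", at(0)))]               # 4 complexity failures
    out.append(acct.set_password("Str0ng-Passw0rd!", at(0)))    # [] accepted
    out += [acct.login("wrong", at(m)) for m in (1, 2, 3)]      # bad, bad, locked
    out.append(acct.login("Str0ng-Passw0rd!", at(4)))           # correct password, still locked
    out.append(acct.login("Str0ng-Passw0rd!", at(34)))          # 30-minute lock has expired: ok
    out.append(acct.set_password("Str0ng-Passw0rd!", at(35)))   # reuse blocked by history
    out.append(acct.login("Str0ng-Passw0rd!", at(100 * 24 * 60)))  # older than max age
    return out
```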

Two Factor Authentication
FortiGate Two-Factor Authentication
Fortinet delivers the most cost effective two-factor authentication solution available, with the
feature embedded in all FortiGate devices at no additional cost. Two-factor authentication can
be implemented this way free of charge for FortiGate Management or VPN access using email
tokens, or can be enhanced using Physical, Mobile or SMS FortiTokens.
FortiAuthenticator provides a natural upgrade path from the FortiGate solution for situations
where additional functionality is required, for example:
- Support for multiple FortiGate devices with a single token
- Support for more users than are supported directly on FortiOS
- Support for legacy FortiOS releases which do not support two-factor authentication
- Support for Fortinet devices which do not support two-factor authentication
- Support for additional functional options not available on the FortiOS solution such as
  certificate management, user self-registration, password self-reset.
- Support for third-party devices using the RADIUS challenge-response mechanism.
- Support for third-party devices using RADIUS authentication with concatenated
  password and token passcode.

FortiAuthenticator Two Factor Authentication


FortiAuthenticator extends two-factor authentication capability to multiple FortiGate appliances
and to third party solutions that support RADIUS or LDAP authentication. User identity
information from FortiAuthenticator combined with authentication information from FortiToken
ensures that only authorized individuals are granted access to your organization’s sensitive
information. This additional layer of security greatly reduces the possibility of data leaks while
helping companies meet audit requirements associated with government and business privacy
regulations.

FortiToken Options
FortiAuthenticator supports the widest range of tokens possible to suit your user requirements.
With the physical time based FortiToken-200, FortiToken Mobile (for iOS and Android), event
based e-mail and SMS tokens and FortiToken300 USB certificate tokens, FortiAuthenticator has
token options for all users. Two-factor authentication can be used to control access to
applications such as FortiGate management, SSL and IPSEC VPN, Wireless Captive Portal
login, third party networking equipment and web sites.

Physical Tokens: FTK200 (key fob), FTK300 (USB Certificate Token)
Software Token: FortiToken Mobile (FTM) for Android and iOS
Tokenless: Email and SMS

FortiToken200 (FTK200)
FortiToken 200 is a hardware based, OATH compliant TOTP token, interoperable with FortiGate
(FortiOS 4.3 upwards) and FortiAuthenticator.

The token features include:
- Open Authentication (OATH) compatible Time-based One-time Password Algorithm
  (TOTP – RFC6238) hardware tokens with 60s timestep, displaying 6 digits
- Expected lifespan of 3-5 years with a perpetual license
- RADIUS Challenge Request, post username/password authentication Token prompt
- Token Drift Support
- 160-bit seed is used for all OTP tokens
- Seed generated using RNG method
- Seed encrypted with 2048-bit RSA and stored in secured database
- One token one seed procedure, ensures seed is non-duplicable
- Seed injected into hardware token by automatic processing system, seed never exposed
  to operators
- For large requirements, option exists to provision seed on customer premises.
- Multi-level security access control to manufacturing system and database with Smartcard
  access control protection

FortiToken Mobile
FortiToken Mobile is a software token which currently supports iOS and Android devices, e.g.
mobile phones and tablets. It is an OATH compliant TOTP token generator supporting 30 and
60s timesteps and 6 or 8 digit token passcodes. The token software is protected by a user PIN,
preventing misuse even if the device is lost and unlocked.

FortiToken Mobile can be downloaded from the respective vendors' stores and is interoperable
with Google, Dropbox, Amazon and other OATH compliant TOTP token authentication systems.
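The FTK200 and FortiToken Mobile passages above both describe OATH TOTP (RFC 6238) with 30 or 60 s timesteps, 6 or 8 digit codes, and drift support. The block below is an added example, not Fortinet code: it implements HOTP/TOTP generation plus the server-side check a verifier needs, with a drift window and rejection of an already-consumed code. `SEED_RFC` is the published RFC 4226/6238 test seed and `TotpVerifier` is an invented class name.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890"). A real
# FTK200 seed is 160 bits injected at manufacture and never shown to anyone.
SEED_RFC = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    step=60, digits=6 matches the FTK200 description on this page; the
    30 s and 8 digit FortiToken Mobile variants are just different arguments.
    """
    return hotp(seed, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted passcode (class name invented for this example).

    `window` is the drift tolerance in timesteps either side of the server clock.
    `last_counter` makes each timestep's code usable only once: without it a
    captured code would stay valid for the rest of the step (plus the window).
    """

    def __init__(self, seed: bytes, step: int = 60, digits: int = 6, window: int = 1) -> None:
        self.seed, self.step, self.digits, self.window = seed, step, digits, window
        self.last_counter = -1  # also keeps negative counters out of the search

    def verify(self, code: str, unix_time: int) -> Optional[int]:
        """Return the drift (in steps) at which the code was accepted, or None if rejected."""
        base = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue  # this or an earlier step was already consumed: replay
            if hmac.compare_digest(hotp(self.seed, counter, self.digits), code):
                self.last_counter = counter
                return drift
        return None
```

The accepted drift can be recorded per token to track a slow or fast clock, which is the basis of the drift support the feature list mentions.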

Email tokens
Support for both E-Mail and SMS event based tokens. The default SMS gateway is hosted within
the FortiGuard Services; 3rd party SMS gateways are also supported.

SMS Tokens
The default SMS provider for the FortiAuthenticator is the FortiGuard Messaging Service (SMS
are purchased using the FortiSMS, SMS-LIC-X00) part code.

Token Seed Protection


Two-factor authentication token security is derived from a secret “seed” embedded on the token
which must also be known by the authenticating system (e.g. FortiGate or FortiAuthenticator).
Fortinet is very well aware of customer concerns about the security of storing and handling the
seeds, following failures made by other vendors, and has taken several steps to protect this
information.

- By default, FortiToken200 seeds are initially stored in the FortiCare database.
  When a token is registered via the FortiAuthenticator (or FortiGate), the seeds are
  removed from the database, removing the risk of future compromise.
- Fortinet is aware that some customers do not wish Fortinet to manage the token
  seeds on their behalf. In this situation there are two options:
  o Token seeds can be delivered encrypted on CD and not stored within the
    FortiCare database. For this, order the FTK200CD-X SKU which comes in
    10, 20, 50 and 100 token versions.
  o For large deployments, there is also the possibility of self-provisioning the
    tokens on site. In this case, a provisioning tool can be purchased to generate
    random seeds and burn them into the memory on the token.
- FortiToken Mobile uses a dynamic provisioning service whereby the seed is created only on
  assignment of a token to a user, and is removed either on download or after a
  configurable timeout. Token seeds can also be invalidated and regenerated.
- FortiAuthenticator uses AES256 encryption for seed storage on the device.

FortiToken300 (FTK300)
FortiToken 300 is a secure USB certificate token which allows the storage of critical keying material
and certificates. It features:
- High-performance smart card chip
- FIPS-140 compliance
- Windows, Linux and MacOS supported
- MS-CAPI and PKCS#11 APIs supported
- On-board random number generator
- On-board RSA, DES, 3DES, SHA-1 algorithms
- Low cost PKI authenticator
- No subscription charge
- Two levels of password; user and admin
- Separate Token Manager Tools for user and admin

Private keys are generated on board and certificate signing requests prepared for signing by
third party certificate authorities, e.g. FortiAuthenticator (see the Certificate Authority chapter for
more detail). Signed certificates can be imported onto the token and used for authentication
purposes. The benefit of such a token is that the private keys are never exposed to the
outside world and cannot be extracted from this tamperproof token.
To access certificates stored on the token, which can then be used as part of a two-factor
authentication solution, the user must insert the device into the USB port of a supported device
and enter the token access PIN. System, application or browser access to the certificates is
then provided via the MS-CAPI or PKCS#11 interface.

FortiToken 300 can be used to store certificates to:

• Sign and/or encrypt email
• Sign and/or encrypt PDF documents (files and forms)
• Sign and/or encrypt Microsoft Office documents
• Sign and/or encrypt application code
• Authenticate to a VPN for secure, remote access to your network

FortiAuthenticator Interoperability
FortiAuthenticator two-factor authentication is delivered using standard methods such as
RADIUS. As such, any system claiming RADIUS compatibility should be interoperable with
FortiAuthenticator.
Tested solutions include:
• FortiGate
• FortiManager
• FortiWeb
• FortiMail
• FortiClient
• Cisco IOS switches and routers
• Cisco ASA
• Citrix Access Gateway
• F5 LTM
• Linux Login
• Apache Web Server
More details of the configuration required for each platform can be found in the
FortiAuthenticator Interoperability Guide http://docs.fortinet.com/fauth.html.

FortiAuthenticator Agent for Microsoft Windows

FortiAuthenticator supports two-factor authentication with methods such as RADIUS and LDAP.
As it is not easily possible to replace the authentication process for Microsoft Windows Domain
authentication, Fortinet has introduced the Two Factor Authentication Plugin Module to enhance
the existing domain login process. FortiAuthenticator Agent for Microsoft Windows utilizes the
Credential Provider Plugin system provided by Microsoft to add Token Passcode validation to
the standard username and password authentication process. This Agent allows the Username
and Password to be validated directly with Active Directory while the Token Passcode is
validated through a secure HTTPS connection to the FortiAuthenticator.
FortiAuthenticator Agent for Microsoft Windows supports a range of features including:
• Fail open/closed when the FortiAuthenticator unit is unavailable
• Administrator override
• Login with an administrator's One-Time Passcode
• Exempted accounts
• Support for password changes
• CLI-based configuration to simplify GPO roll-outs
• Limiting the domains for which a One-Time Passcode is required

FortiAuthenticator Wireless Authentication
A cohesive set of wireless related features makes FortiAuthenticator the perfect complement to
a Fortinet wireless enabled network.

Local User Self-Registration

Where guest wireless is provided, collection of user details may be required for marketing or for
compliance purposes. FortiAuthenticator allows wireless service providers to let users
self-register, collecting any required information and guaranteeing user identity in the process.
The self-registration is fully customizable, with the ability to edit the page HTML and upload
images (e.g. company logos) for display.

The fields which are displayed and required can be edited according to the requirement.
Custom fields are also provided for capture of business-specific information, e.g. for marketing
purposes. Once created, users can be accepted automatically and credentials provided, or can
be sent for approval by an administrator. Users can be granted permanent access or assigned
an expiry in hours, days, weeks, months or years.

To guarantee user identity before granting internet access, which is a requirement in many
countries, the user credentials can be sent by SMS to the user's mobile, thus tying the user to
their mobile device.
IEEE802.1X Port Access Control
802.1X authentication involves three parties: a supplicant, an authenticator (such as a network
switch or wireless device), and an authentication server. FortiAuthenticator can act as the
authentication server in an 802.1X exchange.
The FortiAuthenticator supports the EAP-TTLS, EAP-TLS, EAP-GTC and PEAP protocols for
authentication via 802.1X Port Based Network Access Control. This can be used by third
party switches and wireless access points to authenticate devices (and their users) before
allowing them onto the corporate network. FortiAuthenticator also supports fallback to MAC
based authentication for non-interactive devices such as printers.
The protocols and their differences are summarized in the table below.

EAP Method      | Server Authentication | Client Authentication | Dynamic Wired Equivalent Privacy Support | Native OS Support
PEAP (MSCHAPv2) | Yes                   | No                    | Yes                                      | Windows XP, Vista, 7, 8
EAP-TTLS        | Yes                   | No                    | Yes                                      | Windows Vista, 7, 8
EAP-TLS         | Yes                   | Yes                   | Yes                                      | Windows XP, 7, 8, Mac OSX, Linux, Android, iOS

EAP-TLS
The EAP-TLS protocol uses 802.1X to deliver centralized authentication and dynamic key
distribution, and enables data encryption for wireless networks. This is critical for an enterprise
to overcome the limitations inherent in lower security wireless methods. EAP-TLS has the
additional advantage of supporting both Server and Client Authentication (aka mutual
authentication). Support for mutual authentication makes EAP-TLS an ideal authentication
method for connection of devices to an enterprise network in a BYOD environment.
To support such deployments, FortiAuthenticator supports user device self-enrolment for the
installation of certificates onto “bring your own devices”. This feature is covered in the
Certificate Authority chapter.

MAC Authentication
FortiAuthenticator supports 802.1X fallback to MAC address authentication for non-interactive
devices such as printers, servers etc. Note that this feature requires support from the
authenticating system.

Dynamic VLAN Assignment

FortiAuthenticator can be configured to specify the VLAN to assign to a port or connection
following authentication as part of the ACCESS-ACCEPT packet. This is achieved for
supported wireless access points and wired switches using the IETF attributes:
Tunnel-Type: VLAN
Tunnel-Medium-Type: IEEE-802
Tunnel-Private-Group-Id: 123 (where 123 is the VLAN ID to assign)

Note that this feature requires support from the authenticating system.

FortiAuthenticator Certificate Management
Certificate management has traditionally been considered complicated and difficult to manage,
which has led to it having limited adoption. FortiAuthenticator is designed to remove these
complexities and simplify roll-out of digital certificates for use in a Fortinet secured network.
FortiAuthenticator can act as both a self-signed root and an intermediate CA, and greatly
reduces the overhead of signing, issuing and revoking client certificates. Use cases include
FortiGate VPN deployments with support for SCEP, SSL remote access user authentication and
FortiClient IPsec with certificates. When combined with FortiToken-300 for secure user
certificate storage, FortiAuthenticator is the ideal strong authentication server solution for all
user authentication types.
FortiAuthenticator delivers a wide range of certificate management features including:
• Self-signing root Certificate Authority
• Intermediate Certificate Authority
• Manual creation of certificates via GUI
• Automatic signing of certificates via the Simple Certificate Enrolment Protocol (SCEP)
• Administrator-approved and/or manual enrolment requests
• Wildcard certificate enrolment requests
• Certificate Revocation List (CRL) maintained and manageable on FortiAuthenticator;
  certificate expiry with configurable warning messages.
• Dynamic certificate revocation via the Online Certificate Status Protocol (OCSP), maintained
  and manageable on FortiAuthenticator; certificate expiry with configurable warning
  messages.

Certificate Based VPNs

Due to the perceived complexity of deploying certificates to remote devices, certificates are
often overlooked in the configuration of site-to-site VPNs, administrators preferring to deploy
using traditional pre-shared keys, despite the inherent limitations.
FortiAuthenticator enables simple roll-out of certificate-based FortiGate VPNs:

Step 1: FortiManager configures the certificate VPN and specifies FortiAuthenticator as the
SCEP server from which to obtain certificates.
Step 2: FortiGate devices generate public/private key pairs, generate a certificate signing
request and send it to the FortiAuthenticator for signing using the SCEP protocol.
FortiAuthenticator signs the request and returns the certificate.
Step 3: FortiGate devices bring up certificate-based VPNs.

User Device Certificate Self-Enrolment

FortiAuthenticator simplifies the traditional certificate management complications by allowing the
creation, signing, management, and distribution of certificates using SCEP. FortiAuthenticator
further simplifies the user management process by introducing user device self-enrolment. This
feature allows end-users to log into the FortiAuthenticator user portal and create certificates for
their devices, which can be used for purposes such as BYOD wireless authentication.
User self-service certificate enrolment is supported for specific devices using the following
protocols and methodologies:
• iPhone/iPad: Automated SCEP via Mobile Config
• Android: Manual PKCS#12
• Windows: PKCS#10 CSR
• Other: SCEP, PKCS#10 CSR, Manual PKCS#12

Fortinet Single Sign-On (FSSO)
Fortinet Single Sign-On (FSSO) is a general term used by Fortinet to describe methods to
transparently authenticate users, commonly but not limited to Active Directory users, on to a
FortiGate device so that Identity Based Policies (IBP) can be applied.

Identity Based Policies

Identity Based Policies are how FortiOS uses user identity provided by FSSO to deliver
comprehensive user identity centric security. Instead of allowing access based on physical
location or IP address, Identity Based Policies enable access to resources based on who the
user is and what their role is within an organization.

FSSO Overview
FSSO has existed alongside FortiGate devices for several years in the form of agents which
collect user identity information by querying security event logs either by polling or directly.
In effect, FSSO is a communications framework to pass logon information to FortiGate or
FortiCache devices; however, the method of gathering authentication events is flexible.
FortiAuthenticator has taken this premise and added several additional authentication methods
which can be used to populate the FSSO user identity database.
FortiAuthenticator integrates with commonly used directory services and standards to improve
the user experience by reducing the number of authentication requests required to gain access
to network resources.
There are four layers within the FortiAuthenticator SSO framework:

Discovery Methods: Methods by which the user identity and their location (IP) are
discovered.

Aggregation and Embellishment: Collection of user identity and addition of any missing
information (e.g. group).

Communication Framework: Method by which the authentication information is communicated
with the subscribing device.

Subscriber: Device that subscribes to the FortiAuthenticator FSSO feed, commonly to use in
Identity Based Policy.

Method                           | Authentication Endpoint                                            | User Experience                                | Agent Required
Windows Active Directory Polling | Windows Domain                                                     | Transparent                                    | No
Single Sign On Mobility Agent    | Windows Domain                                                     | Transparent                                    | Yes
Login Portal                     | Any                                                                | Manual                                         | No
Embedded widget                  | Any                                                                | Initial manual authentication then transparent | No
REST API                         | Portals and third party applications                               | Transparent *                                  | No
DC Agent                         | Windows Domain                                                     | Transparent                                    | Yes
TS Agent                         | Citrix/Windows Terminal Server                                     | Transparent                                    | Yes
RADIUS Accounting                | Commonly wireless controllers, SSL VPN, third party RADIUS systems | Transparent                                    | No

Once detected using one of these methods, user information is communicated to the
FortiAuthenticator where it can be embellished with additional information, e.g. group
membership taken from LDAP or Active Directory, and forwarded selectively to FortiGate or
FortiCache devices where the information can be utilized in dynamic Identity Based Policies.
Multiple methods can be combined to deliver the greatest possible coverage of clients and user
experience; for example, the Single Sign On Mobility Agent may be used for Microsoft Windows
domain PCs, with fallback to the login portal with embedded widgets for non-Windows systems
or unauthenticated PCs. Such a system utilizing multiple authentication methods is shown below.

User Identity Discovery Methods

FortiAuthenticator has taken the concept of Fortinet Single Sign-On (FSSO) as used in
FortiGate and the FSSO Software client and extended it with several new user identification
methods. Due to the flexibility of the FortiAuthenticator product, this list is continuously growing.
Current authentication sources and the user experiences provided are summarized in the table
above and are described in more detail below.

FSSO Domain Controller Polling

FortiAuthenticator is able to poll Windows Domain controllers to monitor the security event logs
for login events. Polling is configured to occur every 5 seconds using the NetAPI interface so
that any login event that has occurred since the previous poll is captured and entered into
FSSO.

FortiClient Single Sign-On Mobility Agent

The FortiClient SSO Mobility Agent is part of the standard FortiClient product installation and
can be installed on Windows XP/7/8 as part of the full FortiClient installation or, using the
customized install process, installed as a standalone component.
When installed, SSO Mobility Agent identifies Windows Domain users transparently and
communicates the user identity and IP address to FortiAuthenticator for use in FSSO. The
agent also monitors the system for IP address changes, such as those due to WiFi roaming,
and automatically updates FortiAuthenticator. When the user logs off or shuts down, the user is
also logged off from the FortiAuthenticator. In cases where an unclean disconnection is made
(e.g. power failure, hibernation, network failure), a heartbeat system is implemented so the user
will be de-authenticated following a configurable number of heartbeat failures.

FSSO Portal Authentication

In situations where device or user identity cannot be established transparently, such as non-
domain BYOD devices or shared kiosk machines, a web portal can be used to prompt users for
login. This method is commonly combined with other transparent methods and used as a
“catch-all” for non-domain systems and systems which cannot be identified transparently. Once
authenticated, the user remains authenticated until they log off from the browser.
As repeated manual re-authentication may impact the user experience, FortiAuthenticator
supports automated user identification for subsequent accesses through the use of Portal
Widgets. The Widget implementation, which uses an HTML iframe, can be incorporated into a
web page, such as an intranet webpage, for users to use for login. Following a successful login,
a time-limited cookie, the validity of which is configurable for up to 30 days, is stored in the
user's browser. On subsequent visits to the user's intranet home page, the user will be
transparently re-authenticated using the cookie key (assuming it matches that stored on the
FortiAuthenticator). On timeout of the cookie, or should the user clear their cache or visit a new
machine, the user will be required to re-authenticate.

RADIUS Accounting
The RADIUS accounting method uses RADIUS start, interim and stop accounting packets to
trigger logon/logoff to FSSO. Such RADIUS packets are commonly sent by networking devices
such as wireless controllers, switches and SSL-VPN devices amongst others.

The benefit of this method is that for vendors who support sending such packets, no direct
support is required by FortiAuthenticator (they use standard RADIUS which is already
supported) and minimal change is required to enable the input of the user authentication data
into the FSSO.

FortiAuthenticator API
To enable integration with third party systems, FortiAuthenticator offers a programmatic REST
API which can be used to authenticate and de-authenticate users into FSSO. This can be used
for integration with third party applications such as portals and

Domain Controller and Terminal Services Agents

FortiGate devices support the concept of DCAgent software for the collection of login
information from Windows Active Directory systems through either polling or installation on the
domain controller. TSAgent is a similar concept, except it collects user login information from
Citrix or Windows Terminal Servers. FortiAuthenticator implements the polling functionality
directly; however, it also accepts a feed from both DCAgent and TSAgent installations if
necessary.

Logout Detection
Whilst some methods natively support logout detection (e.g. SSO Mobility Agent), others such as
AD polling do not. To enable logout detection, FortiAuthenticator supports WMI polling to
identify the current logged-in user state for a device and log the user out. A manual timeout
period can also be set to remove the user from the authorization table after e.g. 8 hours.
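To make the expiry rules concrete, here is a small added example (not Fortinet's implementation) of an FSSO logged-in-users table that combines Mobility Agent logons and heartbeats, RADIUS accounting and polled logons from the sections above, and expires each according to its source. The heartbeat interval, the missed-heartbeat limit and the 8 hour manual timeout are assumed values, and group_lookup is a stub standing in for the LDAP/AD group embellishment step.

```python
"""Added example (not Fortinet's implementation): a toy FSSO logged-in-users
table showing how logons from the discovery methods above are kept alive and
expired. Heartbeat interval, missed-heartbeat limit and the 8 hour manual
timeout are assumed values; group_lookup stands in for LDAP/AD."""
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL = 30       # seconds between Mobility Agent heartbeats (assumed)
MAX_MISSED_HEARTBEATS = 3     # "configurable number of heartbeat failures"
MANUAL_TIMEOUT = 8 * 3600     # "e.g. 8 hours" from the Logout Detection text


@dataclass
class Session:
    user: str
    source: str                # "agent", "polling" or "radius"
    last_seen: float
    groups: set = field(default_factory=set)


class FssoTable:
    def __init__(self, group_lookup):
        self.group_lookup = group_lookup   # embellishment step: user -> groups
        self.by_ip = {}

    def logon(self, user, ip, source, now):
        # A fresh logon on an IP replaces whoever was recorded there before.
        self.by_ip[ip] = Session(user, source, now, set(self.group_lookup(user)))

    def logoff(self, ip):
        self.by_ip.pop(ip, None)

    def agent_update(self, user, ip, now):
        """Mobility Agent logon or heartbeat. An IP change (e.g. WiFi roaming)
        moves the entry instead of leaving a stale one behind."""
        for other, s in list(self.by_ip.items()):
            if other != ip and s.source == "agent" and s.user == user:
                del self.by_ip[other]
        s = self.by_ip.get(ip)
        if s is not None and s.user == user:
            s.last_seen = now
        else:
            self.logon(user, ip, "agent", now)

    def radius_accounting(self, status, user, ip, now):
        """Acct-Status-Type Start/Interim-Update keep an entry alive; Stop removes it."""
        if status in ("Start", "Interim-Update"):
            s = self.by_ip.get(ip)
            if s is not None and s.user == user:
                s.last_seen = now
            else:
                self.logon(user, ip, "radius", now)
        elif status == "Stop":
            self.logoff(ip)

    def expire(self, now):
        """Remove and return the IPs of stale entries: agent entries after the
        missed-heartbeat limit, everything else after the manual timeout."""
        gone = []
        for ip, s in list(self.by_ip.items()):
            limit = (HEARTBEAT_INTERVAL * MAX_MISSED_HEARTBEATS
                     if s.source == "agent" else MANUAL_TIMEOUT)
            if now - s.last_seen > limit:
                gone.append(ip)
                del self.by_ip[ip]
        return gone

    def ip_in_group(self, ip, group):
        """The check a subscriber's Identity Based Policy makes per packet."""
        s = self.by_ip.get(ip)
        return s is not None and group in s.groups
```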

Hierarchical Tiering of Multiple FortiAuthenticator Devices

Tiering of collectors and suppliers allows for the large scale deployment of regional systems
performing detection of user identification. It also allows local LDAP group lookup and
distribution of events to top level collectors, which then distribute login events to FortiGate and
FortiCache devices.

REST API
FortiAuthenticator provides a Representational State Transfer (REST) API for interaction with
components of the system. Programs communicate with the REST API over HTTP. Unlike
most other vendors, API access comes at no additional cost.
The REST API is based on interactions with a web page; data is treated like a static web page.
Supported functions include:
• GET retrieves a list of all resources for the endpoint
• POST creates a new resource on the given endpoint. Also used for user authentication
  and validation
• PUT updates all of the resources for the given endpoint.
• PATCH updates specific fields on an existing item with ID id
• DELETE removes an existing resource specified with ID from an endpoint

The API supports XML and JSON formats for query/response.

Resource Summary
There are currently 6 main resources and the root record which can be accessed via the API:

Resource               | URL              | Operation Description                                                                      | Supported Methods
Root                   | /                | Allows querying of available resources                                                     | GET
Local User Management  | /localusers/     | Allows the creation, modification and deletion of user accounts                            | GET, POST, PATCH
Local Group Management | /usergroups/     | Allows the creation and deletion of user groups and specify users within that group.       | GET, POST, PUT, DELETE
User Authentication    | /auth/           | Allows validation of user authentication credentials                                       | POST
SSO Group              | /ssogroup/       | Enables remote configuration of the SSO & Dynamic Policies > SSO > SSO Groups table        | GET, POST, DELETE
FortiGate Filter Group | /fgtgroupfilter/ | Enables remote configuration of the SSO & Dynamic Policies > SSO > FortiGate Group Filtering table | GET, PUT
SSO Authentication     | /ssoauth/        | Adds/removes a user from the FSSO logged in users table.                                   | POST

For further details on the functions and configuration of the API see the API Guide
https://docs.fortinet.com/uploaded/files/3858/fac-rest-api-solution-guide-50.pdf

BILL OF MATERIALS

Model                                          | SKU                   | Description                                                                                                                              | Qty
FortiAuthenticator 1000D Identity Management   | FAC-1000D             | Identity Management and FSSO appliance - 4 x GE RJ45 ports, 2 x GE SFP, 4 TB storage. Supports up to 10,000 Users                         | 2
FortiAuthenticator 1000D Identity Management   | FC-10-001K1-247-02-12 | 24x7 FortiCare Contract                                                                                                                  | 2
FortiAuthenticator 1000D Identity Management   | FC-10-001K1-247-02-12 | 24x7 FortiCare Contract                                                                                                                  | 2
FortiToken Mobile                              | FTM-ELIC-1000         | Software one-time password tokens for iOS, Android and Windows Phone mobile devices. Perpetual licenses for 1000 users. Electronic license certificate. | 1
