FortiAuthenticator 6.0.4 Release Notes
Version 6.0.4
April 2, 2020
23-604-620970-20200402
TABLE OF CONTENTS
Change log
FortiAuthenticator 6.0.4 release
Special notices
  TFTP boot firmware upgrade process
  Monitor settings for GUI access
  Before any firmware upgrade
  After any firmware upgrade
What's new
Upgrade instructions
  Hardware and VM support
  Image checksums
  Upgrading from FortiAuthenticator 4.x/5.x/6.0.x
Product integration and support
  Web browser support
  FortiOS support
  Fortinet agent support
  Virtualization software support
  Third-party RADIUS authentication
FortiAuthenticator-VM
  FortiAuthenticator-VM system requirements
  FortiAuthenticator-VM sizing guidelines
  FortiAuthenticator-VM firmware
Resolved issues
Known issues
Maximum values for hardware appliances
Maximum values for VM
FortiAuthenticator 6.0.4 release
This document provides a summary of new features, enhancements, support information, installation instructions,
caveats, and resolved and known issues for FortiAuthenticator 6.0.4, build 0059.
FortiAuthenticator is a user and identity management solution that provides strong authentication, wireless 802.1X
authentication, certificate management, RADIUS AAA (authentication, authorization, and accounting), and Fortinet
Single Sign-On (FSSO).
For additional documentation, please visit: https://docs.fortinet.com/product/fortiauthenticator/
Special notices
TFTP boot firmware upgrade process
Upgrading FortiAuthenticator firmware by interrupting the FortiAuthenticator boot process and installing a firmware
image from a TFTP server erases the current FortiAuthenticator configuration and replaces it with factory default
settings.
Monitor settings for GUI access
Fortinet recommends setting your monitor to a screen resolution of 1600x1200. This allows for all the objects in the GUI
to be viewed properly without the need for scrolling.
Before any firmware upgrade
Save a copy of your FortiAuthenticator configuration before upgrading the firmware. Go to System > Dashboard >
Status and select Backup/Restore > Download Backup File to back up the configuration.
After any firmware upgrade
Clear your browser cache before logging in to the FortiAuthenticator GUI to ensure the pages display properly.
What's new
FortiAuthenticator version 6.0.4 is a patch release that enables upgrades to FortiAuthenticator 6.1.0.
In order to upgrade to FortiAuthenticator 6.1.0, all prior versions must first upgrade to FortiAuthenticator 6.0.4.
There are no new features.
Upgrade instructions
Back up your configuration before beginning this procedure. While no data loss should occur if
the procedures below are followed correctly, a full backup is recommended before
proceeding, and you will be prompted to make one as part of the upgrade process.
For information on how to back up the FortiAuthenticator configuration, see the
FortiAuthenticator Administration Guide.
Image checksums
To verify the integrity of the firmware file, use a checksum tool to compute the firmware file’s MD5 checksum. Compare
it with the checksum indicated by Fortinet. If the checksums match, the file is intact.
MD5 checksums for software releases are available from the Fortinet Support website.
After logging in to the website, in the menus at the top of the page, click Download, then click Firmware Image
Checksums.
In the Image File Name field, enter the firmware image file name including its extension, then click Get Checksum
Code.
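An added example, not part of the Fortinet release notes: a POSIX shell check that compares a downloaded image's MD5 with the value returned by Get Checksum Code and refuses a mismatch or a malformed value. The function names and the script name are assumptions of this example.

```sh
#!/bin/sh
# Added example (not Fortinet code): compare a downloaded firmware image's MD5
# with the value returned by "Get Checksum Code" before uploading the image.
# Usage (hypothetical script name): sh verify_image.sh <image-file> <md5-value>

# md5_of FILE: print the lowercase hex MD5 digest of FILE.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | awk '{print $1}'      # GNU coreutils
    else
        md5 -q < "$1"                          # macOS / BSD
    fi
}

# verify_image FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be checked.
verify_image() {
    vi_file=$1
    # Pasted values often carry spaces, newlines or upper-case hex digits.
    vi_expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    if [ ! -f "$vi_file" ] || [ ! -r "$vi_file" ]; then
        echo "error: cannot read '$vi_file'" >&2
        return 2
    fi
    # Reject truncated or mistyped values instead of reporting a mismatch.
    if ! printf '%s\n' "$vi_expected" | grep -Eq '^[0-9a-f]{32}$'; then
        echo "error: expected value is not a 32-digit hex MD5" >&2
        return 2
    fi

    vi_actual=$(md5_of "$vi_file")
    if [ "$vi_actual" = "$vi_expected" ]; then
        echo "OK: $vi_file matches $vi_expected"
        return 0
    fi
    echo "MISMATCH: got $vi_actual, expected $vi_expected; do not upload" >&2
    return 1
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

A return code of 2 separates an unusable input, such as a truncated paste, from a real mismatch, so a typing error is not mistaken for a corrupted download.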
Upgrading from FortiAuthenticator 4.x/5.x/6.0.x
FortiAuthenticator 6.0.4 build 0059 officially supports upgrade from all versions of FortiAuthenticator 4.x, 5.x, and 6.0.x.
All prior versions must upgrade to FortiAuthenticator 6.0.4 before they are able to upgrade to FortiAuthenticator 6.1.0
and later.
First, back up your configuration, then follow the procedure below to upgrade the firmware.
Before you can install FortiAuthenticator firmware, you must download the firmware image from the Fortinet Support
website, then upload it from your computer to the FortiAuthenticator unit.
1. Log in to the Fortinet Support website. In the Download section of the page, select the Firmware Images link to
download the firmware.
2. To verify the integrity of the download, go back to the Download section of the login page and click the Firmware
Image Checksums link.
3. Log in to the FortiAuthenticator unit’s web-based manager using the admin administrator account.
4. Go to System > Dashboard > Status.
5. In the System Information widget, in the Firmware Version row, select Upgrade. The Firmware Upgrade or
Downgrade dialog box opens.
6. In the Firmware section, select Choose File, and locate the upgrade package that you downloaded.
7. Select OK to upload the file to the FortiAuthenticator.
Your browser uploads the firmware file. The time required varies by the size of the file and the speed of your network
connection. When the file transfer is complete, the following message is shown:
It is recommended that a system backup is taken at this point. Once complete, click Start Upgrade.
Wait until the unpacking, upgrade, and reboot process completes (usually 3-5 minutes), then refresh the page.
Product integration and support
FortiOS support
Virtualization software support
Support for HA in Active-Passive and Active-Active modes has not been confirmed on the
FortiAuthenticator for Xen VM at the time of the release.
Third-party RADIUS authentication
FortiAuthenticator uses standards-based RADIUS for authentication and can deliver two-factor authentication via
multiple methods for the greatest compatibility:
• RADIUS Challenge Response - Requires support by third party vendor
• Token Passcode Appended - Supports any RADIUS compatible system
FortiAuthenticator should therefore be compatible with any RADIUS capable authentication client / network access
server (NAS).
FortiAuthenticator-VM
FortiAuthenticator-VM system requirements
The following table provides a detailed summary of FortiAuthenticator virtual machine (VM) system requirements.
Installing FortiAuthenticator-VM requires that you have already installed a supported VM environment. For details, see
the FortiAuthenticator VM Install Guide.
VM requirements
FortiAuthenticator-VM sizing guidelines
The following table provides FortiAuthenticator-VM sizing guidelines based on typical usage. Actual requirements may
vary based on usage patterns.
VM sizing guidelines
Users                Virtual CPUs   Memory   Storage*
1 - 500              1              2 GB     1 TB
500 to 2,500         2              4 GB     1 TB
2,500 to 7,500       2              8 GB     2 TB
7,500 to 25,000      4              16 GB    2 TB
25,000 to 75,000     8              32 GB    4 TB
75,000 to 250,000    16             64 GB    4 TB
*1 TB is sufficient for any number of users if there is no need for long-term storage of logs onboard FortiAuthenticator.
FortiAuthenticator-VM firmware
Resolved issues
Known issues
This section lists the known issues of this release, but is not a complete list. For inquiries about a particular bug, please
visit the Fortinet Support website.
Bug ID  Description
478985  FortiAuthenticator Windows Agent sometimes doesn't see the domain name and user is not able to login.
519319  FortiAuthenticator is crashing every time when the LDAP Remote user sync rules are supposed to run.
526662  FortiAuthenticator SNMP TRAP on disk failure and/or SNMP OID for disk status.
528231  Log showing "can not add any more users because limit of 1100 has been reached."
536211  Should limit FSSO password to 15 characters since that is the limit on the FortiGate.
540932  FSSOMA nested group search failing if nested via primary group.
541884  FortiAuthenticator drops connection to FortiGate with error "sock_recv() failed, error: 104."
546764  Non-ASCII characters in replacement messages cause line-break in the middle of a URL in emails.
551478  FortiAuthenticator-VM upgrade from 4.0 b6237 to 6.0 b010 not successful.
551706  FortiAuthenticator LB HA Cluster cannot have two remote FortiAuthenticator admins with same username when 2FA FortiToken is enabled.
554282  Should have similar log messages for remote sync rule when either admin or non-admin role is assigned to imported user.
555180  Push notification certificates not restored to disk following model conversion.
555320  Captive Portal Time schedule for Device only (MAC address) is not working.
561563  Guest Portal authentication fails with HTTP 500 if user's name contains non-ASCII characters.
565635  When FortiAuthenticator receives AVP with multiple VSA for MSCHAP-v2 it rejects the 2nd request (response to challenge).
566145  Usage Profile "TIME USAGE=Time used" is not triggering COA or Disconnect request to FortiGate.
566500  Activation Failed. FTM Server: provision code not exist (40).
567157  Trusted CA import shows as pending when certificate is using SHA512 as hash.
567493  EAP-TLS authentication does not check AuthorityKeyIdentifier when matching allowed/trusted CAs.
568479  EAP-TLS - deletion of local CA#1 breaks authentication for local CA#2 with identical subject.
570138  When accessing Local Users menu under Authentication > User management, error messages are showing intermittently.
573278  Fortinet SSO Methods > SSO > Portal Services page click to hide elements.
574824  No more than 20 realms can be present in RADIUS client settings.
575996  FortiAuthenticator as RSSO > FSSO processing fails if RADIUS Accounting Sources is configured with FQDN instead of IP.
576691  Default realm allowing RADIUS users to authenticate using non-existing realms.
577590  FortiGuard server failed sending SMS because message is too long.
581967  FTM trial license activation: Disable "Cannot find req_trial_ftm task. It might have been removed."
Maximum values for hardware appliances
The following table lists the maximum number of configuration objects per FortiAuthenticator appliance that can be
added to the configuration database for different FortiAuthenticator hardware models.
The maximum values in this document are the maximum configurable values and are not a
commitment of performance.
Feature                        Model
System
  SMS Gateways                 20    20    20    20    20
  SNMP Hosts                   20    20    20    20    20
  Language Files               50    50    50    50    50
Authentication
Certificates
  Certificate Authorities
    CA Certificates            10    10    50    50    50
    Trusted CA Certificates    200   200   200   200   200
2 FortiToken Mobile Licenses refers to the licenses that can be applied to a FortiAuthenticator, not the number of
FortiToken Mobile instances that can be managed. The total number is limited by the FortiToken metric.
3 For the 3000E model, the total number of concurrent SSO users is set to a higher level to cater for large deployments.
Maximum values for VM
The following table lists the maximum number of configuration objects that can be added to the configuration database
for different FortiAuthenticator virtual machine (VM) configurations.
The maximum values in this document are the maximum configurable values and are not a
commitment of performance.
The FortiAuthenticator-VM is licensed based on the total number of users and licensed on a stacking basis. All
installations must start with a FortiAuthenticator-VM Base license and users can be stacked with upgrade licenses in
blocks of 100, 1,000, 10,000 and 100,000 users. Due to the dynamic nature of this licensing model, most other metrics
are set relative to the number of licensed users. The Calculating metric column below shows how the feature size is
calculated relative to the number of licensed users. For example, on a 100 user FortiAuthenticator-VM Base License, the
number of auth clients (NAS devices) that can authenticate to the system is:
100 / 10 = 10
Where this relative system is not used, e.g. for static routes, the Calculating metric is denoted by a "-". The supported
figures are shown for both the base VM and a 5000 user licensed VM system by way of example.
Feature              Model
System
  SMS Gateways       2    20   20   20
  SNMP Hosts         2    20   20   20
  Language Files     5    50   50   50
Authentication
Certificates
2 FortiToken Mobile Licenses refers to the licenses that can be applied to a FortiAuthenticator, not the number of
FortiToken Mobile instances that can be managed. The total number is limited by the FortiToken metric.