Administration Guide

FortiAuthenticator 6.3.0

The following list contains new and expanded features added in FortiAuthenticator 6.3.0.

Enhancements to the FortiAuthenticator REST API

Various improvements and new endpoints have been added to the FortiAuthenticator 6.3.0 REST API; they are documented in the REST API Solutions Guide.

For more information, see the REST API Solutions Guide.

Exporting MAC devices list

You can now export the list of MAC devices configured in Authentication > User Management > MAC Devices.

FortiToken Mobile logo configuration

The FortiToken configuration page now includes a separate tab where users can upload logo images for their organization which are sent to the FortiToken Mobile app during provisioning. The FortiToken Mobile app displays this logo beside the one-time password for the specific token. This can be used to distinguish between tokens when there are multiple tokens managed by the same FortiToken Mobile app.

FortiToken Mobile logos can be configured by selecting the Logos tab now available in Authentication > User Management > FortiTokens.

This option replaces the previous Organizations page which included the same features, previously available in Authentication > User Management > Organizations.

Monitor active SAML IdP sessions

A monitor for viewing active SAML IdP sessions is available in Monitor > Authentication > SAML IdP Sessions. The page contains the following elements:

  • A table containing the list of IdP sessions.
  • Search options at the top of the table to search by username or by user IP address.
  • The total number of SAML sessions.

TACACS+ Import clients through CSV file

TACACS+ clients can be imported and assigned to TACACS+ policies through a CSV file. See Adding clients.

Sync rule: Import RADIUS users from LDAP server

You can now configure a remote LDAP user synchronization rule that allows you to create, edit, or delete remote RADIUS users. When this synchronization rule runs, it creates remote RADIUS users available in User Management > Remote Users.

See Remote user sync rules.

FortiToken Mobile push notification contains user IP and geolocation

FortiAuthenticator now shows user IP and/or geolocation in the FortiToken mobile push notifications in the following locations when available:

  • A new Look up geo-location of user IP for Web Service toggle in Authentication > User Account Policies > General. See General.

  • A new Application name for FTM push notification field when creating or editing a SAML Service Provider in Authentication > SAML IdP > Service Providers. See Service providers.

  • A new Application name for FTM push notification field and Resolve user geolocation from their IP address toggle when creating or editing a self-service portal policy in Authentication > Portals > Policies. See Self-service portal policies.

  • A new Application name for FTM push notification field and Resolve user geolocation from their IP address toggle when creating or editing a captive portal policy in Authentication > Portals > Policies. See Captive portal policies.

  • A new Application name for FTM push notification field and Resolve user geolocation from their IP address toggle when creating or editing a RADIUS policy in Authentication > RADIUS Service > Policies. RADIUS policies also contain a new RADIUS attribute for user IP field that allows you to specify the RADIUS attribute to obtain the user IP from. See Policies.

RADIUS Attributes and Certificate Bindings available to users with administrator or sponsor role

RADIUS Attributes and Certificate Bindings tabs are available when you create, edit, or import a user with the role as Administrator or Sponsor in the following locations:

  • Authentication > User Management > Local Users.

  • Authentication > User Management > Remote Users: RADIUS attributes and certificate bindings are available when you import an LDAP user.

    Only the Certificate Bindings tab is available for RADIUS users; SAML users do not have these tabs.

When creating, editing, or importing a user with its role as Administrator or Sponsor, this feature is available only if Sync in HA Load Balancing mode is enabled. See Editing a user.

GUI: Improved LDAP group selection UX

The new Set Group Filter button in the Create New Remote LDAP User Synchronization window (Authentication > User Management > Remote User Sync Rules) lets you build the LDAP filter string by selecting one or more groups. See Remote user sync rules.

The Set Group Filter button is also available for the LDAP user groups. See User groups.

Captive portal: Support for Cisco WLC

FortiAuthenticator captive portal now supports Cisco WLC devices. It recognizes and handles redirects from a Cisco WLC device.

When configuring a captive portal policy in Authentication > Portals > Policies, FortiAuthenticator offers the following new built-in HTTP parameters when you select Add Condition in Portal selection criteria > Additional source criteria:

  • client_mac

  • redirect_url

  • switch_url

  • wlan

The switch_url HTTP parameter helps recognize a Cisco WLC captive portal redirect. After the user has successfully logged in to the FortiAuthenticator captive portal, FortiAuthenticator redirects the end user to the Cisco WLC API specified in the switch_url parameter.

The Understanding the captive portal workflow help in the Portal selection criteria tab offers a new Cisco WLC topic in the Access point/NAS dropdown.

The Authentication factors tab has a new tooltip for the MAC address parameter that lists which MAC parameter to use with each device type.

Symmetric encryption keys for debug logs and config files

When creating a configuration backup, the administrator has the option to enable or disable encryption, and specify the encryption password. By default, encryption is disabled.

When restoring a configuration backup, the administrator enters the decryption password if encryption is enabled. By default, decryption is disabled.

See Backing up and restoring the configuration.

SAML IdP: IAM users

FortiAuthenticator now supports configuring IAM users and accounts in Authentication > User Management > IAM. See Identity and Account Management (IAM).

A new IAM login setting in Authentication > SAML IdP > General allows IAM logins. When enabled, the SAML IdP login page shows a new Sign-In as IAM user link. This link takes you to the new customizable IAM login page.

Also, when you create an assertion attribute for a SAML service provider in Authentication > SAML IdP > Service Providers, it has the following new user attributes:

  • IAM account name

  • IAM account alias

  • IAM username

A new IAM option when creating a local user lets you add the local user to an IAM account. See Local users.

A new Sync users to IAM Account option when creating a remote LDAP user synchronization rule lets you synchronize the remote users with an IAM account. See Remote user sync rules.

A new IAM Account dropdown when importing SSO users in Fortinet SSO Methods > SSO > SSO Users lets you associate the imported users with an IAM account. See SSO users and groups.

A new SAML IdP Password Change Page replacement message allows customization of the password change page for a local user.

On successful IdP login of an IAM user associated with a local user for which Force password change on next logon is enabled, FortiAuthenticator presents the same password change page as for non-IAM local users.

New iamaccounts and iamusers endpoints are available. A new change_password field is now available for the localusers endpoint. For information about the new endpoints, see the REST API Solutions Guide.

SAML IdP: Support authentication from external IdP servers

FortiAuthenticator now supports IdP initiated SAML from the remote SAML IdP using an existing SAML IdP proxy server type.

The following changes were made to support IdP initiated SAML:

  • A new customizable SAML IdP Proxy Login Success page replacement message for successful IdP initiated login from a proxy remote SAML server.

  • A new Realm user attribute is available when you create an assertion attribute for a SAML service provider in Authentication > SAML IdP > Service Providers. This new SAML assertion returns the realm that the end user was authenticated against. See Service providers.

The end user accesses the FortiAuthenticator SP login portal URL before the FortiAuthenticator IdP login page. From the SP login portal URL, FortiAuthenticator determines the remote SAML server and identifies its associated realm.

Logging: Improvements for SIEM security analysis

The SAML IdP logs now include a new userip field that contains the end user IP address. Also, the nas field in the logs contains the name of the service provider.

To view log messages, go to Logging > Log Access > Logs. See Log access.
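The userip and nas fields are what make these events usable in a SIEM: userip gives the end user's source address and nas names the service provider that the assertion was issued for. As an added example (not FortiAuthenticator code, and not its exact log syntax), the following Python parses constructed key=value log lines that carry those two fields and derives the views an analyst typically builds first: the distinct source IPs per user, successful logins per service provider, and users seen from more than a threshold number of addresses. The sample lines and all field names other than userip and nas are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic key=value syslog style. Only the userip
# and nas field names come from the release notes; everything else is assumed.
SAMPLE_LOGS = """\
date=2023-05-01 time=08:01:12 type=event subtype=saml action="idp login" status=success user="alice" userip=10.1.20.15 nas="salesforce-sp"
date=2023-05-01 time=08:02:45 type=event subtype=saml action="idp login" status=success user="bob" userip=10.1.20.16 nas="salesforce-sp"
date=2023-05-01 time=08:05:03 type=event subtype=saml action="idp login" status=failure user="alice" userip=203.0.113.7 nas="okta-sp"
date=2023-05-01 time=08:05:40 type=event subtype=saml action="idp login" status=success user="alice" userip=198.51.100.9 nas="aws-sp"
date=2023-05-01 time=08:06:10 type=event subtype=saml action="idp login" status=success user="carol" userip=10.1.20.17 nas="aws-sp"
"""

# key=value pairs; values may be bare tokens or double-quoted strings with spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def parse_logs(text):
    """Parse every non-empty line of a log dump."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def ips_per_user(events):
    """Map each user to the sorted set of source IPs seen in SAML IdP events."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("subtype") == "saml" and "userip" in ev and "user" in ev:
            seen[ev["user"]].add(ev["userip"])
    return {user: sorted(ips) for user, ips in seen.items()}


def logins_per_sp(events, status="success"):
    """Count SAML IdP events per service provider (the nas field) with the given status."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("subtype") == "saml" and ev.get("status") == status and "nas" in ev:
            counts[ev["nas"]] += 1
    return dict(counts)


def users_with_many_ips(events, threshold=2):
    """Users authenticating from more than `threshold` distinct IPs: a starting point for review."""
    return sorted(user for user, ips in ips_per_user(events).items() if len(ips) > threshold)


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print(ips_per_user(events))
    print(logins_per_sp(events))
    print(users_with_many_ips(events))
```

The per-user IP view is the one that benefits most from the new userip field: before it, the IdP logs could be correlated to a service provider but not to where the user came from. Failed attempts are kept in ips_per_user deliberately, since a failure from an unexpected address is exactly what an analyst wants to see next to the successes.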

SAML IdP: RADIUS attributes for assertions

FortiAuthenticator can now include attributes returned by the remote RADIUS servers into assertions returned by the SAML IdP.

There is a new option in the GUI to configure a SAML assertion containing the value of a RADIUS attribute:

  • A new RADIUS attribute user attribute is available when you create an assertion attribute for a SAML service provider in Authentication > SAML IdP > Service Providers. See Service providers.

Captive portal: Support for WeChat social login

Captive portal in FortiAuthenticator now supports social login through WeChat. See OAUTH and Captive portal policies.

Also, WeChat is now an option in the Guest Portal Social Network Page and Guest Portal Social Network Plus FAC accounts replacement messages in Authentication > Portals > Replacement Messages.

Adaptive Authentication

FortiAuthenticator now supports bypassing the OTP verification when the end user IP is on a trusted subnet for the following services:

  • RADIUS authentication: A new Adaptive Authentication toggle is available when creating or editing a RADIUS policy in Authentication > RADIUS Service > Policies. See Policies.

  • Captive portals: A new Adaptive Authentication toggle is available when creating or editing a captive portal policy in Authentication > Portals > Policies. See Captive portal policies.

  • Self-service portals: A new Adaptive Authentication toggle is available when creating or editing a self-service portal policy in Authentication > Portals > Policies. See Self-service portal policies.

  • TACACS+ policies: A new Adaptive Authentication toggle is available when creating or editing a TACACS+ policy in Authentication > TACACS+ Service > Policies. See Creating policies.

  • SAML IdP: In Authentication > SAML IdP > Service Providers, the Bypass FortiToken authentication when user is from a trusted subnet toggle is renamed to Adaptive Authentication. See Service providers.
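The decision behind all five toggles is the same: skip the OTP step only when the end user IP falls inside a configured trusted subnet, and require it in every other case. The Python below is an added example of that decision logic (not FortiAuthenticator's implementation) written to fail closed: OTP stays required when adaptive authentication is off, when no user IP is available (for RADIUS, the IP is taken from a configured attribute, which may be absent), or when the value does not parse as an address. It handles both IPv4 and IPv6 subnets, which goes slightly beyond the text. The trusted subnets and login attempts are constructed sample data.

```python
import ipaddress


def build_trusted_networks(cidrs):
    """Parse the trusted subnets once. strict=False accepts entries with host bits set."""
    return [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]


def otp_required(user_ip, trusted_networks, adaptive_enabled=True):
    """Return True when OTP verification must still be performed.

    Fails closed: adaptive authentication disabled, missing IP, or an
    unparseable IP all result in OTP being required.
    """
    if not adaptive_enabled or not user_ip:
        return True
    try:
        addr = ipaddress.ip_address(user_ip.strip())
    except ValueError:
        return True
    return not any(addr in net for net in trusted_networks)


def evaluate_logins(attempts, trusted_cidrs, adaptive_enabled=True):
    """Evaluate (user, ip) pairs and report whether each one still needs OTP."""
    nets = build_trusted_networks(trusted_cidrs)
    return {user: otp_required(ip, nets, adaptive_enabled) for user, ip in attempts}


# Constructed sample data (hypothetical subnets and users).
TRUSTED = ["10.1.20.0/24", "192.0.2.0/25", "2001:db8:10::/48"]
ATTEMPTS = [
    ("alice", "10.1.20.15"),      # inside a trusted IPv4 subnet: OTP skipped
    ("bob", "203.0.113.7"),       # outside every trusted subnet: OTP required
    ("carol", "192.0.2.200"),     # /25 only covers .0-.127: OTP required
    ("dave", "2001:db8:10::42"),  # inside the trusted IPv6 subnet: OTP skipped
    ("erin", None),               # no IP (e.g. RADIUS attribute absent): OTP required
    ("frank", "not-an-ip"),       # unparseable value: OTP required
]

if __name__ == "__main__":
    for user, needs_otp in evaluate_logins(ATTEMPTS, TRUSTED).items():
        print(f"{user}: {'OTP required' if needs_otp else 'OTP bypassed'}")
```

The /25 case is worth keeping in any test set for this feature: a subnet entered one bit too wide silently turns into an OTP bypass for addresses that were never meant to be trusted, so the trusted list deserves the same review as any other access control rule.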

TACACS+: Support for log files of size up to 500 MB

TACACS+ audit logs support a maximum file size of 500 MB. The following new size options are available:

  • 100 MB

  • 250 MB

  • 500 MB

See Debug logs.

Certificates: GUI improvements

FortiAuthenticator now offers an improved GUI for the Enrollment Requests tab in Certificate Management > SCEP.

A new Delete & Revoke Certificate button in the Enrollment Requests tab removes the selected SCEP enrollment request and revokes all the corresponding active user certificates. This option is available only if the Automatic request type for the selected request is Regular.

New tooltips for the Subject and the Issuer columns display the full subject and the issuer names.

See Enrollment requests.

FortiAuthenticator Agent for Microsoft OWA: Supports SMS, Email, and FTM push methods for 2FA

FortiAuthenticator Agent for Microsoft OWA supports SMS, Email, and FTM push methods for 2FA.

See FortiAuthenticator Agent for Microsoft OWA 2.2 Release Notes on the Fortinet Docs Library.

Group memberships when importing local users from a CSV file

You can now set group memberships when importing local users from a CSV file.

To support this feature, a new group names field is available in the CSV format.

When exporting the local users CSV file, FortiAuthenticator includes the list of local groups each user is a member of. When importing the local users CSV file, FortiAuthenticator adds the users to the specified groups.

See Local users.

FortiAuthenticator 800F and 300F support user license upgrades

You can now load an add-on user license to FortiAuthenticator 300F and 800F hardware models. This allows for better sizing flexibility without the need to maintain a wider number of different hardware models.

As with FortiAuthenticator-VM, the number of additional users in the license specifies how many users are allowed on top of the built-in user limit. For example, if a license file with a FortiAuthenticator-300F serial number specifies 1000 additional users, uploading that license onto the FortiAuthenticator-300F results in a maximum user limit of 2500 (1500 built-in + 1000 license).

FSSO: Retry failed DNS lookups

The Enable DNS lookup to get IP from workstation name option, available when the DC/TS Agent Clients setting is enabled in Fortinet SSO Methods > SSO > General, allows FortiAuthenticator to retry the DNS lookup that obtains the workstation IP address when the logon request contains only the workstation name.

If the initial lookup fails, FortiAuthenticator retries every 10 seconds for the following 5 minutes.

See General settings.

VM: Support disk partition increase

FortiAuthenticator now supports increasing the disk partition size when more disk space is allocated to a FortiAuthenticator-VM.

After more disk space has been allocated to the VM, use the execute expand-partition command in the CLI console to expand the partition.

FortiAuthenticator reboots with an increased disk partition size.

In FortiAuthenticator 6.3.3, the maximum allowed disk size is 2 TB when attempting to increase the disk partition size.

Logging: Ability to send FortiAuthenticator debug logs to remote logging servers

FortiAuthenticator now supports sending debug logs to remote logging servers.

There is a new Send debug logs to remote Syslog servers toggle in Logging > Log Config > Log Settings.

See Log configuration.