The following list contains new and expanded features added in FortiAuthenticator 6.4.1.
When creating or editing a syslog server in Logging > Log Config > Syslog Servers, there is a new Secure Connection pane for sending syslog messages to remote servers using a TLS connection. See Log configuration.
RADIUS clients can be imported and assigned to RADIUS policies through a CSV file. See Clients.
The radiuspolicyclient endpoints are available; see REST API Solutions Guide.
FortiAuthenticator now supports receiving messages from a syslog source over a TLS connection on the port 6514.
Network interfaces in System > Network > Interfaces have a new Syslog over TLS (TCP/6514) toggle in Services that allows receiving messages from a syslog source over TLS. See Interfaces.
The syslog-based FSSO feature allows enabling or disabling encrypted syslogs:
New Allow TLS encryption and Require client authentication toggle in Enable Syslog SSO when editing SSO configuration in Fortinet SSO Methods > SSO > General. See General settings.
A new TLS encryption toggle when creating or editing a syslog source in Fortinet SSO Methods > SSO > Syslog Sources. See Syslog sources.
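The sender side of the syslog-over-TLS transport described above, as an added example (not FortiAuthenticator code and not from the page): it builds an RFC 5424 message, applies RFC 5425 octet-counting framing so a TLS stream can be split back into records, and prepares a client context that verifies the collector's certificate and, for the "Require client authentication" case, presents a client certificate. The collector host name, port 6514 as the listener, and the certificate file names are placeholders; whether FortiAuthenticator expects octet-counting rather than newline framing is an assumption to check against its documentation.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import List, Optional


def build_syslog_message(facility: int, severity: int, hostname: str, app: str,
                         text: str, timestamp: Optional[datetime] = None) -> str:
    """Build an RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.

    PRI is facility * 8 + severity; PROCID, MSGID and structured data are left as '-'.
    """
    pri = facility * 8 + severity
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {text}"


def frame_for_tls(message: str) -> bytes:
    """RFC 5425 octet counting: '<byte length> <message>'.

    A TLS stream has no datagram boundaries, so the receiver relies on the length
    prefix to find the end of each record; a newline inside a message cannot split it.
    """
    body = message.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def parse_tls_frames(stream: bytes) -> List[str]:
    """Receiver side of octet counting: split a buffered stream back into messages.

    Raises ValueError on a truncated record instead of silently dropping it.
    """
    messages, pos = [], 0
    while pos < len(stream):
        space = stream.index(b" ", pos)
        length = int(stream[pos:space])
        start = space + 1
        if start + length > len(stream):
            raise ValueError("truncated syslog frame")
        messages.append(stream[start:start + length].decode("utf-8"))
        pos = start + length
    return messages


def make_client_context(ca_file: str, client_cert: Optional[str] = None,
                        client_key: Optional[str] = None) -> ssl.SSLContext:
    """TLS context for the sender.

    The collector's certificate is verified against ca_file. If the collector
    requires client authentication, a client certificate and key are loaded too.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def send_over_tls(host: str, port: int, message: str, ctx: ssl.SSLContext) -> int:
    """Open a TLS connection, send one framed message and return the bytes written."""
    frame = frame_for_tls(message)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame)
    return len(frame)


if __name__ == "__main__":
    # Placeholders: the collector address and certificate paths are not from the page.
    msg = build_syslog_message(4, 6, "dc01", "fsso-agent", "user=alice logon")
    ctx = make_client_context("collector-ca.pem", "sender.crt", "sender.key")
    print(send_over_tls("fortiauthenticator.example", 6514, msg, ctx), "bytes sent")
```

Facility 4 (auth) with severity 6 (informational) gives PRI 38; the framing functions are pure, so the message format and the split/rejoin round trip can be checked without a network.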
You can now see the last used date and time for a FortiToken when editing a FortiToken in Authentication > User Management > FortiTokens.
A new last used column in Authentication > User Management > FortiTokens. See FortiTokens.
The last_used_at field is available in the fortitokens endpoint. See REST API Solutions Guide.
FortiAuthenticator now supports the SmartConnect Android application in the captive and self-service user portals. See Smart Connect profiles.
Android 11 allows the SmartConnect app to install user credential certs for EAP-TLS and PEAP to allow for user authentication.
Android 11 restricts the SmartConnect app from installing global CA certificates. As of Android 11, these certificates have to be installed manually. A warning message appears in the SmartConnect app, which prompts the user to install the certificates manually.
FortiAuthenticator now supports EAP-MSCHAPv2 authentication mechanism against a remote AD server.
FortiAuthenticator also supports multi-factor authentication over EAP-MSCHAPv2.
When creating or editing a RADIUS policy in Authentication > RADIUS Service > Policies, a new EAP-MSCHAPv2 toggle is available in the Authentication type tab, provided that the Accept EAP toggle is enabled in Password/OTP authentication. See Policies and Extensible Authentication Protocol.
When editing an interface in System > Network > Interfaces, new SAML IdP and Kerberos SSO toggles are available in the Services pane. See Interfaces.
FortiAuthenticator now supports a new temporary token option that allows the use of emergency codes for offline end-users who find themselves without access to FortiToken, email, or SMS.
A new Enable emergency codes toggle and Emergency codes valid for option when editing the token policy settings in Authentication > User Account Policies > Tokens. See Tokens.
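A worked model of the emergency-code mechanism described above, added here as an illustration and not FortiAuthenticator's implementation: a batch of single-use codes is issued with a validity window (the "Emergency codes valid for" idea), only keyed hashes are kept server-side, and redemption burns the code so it cannot be replayed. The code length, alphabet, and hashing scheme are this example's choices, not values from the page.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Alphabet without characters that are easy to misread on paper (0/O, 1/I/L).
CODE_ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"
CODE_LENGTH = 8


@dataclass
class EmergencyCodeSet:
    """Server-side record: only keyed hashes of the unused codes are stored."""
    salt: bytes
    unused: Set[bytes]
    expires_at: float


def _digest(salt: bytes, code: str) -> bytes:
    # Normalise case and strip separators so a hand-typed code still matches.
    cleaned = code.upper().replace("-", "").replace(" ", "")
    return hmac.new(salt, cleaned.encode("ascii"), hashlib.sha256).digest()


def issue_emergency_codes(count: int, valid_for_seconds: int,
                          now: Optional[float] = None) -> Tuple[List[str], EmergencyCodeSet]:
    """Generate `count` single-use codes valid for `valid_for_seconds` from `now`.

    The plaintext codes are returned once for display to the user; the server
    keeps only the salted digests, so a database leak does not leak usable codes.
    """
    issued_at = time.time() if now is None else now
    salt = secrets.token_bytes(16)
    codes = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
             for _ in range(count)]
    record = EmergencyCodeSet(salt=salt,
                              unused={_digest(salt, c) for c in codes},
                              expires_at=issued_at + valid_for_seconds)
    return codes, record


def redeem_emergency_code(record: EmergencyCodeSet, candidate: str,
                          now: Optional[float] = None) -> bool:
    """Accept a code once, and only inside its validity window."""
    checked_at = time.time() if now is None else now
    if checked_at >= record.expires_at:
        return False
    wanted = _digest(record.salt, candidate)
    # Compare against every stored digest so timing does not reveal which entry matched.
    matched = None
    for stored in record.unused:
        if hmac.compare_digest(stored, wanted):
            matched = stored
    if matched is None:
        return False
    record.unused.discard(matched)  # burn the code: a second use fails
    return True


if __name__ == "__main__":
    codes, record = issue_emergency_codes(count=5, valid_for_seconds=24 * 3600)
    print("give these to the user once:", codes)
    print("first use:", redeem_emergency_code(record, codes[0]))
    print("replay:", redeem_emergency_code(record, codes[0]))
```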
OpenID Connect (OIDC) provides an identity layer on top of the OAuth 2.0 protocol to verify end-user identity and obtain profile information. OIDC is a modern SSO protocol that is easier and more flexible to use than SAML.
OIDC authentication can be enabled for the OAuth client by configuring the relying party with an authorization code, policy, redirect URI, and OIDC claim(s).
OAuth Service in Authentication has been reorganized to include the following tabs:
General - Configure general settings for OAuth.
Policies - Create policies to use with OAuth authentication.
Relying Party - Configure OAuth clients and OIDC claims.
New OIDC endpoints are now available. The token endpoint is now expanded to include new fields that support the OIDC configuration. See REST API Solutions Guide.
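The relying-party side of the OIDC authorization-code flow outlined above (redirect URI, authorization code, and claim checks), as an added example that is not FortiAuthenticator's code or API: it issues the authorization request with `state` and `nonce`, rejects callbacks whose `state` is unknown or reused, and validates the ID token's signature, issuer, audience, expiry, nonce, and required claims. The issuer URL, endpoint path, client identifiers, and the use of HS256 (client-secret HMAC, one of the algorithms OIDC Core permits) are this example's assumptions; `mint_id_token` stands in for the provider so everything runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RelyingParty:
    """Client (relying party) side of the OIDC authorization-code flow."""

    def __init__(self, issuer: str, client_id: str, client_secret: str,
                 redirect_uri: str, required_claims=("sub", "email")):
        self.issuer = issuer
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.required_claims = tuple(required_claims)
        self._pending: Dict[str, str] = {}  # state -> nonce, one entry per login attempt

    def authorization_request(self) -> str:
        """Build the redirect to the provider. `state` ties the callback to this
        browser session; `nonce` ties the ID token to this request."""
        state = _b64url(secrets.token_bytes(16))
        nonce = _b64url(secrets.token_bytes(16))
        self._pending[state] = nonce
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": "openid profile email",
                  "state": state, "nonce": nonce}
        return f"{self.issuer}/authorize?{urlencode(params)}"  # path is assumed

    def handle_callback(self, callback_url: str) -> Tuple[str, str]:
        """Validate the callback and return (authorization_code, expected_nonce).
        An unknown or already-consumed state is rejected (login CSRF / replay)."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        if state not in self._pending:
            raise ValueError("unknown or reused state")
        nonce = self._pending.pop(state)
        return query["code"][0], nonce

    def validate_id_token(self, id_token: str, expected_nonce: str,
                          now: Optional[float] = None) -> dict:
        """Verify signature, issuer, audience, expiry, nonce and required claims."""
        parts = id_token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        head, payload, sig = parts
        header = json.loads(_b64url_decode(head))
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")  # never trust an alg the client did not expect
        expected_sig = hmac.new(self.client_secret.encode(), f"{head}.{payload}".encode(),
                                hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(payload))
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        checked_at = time.time() if now is None else now
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        if self.client_id not in audiences:
            raise ValueError("token not meant for this client")
        if checked_at >= float(claims.get("exp", 0)):
            raise ValueError("token expired")
        if claims.get("nonce") != expected_nonce:
            raise ValueError("nonce mismatch")
        missing = [c for c in self.required_claims if c not in claims]
        if missing:
            raise ValueError(f"missing claims: {missing}")
        return claims


def mint_id_token(issuer: str, client_id: str, client_secret: str, sub: str,
                  nonce: str, now: float, extra: Optional[dict] = None) -> str:
    """Stand-in for the provider's token endpoint so the example runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": client_id, "sub": sub, "nonce": nonce,
              "iat": int(now), "exp": int(now) + 3600}
    claims.update(extra or {})
    signing_input = (f"{_b64url(json.dumps(header).encode())}."
                     f"{_b64url(json.dumps(claims).encode())}")
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"
```

The order of checks matters: the signature is verified before any claim is read, and the `alg` header is pinned rather than taken from the token, so a forged header cannot downgrade verification.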
When creating or editing an LDAP Server in Authentication > Remote Auth. Servers > LDAP, a new Trusted CA toggle now allows you to specify multiple trusted CAs for secure connection to a remote LDAP server. See LDAP.
Using the new Learn Certificate button in Certificate Management > Certificate Authorities > Trusted CAs, you can now extract a certificate chain from a TLS server and show its CA certificates by entering the host name/IP address and the port number. You can then import CA certificates. See Trusted CAs.
New Password Reset Email Subject and Password Reset Email Message replacement messages in Authentication > Portals > Replacement Messages. See Replacement messages.
You can now set stronger TACACS+ client secrets that include the special characters !@#$%^&()_+\<>?./ when adding, editing, or importing TACACS+ clients.
The tacplusclients endpoint now allows special characters in the secret field. See REST API Solutions Guide.
Upon a failed SMTP test, FortiAuthenticator displays a message in the GUI to help troubleshoot the source of the issue. See Troubleshooting SMTP server tests.
For SMTP servers, FortiAuthenticator logs the source of the issue to Logging > Log Access > Logs.
Also, upon a failed SMTP send attempt, i.e., when not using the Test Connection button, FortiAuthenticator logs the source of the issue to Logging > Log Access > Logs.
In the RADIUS response tab, when the AD Computer Authentication Result is successful and the user is not authenticated yet, you can now select between the following RADIUS attribute response options:
When Return User Group Attributes is enabled, RADIUS attributes configured in the user groups that the computer is a member of are returned.
Return Additional Attributes.
FortiAuthenticator adds SNMP support for TACACS+, equivalent to the existing SNMP support for RADIUS.
When configuring SNMP settings in System > Administration > SNMP, there is a new TACACS+ Authentication Client Table Nearly Full Trap Threshold (%) field to adjust the TACACS+ SNMP trap threshold.
You can enable or disable the TACACS+ NAS trap from within SNMP clients (SNMP v3 and SNMP v1/v2) using the new TACACS+ NAS threshold exceeded toggle. See SNMP.
FortiAuthenticator now returns the remaining validity time for the OAuth2 access token in the expires_in field. The expires_in field is available in the verify_token endpoint. See REST API Solutions Guide.
A new built-in read-only admin profile in System > Administration > Admin Profiles. See Admin profiles.
The following new fields are available in the
For information about the new fields, see REST API Solutions Guide.
FortiAuthenticator now allows manually logging out of IdP sessions using the new Logoff All and Logoff Selected buttons in Monitor > Authentication > SAML IdP Session. See SAML IdP sessions.
FortiAuthenticator now supports multiple values for a remote LDAP custom attribute in Authentication > SAML IdP > Service Providers. See Service providers.