You need to decide which elements of FortiAuthenticator configuration you need.
User accounts can be created on the FortiAuthenticator device in multiple ways:
Users can self-register for password-based authentication. This reduces the workload for the system administrator. Users can choose their own passwords or have a randomly generated password provided in the browser or sent to them via email or SMS. Self-registration can be instant, or it can require administrator approval. See Self-registration.
Once created, users are automatically part of the RADIUS Authentication system and can be authenticated remotely.
See User management for more information about user accounts.
Two-factor authentication increases security by requiring multiple pieces of information on top of the username and password. There are generally two factors:
Requiring the two factors increases the difficulty for an unauthorized person to impersonate a legitimate user.
To enable two-factor authentication, configure both password-based and token-based authentication in the user’s account.
FortiAuthenticator token-based authentication requires the user to enter a numeric token at login. Two types of numerical tokens are supported:
The token passcode is generated from a combination of the current time and a secret key (seed) that is known only to the token and the FortiAuthenticator device. The passcode changes at regular time intervals, and the FortiAuthenticator unit validates the entered passcode by recomputing it from the current time and the secret seed stored for that token.
Passcodes can only be used a single time (one-time passcodes) to prevent replay attacks. Fortinet has the following time-based tokens:
The token passcode is generated using an event trigger and a secret key. Event tokens are supported using a valid email account and a mobile phone number with SMS service.
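The following is an added illustration of the two passcode types described above, not FortiAuthenticator's own code: it implements the standard event-based (RFC 4226 HOTP) and time-based (RFC 6238 TOTP) algorithms over a shared seed, plus a server-side check that tolerates a small clock drift and rejects any passcode whose time step has already been consumed. The seed is the RFC test secret, used here only as constructed sample data.

```python
import hmac
import hashlib
import struct

# Constructed demo seed (the RFC 4226/6238 test secret); not a real token seed.
DEMO_SEED = b"12345678901234567890"
TIME_STEP = 30  # seconds per time-based passcode interval


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based passcode: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based passcode: HOTP with the counter derived from the current time step."""
    return hotp(seed, unix_time // TIME_STEP, digits)


class TotpValidator:
    """Server side: recompute the passcode from the stored seed and the current time,
    allow +/- drift_steps of clock skew, and never accept a time step that was
    already used, so a captured passcode cannot be replayed within its interval."""

    def __init__(self, seed: bytes, drift_steps: int = 1):
        self.seed = seed
        self.drift_steps = drift_steps
        self.last_counter = -1  # highest time-step counter already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = unix_time // TIME_STEP
        for counter in range(now - self.drift_steps, now + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already used: reject replay
            if hmac.compare_digest(hotp(self.seed, counter), submitted):
                self.last_counter = counter
                return True
        return False
```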
FortiToken devices, FortiToken Mobile apps, email addresses, and phone numbers must be configured in the user’s account.
Only the administrator can configure token-based authentication. See Configuring token based authentication.
The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the use of remote RADIUS and LDAP (which can include Windows AD servers).
The built-in servers are best used where there is no existing authentication infrastructure, or when a separate set of credentials is required. You build a user account database on the FortiAuthenticator unit. The database can include additional user information such as street addresses and phone numbers that cannot be stored in a FortiGate unit’s user authentication database. To authenticate, either LDAP or RADIUS can be used. The remote LDAP option adds your FortiGate units to an existing LDAP structure. Optionally, you can add two-factor authentication to remote LDAP.
If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must be registered as RADIUS authentication clients in Authentication > RADIUS Service > Clients. See RADIUS service. On each FortiGate unit that will use the RADIUS protocol, the FortiAuthenticator unit must be configured as a RADIUS server in User & Device > Authentication > RADIUS Server.
If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users from the user database to the appropriate nodes in the LDAP hierarchy. See Creating the directory tree. On each FortiGate unit that will use LDAP protocol, the FortiAuthenticator unit must be configured as an LDAP server in User & Device > Authentication > LDAP Server.
Remote LDAP is used when an existing LDAP directory exists and should be used for authentication. User information can be selectively synchronised with the FortiAuthenticator unit, but the user credentials (passwords) remain on, and are validated against, the LDAP directory.
To utilize remote LDAP, the authentication client (such as a FortiGate device) must connect to the FortiAuthenticator device using RADIUS to authenticate the user information (see User & Device > Authentication > RADIUS Server). The password is then proxied to the LDAP server for validation, while any associated token passcode is validated locally.
Machine, or computer, authentication is a feature of the Windows supplicant that allows a Windows machine to authenticate to a network via 802.1X prior to user authentication.
Machine authentication is performed by the computer itself, which sends its computer object credentials before the Windows logon screen appears. User authentication is performed after the user logs in to Windows.
Based on the computer credentials provided during machine authentication, limited access to the network can be granted. For example, access can be granted to just the Active Directory server to enable user authentication.
Following machine authentication, user authentication can take place to authenticate that the user is also valid, and to then grant further access to the network.
Machine authentication commonly occurs on boot-up or log out, and not, for example, when a device awakens from hibernation. Because of this, the FortiAuthenticator caches authenticated devices based on their MAC addresses for a configurable period (see General). For more information on cached users, see Windows device logins.
To configure machine authentication, see Clients.