What's new in FortiAuthenticator 5.2

FortiAuthenticator 5.2 includes a host of new and expanded features.

New features include:

Guest Portals

The following new features are introduced for Guest Portals in this release:

Disclaimer update

In order to increase parity with captive portal offerings, the guest portal now offers the option to present a disclaimer to the end-user that must be accepted before proceeding to the login page, and another disclaimer page that appears when authentication is denied.

These disclaimers are enabled in the Pre-login Services section of the portal configuration under Authentication > Guest Portals > Portals.

These disclaimer pages are two new guest portal replacement messages, "Login Disclaimer Page" and "Disclaimer Denied Page", configurable in the "Authentication" section. They carry the same description and HTML code as the equivalent messages for the legacy captive portal (Authentication > Guest Portals > Replacement Messages).

Exceeded usage handling (446146)

Previously, when a user exceeded their usage profile, a disconnect message was sent from the FortiAuthenticator to the FortiGate. The user was then disabled on the FortiAuthenticator and could not log back in.

This feature allows the administrator to configure a notification that tells the user why they have been disconnected (their usage profile has been exceeded) and gives them a way to request more usage through a Request Usage Extension button. Clicking the button emails a notification to an address pre-configured under Authentication > Guest Portals > Portals.

Both the usage exceeded page and request usage extension email can be configured as guest portal replacement messages under the "Authentication" section named "Login Failure Usage Exceeded Page", "Usage Extension Request Email Subject", and "Usage Extension Request Email Message".

The GUI checks the lockout reason to determine whether to display an alternate message to the user. As part of remediation, the administrator now also has the option to clear usage data associated with a user.

Smart Connect Profiles

This feature provides the ability to set up network settings (such as WiFi configuration) on an endpoint by downloading a script or an executable, depending on the endpoint's OS, via the FortiAuthenticator's guest portal.

The Smart Connect feature appears as a new button on the guest portal's post-login main page.

When the user clicks the Smart Connect button, they are offered a self-install file to download for the OS of their choice.

For more information, see Smart Connect Profiles.

Social login

To further increase parity with legacy captive portals, social login is added to the guest portal feature under Authentication > Guest Portals > Portals.

So that specific RADIUS attributes can be returned for successful social login authentications, the Profile Configuration table now lets you specify, per RADIUS client, the user group to use for social (and device-only) logins. This user group field is optional, even when social or device-only login is enabled.

A few relevant Replacement Messages have been added:

  • Social Login Page:
    HTML for login page when social login is enabled.
  • Social Mobile/Email Verification Page:
    HTML for guest to input mobile number or email address for login using mobile or email verification.
  • Social Mobile/Email Verification Message:
    Message sent to user for mobile or email verification.
  • Social Email Verification Page:
    HTML for email verification page.
  • Social Mobile Verification Page:
    HTML for mobile number verification page.

When only Account Login is enabled, the guest portal presents the existing "Login Page" replacement message. When Social Login is enabled, the guest portal presents the new "Social Login Page" replacement message.

MAC-only authentication

The option has been added to perform device-only authentication on the guest portals under Authentication > Guest Portals > Portals.

By default, User credentials is selected. When the Device only (MAC address) option is selected, the "MAC device HTTP parameter" must also be configured.

When the Device only (MAC address) option is enabled, the endpoint is not presented with the login page. Instead, the FortiAuthenticator uses only the endpoint device's MAC address for authentication. If the associated RADIUS client profile has MAC device filtering enabled, the MAC address is authenticated according to those settings. If MAC device filtering is disabled, any MAC address is accepted.

Once a device-only end-user has successfully authenticated, the FortiAuthenticator generates a log with the device information. The administrator can also view a list of the device accounts with the social user accounts under Authentication > User Management > Social Login Users.

In addition, a new guest portal Replacement Message is introduced accordingly:

  • MAC only authentication failure page:
    HTML page displayed to user when MAC-only authentication fails.
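The decision flow described above for device-only (MAC address) login, written out as an added example so the edge cases are explicit: a missing or malformed MAC parameter is a failure, a disabled device filter accepts any well-formed MAC, and an enabled filter only accepts listed devices. This is illustrative code, not FortiAuthenticator's implementation; the `mac_param`/`DeviceFilter` names, the query-parameter shape and the sample MAC list are assumptions made for the example.

```python
"""Added example, not FortiAuthenticator code: device-only (MAC) login decision logic."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Accepts the common on-the-wire spellings of a MAC address:
# 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and bare 001122334455.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$",
    re.I,
)


def normalise_mac(raw: str) -> Optional[str]:
    """Return the MAC as 12 lowercase hex digits, or None if the value is not a MAC."""
    s = raw.strip()
    if not _MAC_RE.match(s):
        return None
    return re.sub(r"[:.\-]", "", s).lower()


@dataclass
class DeviceFilter:
    """Assumed stand-in for a RADIUS client profile's MAC device filtering settings."""
    enabled: bool
    allowed_macs: Set[str] = field(default_factory=set)  # normalised form


def device_only_auth(query: Dict[str, str], mac_param: str,
                     profile: DeviceFilter) -> Tuple[bool, str]:
    """Decide a device-only login from the HTTP query parameters.

    mac_param is the configured "MAC device HTTP parameter" name.
    Returns (accepted, reason); the reason is what a log entry would record.
    """
    raw = query.get(mac_param)
    if raw is None:
        return False, "missing MAC parameter"
    mac = normalise_mac(raw)
    if mac is None:
        # A value that is not a MAC is rejected before any filter lookup.
        return False, "malformed MAC parameter"
    if not profile.enabled:
        # Filtering disabled: any well-formed MAC address is accepted.
        return True, "filtering disabled: accepted without device check"
    if mac in profile.allowed_macs:
        return True, "MAC matched device filter"
    return False, "MAC not in device filter"


if __name__ == "__main__":
    # Constructed sample: one registered device, filter enabled.
    profile = DeviceFilter(enabled=True, allowed_macs={"001122334455"})
    for q in ({"mac": "00-11-22-33-44-55"}, {"mac": "aa:bb:cc:dd:ee:ff"}, {}):
        print(q, "->", device_only_auth(q, "mac", profile))
```

The `reason` string is the piece a defender wants in the generated log: it distinguishes a device that was accepted because filtering was off from one that actually matched the device list.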

REST API enhancements

In preparation for an upcoming AaaS feature called FortiAuthentication Service (FAS), the REST API is enhanced to handle pushauth requests originating from FAS clients.

Configurable password renewal notification (376122)

Password renewal notification timing is now configurable. Password renewal notifications were previously hard-coded to be sent 14 days, 7 days, 3 days, and 1 day before password expiry.

The new option to configure password renewal notifications to any other combination (other than the defaults of 14, 7, 3, and 1) can be found under Authentication > User Account Policies > Passwords > User Password Renewal Policy.

Remote logging using IPv6 (424243)

Added support for IPv6 remote logging through FortiAnalyzer and Syslog.

FSSO: IPv6 support (367159)

Added support for injection of IPv6 addresses using Syslog-to-FSSO and API-to-FSSO (the IPv6 addresses will no longer be rejected by the backend parsing engine).
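To show what "no longer rejected by the backend parsing engine" means in practice, here is an added example (not FortiAuthenticator code) of a logon-event parser in the IPv4-only style next to one that accepts both address families. The `user=`/`ip=` line format and the sample syslog lines are constructed for the example and are not a real FSSO or Syslog-to-FSSO format.

```python
"""Added example, not FortiAuthenticator code: IPv4-only vs dual-stack logon parsing."""
import ipaddress
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample lines in a simple key=value style (not a real FSSO format).
SAMPLE_LINES = [
    "Jan 10 12:00:01 dc1 logon: user=alice ip=192.0.2.10",
    "Jan 10 12:00:02 dc1 logon: user=bob ip=2001:db8::1",
    "Jan 10 12:00:03 dc1 logon: user=carol ip=not.an.address",
]

_KV_RE = re.compile(r"user=(?P<user>\S+)\s+ip=(?P<ip>\S+)")


def parse_logon_ipv4_only(line: str) -> Optional[Tuple[str, str]]:
    """Legacy-style parser: only a dotted quad is recognised, so IPv6 logons are dropped."""
    m = _KV_RE.search(line)
    if not m:
        return None
    if not re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", m["ip"]):
        return None  # this is where an IPv6 logon silently disappears
    return m["user"], m["ip"]


def parse_logon(line: str) -> Optional[Tuple[str, str]]:
    """Dual-stack parser: accepts IPv4 and IPv6, returns (user, canonical address)."""
    m = _KV_RE.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None  # malformed address: reject rather than inject garbage
    # str() canonicalises IPv6 (lowercase, zero-compressed), so lookups compare reliably.
    return m["user"], str(addr)


def build_fsso_table(lines: Iterable[str], parser=parse_logon) -> Dict[str, str]:
    """Map user -> address for every line the given parser accepts."""
    table: Dict[str, str] = {}
    for line in lines:
        rec = parser(line)
        if rec:
            table[rec[0]] = rec[1]
    return table


if __name__ == "__main__":
    print("IPv4-only:", build_fsso_table(SAMPLE_LINES, parse_logon_ipv4_only))
    print("dual-stack:", build_fsso_table(SAMPLE_LINES))
```

With the IPv4-only parser, bob's IPv6 logon never reaches the identity table, so any policy keyed on his session simply does not apply; the dual-stack parser keeps it and still rejects carol's malformed address.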

FTM: New PIN policy option

Two new options for PIN policy are now offered (in addition to the "Not required" option) under System > Administration > FortiGuard > FortiToken Mobile Provisioning:

  • Required:
    Users may set an App PIN and may delete it. If the user does not set an App PIN, or deletes it, FTM opens without any App protection.
  • Enforced:
    Users must set an App PIN and cannot delete it. The user is always asked to enter the App PIN or TouchID, depending on the settings in the App.