Authentication

FortiProxy units support the use of external authentication servers. An authentication server can provide password checking for selected FortiProxy users, or it can be added as a member of a FortiProxy user group.

If you are going to use authentication servers, you must configure the servers before you configure the FortiProxy users or user groups that require them.

This chapter covers the following topics:

Single Sign-On

Fortinet units use security policies to control access to resources based on user groups configured in the policies. Each Fortinet user group is associated with one or more Directory Service user groups. When a user logs in to the Windows or Novell domain, an FSSO agent sends the user’s IP address, and the names of the Directory Service user groups that the user belongs to, to the FortiProxy unit.

The FSSO agent has two components that must be installed on your network:

The unit uses this information to maintain a copy of the domain controller user group database. Because the domain controller authenticates users, the unit does not perform authentication. It recognizes group members by their IP address. You must install the FSSO agent on the network and configure the unit to retrieve information from the Directory Service server.

To manage single sign-on (SSO) servers, go to User & Device > Single Sign-On.

Right-click on any column heading to select which columns are displayed or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New Create a new FSSO server. See To create a new SSO server:.
Edit Edit an FSSO server. See To edit an SSO server:.
Delete Delete an FSSO server or servers. See To delete a server or servers:.
Name The name of the FSSO server.
Type An icon representing the type of server. Hover your cursor over the icon to view the type.
LDAP Server The LDAP server associated with the FSSO server.
Users/Groups The users and groups associated with the server.
FSSO Agent IP/Name The IP address or name of the FSSO agent.
Status The status of the FSSO server.
Ref. Displays the number of times the object is referenced to other objects.

To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.
To create a new SSO server:
  1. In the single sign-on server list, select Create New from the toolbar.
    The New Single Sign-On Server page opens.
  2. Select the type of server that will be created in the Type area. One of: Poll Active Directory Server, Fortinet Single Sign-On Agent, or RADIUS Single Sign-On Agent.
    Only one RADIUS single sign-on agent can be created on the FortiProxy device.
  3. Enter the following information, depending on the type selected:
    Poll Active Directory Server
    Server IP/Name If you selected Poll Active Directory Server, enter the server name or IP address.
    User If you selected Poll Active Directory Server, enter the user name.
    Password If you selected Poll Active Directory Server, enter the password for the user.
    LDAP Server If you selected Poll Active Directory Server, select an LDAP server from the drop-down list to access the Directory Service. To add an LDAP server, see To add a new LDAP server:.
    Enable Polling If you selected Poll Active Directory Server, select this option to enable polling.
    Users/Groups If you selected Poll Active Directory Server and selected an LDAP server, view or edit the users, groups, and organizational units associated with the server.
    Fortinet Single Sign-On Agent
    Name If you selected Fortinet Single Sign-On Agent, enter a name for the agent.
    Primary FSSO Agent If you selected Fortinet Single Sign-On Agent, enter the server IP address or name for the primary agent. Then enter the password in the Password field.

    Select + to add up to four more FSSO agents.

    Enter the IP address or name of the Directory Service server where the collector agent is installed. The maximum number of characters is 63.
    Then enter the password for the collector agent. This is required only if you configured your FSSO collector agent to require authenticated access.
    Collector Agent AD access mode If you selected Fortinet Single Sign-On Agent, select Standard or Advanced for the Collector agent AD access mode.

    The Collector agent has two ways to access Active Directory user information. The main difference between Standard and Advanced mode is the naming convention used when referring to user name information.

    Standard mode uses the regular Windows convention: Domain\Username. Advanced mode uses the LDAP convention: CN=User, OU=Name, DC=Domain.

    If there is no special requirement to use LDAP, best practice is to set up FSSO in Standard mode. This mode is easier to set up and is usually easier to maintain and troubleshoot.

    Standard and Advanced modes have the same level of functionality, with the following exceptions:
    • In Standard mode, users have to create group filters on the Collector agent. This differs from Advanced mode, where group filters are configured from the FortiProxy unit. Fortinet strongly encourages users to create filters from the Collector agent.
    • Advanced mode supports nested or inherited groups. This means that a user can be a member of multiple monitored groups. Standard mode does not support nested groups, so a user must be a direct member of the group being monitored.
    Users/Groups If you selected Fortinet Single Sign-On Agent, select Apply & Refresh to update the Collector agent group filters and then select View to see the Collector agent group filters.

    This option is available only if you selected Standard mode.
    LDAP Server If you selected Fortinet Single Sign-On Agent, select an LDAP server from the drop-down list to access the Directory Service. After you select an LDAP server, you can view or edit the users, groups, and organizational units associated with the server.

    This option is available only if you selected Advanced mode.
    RADIUS Single Sign-On Agent
    Name If you selected RADIUS Single Sign-On Agent, enter the name of the RADIUS single sign-on agent.
    Use RADIUS Shared Secret If you selected RADIUS Single Sign-On Agent, enable Use RADIUS Shared Secret to use the RADIUS shared secret and then enter the shared secret in the field.
    Send RADIUS Responses If you selected RADIUS Single Sign-On Agent, enable Send RADIUS Responses to send RADIUS responses.
  4. Select OK to create the new single sign-on server.
To edit an SSO server:
  1. Select the server you want to edit and then select Edit from the toolbar or double-click on the server in the server list. The Edit Single Sign-On Server window opens.
  2. Edit the server information as required and select OK to apply your changes.
To delete a server or servers:
  1. Select the server or servers that you want to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected server or servers.

LDAP servers

LDAP is an Internet protocol used to maintain authentication data that can include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network protocol.

To manage LDAP servers, go to User & Device > LDAP Servers.

Right-click on any column heading to select which columns are displayed or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New Create a new LDAP server. See To add a new LDAP server:.
Edit Edit an LDAP server. See To edit an LDAP server:.
Clone Make a copy of an LDAP server. See To clone an LDAP server:.
Delete Delete a server or servers. See To delete a server or servers:.
Search Enter a search term to search the LDAP server list.
Name The name that identifies the LDAP server on the Fortinet unit.
Server The domain name or IP address of the LDAP server.
Port The TCP port used to communicate with the LDAP server. By default, LDAP uses port 389.
Common Name Identifier The common name identifier for the LDAP server.
Distinguished Name The base distinguished name for the server using the correct X.500 or LDAP format. The unit passes this distinguished name unchanged to the server.
Ref. Displays the number of times the object is referenced to other objects.

To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.
To add a new LDAP server:
  1. In the LDAP server list, select Create New from the toolbar.
    The Create LDAP Server window opens.

  2. Configure the following:
    Name Enter the name that identifies the LDAP server on the FortiProxy unit.
    Server IP/Name Enter the domain name or IP address of the LDAP server.
    Server Port Enter the TCP port used to communicate with the LDAP server. By default, LDAP uses port 389.
    If you use a secure LDAP server, the default port changes if you select Secure Connection.
    Common Name Identifier Enter the common name identifier for the LDAP server. The maximum number of characters is 20.
    Distinguished Name Enter the base distinguished name for the server using the correct X.500 or LDAP format. The unit passes this distinguished name unchanged to the server. The maximum number of characters is 512. You can also select Browse to contact the specified LDAP server and retrieve the distinguished name.
    Bind Type

    Select the type of binding for LDAP authentication.

    • Simple: Connect directly to the LDAP server with user name/password authentication.
    • Anonymous: Connect as an anonymous user on the LDAP server and then retrieve the user name/password and compare them to given values.
    • Regular: Connect to the LDAP server directly with user name and password and then receive acceptance or rejection based on search of given values. Enter the user name and password of the user to be authenticated in the Username and Password fields.
    Secure Connection Enable to use a secure LDAP server connection for authentication.
    Protocol

    If you enabled Secure Connection, select a secure LDAP protocol to use for authentication, either STARTTLS or LDAPS.
    Depending on your selection, the server port changes to the default port for the selected protocol:

    • STARTTLS: port 389
    • LDAPS: port 636
    Certificate If you enabled Secure Connection, select a certificate to use for authentication from the list.
    Test Connectivity Select Test Connectivity to test if the LDAP server can be contacted.
  3. Select OK to create the new LDAP server.
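The following Python example, added here and not part of FortiProxy or the original page, shows what the Common Name Identifier, Distinguished Name and Bind Type fields translate into on the wire: the bind DN for a Simple bind, the search filter for Anonymous and Regular binds, and the escaping that keeps a crafted user name from altering either. The attribute names, base DN and service account DN used below are assumed values.

```python
"""Added example (not FortiProxy code): how the Common Name Identifier,
Distinguished Name and Bind Type combine into LDAP operations, with the
user-supplied login escaped per RFC 4514 (DNs) and RFC 4515 (filters)."""

# Characters RFC 4514 requires to be backslash-escaped inside a DN value.
_DN_SPECIAL = set('"+,;<>\\')
# Characters RFC 4515 requires to be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)            # leading '#', leading/trailing space
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))   # control characters, including NUL
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for a search filter (RFC 4515 section 3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def simple_bind_dn(cn_identifier: str, base_dn: str, username: str) -> str:
    """Simple bind: the unit binds directly as <cnid>=<user>,<base DN>.
    Without escaping, 'alice,ou=admins' would change which entry is bound."""
    return f"{cn_identifier}={escape_dn_value(username)},{base_dn}"


def user_search_filter(cn_identifier: str, username: str) -> str:
    """Anonymous/Regular bind: the unit first searches for the user's entry.
    Without escaping, '*)(objectClass=*' would match every entry."""
    return f"({cn_identifier}={escape_filter_value(username)})"


def bind_plan(bind_type, cn_identifier, base_dn, username, service_dn=""):
    """Return the ordered LDAP operations implied by each Bind Type on the page
    (the usual search-then-bind sequence). Passwords are supplied at bind
    time and never placed in the plan."""
    if bind_type == "simple":
        return [("bind", simple_bind_dn(cn_identifier, base_dn, username))]
    if bind_type == "anonymous":
        first = ("bind", "")                      # anonymous bind, no credentials
    elif bind_type == "regular":
        first = ("bind", service_dn)              # the configured Username/Password
    else:
        raise ValueError(f"unknown bind type: {bind_type}")
    return [first,
            ("search", base_dn, user_search_filter(cn_identifier, username)),
            ("bind", "<DN returned by the search>")]   # then bind as the found entry


if __name__ == "__main__":
    # Assumed values: attribute 'sAMAccountName', base DN 'dc=example,dc=com'.
    for login in ("alice", "alice,ou=admins", "*)(objectClass=*"):
        print(simple_bind_dn("cn", "dc=example,dc=com", login))
        print(user_search_filter("sAMAccountName", login))
```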
To edit an LDAP server:
  1. Select the LDAP server you want to edit and then select Edit from the toolbar or double-click on the server in the server table.
    The Edit LDAP Server window opens.
  2. Edit the server information as required and select OK to apply your changes.
To clone an LDAP server:
  1. Select the LDAP server that you want to clone.
  2. Select Clone from the toolbar.
  3. Enter a name for the cloned LDAP server in the dialog box and then select OK.
    The LDAP server list opens with the clone added.
  4. Edit the clone as needed.
To delete a server or servers:
  1. Select the server or servers that you want to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected server or servers.

RADIUS servers

RADIUS is a broadly supported client server protocol that provides centralized authentication, authorization, and accounting functions. RADIUS clients are built into gateways that allow access to networks such as Virtual Private Network (VPN) servers, Network Access Servers (NASs), as well as network switches and firewalls that use authentication. FortiProxy units fall into the last category.

RADIUS servers use UDP packets to communicate with the RADIUS clients on the network to do the following:

RADIUS servers are currently defined by RFC 2865 (RADIUS) and RFC 2866 (Accounting). They listen for requests on either UDP ports 1812 (authentication) and 1813 (accounting) or ports 1645 (authentication) and 1646 (accounting). RADIUS servers exist for all major operating systems.

You must configure the RADIUS server to accept the FortiProxy unit as a client. FortiProxy units use the authentication and accounting functions of the RADIUS server.

When a configured user attempts to access the network, the FortiProxy unit forwards the authentication request to the RADIUS server, which then matches the user name and password remotely. After authentication succeeds, the RADIUS server passes the Authorization Granted message to the FortiProxy unit, which then grants the user permission to access the network.

The RADIUS server uses a “shared secret” key, along with MD5 hashing, to encrypt information passed between RADIUS servers and clients, including the FortiProxy unit. Typically, only user credentials are encrypted.
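The RFC 2865 arithmetic behind the shared secret and MD5 hashing described above, as an added Python example (not FortiProxy or Fortinet code): the client hides the User-Password with an MD5 keystream derived from the secret, and checks the Response Authenticator on the reply before trusting it. The secret, user name, password and NAS address are constructed.

```python
"""RFC 2865 User-Password hiding and Response Authenticator check, as a
RADIUS client such as FortiProxy would perform them (constructed values)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types from RFC 2865; NAS-IP-Address is type 4.
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is an MD5 keystream, not authenticated encryption,
    and only this one attribute is hidden; everything else is sent in clear."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; padding NULs are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ s for h, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header octets."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attributes(data: bytes) -> list:
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_access_request(identifier, secret, username, password, nas_ip, request_auth=None):
    """Client (NAS) side. The Request Authenticator must be fresh and
    unpredictable for every request; it seeds the password keystream."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs

def build_response(code, identifier, attrs, request_auth, secret):
    """Server side, RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes):
    """Client side: returns (code, authentic). A reply that fails this check
    must be dropped, or anyone on the path could forge an Access-Accept."""
    if len(packet) < 20:
        return None, False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return code, False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return code, hmac.compare_digest(expected, packet[4:20])

def exchange(secret, username, password, nas_ip, request_auth=None):
    """Full round trip: the NAS sends Access-Request, the server reveals the
    password and answers Access-Accept (the page's "Authorization Granted")
    or Access-Reject, and the NAS verifies the reply before trusting it.
    The server's user database is stood in for by the same password."""
    req = build_access_request(7, secret, username, password, nas_ip, request_auth)
    request_auth = req[4:20]
    attrs = dict(parse_attributes(req[20:]))
    revealed = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if revealed == password else ACCESS_REJECT
    reply = build_response(code, req[1], b"", request_auth, secret)
    return verify_response(reply, request_auth, secret)
```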

To manage RADIUS servers, go to User & Device > RADIUS Servers.

Right-click on any column heading to select which columns are displayed or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New Create a new RADIUS server. See To add a new RADIUS server:.
Edit Edit a RADIUS server. See To edit a RADIUS server:.
Clone Make a copy of a RADIUS server. See To clone a RADIUS server:.
Delete Delete a server or servers. See To delete a server or servers:.
Search Enter a search term to search the RADIUS server list.
Name The name that identifies the RADIUS server on the unit.
Server IP/Name The domain name or IP address of the primary and, if applicable, secondary, RADIUS server.
Ref. Displays the number of times the object is referenced to other objects.

To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.
To add a new RADIUS server:
  1. In the RADIUS server list, select Create New from the toolbar.
    The New RADIUS Server window opens.

  2. Configure the following:
    Name Enter the name that is used to identify the RADIUS server on the FortiProxy unit.
    Primary Server IP/Name Enter the domain name or IP address of the primary RADIUS server.
    Primary Server Secret Enter the RADIUS server secret key for the primary RADIUS server. The primary server secret key length can be up to a maximum of 16 characters.
    For security reasons, it is recommended that the server secret key be the maximum length.
    Test Connectivity Select Test Connectivity to test if the primary and secondary RADIUS servers can be contacted using the domain name or IP address and secret provided.
    Secondary Server IP/Name Enter the domain name or IP address of the secondary RADIUS server, if applicable.
    Secondary Server Secret Enter the RADIUS server secret key for the secondary RADIUS server. The secondary server secret key can be up to a maximum length of 16 characters.
    Authentication Method Select Default to authenticate with the default method.

    Select Specify to override the default authentication method and then select the protocol from the list: MSCHAP-v2, MS-CHAP, CHAP, or PAP.
    NAS IP Optionally, enter the NAS IP address (RADIUS Attribute 31, outlined in RFC 2548).

    In this configuration, the FortiProxy unit is the NAS, which is how the RADIUS server identifies the clients that use its records.

    If you do not enter an IP address, the IP address that the Fortinet interface uses to communicate with the RADIUS server is applied.
    Include in every User Group Enable to have the RADIUS server automatically included in all user groups.
  3. Select OK to create the new RADIUS server.
To edit a RADIUS server:
  1. Select the RADIUS server you want to edit and then select Edit from the toolbar or double-click on the server in the server table.

    The Edit RADIUS Server window opens.
  2. Edit the server information as required and select OK to apply your changes.
To clone a RADIUS server:
  1. Select the RADIUS server that you want to clone.
  2. Select Clone from the toolbar.
  3. Enter a name for the cloned RADIUS server in the dialog box and then select OK.
    The RADIUS server list opens with the clone added.
  4. Edit the clone as needed.
To delete a server or servers:
  1. Select the server or servers that you want to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected server or servers.

TACACS+ servers

TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices through one or more centralized servers. TACACS+ allows a client to accept a user name and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies the user access to the network.

TACACS+ offers fully encrypted packet bodies and supports both IP and AppleTalk protocols. TACACS+ uses TCP port 49, which is seen as more reliable than RADIUS’s UDP.
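An added Python example (not FortiProxy or Fortinet code) of the RFC 8907 body obfuscation behind the encrypted packet bodies described above, built around a PAP authentication START packet. The session id, key, user and password are constructed; the block also shows what goes on the wire when no key is configured and the body is flagged as unencrypted.

```python
"""RFC 8907 TACACS+ packet framing and body obfuscation. Every body is XORed
with an MD5 pseudo-random pad derived from the session id, the shared key,
the version byte and the sequence number (constructed values throughout)."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major 0xc, minor 0, one byte on the wire
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in the clear: never in production
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
# authen_type codes for the methods the page lists (RFC 8907 section 5.1).
TAC_PLUS_AUTHEN_TYPE = {"ascii": 0x01, "pap": 0x02, "chap": 0x03, "mschap": 0x05}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id | key | version | seq_no);
    MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1}); concatenate."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pad; applying it a second time restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, authen_type, data=b"", priv_lvl=1):
    """Authentication START body. With PAP the 'data' field carries the
    password, so without the pad it would cross the network in clear text;
    with ASCII the password is sent later in a CONTINUE packet."""
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE[authen_type], TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(ptype, seq_no, session_id, body, key, version=TAC_PLUS_VERSION):
    """Frame one packet. An empty key is what a missing server secret
    produces: the body goes out unprotected and flagged as such."""
    flags = 0
    if key:
        body = obfuscate(body, session_id, key, version, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + body


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Return the header fields and the recovered body. A 'cleartext' of True
    tells a defender the peer did not protect the body at all."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError("length field does not match body")
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    if not cleartext:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "cleartext": cleartext, "body": body}
```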

By default, the TACACS+ Servers option is not visible unless you add a server using the following CLI commands:

config user tacacs+
   edit <name>
      set server <IP>
   next
end

To manage TACACS+ servers, go to User & Device > TACACS+ Servers.

Right-click on any column heading to select which columns are displayed or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New Create a new TACACS+ server. See To add a new TACACS+ server:.
Edit Edit a TACACS+ server. See To edit a TACACS+ server:.
Clone Make a copy of a TACACS+ server. See To clone a TACACS+ server:.
Delete Delete a server or servers. See To delete a TACACS+ server or servers:.
Search Enter a search term to search the TACACS+ server list.
Name The name that identifies the TACACS+ server on the unit.
Server The domain name or IP address of the TACACS+ server.
Authentication Type The authentication protocol used by the server.
Ref. Displays the number of times the object is referenced to other objects.

To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.

There are several different authentication protocols that TACACS+ can use during the authentication process.

ASCII Machine-independent technique that uses representations of English characters. Requires user to type a user name and password that are sent in clear text (unencrypted) and matched with an entry in the user database, which is stored in ASCII format.
PAP Password Authentication Protocol (PAP). Used to authenticate PPP connections. Transmits passwords and other user information in clear text.
CHAP Challenge-Handshake Authentication Protocol (CHAP). Provides the same functionality as PAP but is more secure because it does not send the password and other user information over the network to the security server.
MSCHAP Microsoft Challenge-Handshake Authentication Protocol v1 (MS-CHAP). Microsoft-specific version of CHAP.
Auto The default protocol configuration, Auto, uses PAP, MSCHAP, and CHAP, in that order.
To add a new TACACS+ server:
  1. In the TACACS+ server list, select Create New from the toolbar.
    The New TACACS+ Server window opens.
  2. Configure the following:
    Name Enter the name of the TACACS+ server.
    Server IP/Name Enter the server domain name or IP address of the TACACS+ server.
    Server Secret Enter the key to access the TACACS+ server. The server key can be a maximum of 16 characters in length.
    Authentication Type Select the authentication type to use for the TACACS+ server: Auto, MSCHAP, CHAP, PAP, or ASCII.

    Auto authenticates using PAP, MSCHAP, and CHAP, in that order.
  3. Select OK to create the new TACACS+ server.
To edit a TACACS+ server:
  1. Select the TACACS+ server you want to edit and then select Edit from the toolbar or double-click on the server in the server table.

    The Edit TACACS+ Server window opens.
  2. Edit the server information as required and select OK to apply your changes.
To clone a TACACS+ server:
  1. Select the TACACS+ server that you want to clone.
  2. Select Clone from the toolbar.
  3. Enter a name for the cloned TACACS+ server in the dialog box and then select OK.

    The TACACS+ server list opens with the clone added.
  4. Edit the clone as needed.
To delete a TACACS+ server or servers:
  1. Select the TACACS+ server or servers that you want to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected TACACS+ server or servers.

Kerberos authentication service

Kerberos authentication is a method for authenticating both explicit web proxy and transparent web proxy users. It has several advantages over NTLM challenge response:

To configure Kerberos authentication service, go to User & Device > Kerberos.

Right-click on any column heading to select which columns are displayed or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New Create a new Kerberos authentication service. See To add a new Kerberos authentication service:.
Edit Edit a Kerberos authentication service. See To edit the Kerberos authentication service:.
Delete Delete a Kerberos authentication service or services. See To delete the Kerberos authentication service or services:.
Name The name of the Kerberos authentication service.
Principal The server domain name of the Kerberos authentication service.
LDAP Server The name of the LDAP server used for authorization.
Ref. Displays the number of times the object is referenced to other objects.

To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.
To add a new Kerberos authentication service:
  1. In the Kerberos service list, select Create New from the toolbar.
    The New Kerberos window opens.

  2. Configure the following:
    Name Enter the name of the Kerberos authentication service.
    Principal Enter the server domain name of the Kerberos authentication service.
    LDAP Server Enter the name of the LDAP server used for authorization.
    Keytab File Select Upload and then navigate to the file that contains the shared secret.

    Use the ktpass command (found on Windows servers and many domain workstations) to generate the Kerberos keytab.
  3. Select OK to create the new Kerberos authentication service.
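An added Python check, not FortiProxy or Fortinet code, for the keytab before you upload it: it parses the MIT keytab format that ktpass writes (version 0x0502) and confirms the file holds a key for the principal the proxy will present and no weak encryption types. The sample keytab is constructed inside the block, and the principal HTTP/proxy.example.com@EXAMPLE.COM and its realm are assumed values.

```python
"""Parse and sanity-check a Kerberos keytab (MIT format, version 0x0502)
before uploading it as the Keytab File. Sample data is constructed."""
import struct

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
                 23: "rc4-hmac", 3: "des-cbc-md5"}
STRONG_ENCTYPES = {17, 18, 19, 20}


def _counted(data: bytes) -> bytes:
    return struct.pack("!H", len(data)) + data


def _read_counted(buf: bytes, pos: int):
    (n,) = struct.unpack("!H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def write_keytab(entries) -> bytes:
    """Serialize (principal, enctype, key, kvno) tuples in the layout ktpass
    produces; used here only to construct a sample file. Timestamp is 0."""
    out = struct.pack("!H", KEYTAB_VERSION)
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack("!H", len(components)) + _counted(realm.encode())
        for component in components:
            body += _counted(component.encode())
        body += struct.pack("!IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, time, vno8
        body += struct.pack("!H", enctype) + _counted(key)
        body += struct.pack("!I", kvno)                                 # 32-bit kvno extension
        out += struct.pack("!i", len(body)) + body
    return out


def read_keytab(data: bytes) -> list:
    """Parse entries; a negative size marks a deleted slot and is skipped."""
    (version,) = struct.unpack("!H", data[:2])
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack("!i", data[pos:pos + 4])
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            component, pos = _read_counted(data, pos)
            components.append(component.decode())
        _name_type, timestamp, vno8 = struct.unpack("!IIB", data[pos:pos + 9])
        pos += 9
        (enctype,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        key, pos = _read_counted(data, pos)
        # The 8-bit vno wraps; prefer the 32-bit kvno when the entry carries it.
        kvno = struct.unpack("!I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(components) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno,
                        "key_length": len(key), "timestamp": timestamp})
        pos = end
    return entries


def check_keytab(data: bytes, expected_principal: str) -> list:
    """Return a list of problems; an empty list means the keytab is fit to
    upload. The kvno must also match the account's current kvno in AD:
    every ktpass run increments it, so re-upload after regenerating."""
    problems = []
    entries = read_keytab(data)
    if not any(e["principal"] == expected_principal for e in entries):
        problems.append(f"no key for {expected_principal}")
    for e in entries:
        if e["enctype"] not in STRONG_ENCTYPES:
            problems.append(f"{e['principal']} kvno {e['kvno']} uses weak enctype "
                            f"{ENCTYPE_NAMES.get(e['enctype'], e['enctype'])}")
    return problems


# Constructed sample: an AES-256 key and a legacy RC4 key for the same principal.
SAMPLE_KEYTAB = write_keytab([
    ("HTTP/proxy.example.com@EXAMPLE.COM", 18, bytes(32), 3),
    ("HTTP/proxy.example.com@EXAMPLE.COM", 23, bytes(16), 3),
])
```

On a real file, read it with open(path, "rb") and pass the bytes to check_keytab together with the Principal configured on the unit.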
To edit the Kerberos authentication service:
  1. Select the Kerberos authentication service you want to edit and then select Edit from the toolbar or double-click on the service in the service table.
    The Edit Kerberos window opens.
  2. Edit the service information as required and select OK to apply your changes.
To delete the Kerberos authentication service or services:
  1. Select the Kerberos service or services that you want to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected Kerberos service or services.

Authentication schemes

When you combine authentication rules and schemes, you have granular control over users and IP addresses, creating an efficient process for users to successfully match the criteria before matching the policy.

To manage authentication schemes, go to User & Device > Scheme.

Right-click on any column heading to select which columns are displayed or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New Create a new authentication scheme. See To create an authentication scheme:.
Edit Edit an authentication scheme. See To edit an authentication scheme:.
Delete Delete an authentication scheme or schemes. See To delete an authentication scheme or schemes:.
Name The name of the authentication scheme.
Method The authentication method: NTLM, Basic, Digest, Form-based, Negotiate, saml, or Fortinet Single Sign-On (FSSO).
User Database The name of the user database or local.
Ref. Displays the number of times the object is referenced to other objects.

To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.
To create an authentication scheme:
  1. In the authentication scheme list, select Create New from the toolbar.
    The Create Authentication Scheme window opens.

  2. Configure the following:
    Name Enter the name of the authentication scheme.
    Method Select the authentication method: NTLM, Basic, Digest, Form-based, Negotiate, saml, or Fortinet Single Sign-On (FSSO).

    For agentless NTLM authentication, see Agentless NTLM support.
  3. Select OK to create the new authentication scheme.
To edit an authentication scheme:
  1. Select the authentication scheme you want to edit and then select Edit from the toolbar or double-click on the scheme in the scheme table.
    The Edit Authentication Scheme window opens.
  2. Edit the scheme information as required and select OK to apply your changes.
To delete an authentication scheme or schemes:
  1. Select the scheme or schemes that you want to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected scheme or schemes.
To create an authentication scheme in the CLI:

config authentication scheme
   edit <name>
      set method {basic|digest|ntlm|form|negotiate|fsso|rsso|saml|ssh-publickey}
      set fsso-guest {enable | disable}
      set user-database {name | local}
   next
end

The following methods are available:

Agentless NTLM support

Agentless NTLM authentication can be configured directly from the FortiProxy unit to the Domain Controller using the SMB protocol (no agent is required).

This authentication method is only supported for proxy policies.

Syntax

The set domain-controller command is only available when method is set to ntlm and/or negotiate-ntlm is set to enable.

config authentication scheme
   edit <name>
      set method ntlm
      set domain-controller <dc-setting>
   next
end

config user domain-controller
   edit <name>
      set ip-address <dc-ip>
      set port <port> (default = 445)
      set domain-name <dns-name>
      set ldap-server <name>
   next
end

Authentication rules

Authentication rules are used to receive user identity, based on the values set for the protocol and source address. If a rule fails to match based on the source address, there will be no other attempt to match the rule; however, the next policy will be attempted. This occurs only when:

After a rule is positively matched through the protocol and/or source address, the authentication is checked (with active-auth-method and sso-auth-method). These methods point to schemes, as defined under config authentication scheme.

To manage authentication rules, go to User & Device > Authentication Rule.

Right-click on any column heading to select which columns are displayed or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New Create a new authentication rule. See To create an authentication rule:.
Edit Edit an authentication rule. See To edit an authentication rule:.
Delete Delete an authentication rule or rules. See To delete an authentication rule or rules:.
Name The name of the authentication rule.
Status Whether the rule is enabled or disabled.
Original Address The source address.
Ref. Displays the number of times the object is referenced to other objects.

To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.
To create an authentication rule:
  1. In the authentication rule list, select Create New from the toolbar.
    The Create Authentication Rule window opens.

  2. Configure the following:
    Name Enter the name of the authentication rule.
    Status Enable or disable the authentication rule.
    Protocol Select which protocol is matched for the rule.
    Original Address Select the source IPv4 address or addresses, all, or none.
    Source Address IPv6 Select the source IPv6 address or addresses, all, or none.
    IP Based Enable or disable IP-based authentication.
    Default Authentication Method If you want to use the default authentication method, enable the slider and then select the authentication scheme.

    To create an authentication scheme, see To create an authentication scheme:.
    Web Authentication Cookie Enable or disable the web authentication cookie.
    Transaction Based Enable or disable transaction-based authentication.
    Comments Optionally enter a description of the rule.
  3. Select OK to create the new authentication rule.
To edit an authentication rule:
  1. Select the authentication rule you want to edit and then select Edit from the toolbar or double-click on the rule in the rule table.
    The Edit Authentication Rule window opens.
  2. Edit the rule information as required and select OK to apply your changes.
To delete an authentication rule or rules:
  1. Select the rule or rules that you want to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected rule or rules.
To set the authentication rule in the CLI:

config authentication rule
   edit <name of rule>
      set status [enable|disable]
      set protocol [http|ftp|socks|ssh]
      set srcaddr <name of address object>
      set srcaddr6 <name of address object>
      set ip-based [enable|disable]
      set active-auth-method <string>
      set sso-auth-method <string>
      set comments <string>
   next
end

Proxy authentication settings

This submenu provides settings for configuring authentication timeout, protocol support, authentication certificates, authentication schemes, and captive portals. When user authentication is enabled within a security policy, the authentication challenge is normally issued for any of the four protocols (depending on the connection protocol):

The selections control which protocols support the authentication challenge. Users must connect with a supported protocol first so that they can subsequently connect with other protocols. If HTTPS is selected as a method of protocol support, the user can authenticate with a customized local certificate.

When you enable user authentication within a security policy, the security policy user is challenged to authenticate. For user ID and password authentication, users must provide their user names and passwords. For certificate authentication (HTTPS or HTTP redirected to HTTPS only), you can install customized certificates on the unit, and the users can also have customized certificates installed on their browsers. Otherwise, users will see a warning message and have to accept a default Fortinet certificate.

To configure proxy authentication settings, go to User & Device > Proxy Authentication Settings.

Configure the following settings and then select Apply to save your changes:

Authentication Timeout Enter the amount of time, in minutes, that an authenticated firewall connection can be idle before the user must authenticate again. From 1 to 480 minutes. The default is 5.
Protocol Support

Select the protocols to challenge during firewall user authentication from the following:

  • HTTP
  • HTTPS
  • FTP
  • Telnet
Certificate If you want to use a local certificate for authentication, enable Certificate and then select the certificate. The default is Fortinet_Factory.
Active Auth Scheme If you want to use an active authentication scheme, enable Active Auth Scheme and then select which scheme to use.

To create an authentication scheme, see To create an authentication scheme:.
SSO Auth Scheme If you want to use a single-sign-on authentication scheme, enable SSO Auth Scheme and then select which scheme to use.

To create an authentication scheme, see To create an authentication scheme:.
Captive Portal If you want to use a captive portal to authenticate web users, enable Captive Portal, select which web page to use, and enter the port number.
To configure the authentication settings in the CLI:

config authentication setting
set active-auth-scheme <string>
set sso-auth-scheme <string>
set captive-portal <string>
set captive-portal-port <integer value from 1 to 65535; default is 0>
end

FortiTokens

FortiToken is a disconnected one-time password (OTP) generator. It is a small physical device with a button that, when pressed, displays a six-digit authentication code. This code is entered along with the user's username and password as the second factor of two-factor authentication. The code displayed changes every 60 seconds, and, when not in use, the LCD screen is blanked to extend battery life.

There is also a mobile phone application, FortiToken Mobile, that performs much the same function.

FortiTokens have a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around the neck, or easily stored with other electronic devices. Do not put the FortiToken on a key ring as the metal ring and other metal objects can damage it. The FortiToken is an electronic device like a cell phone and must be treated with similar care.

Any time information about the FortiToken is transmitted, it is encrypted. When the FortiProxy unit receives the code that matches the serial number of a particular FortiToken, the code is delivered and stored encrypted. This is in keeping with Fortinet's commitment to keeping your network highly secured.

FortiTokens can be added to user accounts that are local, IPsec VPN, SSL VPN, and even Administrators. See Associating FortiTokens with accounts.

A FortiToken can be associated with only one account on one FortiProxy unit.

If a user loses the FortiToken, it can be locked out using the FortiProxy unit so it will not be used to falsely access the network. Later if found, that FortiToken can be unlocked on the FortiProxy unit to allow access once again. See FortiToken maintenance.

There are three tasks to complete before FortiTokens can be used to authenticate accounts:

  1. Adding FortiTokens to the FortiProxy unit
  2. Activating a FortiToken on the FortiProxy unit
  3. Associating FortiTokens with accounts

In addition, this section includes the following:

  • The FortiToken authentication process
  • FortiToken maintenance
  • FortiToken Mobile Push

The FortiToken authentication process

The following are the steps during FortiToken two-factor authentication:

  1. The user attempts to access a network resource.
  2. The FortiProxy unit matches the traffic to an authentication security policy, and the FortiProxy unit prompts the user for user name and password.
  3. The user enters the user name and password.
  4. The FortiProxy unit verifies the information, and, if valid, prompts the user for the FortiToken code.
  5. The user gets the current code from their FortiToken device.
  6. The user enters current code at the prompt.
  7. The FortiProxy unit verifies the FortiToken code, and, if valid, allows access to the network resources such as the Internet.
    The following steps are needed only if the time on the FortiToken has drifted and needs to be re-synchronized with the time on the FortiProxy unit.
  8. If the time on the FortiToken has drifted, the FortiProxy unit prompts the user to enter a second code to confirm.
  9. The user gets the next code from their FortiToken device.
  10. The user enters the second code at the prompt.
  11. The FortiProxy unit uses both codes to update its clock to match the FortiToken and then proceeds as in step 7.
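The two-factor flow above, including the two-code resynchronization of steps 8 to 11, as an added illustration that is not Fortinet's code or its published token algorithm. It assumes a generic RFC 6238 time-based OTP (HMAC-SHA1 over a 60-second step counter) with the six-digit, 60-second parameters the page gives, a constructed seed, and the hypothetical names TokenRecord, verify_code and resync for the server-side pieces.

```python
import hashlib
import hmac
import struct

# Parameters taken from the page's description of the FortiToken: a six-digit
# code that changes every 60 seconds. The algorithm below is generic RFC 6238
# TOTP (HMAC-SHA1 over a time-step counter); treating it as the token's
# algorithm is an assumption for illustration, not Fortinet's published design.
DIGITS = 6
STEP_SECONDS = 60
DRIFT_WINDOW = 3   # how many steps either side of "now" the server will consider


def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


def totp(seed: bytes, unix_time: int) -> str:
    """The code a token whose clock reads unix_time would display."""
    return hotp(seed, unix_time // STEP_SECONDS)


class TokenRecord:
    """Server-side state for one token: the shared seed and the clock drift learned so far."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.drift = 0   # whole steps the token's clock runs ahead (+) or behind (-) the server


def verify_code(token: TokenRecord, code: str, now: int) -> tuple:
    """Step 7 of the page. Returns (accepted, needs_resync).

    A code for the expected step (server time corrected by the stored drift) is
    accepted. A code that matches some other step inside DRIFT_WINDOW is not
    accepted on its own; the caller should prompt for a second code (step 8)
    and call resync(). Anything else is rejected outright.
    """
    expected = now // STEP_SECONDS + token.drift
    if hmac.compare_digest(hotp(token.seed, expected), code):
        return True, False
    for delta in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
        if delta and hmac.compare_digest(hotp(token.seed, expected + delta), code):
            return False, True
    return False, False


def resync(token: TokenRecord, first_code: str, second_code: str, now: int) -> bool:
    """Steps 8 to 11 of the page: two consecutive codes pin down the token's clock.

    `now` is the server time at which the first code was requested. The pair must
    match two consecutive counters inside the window; a single matching code is
    not enough, which is what makes the second prompt worth having.
    """
    base = now // STEP_SECONDS
    for delta in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
        counter = base + delta
        if (hmac.compare_digest(hotp(token.seed, counter), first_code)
                and hmac.compare_digest(hotp(token.seed, counter + 1), second_code)):
            token.drift = delta   # the token's clock is `delta` steps away from ours
            return True
    return False


if __name__ == "__main__":
    # Constructed scenario: a token whose clock runs two minutes fast.
    seed = b"constructed-demo-seed-not-a-real-token"
    record = TokenRecord(seed)
    server_time = 1_700_000_000
    token_time = server_time + 2 * STEP_SECONDS

    print(verify_code(record, totp(seed, token_time), server_time))          # (False, True)
    ok = resync(record, totp(seed, token_time),
                totp(seed, token_time + STEP_SECONDS), server_time)
    print(ok, record.drift)                                                   # True 2
    print(verify_code(record, totp(seed, token_time + STEP_SECONDS),
                      server_time + STEP_SECONDS))                            # (True, False)
```

The design point worth noticing is that a code matching a neighbouring step never grants access by itself: it only triggers the second prompt, and the stored drift changes only when two consecutive codes line up, so an attacker guessing one code inside the window gains nothing.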

When configured, the FortiProxy unit accepts the user name and password, authenticates them either locally or remotely, and prompts the user for the FortiToken code. The FortiProxy unit then authenticates the FortiToken code. When FortiToken authentication is enabled, the prompt field for entering the FortiToken code is automatically added to the authentication screens.

Even when an Administrator is logging in through a serial or Telnet connection and their account is linked to a FortiToken, that Administrator will be prompted for the token’s code at each login.

Note: If you have attempted to add invalid FortiToken serial numbers, there will be no error message. The serial numbers will simply not be added to the list.

Adding FortiTokens to the FortiProxy unit

Before one or more FortiTokens can be used to authenticate logons, they must be added to the FortiProxy unit. The import feature is used to enter many FortiToken serial numbers at one time. The serial number file must be a text file with one FortiToken serial number per line.

Caution: Both FortiToken Mobile and physical FortiTokens store their encryption seeds in the cloud; therefore, you can register them to only a single FortiProxy unit or FortiAuthenticator unit.

Because FortiToken-200CD seed files are stored on the CD, these tokens can be registered on multiple FortiProxy units and/or FortiAuthenticator units, but not simultaneously.
To manually add a FortiToken to the FortiProxy using the web-based manager:
  1. Go to User & Device > FortiTokens.
  2. Select Create New.
  3. In Type, select Hard Token or Mobile Token.
  4. Enter one or more FortiToken serial numbers (hard token) or activation codes (mobile token).
  5. Select OK.
Note: For a mobile token, you receive the activation code in the license certificate after you purchase a license.
To import multiple FortiTokens to the FortiProxy unit using the web-based manager:
  1. Go to User & Device > FortiTokens.
  2. Select Create New.
  3. In Type, select Hard Token.
  4. Select Import.
  5. Select Serial Number File or Seed File, depending on which file you have.
  6. Select Upload and browse to the local file location on your local computer.
  7. Select Open.
    The file is imported.
  8. Select OK.
To import FortiTokens to the FortiProxy unit from external sources using the CLI:

FortiToken seed files (both physical and mobile versions) can be imported from either FTP or TFTP servers, or a USB drive, allowing seed files to be imported from an external source more easily:

execute fortitoken import ftp <file name> <ip>[:ftp port] <Enter> <user> <password>
execute fortitoken import tftp <file name> <ip>
execute fortitoken import usb <file name>

Note: To import seed files for FortiToken Mobile, replace fortitoken with fortitoken-mobile.
To add two FortiTokens to the FortiProxy unit using the CLI:

config user fortitoken
edit <serial_number>
next
edit <serial_number2>
next
end

Activating a FortiToken on the FortiProxy unit

After one or more FortiTokens have been added to the FortiProxy unit, they must be activated before they can be associated with accounts. Activation involves the FortiProxy unit querying FortiGuard servers about the validity of each FortiToken. The serial number and related information are encrypted before being sent, for added security.

Note: A FortiProxy unit requires a connection to FortiGuard servers to activate a FortiToken.
To activate a FortiToken on the FortiProxy unit using the web-based manager:
  1. Go to User & Device > FortiTokens.
  2. Select one or more FortiTokens with a status of Available.
  3. Right-click the FortiToken entry and select Activate.
  4. Select Refresh.
    The status of selected FortiTokens will change to Activated.

The selected FortiTokens are now available for use with user and admin accounts.

To activate a FortiToken on the FortiProxy unit using the CLI:

config user fortitoken
edit <token_serial_number>
set status active
next
end

Associating FortiTokens with accounts

The final step before using the FortiTokens to authenticate logons is associating a FortiToken with an account. The accounts can be local user or administrator accounts.

You cannot delete a FortiToken from the FortiToken list page if it is associated with a user account.

To add a FortiToken to a local user account using web-based manager:
  1. Ensure that your FortiToken serial number has been added to the FortiProxy unit successfully, and its status is Available.
  2. Go to User & Device > User Definition, select the user account, and then select Edit User.
  3. Enter the userʼs Email Address.
  4. Enable Two-factor Authentication.
  5. Select the user's FortiToken serial number from the Token list.
  6. Select OK.
Note: For a mobile token, select Send Activation Code to send the code to the email address configured previously. The user will use this code to activate the mobile token. An Email Service must be configured under System > Advanced to send the activation code.
To add a FortiToken to a local user account using the CLI:

config user local
edit <username>
set type password
set passwd "myPassword"
set two-factor fortitoken
set fortitoken <serial_number>
set email-to "username@example.com"
set status enable
next
end

To add a FortiToken to an administrator account using the web-based manager:
  1. Ensure that your FortiToken serial number has been added to the FortiProxy unit successfully, and its status is Available.
  2. Go to System > Administrators , select admin, and then select Edit.
    This account is assumed to be configured except for two-factor authentication.
  3. Enter admin's Email Address.
  4. Enable Two-factor Authentication.
  5. Select the user's FortiToken serial number from the Token list.
  6. Select OK.
Note: For a mobile token, select Send Activation Code to send the code to the email address configured previously. The admin will use this code to activate the mobile token. An Email Service must be configured under System > Advanced to send the activation code.
To add a FortiToken to an administrator account using the CLI:

config system admin
edit <username>
set password "myPassword"
set two-factor fortitoken
set fortitoken <serial_number>
set email-to "username@example.com"
next
end

The fortitoken keyword is not visible until fortitoken is selected for the two-factor option.

Note: Before a new FortiToken can be used, you might need to synchronize it because of clock drift.

FortiToken maintenance

After FortiTokens are entered into the FortiProxy unit, there are only two tasks to maintain them—changing the status and synchronizing them if they drift.

To change the status of a FortiToken between Activated and Locked using the CLI:

config user fortitoken
edit <token_serial_num>
set status lock
next
end

Any user attempting to log in using this FortiToken will not be able to authenticate.

To list the drift on all FortiTokens configured on this FortiProxy unit using the CLI:

# diag fortitoken info
FORTITOKEN DRIFT STATUS
FTK2000BHV1KRZCC 0 token already activated, and seed won't be returned
FTK2001C5YCRRVEE 0 token already activated, and seed won't be returned
FTKMOB4B94972FBA 0 provisioned
FTKMOB4BA4BE9B84 0 new
Total activated token: 0
Total global activated token: 0
Token server status: reachable

This command lists the serial number and drift for each FortiToken configured on this FortiProxy unit. This command is useful to check if it is necessary to synchronize the FortiProxy unit with any particular FortiTokens.
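A small checker for that output, added here as an example rather than anything Fortinet ships: it parses the per-token lines and the trailing summary, lists the serials whose drift exceeds a tolerance, and confirms the token server is reachable. The sample text is constructed in the shape the page shows; the serials are the ones printed above, with the second token's drift changed from 0 to 2 so there is something to flag. The function names parse_fortitoken_info, tokens_needing_sync and token_server_reachable are assumptions.

```python
import re

# Constructed sample in the shape of the `diag fortitoken info` output shown on
# the page. The serials are the ones the page prints; the drift of the second
# token has been changed from 0 to 2 so that there is something to flag.
SAMPLE_OUTPUT = """\
FORTITOKEN DRIFT STATUS
FTK2000BHV1KRZCC 0 token already activated, and seed won't be returned
FTK2001C5YCRRVEE 2 token already activated, and seed won't be returned
FTKMOB4B94972FBA 0 provisioned
FTKMOB4BA4BE9B84 0 new
Total activated token: 0
Total global activated token: 0
Token server status: reachable
"""

# One token per line: serial, signed drift in steps, free-text status.
TOKEN_LINE = re.compile(r"^(FTK\S+)\s+(-?\d+)\s+(.*)$")


def parse_fortitoken_info(text: str):
    """Split the command output into per-token records and the trailing summary lines."""
    tokens, summary = [], {}
    for line in text.splitlines():
        m = TOKEN_LINE.match(line.strip())
        if m:
            tokens.append({"serial": m.group(1), "drift": int(m.group(2)),
                           "status": m.group(3).strip()})
        elif ":" in line:
            key, value = line.split(":", 1)
            summary[key.strip()] = value.strip()
    return tokens, summary


def tokens_needing_sync(text: str, max_abs_drift: int = 0):
    """Serials whose reported drift exceeds the tolerance (default: any drift at all)."""
    tokens, _ = parse_fortitoken_info(text)
    return [t["serial"] for t in tokens if abs(t["drift"]) > max_abs_drift]


def token_server_reachable(text: str) -> bool:
    """True when the summary reports the FortiGuard token server as reachable."""
    _, summary = parse_fortitoken_info(text)
    return summary.get("Token server status") == "reachable"


if __name__ == "__main__":
    print(tokens_needing_sync(SAMPLE_OUTPUT))       # ['FTK2001C5YCRRVEE']
    print(token_server_reachable(SAMPLE_OUTPUT))    # True
```

Run the real command output through parse_fortitoken_info in a periodic job; an unreachable token server is worth alerting on separately, because it blocks activation (see the note under Activating a FortiToken) independently of any drift.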

FortiToken Mobile Push

A command under config system ftm-push allows you to configure the FortiToken Mobile Push services server IP address and port number. The Push service is provided by Apple (APNS) and Google (GCM) for iPhone and Android smartphones respectively. This service prevents tokens from becoming locked after an already enabled two-factor authentication user has been disabled.

CLI syntax

config system ftm-push
set server-ip <ip-address>
set server-port [1-65535] Default is 4433.
set status <enable | disable>
end

The server-ip is the public IP address of the FortiProxy interface that the FTM will call back to; it is the IP address used by the FortiProxy for incoming FTM calls.

In addition, FTM Push is supported on administrator login and SSL VPN login for both iOS and Android. If an SSL VPN user authenticates with their token, then logs out and attempts to reauthenticate within a minute, a new message displays showing "Please wait x seconds to login again." This replaces the previous error/permission denied message.

The “x” value depends on the calculation of how much time is left in the current time step.

CLI syntax

config system interface
edit <name>
set allowaccess ftm
next
end

Note: The FortiProxy unit supports FTM Push notifications initiated by FortiAuthenticator when users attempt to authenticate through a VPN and/or RADIUS (with FortiAuthenticator as the RADIUS server).