Authentication
New authentication features include:
- Captive Portal
- User Authentication via a POP3 Server
- Limiting Guest User Accounts
- Nested Group Search in LDAP Authentication
- Password Length for User Authentication
- Certificates for Policy Authentication
- Authentication Blackouts
- Single Sign-On for Guest Accounts
Captive Portal
There have been several changes made to authentication using a captive portal. Additional captive portal options have also been added for wireless networks. For more information, see Captive Portal for WiFi.
External Captive Portals
Each FortiGate interface can now be pointed at its own external captive portal, identified by an external web URL. To configure an interface, go to System > Network > Interfaces and edit the desired interface. Select Captive Portal as the Security Mode, then set Authentication Portal to External and configure the other settings as required.
Once a client has been authenticated by the portal, by default it is sent to the URL it originally requested. The portal can also be configured to send the client to a hard-coded URL that contains a replacement message.
Syntax
In the following example, the LAN interface is configured with an external captive portal (http://10.6.2.218/portal) and a fixed URL (http://10.6.2.218/?Auth=Success) that clients are redirected to after successful authentication.
config system interface
edit "lan"
set security-mode captive-portal
set security-external-web "http://10.6.2.218/portal"
set security-redirect-url "http://10.6.2.218/?Auth=Success"
set security-groups "rug1"
end
Using Groups from the Security Policy
Portal interfaces can now be configured to use the user groups set in the security policies. This will happen by default if no user group is configured on the interface.
Exempting a Policy
Security policies can now be exempted from captive portal authentication with set captive-portal-exempt enable under config firewall policy.
Replacement Messages
The captive portal-specific replacement messages have been removed. Authentication replacement messages will be used for portals.
User Authentication via a POP3 Server
A POP3 server can now be used to verify user credentials when they authenticate through a web portal or any supported authentication method.
The following maximum values are associated with POP3 authentication:
- A maximum of 10 POP3/POP3S servers can be defined per FortiGate unit
- A single user group can have a pool of up to 6 POP3 servers assigned
POP3 authentication can be configured using the CLI. Note that an entry under config user pop3 defines a POP3 server to check credentials against, not an individual user; with secure set to pop3s the port is normally 995 rather than 110.
Configuring a POP3 server
config user pop3
edit <name>
set server "pop3.fortinet.com"
set secure {starttls | pop3s | none}
set port 110
end
Configuring a POP3 user group
config user group
edit pop3_grp1
set member "pop3_server1" "pop3_server2"
end
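What the FortiGate does with a POP3 server is simply a USER/PASS exchange: the backend accepts the credentials if the server answers PASS with +OK. The following added example (not FortiOS code or part of the original page) shows both sides of that exchange. It runs a minimal RFC 1939 responder on a loopback port with a constructed, made-up account store, and a verifier that mirrors the three FortiOS secure values: none (cleartext), starttls (STLS upgrade) and pop3s (implicit TLS). Host, port and account names are assumptions.

```python
import hmac
import poplib
import socketserver
import threading

# Constructed account store standing in for the mail server's user database
# (assumption: the name and password below are made up for this example).
_ACCOUNTS = {"alice": "s3cr3t-pass"}


class _MiniPOP3Handler(socketserver.StreamRequestHandler):
    """Minimal POP3 responder: greeting, USER, PASS, QUIT (RFC 1939 subset)."""

    def handle(self):
        self.wfile.write(b"+OK mini POP3 ready\r\n")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.wfile.write(b"+OK\r\n")
            elif cmd == "PASS":
                # Same error text for unknown user and wrong password, so the
                # caller cannot tell valid user names apart from invalid ones.
                ok = user in _ACCOUNTS and hmac.compare_digest(_ACCOUNTS[user], arg)
                self.wfile.write(b"+OK logged in\r\n" if ok else b"-ERR authentication failed\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"+OK bye\r\n")
                return
            else:
                self.wfile.write(b"-ERR unsupported\r\n")


def start_mini_pop3():
    """Start the responder on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _MiniPOP3Handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def pop3_verify(host, port, username, password, secure="none", timeout=5):
    """Check credentials the way an authentication backend would: USER, PASS, QUIT.

    secure takes the FortiOS values: "none" (cleartext, port 110), "starttls"
    (STLS upgrade on port 110) or "pop3s" (implicit TLS, port 995).
    Returns True only on a +OK reply to PASS. A missing STLS capability raises
    rather than silently falling back to cleartext.
    """
    if secure == "pop3s":
        conn = poplib.POP3_SSL(host, port, timeout=timeout)
    else:
        conn = poplib.POP3(host, port, timeout=timeout)
        if secure == "starttls":
            conn.stls()  # raises poplib.error_proto if the server offers no STLS
    try:
        conn.user(username)
        conn.pass_(password)
        return True
    except poplib.error_proto:
        return False
    finally:
        try:
            conn.quit()
        except (poplib.error_proto, OSError):
            pass


if __name__ == "__main__":
    srv, port = start_mini_pop3()
    try:
        print(pop3_verify("127.0.0.1", port, "alice", "s3cr3t-pass"))  # True
        print(pop3_verify("127.0.0.1", port, "alice", "wrong"))        # False
    finally:
        srv.shutdown()
        srv.server_close()
```

With secure set to none, every user's password crosses the network in cleartext between the FortiGate and the mail server on each authentication, so prefer pop3s or starttls and confirm the server actually offers STLS before relying on it.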
Limiting Guest User Accounts
A new option has been added to the guest user group that lets the administrator restrict the maximum number of guest accounts that can be created. After the limit is reached, the portal administrator must remove some expired accounts before new ones can be created. The limit can be set from 1 to 1024 or left as unlimited (0 in the CLI), which is the default.
In the web-based manager, the limit cannot be set lower than the number of existing group members. To set a lower limit, remove guest accounts first.
Syntax
config user group
edit guest-group
set group-type guest
set max-accounts [0-1024]
end
Nested Group Search in LDAP Authentication
Nested group search is a new option for Windows AD LDAP servers whose group-member-check setting is user-attr. After authentication succeeds, fnbamd (the FortiOS authentication daemon) reads the user's group memberships from the user's attributes and then repeats LDAP queries on each group found until it reaches the top of the group hierarchy, so membership through intermediate groups is matched.
Syntax
config user ldap
edit <ldap-server-name>
set group-member-check user-attr
set search-type nested
end
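The walk fnbamd performs is worth seeing in code, because a flat membership check and a nested one give different answers for the same user. The following is an added example, not FortiOS code and not from the original page: it models the directory as an in-memory map of DN to memberOf values (all DNs constructed for the example), treats each lookup as one LDAP query, and follows memberOf from the user through each group's own memberOf. Beyond what the page describes, it adds a visited set so a membership loop cannot make the search spin, and a depth limit so a hostile or badly built directory cannot force an unbounded number of queries.

```python
from collections import deque

# Constructed in-memory stand-in for an AD directory: DN -> values of its
# memberOf attribute. Assumption: every DN below is made up for this example.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": [
        "CN=helpdesk,OU=Groups,DC=example,DC=com",
    ],
    "CN=helpdesk,OU=Groups,DC=example,DC=com": [
        "CN=it-staff,OU=Groups,DC=example,DC=com",
    ],
    "CN=it-staff,OU=Groups,DC=example,DC=com": [
        "CN=all-employees,OU=Groups,DC=example,DC=com",
        "CN=vpn-users,OU=Groups,DC=example,DC=com",
    ],
    "CN=all-employees,OU=Groups,DC=example,DC=com": [],
    # A membership loop, which real directories can contain:
    "CN=vpn-users,OU=Groups,DC=example,DC=com": [
        "CN=it-staff,OU=Groups,DC=example,DC=com",
    ],
}


def lookup_member_of(dn):
    """Stand-in for one LDAP query reading the memberOf attribute of dn
    (the user-attr style of group-member-check)."""
    return list(DIRECTORY.get(dn, []))


def direct_groups(user_dn, lookup=lookup_member_of):
    """Flat check: only the groups listed on the user object itself."""
    return set(lookup(user_dn))


def resolve_nested_groups(user_dn, lookup=lookup_member_of, max_depth=32):
    """Nested search: follow memberOf from the user through each group's own
    memberOf until no new parent appears. Returns (groups, query_count).

    Assumptions beyond the page: `seen` stops membership loops and max_depth
    bounds how many queries a pathological directory can force per login."""
    seen = set()
    queue = deque((g, 1) for g in lookup(user_dn))
    queries = 1
    while queue:
        group, depth = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        if depth >= max_depth:
            continue
        queries += 1
        for parent in lookup(group):
            if parent not in seen:
                queue.append((parent, depth + 1))
    return seen, queries


def is_member(user_dn, group_dn, nested=True):
    """Policy-style check: does user_dn belong to group_dn, directly or
    (nested=True) through intermediate groups? nested mirrors search-type nested."""
    if nested:
        groups, _ = resolve_nested_groups(user_dn)
    else:
        groups = direct_groups(user_dn)
    return group_dn in groups


if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=example,DC=com"
    vpn = "CN=vpn-users,OU=Groups,DC=example,DC=com"
    print(is_member(alice, vpn, nested=False))  # False
    print(is_member(alice, vpn, nested=True))   # True
```

The query count is the operational cost of the feature: each login now costs one query per group on the path, so deep hierarchies and slow LDAP servers show up directly as authentication latency.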
Password Length for User Authentication
In FortiOS 5.2, the maximum length of all passwords used by user authentication features has been increased to 128 characters.
Certificates for Policy Authentication
The CA certificate used for policy authentication can now be configured instead of being restricted to the built-in Fortinet certificate. This allows the user being authenticated to be presented with a certificate that their browser already trusts, so certificate errors are avoided.
Syntax
config user setting
set auth-ca-cert <name>
end
Authentication Blackouts
If five failed logins are made from an IP address within one minute, the address is put on a blackout list. Further logins from that address are rejected for as long as it is on the list, which is auth-blackout-time seconds. The blackout duration can be configured through the CLI:
Syntax
config user setting
set auth-blackout-time 300
end
This feature only applies to IP-based authentication schemes.
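To make the rule concrete, here is an added example (not FortiOS code and not from the original page) that implements the same policy in Python and replays it over constructed login records. The log format is made up for the example and is not FortiOS log syntax; the tracker keeps a sliding 60-second window of failures per source address, puts the address on the blackout list when the fifth failure lands, and rejects every attempt from that address until auth-blackout-time (300 seconds) has elapsed. Whether a successful login clears earlier failures is not stated on the page, so the example assumes it does not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample records in a made-up format (assumption: not FortiOS log
# syntax); one line per login attempt, in time order.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=203.0.113.7 user=alice status=failed
2024-05-01T10:00:05Z src=203.0.113.7 user=alice status=failed
2024-05-01T10:00:10Z src=203.0.113.7 user=bob status=failed
2024-05-01T10:00:20Z src=198.51.100.9 user=carol status=success
2024-05-01T10:00:30Z src=203.0.113.7 user=alice status=failed
2024-05-01T10:00:40Z src=203.0.113.7 user=alice status=failed
2024-05-01T10:00:45Z src=203.0.113.7 user=alice status=success
2024-05-01T10:03:00Z src=203.0.113.7 user=alice status=success
2024-05-01T10:05:50Z src=203.0.113.7 user=alice status=success
"""


class BlackoutTracker:
    """Per-source-address failed-login tracking with a blackout list.

    `threshold` failures within `window` seconds put the address on the list
    for `blackout_time` seconds (the auth-blackout-time value); while listed,
    every attempt is rejected before the credentials are even looked at."""

    def __init__(self, threshold=5, window=60, blackout_time=300):
        self.threshold = threshold
        self.window = window
        self.blackout_time = blackout_time
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blackout_until = {}            # ip -> epoch second the blackout ends

    def is_blacked_out(self, ip, now):
        until = self._blackout_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blackout_until[ip]  # expired: the address falls off the list
            return False
        return True

    def attempt(self, ip, now, credentials_ok):
        """Record one login attempt and return its disposition."""
        if self.is_blacked_out(ip, now):
            return "rejected"   # correct credentials do not help while listed
        if credentials_ok:
            return "accepted"   # assumption: success does not clear older failures
        fails = self._failures[ip]
        fails.append(now)
        while fails and now - fails[0] > self.window:
            fails.popleft()     # keep only failures inside the sliding window
        if len(fails) >= self.threshold:
            self._blackout_until[ip] = now + self.blackout_time
            fails.clear()
            return "blackout"
        return "failed"


LINE_RE = re.compile(r"^(\S+) src=(\S+) user=\S+ status=(\S+)$")


def parse_line(line):
    """Return (ip, epoch_seconds, credentials_ok) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return m.group(2), ts.timestamp(), m.group(3) == "success"


def replay(log_text, tracker=None):
    """Feed each record to the tracker; returns [(ip, disposition), ...]."""
    tracker = tracker or BlackoutTracker()
    out = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, now, ok = parsed
        out.append((ip, tracker.attempt(ip, now, ok)))
    return out


if __name__ == "__main__":
    for ip, disposition in replay(SAMPLE_LOG):
        print(ip, disposition)
```

Two things the replay makes visible: bob's failure counts against alice because the list is keyed by source address, not user, and alice's correct password at 10:00:45 and 10:03:00 is still rejected. Behind a NAT gateway or proxy, one attacker's five failures therefore lock out every legitimate user sharing that address for the whole blackout period, which is the trade-off the IP-based note above is pointing at.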
Single Sign-On for Guest Accounts
The default FSSO_Guest_Users group has been renamed SSO_Guest_Users. This group supports guests using both Fortinet Single Sign-On (FSSO) and RADIUS Single Sign-On (RSSO). Users can now also be added to the SSO_Guest_Users group using the CLI.
Syntax
config user group
edit SSO_Guest_Users
set member <names>
next
end