Authentication

This chapter describes new authentication features added to FortiOS 5.4.

Support RSA-4096 bit key-length generation (380278)

In anticipation of quantum computers, RSA-4096 bit key-length CSRs can now be imported.

User authentication max timeout setting change (378085)

To accommodate wireless hotspot users authenticated on the FortiGate, the user authentication max timeout setting has been extended to 3 days (from 1 day, previously).

Changes to Authentication Settings > Certificates GUI (374980)

Added new icons for certificate types and updated formatters to use these new icons.

Support for changing a local certificate's password (297660)

Administrators can set a password through the CLI when generating a certificate request.

RADIUS CoA support (309499)

The following RADIUS CoA (Change of Authorization) CLI syntax has been added:

  • Set the name of the FortiAP connected to the FortiGate as a location identifier.

    CLI syntax:

        config system global
            set alias

  • Set the URL of the external authentication logout server (for a wireless VAP).

    CLI syntax:

        config vdom
            edit root
                config wireless-controller vap
                    edit <example>
                        set security captive-portal
                        set external-logout

  • Set the URL of the external authentication logout server (for an interface).

    CLI syntax:

        config vdom
            edit root
                config system interface
                    edit <example>
                        set security captive-portal
                        set security-external-logout

  • Set the class name(s) included in an Access-Accept message.

    CLI syntax:

        config vdom
            edit root
                config user radius
                    edit accounting
                        set class <"A1=aaa" "B2=bbb" "C3=ccc">

You can now import PKCS12 certificates from the CLI (309934)

The following CLI syntax imports a local certificate file:

CLI syntax

    execute vpn certificate local import tftp <file name> <tftp ip address> <file type> <Enter for 'cer'>|<password for 'p12'>

For example:

    execute vpn certificate local import tftp FGTF-extern.p12 10.1.100.253 p12 123456

RADIUS Framed-IP into accounting packets (234003 189828)

RADIUS attributes, including NAS-IP-Address, Called-Station-ID, Framed-IP-Address, and Event-Timestamp, are supported.

Include RADIUS attribute CLASS in all accounting requests (290577)

The RADIUS attribute CLASS is now supported in accounting requests for firewall, WiFi, and proxy authentication. The CLASS value returned in the Access-Accept message is added to all accounting requests.

  • If updating to 5.4.1, see above (309499).

Certificate-related changes (263368)

The Fortinet_Factory certificate has been re-signed with an expiration date in 2038, and it is used instead of Fortinet_Factory2, which has been removed.

Improvements and changes to per-VDOM certificates (276403 267362)

The CA and local certificate configuration is now available per-VDOM. When an admin uploads a certificate to a VDOM, it will only be accessible inside that VDOM. When an admin uploads a certificate to global, it will be accessible to all VDOMs and global.

Factory default certificates such as Fortinet_CA_SSL, Fortinet_SSL, PositiveSSL_CA, Fortinet_Wifi, and Fortinet_Factory are now per-VDOM and are generated automatically when a new VDOM is created.

The Fortinet_Firmware certificate has been removed and all the attributes that use Fortinet_Firmware now use Fortinet_Factory.

CLI Changes

Two new attributes, range and source, have been added:

range can be global or per-VDOM (global/vdom). If the certificate file is imported from global, it is a global certificate; if it is imported from a VDOM, it is a VDOM certificate.

source can be factory, user or fortiguard:

    factory: The factory certificate file shipped with the FortiOS version; this includes Fortinet_CA_SSL, Fortinet_SSL, PositiveSSL_CA, Fortinet_Wifi, and Fortinet_Factory.

    user: Certificate file imported by the user.

    fortiguard: Certificate file imported from FortiGuard.

    config certificate local
        edit Fortinet_Factory
            set range global/vdom
            set source factory/user/fortiguard
        end
    end

GUI Changes

Global and per-VDOM certificate configuration includes view details, download, delete, and import certificate.

Source and Status columns have been added.

When VDOMs are enabled, a global icon is shown in the Name column to indicate that a certificate is global.

A new VDOM now has the following default certificates: Fortinet_CA_SSL, Fortinet_Factory, Fortinet_SSL, Fortinet_Wifi, Fortinet_CA, and PositiveSSL_CA. These certificates are created automatically when the VDOM is created and every VDOM will have its own individual versions of these certificates.

The Fortinet_Firmware certificate has been removed. All default configurations that formerly used the Fortinet_Firmware certificate now use the Fortinet_Factory certificate.

Default root VDOM certificates

Certificates with the same names are also available from the global configuration. These are generated when you turn on VDOMs.

Default global certificates

Adding certificates to VDOMs and to the global configuration

If an administrator adds a certificate to a VDOM, the certificate is only available in that VDOM. If an administrator adds a certificate to the global configuration, it is available to all VDOMs.

Guest user enhancements (291042)

The password policy profile for guest admins has been improved. This is a CLI-only configuration, as follows:

    config system password-policy-guest-admin

        Attribute               Values                  Description
        status                  enable/disable          Enable/disable the password policy.
        apply-to                guest-admin-password    Guest admin to which this password policy applies.
        minimum-length                                  Minimum password length.
        min-lower-case-letter                           Minimum number of lowercase characters in the password.
        min-upper-case-letter                           Minimum number of uppercase characters in the password.
        min-non-alphanumeric                            Minimum number of non-alphanumeric characters in the password.
        min-number                                      Minimum number of numeric characters in the password.
        change-4-characters     enable/disable          Enable/disable requiring at least 4 changed characters in a new password.
        expire-status           enable/disable          Enable/disable password expiration.
        reuse-password          enable/disable          Enable/disable reuse of a previous password.

    end
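The following is an added example, not FortiOS code, showing how the attributes above combine into one password check. The policy values are constructed for illustration, and the rule used for change-4-characters (count differing positions plus any length difference) is this example's own assumption, since the page does not define how FortiOS counts changed characters; expire-status is omitted because it needs a last-change timestamp.

```python
# Added example: a validator for the guest-admin password policy described above.
# The attribute names follow the FortiOS CLI; the policy values and the checking
# logic are this example's own, not FortiOS code.
POLICY = {
    "status": True,                 # constructed example values
    "minimum-length": 12,
    "min-lower-case-letter": 1,
    "min-upper-case-letter": 1,
    "min-non-alphanumeric": 1,
    "min-number": 1,
    "change-4-characters": True,
    "reuse-password": False,
    # expire-status needs a password-change timestamp and is out of scope here
}


def changed_characters(old, new):
    """Assumption made here: count positions whose character differs, plus any length
    difference (the page does not state how FortiOS counts changed characters)."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_password(new, old=None, history=(), policy=POLICY):
    """Return the list of policy attributes the candidate password violates (empty = accepted).
    'history' holds earlier passwords; a real system would compare stored verifiers instead."""
    if not policy["status"]:
        return []                                   # policy disabled: everything passes
    violations = []
    if len(new) < policy["minimum-length"]:
        violations.append("minimum-length")
    counts = {
        "min-lower-case-letter": sum(c.islower() for c in new),
        "min-upper-case-letter": sum(c.isupper() for c in new),
        "min-number": sum(c.isdigit() for c in new),
        "min-non-alphanumeric": sum(not c.isalnum() for c in new),
    }
    violations += [rule for rule, have in counts.items() if have < policy[rule]]
    if policy["change-4-characters"] and old is not None and changed_characters(old, new) < 4:
        violations.append("change-4-characters")
    if not policy["reuse-password"] and (new == old or new in history):
        violations.append("reuse-password")
    return violations
```

Returning the list of violated attribute names rather than a boolean lets an operator report exactly which CLI setting rejected a password, which makes the policy easier to tune.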

 

RADIUS CoA for user, user-group and captive-portal authentication (RFC 5176) (274813 270166)

RADIUS Change of Authorization (CoA) is a common feature in user authentication. User, user-group and captive-portal authentication now support RADIUS CoA when the back-end authentication server is RADIUS.

The main use case for this feature is with an external captive portal: it can be used to disconnect hotspot users when their time, credit or bandwidth has been used up.

  • If updating to 5.4.1, see above (309499).
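As an added example (not FortiOS code), the following Python script shows the wire-level side of two features above: the CLASS attribute from an Access-Accept being copied into an Accounting-Request together with NAS-IP-Address, Framed-IP-Address, Called-Station-Id and Event-Timestamp (290577, 234003), and an RFC 5176 dynamic-authorization exchange, shown here as a Disconnect-Request/Disconnect-ACK pair, the operation used to tear down a hotspot session. The shared secret, addresses, session ID, user name and Class values are constructed; the packet layouts and authenticator rules follow RFC 2865, RFC 2866 and RFC 5176.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS packet codes (RFC 2865, RFC 2866, RFC 5176)
ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4
DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41
# Attribute types used below (RFC 2865 / RFC 2866 / RFC 2869)
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CLASS = 1, 4, 8, 25
CALLED_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID, EVENT_TIMESTAMP = 30, 40, 44, 55
ACCT_START = 1

# Constructed shared secret and session values for this example only.
SECRET = b"constructed-example-secret"
SESSION_ID = "0001a2b3"


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, str):
            value = value.encode()
        elif isinstance(value, int):
            value = struct.pack("!I", value)          # integer / time attributes
        elif isinstance(value, ipaddress.IPv4Address):
            value = value.packed                      # ipaddr attributes
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse the attribute area of a packet, rejecting truncated or zero-length TLVs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack_from("!BB", data, pos)
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build(code, ident, attrs, secret, request_auth=bytes(16)):
    """Accounting-Request and Disconnect/CoA-Request (RFC 5176 s3) are authenticated as
    MD5(header + 16 zero octets + attributes + secret); responses put the request's
    authenticator in place of the zero octets (RFC 2866 s3, RFC 5176 s3)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def verify(packet, secret, request_auth=bytes(16)):
    """Recompute the authenticator; pass the matching request authenticator for responses."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def access_accept(ident=7, request_auth=bytes(16)):
    """Access-Accept as a RADIUS server might send it, carrying several Class values.
    Class is opaque to the NAS (RFC 2865 s5.25); request_auth is a constructed placeholder."""
    classes = [(CLASS, b"A1=aaa"), (CLASS, b"B2=bbb"), (CLASS, b"C3=ccc")]
    return build(ACCESS_ACCEPT, ident, classes, SECRET, request_auth)


def accounting_start(accept, ident=8):
    """Accounting-Request Start: every Class from the Access-Accept is copied unmodified,
    alongside the NAS-IP / Framed-IP / Called-Station-Id / Event-Timestamp attributes."""
    classes = [v for t, v in decode_attrs(accept[20:]) if t == CLASS]
    attrs = [
        (USER_NAME, "alice"),                                      # constructed
        (ACCT_STATUS_TYPE, ACCT_START),
        (ACCT_SESSION_ID, SESSION_ID),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.1.100.1")),     # constructed
        (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.1.100.77")), # constructed
        (CALLED_STATION_ID, "00-11-22-33-44-55:guest-ssid"),       # constructed
        (EVENT_TIMESTAMP, 1700000000),
    ] + [(CLASS, c) for c in classes]
    return build(ACCOUNTING_REQUEST, ident, attrs, SECRET)


def classes_in(packet):
    return [v for t, v in decode_attrs(packet[20:]) if t == CLASS]


def framed_ip(packet):
    raw = next(v for t, v in decode_attrs(packet[20:]) if t == FRAMED_IP_ADDRESS)
    return str(ipaddress.IPv4Address(raw))


def disconnect_exchange(ident=9):
    """The dynamic-authorization server ends the hotspot session by Acct-Session-Id;
    the NAS answers with a Disconnect-ACK bound to the request authenticator."""
    req = build(DISCONNECT_REQUEST, ident,
                [(USER_NAME, "alice"), (ACCT_SESSION_ID, SESSION_ID)], SECRET)
    ack = build(DISCONNECT_ACK, ident, [], SECRET, request_auth=req[4:20])
    return req, ack
```

Two points the script makes concrete: the Class values reach the accounting server byte-for-byte unchanged, which is why `set class` on the page can carry key=value strings the accounting side understands, and a Disconnect/CoA request is only as trustworthy as the shared secret, since its authenticator is an MD5 over the packet and that secret, so a NAS should accept dynamic-authorization messages only from configured clients and verify the authenticator before acting.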

RSSO: Enable or disable overriding old attribute value when a user logs in again (possibly on a different device) (278471)

When a new Start message is received for the same user with a different group name and a different IP address (for example, a mobile device roaming), the original design overrides all group name information with the latest group name received in the latest Start message.

This new feature adds an option to disable this override when needed. The default behavior keeps the original design.

CLI changes

Add an option to enable or disable overriding SSO attribute value.

Syntax

    config user radius
        edit <My_Rsso>
            set rsso enable
            set sso-attribute-value-override enable/disable   // Enable/disable overriding the old attribute value with the new value for the same endpoint.
        end
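The roaming scenario above, as an added example that is not FortiOS code: a minimal RSSO session table whose Start handling switches on the override option. The message shape (a Start carries user, endpoint IP and group; a Stop carries only the endpoint IP), the user and the addresses are this example's own assumptions.

```python
# Added example: a minimal RSSO session table showing the effect of
# sso-attribute-value-override. Message shapes and names are assumptions of this
# example, not FortiOS internals.
class RssoSessions:
    def __init__(self, attribute_value_override=True):
        self.override = attribute_value_override  # enable = default FortiOS behaviour
        self.group_of_user = {}     # user -> group used for policy matching
        self.user_of_ip = {}        # endpoint IP -> user

    def start(self, user, ip, group):
        """Process an accounting Start; returns the group the user is now matched against."""
        self.user_of_ip[ip] = user
        if user not in self.group_of_user or self.override:
            self.group_of_user[user] = group      # enabled: the newest Start wins
        return self.group_of_user[user]           # disabled: the first-learned group is kept

    def stop(self, ip):
        """Process an accounting Stop for one endpoint; the user's group entry is dropped
        only when no other endpoint of that user is still logged in."""
        user = self.user_of_ip.pop(ip, None)
        if user is not None and user not in self.user_of_ip.values():
            self.group_of_user.pop(user, None)
        return user

    def group_for_ip(self, ip):
        user = self.user_of_ip.get(ip)
        return self.group_of_user.get(user) if user else None


def roaming_scenario(override):
    """The same user logs in from a second device with a different group; return the group
    policy sees for (first device, second device) after the second Start."""
    table = RssoSessions(attribute_value_override=override)
    table.start("bob", "10.0.0.5", "staff")     # constructed user and addresses
    table.start("bob", "10.0.0.99", "guest")
    return table.group_for_ip("10.0.0.5"), table.group_for_ip("10.0.0.99")
```

Note that with override enabled the first device is also re-matched against the new group, because the attribute is tracked per user, not per endpoint; that is the behaviour the disable option exists to avoid.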

FSSO supports Microsoft Exchange Server (270174)

FSSO now supports monitoring Microsoft Exchange Server. This is useful when users access their email with their domain account but the client device may or may not be a member of the domain. Support for Exchange Server is configured on the back-end FSSO collector agent under Advanced Settings > Exchange Server.

Select Add, enter the following information, and select OK.

Domain Name                    Enter your domain name.

Server IP/Hostname             Enter the IP address or the hostname of your Exchange server.

Polling forwarded event log    Use this option when you do not want the collector agent (CA) to poll the Exchange Server logs directly. In this case you need to configure event log forwarding on the Exchange server; Exchange event logs can be forwarded to any member server. If you enable this option, configure the IP of that member server instead of the IP of the Exchange server entered in the previous step. The CA will then contact the member server.

Ignore Name                    The CA also checks Windows log files for logon events. When a user authenticates to Exchange Server there is also a logon event in the Windows event log, which the CA reads, and this overwrites the Exchange Server logon event (ES-EventLog) on the CA. It is therefore recommended to add the domain the user belongs to to the ignore list: enter the domain name in the Ignore Name field and select Add.