Authentication (5.6.3)
New authentication features added to FortiOS 5.6.3.
Certificate Import page updates (267949)
Importing a non-CA certificate into the FortiGate CA store now shows a warning message explaining why the import failed, as expected for a non-CA certificate.
Improvements to the execute fortitoken import command (401979)
The execute fortitoken import command has been removed and replaced by three new commands, allowing FortiToken seed files to be imported from an FTP server, a TFTP server, or a USB drive:
execute fortitoken import ftp <file name> <ip>[:ftp port] <Enter> <user> <password>
execute fortitoken import tftp <file name> <ip>
execute fortitoken import usb <file name>
These commands allow seed files to be imported from an external source more easily.
Improved 2FA workflow in GUI (405487, 409100, 444430, 446856, 456752)
Various improvements to the two-factor authentication workflow in the GUI which addressed the following issues:
- No email was sent after creating an administrator account with a FortiToken.
- Inconsistent view on admin and user dialog.
- Empty activation codes would be sent.
- If Norway was selected as the country code for a user, the phone number was not recognized after saving.
- Couldn't select custom SMS server when setting the phone number.
- When a FortiToken from a non-management VDOM was selected for an admin, the activation code wouldn't be sent.
Support FTM Push when FortiAuthenticator is the authentication server (408273, 438314)
FortiGate now supports FTM Push notifications initiated by FortiAuthenticator, for users authenticating through a VPN and/or RADIUS (with FortiAuthenticator as the RADIUS server).
Support exact match for subject and CN fields in peer user (416359)
Administrators can now specify how a peer user is matched, in order to avoid unintentional admin access by a regular user. When searching for a matching certificate, use the commands below to control how matches are found in the certificate subject name (subject-match) or in the cn attribute (cn-match) of the certificate subject name. The match can be any string (substring) or an exact match (value) of the attribute value.
Syntax
config vpn certificate setting
edit <name>
set subject-match {substring | value}
set cn-match {substring | value}
next
end
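The difference between the two match modes, shown as an added Python example that is not FortiOS code. It emulates a peer user configured with a cn of "admin" (the subject DN strings and the simplified DN parser are constructed for this illustration):

```python
# Added example, not FortiOS code: shows how the subject-match / cn-match
# modes (substring vs value) behave when a peer-user entry is compared with
# the subject of a presented certificate. DNs below are constructed.

def parse_dn(dn):
    """Parse 'C=US, O=Example, CN=admin' into (attr, value) pairs.
    Simplification: escaped commas inside values are not handled."""
    pairs = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def cn_of(dn):
    """Return the CN attribute value of a subject DN, or None if absent."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None

def peer_matches(peer, cert_subject, subject_match="substring", cn_match="substring"):
    """peer is a dict with optional 'subject' and 'cn' keys (the configured
    values); every configured field must match for the peer to be accepted."""
    if "subject" in peer:
        if subject_match == "value":
            if peer["subject"] != cert_subject:
                return False
        elif peer["subject"] not in cert_subject:
            return False
    if "cn" in peer:
        cert_cn = cn_of(cert_subject) or ""
        if cn_match == "value":
            if peer["cn"] != cert_cn:
                return False
        elif peer["cn"] not in cert_cn:
            return False
    return True

# A peer user meant only for the account whose CN is exactly "admin".
ADMIN_PEER = {"cn": "admin"}
CERTS = [
    "C=US, O=Example, CN=admin",         # the intended admin
    "C=US, O=Example, CN=superadmin",    # a regular user whose CN contains "admin"
    "C=US, O=Example, CN=admin.backup",  # another regular user
]

def accepted(cn_match):
    """Return the certificate subjects the peer entry accepts under cn_match."""
    return [s for s in CERTS if peer_matches(ADMIN_PEER, s, cn_match=cn_match)]
```

With cn-match substring all three subjects are accepted; with cn-match value only the exact "admin" CN is.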
FortiToken GUI improvement (435229)
Various FortiToken import functions have been improved in the GUI, including importing from a serial number file correctly, validating serial numbers once imported, and removing the Activate button once a token has already been activated.
Improve FTM Push notification workflow (436642, 448734)
The GUI and the logincheck module have been updated to use a non-blocking version of the FTM Push notification procedure, which periodically polls the device for status updates from the fam daemon.
FortiClient shares Social ID data with FortiOS (438610)
Support has been added to record the social ID data from FortiClient so that if an email or phone number is changed on FortiClient, the new values are updated on the FortiGate.
The data will be sent in KeepAlive messages in the following format:
USR_NAME|<full name for the service account>|USR_EMAIL|<email for the service account>|SERVICE|<os|custom|linkedin|google|salesforce>|
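A parser for that KeepAlive record, added here as an example (it is not FortiClient or FortiOS code). The sample message and the stored user record are constructed; the parser assumes that values themselves contain no "|" characters:

```python
# Added example, not FortiClient/FortiOS code: parse the pipe-delimited social
# ID record "USR_NAME|...|USR_EMAIL|...|SERVICE|...|" and report which stored
# fields would need updating. Assumption: values never contain '|'.
SERVICES = {"os", "custom", "linkedin", "google", "salesforce"}
REQUIRED = {"USR_NAME", "USR_EMAIL", "SERVICE"}

def parse_social_id(record):
    """Return {'USR_NAME': ..., 'USR_EMAIL': ..., 'SERVICE': ...} or raise ValueError."""
    if not record.endswith("|"):
        raise ValueError("record must end with '|'")
    fields = record[:-1].split("|")
    if len(fields) % 2:
        raise ValueError("unbalanced key/value fields")
    data = dict(zip(fields[0::2], fields[1::2]))   # key, value, key, value, ...
    missing = REQUIRED - data.keys()
    if missing:
        raise ValueError("missing keys: " + ", ".join(sorted(missing)))
    if data["SERVICE"] not in SERVICES:
        raise ValueError("unknown SERVICE %r" % data["SERVICE"])
    return data

def changed_fields(stored, record):
    """Return the keys whose value in the record differs from the stored user
    record, i.e. the fields the FortiGate would update."""
    parsed = parse_social_id(record)
    return sorted(k for k in parsed if stored.get(k) != parsed[k])

# Constructed sample: the user changed their email on FortiClient.
SAMPLE = "USR_NAME|Jane Doe|USR_EMAIL|jane.new@example.com|SERVICE|google|"
STORED = {"USR_NAME": "Jane Doe", "USR_EMAIL": "jane@example.com", "SERVICE": "google"}
```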
Wildcard certificate support/handling for SAN/CN reference identifiers (440307)
As a requirement of Network Device Collaborative Protection Profile (NDcPP), FortiOS supports and handles the use of wildcards for the following certificate reference parameters:
- Subject Alternative Name (SAN)
- Common Name (CN)
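How a wildcard in a SAN dNSName or CN is matched against the expected host name, as an added Python example that is not FortiOS code. The rules implemented are the RFC 6125 style ones assumed here (wildcard only as the whole leftmost label, matching exactly one label, SAN dNSName entries checked before the CN); the host names are constructed:

```python
# Added example, not FortiOS code: RFC 6125-style matching of a reference
# identifier (the host name the client expects) against a certificate's SAN
# dNSName entries and CN, with wildcard handling. Host names are constructed.

def hostname_matches(pattern, hostname):
    """True if a presented identifier such as 'host.example.com' or
    '*.example.com' matches the reference identifier hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False                     # a wildcard never spans more than one label
    if "*" in pattern:
        # only the leftmost label may be a wildcard, and '*' must be the whole label
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False                 # reject '*.com'-style patterns
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))

def cert_matches(reference, san_dns=(), cn=None):
    """Check SAN dNSName entries first; fall back to the CN only when the
    certificate carries no dNSName SAN at all."""
    if san_dns:
        return any(hostname_matches(p, reference) for p in san_dns)
    return cn is not None and hostname_matches(cn, reference)
```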
Support for FTP and TFTP to update certificates (441695)
Support has been added for FTP and TFTP servers to update the certificate bundle using a new execute command.
Syntax
execute vpn certificate ca import bundle <file-name.pkg> <ftp/tftp-server-ip>
Global option to enable/disable SHA1 algorithm in SSH key exchanges (444827)
Support has been added for a global option to enable/disable the SHA1 algorithm in SSH key exchanges. The algorithm is enabled by default; the option lets administrators disable it for security and compliance testing.
Syntax
config system global
set ssh-kex-sha1 {enable | disable}
end
Support for HTTP tunnel authentication (449406)
Support has been added for an option to trigger user authentication on an HTTP CONNECT request at the policy level. A new CLI entry has been added under config firewall proxy-policy which triggers the get-user authentication process, even when no user or group is configured.
Note that, as shown below, explicit web proxy must be set.
Syntax
config firewall proxy-policy
edit {policyid}
set proxy explicit-web
set http-tunnel-auth {enable | disable}
next
end
Authentication (5.6.1)
New authentication features added to FortiOS 5.6.1.
IPv6 RADIUS Support (309235, 402437, 439773)
RADIUS authentication is supported with IPv6, allowing administrators to configure an IPv6 RADIUS server on the FortiGate for IPv6 RADIUS authentication traffic to pass between the server and FortiGate.
Note that while you can set the primary RADIUS server's IPv6 address, the source IP address for communications to the RADIUS server cannot be configured as IPv6.
Syntax
Allow IPv6 access on an interface:
config system interface
edit <name>
config ipv6
set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}
set ip6-address <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
next
next
end
Configure the IPv6 RADIUS server:
config user radius
edit <name>
set server <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>
...
next
end
Full certificate chain CRL checking (407988)
Certificate revocation/status checking for peer certificates and intermediate CAs is now supported. The fnbam_auth_cert() API was redesigned to use an X509 stack instead of an array for the certificate chain, and the obsolete fnbam API and parameters were removed. authd, sslvpnd, and the GUI now send full certificate chains to fnbamd for verification.
New option under user > setting to allow/forbid SSL renegotiation in firewall authentication (386595)
A new option auth-ssl-allow-renegotiation is now available under config user setting to allow or forbid SSL renegotiation. The default value is disable, in which case authd terminates the session once renegotiation is detected and the login is recorded as a failure. Other behavior follows the regular authentication settings.
Syntax
config user setting
set auth-ssl-allow-renegotiation {enable | disable}
end
New option to allow spaces in RADIUS DN format (422978)
Previously, IKEv2 RADIUS group authentication introduced a regression because it removed spaces from the ASN.1 DN peer identifier string.
The default DN format has been reverted to include spaces, and a new CLI option ike-dn-format has been added to let the user select either with-space or no-space. Customers using the group-authentication option can set ike-dn-format to match the format used in their RADIUS user database.
Added LDAP filter when group-member-check is user-attr (403140)
An LDAP filter has been added for the case where group-member-check is user-attr. The filter is applied when the user attribute is checked.
Syntax
config user ldap
edit <name>
set group-filter ?
next
end
group-filter is none by default, in which case the process is the same as before.
When group-filter is set, the LDAP filter takes effect when retrieving the group information.
Added Refresh button to the LDAP browser (416649)
Previously, cached LDAP data was used even if the LDAP server configuration was updated.
In FortiOS 5.6.1, a Refresh button has been added in the LDAP browser. In the LDAP server dialog page, the user can delete the DN field to browse the root level tree when clicking the Fetch DN button.
Differentiate DN option for user authentication and membership searching (435791)
Previously, LDAP used the same DN option for user authentication and membership searching. New CLI commands are introduced under config user ldap to resolve this issue:
group-member-check user-attr
For user attribute checking, a new attribute group-search-base is added, which indicates the starting point for the group search. If group-search-base is not set, binddn is used as the search base. search-type has been removed when group-member-check is user-attr.
group-member-check group-object
For group object checking, the group names in the user group match rule are used as the group search base. If there are multiple matching rules, each group name triggers the ldapsearch query once.
group-member-check posix-group-object
group-object-search-base has been renamed to group-search-base for the posix-group-object group-member-check.
FTM Push when FAC is auth server (408273)
This feature adds support for FortiToken Mobile (FTM) push with a FortiAuthenticator server in FortiOS. It also fixes a crash when adding a node to an RB tree, by checking whether the same key is already used in the tree; if so, the node using that key is removed before the new node is added.
Non-blocking LDAP authentication (433700)
The previous LDAP authentication in fnbamd used the OpenLDAP library. OpenLDAP supports a non-blocking BIND, but it is not event driven.
To support non-blocking LDAP in fnbamd, fnbamd no longer uses the OpenLDAP library and instead uses only liblber. fnbamd now creates its own event-driven, non-blocking connection to LDAP servers over LDAP/LDAPS/STARTTLS, performs CRL checking if necessary, and composes all LDAP requests using liblber (including bind, unbind, search, password renewal, password query, sending requests, receiving responses, and parsing responses). The whole process is done in one connection.
This does not change the OpenLDAP implementation itself; it only moves some data structure and API definitions from internal header files to public header files.
Manual certificate SCEP renewal (423997)
Added support for manual SCEP certificate renewal, in addition to the existing auto-regeneration feature.
More detailed RADIUS responses shown in connectivity test (434303)
Improved on-demand test connectivity for RADIUS servers. Test results show RADIUS server reachability, NAS client rejection, and invalid User/Password. Test also shows RADIUS Attributes returned from the RADIUS server.
Example
FG100D3G12807101 # diagnose test authserver radius-direct
<server_name or IP> <port no(0 default port)> <secret> <user> <password>
FG100D3G12807101 # diagnose test authserver radius-direct 1.1.1.1 0 dd
RADIUS server '1.1.1.1' status is Server unreachable
FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 dd
RADIUS server '172.18.5.28' status is Secret invalid
FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 fortinet jeff1 asdfasdf
RADIUS server '172.18.5.28' status is OK
Access-Reject
FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 fortinet ychen1 asdfasdf
RADIUS server '172.18.5.28' status is OK
Access-Accept
AVP: l=6 t=Framed-Protocol(7)
Value: 1
AVP: l=6 t=Service-Type(6)
Value: 2
AVP: l=46 t=Class(25)
Value: 9e 2a 08 6d 00 00 01 37 00 01 17 00 fe 80 00 00 00 00 00 00 00 00 5e fe ac 12 05 1c 01 d2 cd b6 75 a6 80 56 00 00 00 00 00 00 00 1c
AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=6 t=MS-Link-Utilization-Threshold(14)
Value: 50
AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=6 t=MS-Link-Drop-Time-Limit(15)
Value: 120
User group authentication timeout range increased to 30 days (378085)
You can now use the following command to override the default user authentication timeout for users in a user group to up to 30 days.
config user group
edit <group-name>
set authtimeout 43200
end
Where authtimeout is the length of the timeout in minutes. An authtimeout of 43200 minutes is equivalent to 30 days. Set authtimeout to 0 to use the default authentication timeout.
Authentication (5.6)
New authentication features added to FortiOS 5.6.
FortiToken Mobile Push (397912, 408273, 399839, 404872)
FortiToken Mobile push supports two-factor authentication without requiring users to enter a four-digit code to authenticate. Instead they can just accept the authentication request from their FortiToken Mobile app.
A new command has been added under config system ftm-push allowing you to configure the FortiToken Mobile Push service's server IP address and port number. The Push service is provided by Apple (APNS) and Google (GCM) for iPhone and Android smartphones respectively. This will help to avoid tokens becoming locked after an already enabled two-factor authentication user has been disabled.
CLI syntax
config system ftm-push
set server-ip <ip-address>
set server-port [1-65535] Default is 4433.
end
If an SSL VPN user authenticates with their token, then logs out and attempts to reauthenticate again within a minute, a new message will display showing "Please wait x seconds to login again." This replaces a previous error/permission denied message.
The "x" value will depend on the calculation of how much time is left in the current time step.
CLI syntax
config system interface
edit <name>
set allowaccess ftm
next
end
Support V4 BIOS certificate (392960)
FortiOS now supports backwards compatibility between new BIOS version 4 and old BIOS version 3.
New BIOS V4 certificates:
- Fortinet_CA
- Fortinet_Sub_CA
- Fortinet_Factory
Old BIOS V3 certificates:
- Fortinet_CA_Backup
- Fortinet_Factory_Backup
When FortiOS connects to FortiGuard, FortiCloud, FortiManager, FortiAnalyzer, FortiSandbox as a client, the new BIOS certificate Fortinet_Factory will be the default client certificate. When the server returns its certificate (chain) back, FortiOS looks up the issuer of the server certificate and either keeps client certificate as is or switches to the old BIOS certificate Fortinet_Factory_Backup. This process occurs in one handshake.
When FortiOS connects to FortiCare, the new BIOS certificate Fortinet_Factory is the only client certificate and Server Name Indication (SNI) is set. There is no switchover of certificate during SSL handshake.
When FortiOS acts as a server when connected by FortiExtender, FortiSwitch, FortiAP, etc., Fortinet_Factory is the default server certificate. FortiOS detects SNI in client hello, and if no SNI is found or if the CN in SNI is different from the CN of Fortinet_CA, it switches to use the old Fortinet_Factory_Backup.
Support extendedKeyUsage for x.509 certificates (390393)
As per Network Device Collaborative Protection Profile (NDcPP) v1.0 requirements, server certificates used for TLS connections between FortiGate and FortiAnalyzer should have the "Server Authentication" and "Client Authentication" extendedKeyUsage fields in FIPS/CC mode.
To implement this, a new CLI command has been added under log fortianalyzer setting to allow you to specify the certificate used to communicate with FortiAnalyzer.
CLI syntax
config log fortianalyzer setting
set certificate <name>
end
Administrator name added to system event log (386395)
The administrator's name now appears in the system event log when the admin issues a user quarantine ban on a source address.
Support RSA-4096 bit key-length generation (380278)
In anticipation of quantum computers, RSA-4096 bit key-length CSRs can now be imported.
New commands added to config user ldap to set UPN processing method and filter name (383561)
Two new commands have been added to config user ldap, allowing you to keep or strip the domain string of the UPN in the token, and to set the search name for this kind of UPN.
CLI syntax:
config user ldap
set account-key-processing
set account-key-name
end
User authentication max timeout setting change (378085)
To accommodate wireless hotspot users authenticated on the FortiGate, the user authentication max timeout setting has been extended to three days (from one day, previously).
Changes to Authentication Settings > Certificates GUI (374980)
Added new icons for certificate types and updated formatters to use these new icons.
Password for private key configurable in both GUI and CLI (374593)
FortiOS 5.4.1 introduced a feature that allowed you to export a local certificate and its private key in password protected p12, and later import them to any device. This option to set password for private key was available only in the CLI (when requesting a new certificate via SCEP or generating a CSR). This feature is now also configurable through the GUI.
The new Password for private key option is available under System > Certificates when generating a new CSR.
RADIUS password encoding (365145)
A new CLI command under config user radius has been added to allow you to configure RADIUS password encoding to use ISO-8859-1 (as per RFC 2865).
Certain RADIUS servers use ISO-8859-1 password encoding rather than others such as UTF-8. In these instances, the server will fail to authenticate the user if the user's password is sent using UTF-8.
CLI syntax
config user radius
edit <example>
set password-encoding <auto | ISO-8859-1>
end
This option is skipped if the auth-type is neither auto nor pap.
RSSO supports Delegated-IPv6-Prefix and Framed-IPv6-Prefix (290990)
Two attributes, Delegated-IPv6-Prefix and Framed-IPv6-Prefix, have been introduced for RSSO to provide a /56 prefix for DSL customers. All devices connected from the same location (/56 per subscriber) can be mapped to the same profile without the need to create multiple /64 or smaller entries.