SSL VPN (5.6.1)

New SSL VPN features added to FortiOS 5.6.1.

Added a button to send Ctrl-Alt-Delete to the remote host for VNC and RDP desktop connections (401807)

Previously, users were unable to send Ctrl-Alt-Delete to the host machine in an SSL VPN remote desktop connection.

FortiOS 5.6.1 adds a new button that allows users to send Ctrl-Alt-Delete in remote desktop tools (also fixes 412456, preserving the SSL VPN realm after session timeout prompts a logout).

Improved SSL VPN Realms page (0392184)

Implemented minor functional changes to the dialog on the SSL VPN > Realms page:

l URL preview uses info message similar to that seen on the SSL VPN settings dialog. l Virtual-Host input is now visible when set in the CLI. l Added help tooltip describing what the virtual-host property does.

Customizable FortiClient Download URL in SSL VPN Web Portal (437883)

A new attribute, customize-forticlient-download-url, is added to vpn.ssl.web.portal.

The added attribute indicates whether to support a customizable download URI for FortiClient. This attribute is disabled by default. If enabled, two other attributes, windows-forticlient-download-url and macosforticlient-download-url, will appear through which the user can customize the download URI for

FortiClient.

Syntax

config vpn ssl web portal edit <portal> set customize-forticlient-download-url {enable | disable} set windows-forticlient-download-url <custom URL for Windows> set macos-forticlient-download-url <custom URL for Mac OS>

next

end

Added split DNS support for SSL VPN (434512)

Split DNS is now supported for SSL VPN. This feature allows you to specify which domains will be resolved by the DNS server specified by the VPN while all other domains will be resolved by the locally specified DNS.

This feature is useful in both Enterprise and MSP scenarios (when hosting multiple SSL VPN portals).

Syntax config vpn ssl web portal

SSL VPN (5.6.1)

edit <name> config split-dns-domains edit 1 set domains “abc.com, cde.com” set dns-server1 192.168.1.1 set dns-server2 192.168.1.2 set ipv6-dns-server1 2000:2:3:4::5 set ipv6-dns-server2 2000:2:3:4::6

next …

end

end

Support SSL VPN function in browsers without plugins: Citrix/RDPNative/Port forward

(437886)

Syntax

config vpn ssl web user-bookmark edit <name> config bookmarks edit “rdpnative” set apptype rdpnative set description “rdpnative” set host “172.16.68.188” set additional-params ” unset full-screen-mode set screen-height 768 set screen-width 1024

next

end

next

end

SSL VPN SSO Support for HTML5 RDP (417248)

This feature adds support for SSO from the SSL VPN portal to an RDP bookmark. If SSO is used, then the credentials used to login to SSL VPN will be automatically used when connecting to a remote RDP server.

Syntax

conf vpn ssl web user-bookmark edit <name> config bookmarks edit <name> set apptype rdp set host “x.x.x.x” set port <value> set sso [disable | auto]

next

end

next end

(5.6)

SSL VPN (5.6)

New SSL VPN features added to FortiOS 5.6.

Remote desktop configuration changes (410648)

If NLA security is chosen when creating an RDP bookmark, a username and password must be provided. However there may be instances where the user might want to use a blank password, despite being highly unrecommended. If a username is provided but the password is empty, the CLI will display a warning. See example CLI below, where the warning appears as a caution before finishing the command:

config vpn ssl web user-group-bookmark edit <group-name> config bookmarks edit <bookmark-name> set apptype rdp set host 172.16.200.121 set security nla set port 3389 set logon-user <username>

next

end

Warning: password is empty. It might fail user authentication and remote desktop connection would be failed.

end

If no username (logon-user) is specified, the following warning message will appear:

Please enter user name for RDP security method NLA. object set operator error, -2010 discard the setting Command fail. Return code -2010

SSL VPN supports WAN link load balancing interface (396236)

New CLI command to set virtual-wan-link as the destination interface in a firewall policy (when SSL VPN is the source interface) for WAN link load balancing. This allows logging into a FortiGate via SSL VPN for traffic inspection and then have outbound traffic load balanced by WAN link load balancing.

CLI syntax

config firewall policy edit <example> set dstintf virtual-wan-link

end

SSL VPN login timeout to support high latency (394583)

With long network latency, the FortiGate can timeout the client before it can finish negotiation processes, such as DNS lookup and time to enter a token. Two new CLI commands under config vpn ssl settings have been added that allow the login timeout to be configured, replacing the previous hard timeout value. The second command can be used to set the SSL VPN maximum DTLS hello timeout.

SSL VPN (5.6)

CLI syntax

config vpn ssl settings edit <example> set login-timeout [10-180] Default is 30 seconds.

set dtls-hello-timeout [10-60] Default is 10 seconds.

end

SSL VPN supports Windows 10 OS check (387276)

A new CLI field has been added to the os-check-list under config vpn ssl web portal to allow OS checking for Windows 10.

CLI syntax

config vpn ssl web portal edit <example> set os-check enable config os-check-list windows-10 set action {deny | allow | check-up-to-date}

end

end

SSL VPN DNS suffix per portal and number of portals (383754)

A new CLI command under config vpn ssl web portal to implement a DNS suffix per SSL VPN portal. Each suffix setting for each specific portal will override the dns-suffix setting under config vpn ssl settings.

This feature also raises bookmark limits and the number of portals that can be supported, depending on what FortiGate series model is used:

l 650 portals on 1000D series l 1300 portals on 2000E series l 2600 portals on 3000D series

The previous limit for 1000D series models, for example, was 256 portals.

CLI syntax

config vpn ssl web portal edit <example> set dns-suffix <string>

end

New SSL VPN timeout settings (379870)

New SSL VPN timeout settings have been introduced to counter ‘Slowloris’ and ‘R-U-Dead-Yet’ vulnerabilities that allow remote attackers to cause a denial of service via partial HTTP requests.

The FortiGate solution is to add two attributes (http-request-header-timeout and http-requestbody-timeout).

(5.6)

CLI syntax

config vpn ssl settings set http-request-header-timeout [1-60] (seconds) set http-request-body-timeout [1-60] (seconds)

end

Personal bookmark improvements (377500)

You can now move and clone personal bookmarks in the GUI and CLI.

CLI syntax

config vpn ssl web user-bookmark edit ‘name’ config bookmarks move bookmark1 after/before clone bookmark1 to

next

end

New controls for SSL VPN client login limits (376983)

Removed the limitation of SSL VPN user login failure time, by linking SSL VPN user setting with config user settings and provided a new option to remove SSL VPN login attempts limitation. New CLI allows the administrator to configure the number of times wrong credentials are allowed before SSL VPN server blocks an IP address, and also how long the block would last.

CLI syntax

config vpn ssl settings set login-attempt-limit [0-10] Default is 2.

set login-block-time [0-86400] Default is 60 seconds. end

Unrated category removed from ssl-exempt (356428)

The “Unrated” category has been removed from the SSL Exempt/Web Category list.

Clipboard support for SSL VPN remote desktop connections (307465)

A remote desktop clipboard viewer pane has been added which allows user to copy, interact with and overwrite remote desktop clipboard contents.

System (5.6.1)

System (5.6.1)

New system administration features added to FortiOS 5.6.1.

Use self-sign as default GUI certificate if BIOS cert is using SHA-1 (403152)

For increased security, SHA-1 certificate has been replaced by self-sign certificate as the default GUI certificate, if the BIOS certificate is using SHA-1.

Administrator timeout override per access profile (413543)

The GUI is often used for central monitoring. To do this requires the inactivity timeout to be increased, to avoid an admin having to constantly log in over again. This new feature allows the admintimeout value, under config system accprofile, to be overridden per access profile.

Note that this can be achieved on a per-profile basis, to avoid the option from being unintentionally set globally.

CLI Syntax – Configure admin timeout

config system accprofile edit <name> set admintimeout-override {enable | disable} set admintimeout <0-480> – (default = 10, 0 = unlimited)

next

end

New execute script command (423159)

A new execute command has been introduced to merge arbitrary configlets into the running configuration from script. The command’s authentication can be carried out using either username and password or with a certificate. This command supports FTP/TFTP and SCP.

An important benefit of this feature is that if the configuration in the script fails (i.e. a syntax error), the system will revert back to running configurations without interrupting the network.

CLI Syntax – Load script from FTP/TFTP/SCP server to firewall

execute restore scripts <ftp | tftp | scp> <dir / filename in server> <server ip> <username> <password>

FortiCache as an external cache service for FortiOS (435830)

A CLI configuration was added to allow the FortiGateto use FortiCache as an external cache service.

Global configuration

config wanopt forticache-service set status enable set local-cache-id “100d-bhan” set remote-forticache-id “3kc-bhan” set remote-forticache-ip 192.99.1.99

System (5.6)

end (Help Text) status Enable/disable using FortiCache as web-cache storage. local-cache-id ID that this device uses to connect to the remote FortiCache. remote-forticache-id ID of the FortiCache to which the device connects. remote-forticache-ip IP address of the FortiCache to which the device connects. (status)

# set status disable Use local disks as web-cache storage. enable Use a remote FortiCache as web-cache storage.

(local-cache-id)

# set local-cache-id

<string> please input string value

(remote-forticache-id)

# set remote-forticache-id

<string> please input string value

(remote-forticache-ip)

# set remote-forticache-ip

<any_ip> Any ip xxx.xxx.xxx.xxx

(Help Text) config wanopt auth-group Configure WAN optimization authentication groups.

System (5.6)

New system administration features added to FortiOS 5.6.

Remove CLI commands from 1-CPU platforms (405321)

Two CLI commands that set CPU affinity have been removed from 1-CPU platforms since they do not have any impact on these platforms. The commands are config system global > set miglog-affinity and config system global > set av-affinity <string>.

New SNMP trap for bypass events (307329)

When bypass mode is enabled or disabled on FortiGate units that are equipped with bypass interfaces and support AMC modules, a new SNMP trap is generated and logs bypass events.

System

Implement SNMP support for NAT Session monitoring which includes new SNMP OIDs (383661)

FortiOS 5.6 implements a new feature providing SNMP support for NAT session monitoring. The resulting new SNMP object identifier (OID) is:

FORTINET-FORTIGATE-

MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwIppools.fgFwIppTables.fgFwIppStatsTable.fgFwIppStatsEntry 1.3.6.1.4.1.12356.101.5.3.2.1.1

Additionally, there are eight new items:

.fgFwIppStatsName .1

.fgFwIppStatsType .2

.fgFwIppStatsStartIp .3

.fgFwIppStatsEndIp .4

.fgFwIppStatsTotalSessions .5

.fgFwIppStatsTcpSessions .6

.fgFwIppStatsUdpSessions .7

.fgFwIppStatsOtherSessions .8

New extended database version OIDs for AV and IPS (402162)

New extended database version OIDs ensure accurate display of the AntiVirus and IPS databases in use when you go to System > FortiGuard.

Administrator password encryption hash upgraded from SHA1 to SHA256 (391576)

The encryption has for administrator passwords is upgraded from SHA1 to SHA256.

Downgrades from FortiOS 5.6->5.4->5.2->5.0 will keep the administrator password usable. If you need to downgrade to FortiOS 4.3, remove the password before the downgrade, then login after the downgrade and reset password.

Allow multiple FortiManager addresses when configuring central management (388083)

Central management configuration can now support multiple FortiManager addresses. This feature is mainly to help the case where the FortiGate unit is behind NAT.

FortiGuard can determine a FortiGate’s location from its public IP address (393972)

A new CLI command allows users to determine a FortiGate’s location from its public IP address through FortiGuard .

The new CLI command is diagnose system waninfo.

System (5.6)

Deletion of multiple saved configurations supported (308936)

The FortiGate will save multiple configurations and images when revision-backup-on-logout and revision-image-auto-backup are enabled in config system global.

The deletion of multiple saved configurations is now possible due to changes in the CLI command execute revision delete config <revision ID>. Where the command only allowed for one revision ID at a time, it now allows almost ten.

New CLI option to limit script output size (388221)

The new CLI command set output-size limits the size of an auto script in megabytes and prevents the memory from being used up by the script’s output.

CLI Syntax

config system auto-script edit <script name> set output-size <integer>

next

end

Enter an integer value from 10 to 1024. Default is 10.

Enable / disable logging of SSL connection events (375582)

New CLI commands are added to give the user the option to enable or disable logging of SSL connection events.

CLI Syntax

config system global set log-ssl-connection {enable | disable}

end

Default is disable.

Enabling or disabling static key ciphers (379616)

There is a new option in system global to enable or disable static key ciphers in SSL/TLS connections (e.g,. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). The default is enable.

CLI Syntax

config system global set ssl-static-key-ciphers {enable | disable}

end

Enhancements to IPS Signatures page (285543)

The IPS signatures list page now shows which IPS package is currently deployed. You can also change the IPS package by hovering over the information icon next to the IPS package name. Text appears that links directly to System

the FortiGate’s System > FortiGuard page from the IPS Signatures list page.

Combine multiple commands into a CLI alias (308921)

You can add one or more CLI command to a CLI alias, then use the alias command to run the alias that you have created to execute the stored commands. For example, create the following alias to run the get system status command:

config system alias edit “version” set command “get system status”

end

Then you can use the following command to run the alias:

alias version

You can use command abbreviations (for example: g sys stat instead of get system status). Use quotes around the syntax if there are spaces (there usually are).

You can enter alias followed by a ? to view the aliases that you have added.

You can add multiple commands to an alias by pressing Ctrl-Enter after the first line. Press enter at the end of subsequent lines. And the end of the last line add second quote and press Enter to end the command.

config system alias edit “debug_flow” set command “diag debug enable diag debug flow show console enable”

end

You can include config commands in an alias as well, for example, create the following alias to bring the port1 and port2 interfaces down:

config system alias edit port12down set command “config system interface edit port1 set status down next edit port2 set status down

end”

end

You can combine config, execute, get, and diagnose commands in the same alias, for example:

config system alias edit “show-info” set command “show full-configuration alertemail setting get sys status dia sys top” end

VDOMs (5.6.1)

This section describes new VDOM features added to FortiOS 5.6.1.

Create a virtual switch that allows multiple VDOMs to use the same physical interface or

VLAN (436206)

This feature allows multiple VDOMs to access the same network or the Internet using the same physical interface rather than requiring each VDOM to have its own Internet-facing interface.

To create this configuration, consider a FortiGate with three VDOMs:

config vdom edit root

next edit vdom1

next edit vdom2

end

Create inter-VDOM links for vdom1 and vdom2. The inter-VDOM links should have their type set to ethernet.

config system vdom-link edit “vlnk1” set type ethernet

next edit “vlnk2” set type ethernet

end

These commands create the following four interfaces:

• vlnk1 creates the interfaces vlnk10 and vlnk11 l vlnk2 creates the interfaces vlnk20 and vlnk21

Then create a virtual switch, add it to the root VDOM, and add the first interface created for each inter-VDOM link to it along with the physical interface or VLAN that the VDOMs will use to connect to the external network. In this example, the VDOMs will all connect to the Internet through the wan1 interface.

config system switch-interface edit “vs1” set vdom “root”

set member “wan1” “vlnk10” “vlnk20”

end

Then distribute the interfaces in the virtual switch to the respective VDOMs and configure the required IP settings. In this example:

• wan1, vlnk10, and vlnk20 are added to the root VDOM l vlnk11 is added to vdom1 l vlnk21 is added to vdom2 l wan1, vlnk11 and vlnk21 are configured with IP addresses on the same subnet. The example uses internal IP addresses that may not be appropriate for your network.

config system interface edit “wan1”

VoIP/SIP

set vdom “root”

set ip 10.1.1.101 255.255.255.0

next edit “vlnk10” set vdom “root” set type vdom-link

next edit “vlnk20” set vdom “root” set type vdom-link

next edit “vlnk11” set vdom “vdom1”

set ip 10.1.1.102 255.255.255.0 set type vdom-link

next edit “vlnk21” set vdom “vdom2”

set ip 10.1.1.103 255.255.255.0 set type vdom-link

end

VoIP/SIP (5.6)

This chapter describes new VoIP and SIP features added to FortiOS 5.6.

SIP strict-register enabled by default in VoIP Profiles (380830)

If strict-register is disabled, when REGISTER is received by a FortiGate, the source address (usually the IP address of PBX) and ports (usually port 5060) are translated by NAT to the external address of the FortiGate and port 65476. Pinholes are then opened for SIP and RTP. This tells the SIP provider to send incoming SIP traffic to the external address of the FortiGate on port 65476.

This creates a security hole since the port is open regardless of the source IP address so an attacker who scans all the ports by sending REGISTER messages to the external IP of the FortiGate will eventually have one register go through.

When strict-register is enabled (the new default) the pinhole is smaller because it will only accept packets from the SIP server.

Enabling strict-register can cause problems when the SIP registrar and SIP proxy server are separate entities with separate IP addresses.

SIP diagnose command improvements (376853)

A diagnose command has been added to the CLI that outputs VDOM data located in the voipd daemon.

diagnose sys sip-proxy vdom

Example

(global) # diagnose sys sip-proxy vdom VDOM list by id:

VoIP/SIP (5.6)

vdom 0 root (Kernel: root) vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom) vdom 2 test2 (Kernel: test2) vdom 3 test3 (Kernel: test3) vdom 4 vdoma2 (Kernel: vdoma2) vdom 5 vdomb2 (Kernel: vdomb2) vdom 6 vdomc2 (Kernel: vdomc2) vdom 7 vdoma (Kernel: vdoma) vdom 8 vdomb (Kernel: vdomb) vdom 9 vdomc (Kernel: vdomc) VDOM list by name: vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom) vdom 0 root (Kernel: root) vdom 2 test2 (Kernel: test2) vdom 3 test3 (Kernel: test3) vdom 7 vdoma (Kernel: vdoma) vdom 4 vdoma2 (Kernel: vdoma2) vdom 8 vdomb (Kernel: vdomb) vdom 5 vdomb2 (Kernel: vdomb2) vdom 9 vdomc (Kernel: vdomc) vdom 6 vdomc2 (Kernel: vdomc2)

WiFi (5.6.1)

New WiFi features added to FortiOS 5.6.1.

Support for various FortiAP models (416177) (435638)

FortiAP units FAP-U321EV, FAP-U323EV, FAP-S221E, FAP-S223E, and FAP-222E are supported by FortiOS

5.6.1.

As part of this support, new CLI attributes have been added under config wireless-controller wtpprofile to manage their profiles.

CLI syntax

config wireless-controller wtp-profile edit <model> config platform set type <model>

end set ap-country <code> config radio-1 set band 802.11n

end config radio-2 set band 802.11ac

end

next

end

New Managed AP Groups and Dynamic VLAN Assignment (436267)

The FortiGate can create FortiAP Groups, under WiFi & Switch Controller > Managed Devices > Managed FortiAPs by selecting Create New > Managed AP Group, where multiple APs can be managed. AP grouping allows specific profile settings to be applied to many APs all at once that belong to a certain AP group, simplifying the administrative workload.

Note that each AP can only belong to one group.

In addition, VLANs can be assigned dynamically based on the group which an AP belongs. When defining an SSID, under WiFi & Switch Controlller > SSID, a setting called VLAN Pooling can be enabled where you can either assign the VLAN ID of the AP group the device is connected to, to each device as it is detected, or to always assign the same VLAN ID to a specific device. Dynamic VLAN assignment allows the same SSID to be deployed to many APs, avoiding the need to produce multiple SSIDs.

GUI support for configuring multiple pre-shared keys for SSID interfaces (406321)

Multiple pre-shared keys can be created per SSID. When creating a new SSID, enable Multiple Pre-shared Keys under WiFi Settings.

(5.6.1)

FortiAP Bluetooth Low Energy (BLE) Scan (438274)

The FortiGate can configure FortiAP Bluetooth Low Energy (BLE) scan, incorporating Google’s BLE beacon profile known as Eddystone, used to identify groups of devices and individual devices.

As part of this support, new CLI attributes have been added under config wireless-controller timers and config wireless-controller wtp-profile, including a new CLI command, config wireless-controller ble-profile.

CLI syntax – Configure BLE report intervals

config wireless-controller timers set ble-scan-report-intv – (default = 30 sec)

end

CLI syntax – Assign BLE profiles to WTP profiles

config wireless-controller wtp-profile edit <name> set ble-profile <name>

next

end

CLI syntax – Configure BLE profiles

config wireless-controller ble-profile edit <name> set comment <comment>

set advertising {ibeacon | eddystone-uid | eddystone-url} set ibeacon-uuid <uuid> set major-id <0 – 65535> – (default = 1000) set minor-id <0 – 65535> – (default = 1000) set eddystone-namespace <10-byte namespace> set eddystone-instance <device id> set eddystone-url <url> set txpower <0 – 12> – (default = 0) set beacon-interval <40 – 3500> – (default = 100) set ble-scanning {enable | disable} – (default = disable)

next

end

Note that txpower determines the transmit power level on a scale of 0-12:

• 0: -21 dBm l 1: -18 dBm l 2: -15 dBm l 3: -12 dBm l 4: -9 dBm
• 5: -6 dBm l 6: -3 dBm l 7: 0 dBm l 8: 1 dBm l 9: 2 dBm l 10: 3 dBm l 11: 4 dBm l 12: 5 dBm

WiFi client monitor page search enhanced (440709)

WiFi Cient Monitor page (Monitor > WiFi Client Monitor) now supports search function.

WiFi (5.6)

New WiFi features added to FortiOS 5.6.

Captive Portal Authentication with FortiAP in Bridge Mode (408915)

The FortiGate can operate as a web captive portal server to serve the captive portal local bridge mode.

A new CLI command has been added under config wireless-controller vap to set the captive portal type to CMCC, a wireless cipher.

CLI syntax

config wireless-controller vap edit <name> set portal-type { … | cmcc}

next

end

802.11kv(r) support (405498, 395037)

New CLI commands have been added under config wireless-controller vap to set various 802.11kvr settings, or Voice Enterprise (802.11kv) and Fast Basic Service Set (BSS) Transition (802.11r), to provide faster and more intelligent roaming for the client.

CLI syntax

config wireless-controller vap edit <name> set voice-enterprise {enable | disable} set fast-bss-transition {enable | disable} set ft-mobility-domain set ft-r0-key-lifetime [1-65535] set ft-over-ds {enable | disable}

next end

External Captive Portal authentication with FortiAP in Bridge Mode (403115, 384872)

New CLI commands have been added under config wireless-controller vap to set various options for external captive portal with FortiAP in Bridge Mode. The commands set the standalone captive portal server category, the server’s domain name or IP address, secret key to access the RADIUS server, and the standalone captive portal Access Controller (AC) name.

Note that these commands are only available when local-standalone is set to enable and security is set to captive-portal.

CLI syntax

config wireless-controller vap edit <name> set captive-portal-category {FortiCloud | CMCC} Default is FortiCloud. set captive-portal-radius-server <server> set captive-portal-radius-secret <password> set captive-portal-ac-name <name>

next

end

Japan DFS support for FAP-421E/423E/S421E/S423E (402287, 401434)

Korea and Japan Dynamic Frequency Selection (DFS) certification has been added for FAP-

421E/423E/S421E/S423E. DFS is a mechanism that allows WLANs to select a frequency that does not interfere with certain radar systems while operating in the 5 GHz band.

802.3az support on WAVE2 WiFi APs (400558)

A new CLI command has been added under config wireless-controller wtp-profile to enable or disable use of Energy-Efficient Ethernet (EEE) on WTP, allowing for less power consumption during periods of low data activity.

CLI syntax

config wireless-controller wtp-profile edit <profile-name> set energy-efficient-ethernet {enable|disable}

end

CLI command update made in wids-profile (400263)

The CLI command rogue-scan under config wireless-controller wids-profile has been changed to sensor-mode and allows easier configuration of radio sensor mode. Note that while foreign enables radio sensor mode on foreign channels only, both enables the feature on foreign and home channels.

CLI syntax

config wireless-controller wids-profile edit <example> set sensor-mode {disable|foreign|both}

end

Channel utilization, FortiPresence support on AP mode, QoS enhancement for voice

(399134, 377562)

A new CLI command has been added, config wireless-controller qos-profile, to configure

quality of service (QoS) profiles where you can add WiFi multi-media (WMM) control and Differentiated Services Code Point (DSCP) mapping.

Note that:

• call-capacity and bandwidth-admission-control are only available when call-admissioncontrol is set to enable. l bandwidth-capacity is only available when bandwidth-admission-control is set to enable. l All DSCP mapping options are only available when dscp-wmm-mapping is set to enable.
• wmm is already set to enable by default. If wmm is set to disable, the following entries are not available: wmm-

uapsd, call-admission-control, and dscp-wmm-mapping.

CLI syntax

config wireless-controller qos-profile edit <example> set comment <comment> set uplink [0-2097152] Default is 0 Kbps. set downlink [0-2097152] Default is 0 Kbps. set uplink-sta [0-2097152] Default is 0 Kbps. set downlink-sta [0-2097152] Default is 0 Kbps. set burst {enable|disable} Default is disable. set wmm {enable|disable} Default is enable. set wmm-uapsd {enable|disable} Default is enable.

set call-admission-control {enable|disable} Default is disable. set call-capacity [0-60] Default is 10 phones. set bandwidth-admission-control {enable|disable} Default is disable. set bandwidth-capacity [1-600000] Default is 2000 Kbps. set dscp-wmm-mapping {enable|disable} Default is disable. set dscp-wmm-vo [0-63] Default is 48 56. set dscp-wmm-vi [0-63] Default is 32 40. set dscp-wmm-be [0-63] Default is 0 24. set dscp-wmm-bk [0-63] Default is 8 16.

QoS profiles can be assigned under the config wireless-controller vap command using qosprofile.

FortiCloud managed APs can now be applied a bandwidth restriction or rate limitation based on SSID. For instance if guest and employee SSIDs are available, you can rate limit guest access to a certain rate to accommodate for employees. This feature also applies a rate limit based on the application in use, as APs are application aware.

FAP-U421E and FAP-U423E support (397900)

Two Universal FortiAP models support FortiOS 5.6. Their default profiles are added under config wirelesscontroller wtp-profiles, as shown below:

CLI syntax

config wireless-controller wtp-profile edit “FAPU421E-default” config platform set type U421E

end set ap-country US config radio-1 set band 802.11n

end config radio-2 set band 802.11ac

end

next

end

config wireless-controller wtp-profile edit “FAPU423E-default” config platform set type U423E

end set ap-country US config radio-1 set band 802.11n

end config radio-2 set band 802.11ac

end

next

end

Minor reorganization of WiFi GUI entries (396497)

WiFi & Switch Controller GUI entries Managed FortiAPs, SSID, FortiAP Profiles, and WIDS Profiles have been reorganized.

Multiple PSK support for WPA personal (393320, 264744)

New CLI commands have been added, under config wireless-controller vap, to configure multiple WiFi Protected Access Pre-Shared Keys (WPA-PSKs), as PSK is more secure without all devices having to share the same PSK.

Note that, for the following multiple PSK related commands to become available, vdom, ssid, and passhphrase all have to be set first.

CLI syntax

config wireless-controller vap edit <example> set mpsk {enable|disable} set mpsk-concurrent-clients [0-65535] Default is 0. config mpsk-key edit key-name <example>

set passphrase <wpa-psk> set concurrent-clients [0-65535] Default is empty. set comment <comments>

next

end

end

Use the mpsk-concurrent-clients entry to set the maximum number of concurrent connected clients for each mpsk entry. Use the mpsk-key configuration method to configure multiple mpsk entries.

Table size of qos-profile has VDOM limit (388070)

The command config wireless-controller qos-profile now has VDOM table limit; there is no longer an unlimited number of entries within each VDOM.

Add “dhcp-lease-time” setting to local-standalone-nat VAP (384229)

When a Virtual Access Point (VAP) has been configured for a FortiAP, a DHCP server is automatically configured on the FortiAP side with a hard lease time. A new CLI command under config wireless-controller vap has been added to customize the DHCP lease time for NAT IP address. This is to solve issues where the DHCP IP pool was exhausted when the number of clients grew too large for the lease time span.

Note that the new command, dhcp-lease-time, is only available when local-standalone is set to enable, then setting local-standalone-nat to enable.

CLI syntax

config wireless-controller vap edit <example> set local-standalone {enable|disable} set local-standalone-nat {enable|disable} set dhcp-lease-time [300-8640000] Default is 2400 seconds.

end

New CLI command to configure LDPC for FortiAP (383864)

Previously, LDPC value on FortiAP could only be changed on FortiAP local CLI. Syntax has been added in FortiOS CLI under the ‘wireless-controller.vap’ entry to configure the LDPC value on FortiAP.

CLI Syntax

configure wireless-controller vap edit 1 set ldpc [enable|rx|tx|disable]

end

New region code/SKU for Indonesia (382926)

A new country region code, F, has been added to meet Indonesia’s WiFi channel requirements. Indonesia previously belonged to region code W.

FortiAP RMA support added (381936)

New CLI command fortiap added under exe replace-device to replace an old FortiAP’s serial number with a new one.

CLI Syntax execute replace-device fortiap <old-fortiap-id> <new-fortiap-id>

Support fixed-length 64-hex digit for WPA-Personal passphrase (381030)

WPA-Personal passphrase now supports a fixed-length of 64 hexadecimal digits.

Allow FortiGates to manage cloud-based FortiAPs (380150)

FortiGates can now manage cloud-based FortiAPs using the new fapc-compatibility command under wireless-controller setting.

If enabled, default FAP-C wtp-profiles will be added. If disabled, FAP-C related CMDB configurations will be removed: wtp-group in vap’s vlan-pool, wtp-group, ws, wtp, wtp-profile.

CLI syntax

config wireless-controller setting set country CN

set fapc-compatibility [enable|disable] end

You will receive an error message when trying to change country while fapccompatibility is enabled. You need to disable fapc-compatibility before changing to an FAPC unsupported country.

Use IPsec instead of DTLS to protect CAPWAP tunnels (379502)

This feature is to utilize FortiAP hardware to improve the throughput of tunneled data traffic by using IPsec when data security is enabled.

“AES-256-CBC & SHA256” algorithm and “dh_group 15” are used for both CAPWAP IPsec phase1 and phase 2.

FAP320B will not support this feature due to its limited capacity of free flash.

New option added to support only one IP per one endpoint association (378207)

When users change configuration, the radiusd will reset all configurations and refresh all logons in the kernel. All these actions are done in the one loop. A CLI option has been added to enable/disable replacement of an old IP address with a new IP address for the same endpoint on RADIUS accounting start.

CLI Syntax

configure user radius edit radius-root

set rsso-ep-one-ip-only [enable|disable]

next

end

FAP-222C-K DFS support (377795)

Dynamic Frequency Selection (DFS) bands can now be configured for FortiAP 222C-K.

Note that this FortiAP model has the Korean region code (K), but ap-country under config wirelesscontroller wtp-profile still needs to be set to KR.

CLI syntax

config wireless-controller wtp-profile edit <K-FAP222C> config platform set type <222C>

end set ap-country KR config radio-2 set band <802.11ac> set vap-all <disable> set vaps “vap-vd-07”

set channel “52” “56” “60” “64” “100” “104” “108” “112” “116” “120” “124” “128”

“132” “136” “140” end

next

end

Dynamic VLAN support in standalone mode (377298)

Dynamic VLAN is now supported in standalone mode. Previously, dynamic VLAN only worked in local bridge mode.

CLI-only features added to GUI (376891)

Previously CLI-only features have been added to the GUI under FortiAP Profiles, Managed FortiAPs, and SSID. Also fixed issue where the correct value is displayed when viewing the WIDS Profile notification icon under FortiAP Profiles.

Managed AP GUI update (375376)

Upgraded Managed FortiAPs dialog page to a newer style, including icons for SSID and LAN port.

Bonjour gateway support (373659)

Bonjour gateway now supported for WiFi networks.

Syntax

config wireless-controller bonjour-profile edit 0 set comment “comment” config policy-list

edit 1 set description “description” set from-vlan [0-4094] Default is 0. set to-vlan [0-4094|all] Default is all.

set services [all|airplay|afp|bittorrent|ftp|ichat|itunes|printers|samba|scanners|ssh|chromecast]

next

end

next

end

FAP421E/423E wave2 support (371374)

Previously removed wave2 FAP421E and FAP423E models have been reinstated and are now supported again. The models are available again through the CLI and GUI. These models are listed under the Platform dropdown menu when creating a new FortiAP Profile under WiFi & Switch Controller > FortiAP Profiles.

CLI syntax

config wireless-controller wtp-profile edit <example> config platform set type <…|421E|423E>

end

end

WiFi Health Monitor GUI changes (308317)

The Wifi Health Monitor page has been improved, including the following changes:

• Flowchart used for diagrams l Chart used for interference and AP clients l Removed spectrum analysis l Added functionality to upgrade FortiAP firmware
• Added option to view both 2.4GHz and 5GHz data simultaneously

AP Profile GUI page updates (298266)

The AP Profile GUI page has been upgraded to a new style including AngularJS code.

1+1 Wireless Controller HA (294656)

Instances of failover between FortiAP units was too long and lead to extended periods of time where WiFi users were without network connection. Because WiFi is considered a primary network connection in today’s verticals (including enterprise, retail, education, warehousing, healthcare, government, and more), it is necessary for successful failover to occur as fast as possible.

You can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects the FortiGate. This process was previously decided on load-based detection, but can now be defined by each unit’s pre-determined priority. In addition, heartbeat intervals have been lowered to further improve FortiAP awareness and successful failover.

Syntax

config wireless-controller inter-controller set inter-controller-mode {disable | l2-roaming | 1+1} Default is disable. set inter-controller-key <password> set inter-controller-pri {primary | secondary} Default is primary. set fast-failover-max [3-64] Default is 10. set fast-failover-wait [10-86400] Default is 10. config inter-controller-peer edit <name> set peer-ip <ip-address> set peer-port [1024-49150] Default is 5246.

set peer-priority {primary | secondary} Default is primary. next

end

end

Support for duplicate SSID names on tunnel and bridge mode interfaces (278955)

When duplicate-ssid is enabled in the CLI, this feature allows VAPs to use the same SSID name in the same VDOM. When disabled, all SSIDs in WLAN interface will be checked—if duplicate SSIDs exist, an error message will be displayed. When duplicate-ssid is enabled in the CLI, duplicate SSID check is removed in “Edit SSID” GUI page.

Syntax

config wireless-controller setting set duplicate-ssid [enable|disable] next

end

Controlled failover between wireless controllers (249515)

Instances of failover between FortiAP units was too long and lead to extended periods of time where WiFi users were without network connection. Because WiFi is considered a primary network connection in today’s verticals (including enterprise, retail, education, warehousing, healthcare, government, and more), it is necessary for successful failover to occur as fast as possible.

Administrators can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects the FortiGate. This process was decided on load-based detection, but can now be defined by each unit’s pre-determined priority. In addition, heartbeat intervals have been lowered to further improve FortiAP awareness and successful failover.

Executive Summary

This chapter briefly highlights some of the higher profile new FortiOS 5.6 features, some of which have been enhanced for FortiOS 5.6.2.

Security Fabric enhancements

Security Fabric features and functionality continue to evolve. New features include improved performance and integration, a security audit function that finds possible problems with your network and recommends solutions, security fabric dashboard widgets, improved device detection, and the remote login to other FortiGates on the fabric. See New Security Fabric features on page 20.

Security Fabric Audit

The Security Fabric Audit allows you to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices that could be used to improve your network’s overall security and performance. See Security Fabric Audit and Fabric Score on page 32.

Re-designed Dashboard

The Dashboard has been enhanced to show more information with greater flexibility and more functionality. See New Dashboard Features on page 40 for details.

NGFW Policy Mode

You can operate your FortiGate in NGFW policy mode to simplify applying Application control and Web Filtering to firewall traffic. See NGFW Policy Mode (371602) on page 57.

Flow-based inspection with profile-based NGFW mode is the default inspection mode in FortiOS 5.6.

Transparent web proxy

In addition to the Explicit Web Proxy, FortiOS now supports a Transparent web proxy. You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy. See Transparent web proxy (386474) on page 49.

Controlled failover between wireless controllers

Administrators can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects a FortiGate unit and how the FortiAP unit fails over to a backup FortiGate unit if the primary FortiGate Fails. See Controlled failover between wireless controllers on page 68.

FortiView Endpoint Vulnerability chart

A new FortiView chart that tracks vulnerability events detected by the FortiClients running on all devices registered with the FortiGate. See New FortiView Endpoint Vulnerability Scanner chart (378647) on page 61.

FortiClient Profile changes

FortiClient profiles have been re-organized and now use the FortiGate to warn or quarantine endpoints that are not compliant with a FortiClient profile. See FortiClient Profile changes (386267, 375049).

Adding Internet services to firewall policies

Internet service objects can be added to firewall policies instead of destination addresses and services. See Adding Internet services to firewall policies (389951).

Source and destination NAT in a single Firewall policy

Extensions to VIPs support more NAT options and other enhancements. See Combining source and destination NAT in the same policy (388718).

Other highlights

l Application Control is a free service l Real time logging to FortiAnalyzer and FortiCloud l Multiple PSK for WPA Personal (393320) l VXLAN support (289354) l NP6 Host Protection Engine (HPE) to add protection for DDoS attacks (363398) l FortiGate Logs can be sent to syslog servers in Common Event Format (CEF) (300128) l New PPPoE features

Introduction

Welcome and thank you for selecting Fortinet products for your network protection.

This chapter contains the following topics:

l Before you begin l How this guide is organized

Before you begin

Before you begin using this guide, please ensure that:

l You have administrative access to the web-based manager and/or CLI. l The FortiGate unit is integrated into your network. l The operation mode has been configured. l The system time, DNS settings, administrator password, and network interfaces have been configured. l Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed. l Any third-party software or servers have been configured using their documentation.

While using the instructions in this guide, note that administrators are assumed to be super_admin administrators unless otherwise specified. Some restrictions will apply to other administrators.

How this guide is organized

This Handbook chapter contains the following sections:

Introduction to authentication describes some basic elements and concepts of authentication.

Authentication servers describes external authentication servers, where a FortiGate unit fits into the topology, and how to configure a FortiGate unit to work with that type of authentication server.

Users and user groups describes the different types of user accounts and user groups. Authenticated access to resources is based on user identities and user group membership. Two-factor authentication methods, including FortiToken, provide additional security.

Managing Guest Access explains how to manage temporary accounts for visitors to your premises.

Configuring authenticated access provides detailed procedures for setting up authenticated access in security policies and authenticated access to VPNs.

Captive portals describes how to authenticate users through a web page that the FortiGate unit presents in response to any HTTP request until valid credentials are entered. This can be used for wired or WiFi network interfaces.

Certificate-based authentication describes authentication by means of X.509 certificates.

Single Sign-On using a FortiAuthenticator unit describes how to use a FortiAuthenticator unit as an SSO agent that can integrate with external network authentication systems such as RADIUS and LDAP to gather user logon information and send it to the FortiGate unit. Users can also log on through a FortiAuthenticator-based web portal or the FortiClient SSO Mobility Agent.

Single Sign-On to Windows AD describes how to set up Single Sign-On in a Windows AD network by configuring the FortiGate unit to poll domain controllers for information user logons and user privileges.

Agent-based FSSO describes how to set up Single Sign-On in Windows AD, Citrix, or Novell networks by installing Fortinet Single Sign On (FSSO) agents on domain controllers. The FortiGate unit receives information about user logons and allows access to network resources based on user group memberships.

SSO using RADIUS accounting records describes how to set up Single Sign-On in a network that uses RADIUS authentication. In this configuration, the RADIUS server send RADIUS accounting records to the FortiGate unit when users log on or off the network. The record includes a user group name that can be used in FortiGate security policies to determine which resources each user can access.

Monitoring authenticated users describes FortiOS authenticated user monitor screens.

Examples and Troubleshooting provides configuration examples and troubleshooting suggestions.

Whats New in FortiOS 5.6

The following section describes new authentication features added to FortiOS 5.6.0. and 5.6.1.

FortiOS 5.6.1

These features first appeared in FortiOS 5.6.1.

IPv6 RADIUS Support (309235, 402437, 439773)

RADIUS authentication is supported with IPv6, allowing administrators to configure an IPv6 RADIUS server on the FortiGate for IPv6 RADIUS authentication traffic to pass between the server and FortiGate.

Syntax

Allow IPv6 access on an interface:

config system interface edit <name> config ipv6 set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap} set ip6-address <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>

next

next

end

Configure the IPv6 RADIUS server:

config user radius edit <name> set server <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> …

next

end

Full certificate chain CRL checking (407988)

Certificate revocation/status check for peer certificates and intermediate CAs is now supported. Redesigned fnbam_auth_cert() API to use stack type of X509 instead of array for certificate chain. Removed obsolete fnbam API and parameters. Now authd, sslvpnd, and GUI send full certificate chains to fnbamd for verification.

5.6.1

New option under user > setting to allow/forbid SSL renegotiation in firewall authentication (386595)

A new option auth-ssl-allow-renegotiation is now available under config user setting to allow/forbid renegotiation. The default value is disable, where a session would be terminated by authd once renegotiation is detected and this login would be recorded as failure. Other behavior follows regular auth settings.

Syntax

config user setting set auth-ssl-allow-renegotiation {enable | disable}

end

New option to allow spaces in RADIUS DN format (422978)

Previously, IKEv2 RADIUS group authentication introduced a regression because it removed spaces from ASN.1 DN peer identifier string.

Reverted default DN format to include spaces. Added a new CLI option ike-dn-format to allow the user to select either with-space or no-space. Customers using the group-authentication option can select the ike-dn-format setting to match the format used in their RADIUS user database.

Added LDAP filter when group-member-check is user-attr (403140)

Added LDAP filter when group-member-check is user-attr. LDAP filter is deployed when checking user attribute.

Syntax

config user ldap edit <name> set group-filter ?

next

end

l group-filter is none by default, where the process is the same as before.

When group-filter is set, the LDAP filter takes effect for retrieving the group information.

Added Refresh button to the LDAP browser (416649)

Previously, cached LDAP data was used even if the LDAP server configuration was updated.

In FortiOS 5.6.1, a Refresh button has been added in the LDAP browser. In the LDAP server dialog page, the user can delete the DN field to browse the root level tree when clicking the Fetch DN button.

Differentiate DN option for user authentication and membership searching (435791)

Previously, LDAP used the same DN option for user authentication and membership searching. New CLI commands are introduced to config user ldap to resolve this issue:

• group-member-check user-attr

For user attribute checking, a new attribute group-search-base is added, which indicates the starting point for

5.6.1

the group search. If the group-search-base is not set, binddn is used as the search base. Removed searchtype when group-member-check is user-attr.

• group-member-check group-object

For group object checking, the group names in user group match rule will be picked up as the group search base. If there are multiple matching rules, each group name will trigger the ldapsearch query once. l group-member-check posix-group-object

Changed group-object-search-base to group-search-base for posix-group-object groupmember-check.

FTM Push when FAC is auth server (408273)

This feature adds support for FortiToken Mobile (FTM) push with FortiAuthenticator server in FortiOS. It also fixes a crash when adding a node to an RB tree, by checking if the same key has already been used in the tree. If yes, remove the node using the same key before adding a new node.

Non-blocking LDAP authentication (433700)

The previous LDAP authentication in fnbamd used openldap library. OpenLDAP supports non-blocking BIND but it is not event driven.

To support non-blocking LDAP in fnbamd, we stopped using the openLDAP library in fnbamd, instead using only liblber. Instead of using openLDAP, fnbamd will create its own event-driven connection with LDAP servers over LDAP/LDAPS/STARTTLS, make it non-blocking, do CRL checking if necessary, and compose all LDAP requests using liblber (including bind, unbind, search, password renewal, password query, send request and receive response, and parse response). The whole process is done in one connection.

This doesn’t change any openLDAP implementation but moves some data structure definitions and API definitions from some internal header files to public header files.

Manual certificate SCEP renewal (423997)

Added support of manual certificate SCEP renewal besides the auto-regeneration feature that already exists.

More detailed RADIUS responses shown in connectivity test (434303)

Improved on-demand test connectivity for RADIUS servers. Test results show RADIUS server reachability, NAS client rejection, and invalid User/Password. Test also shows RADIUS Attributes returned from the RADIUS server.

Example

FG100D3G12807101 # diagnose test authserver radius-direct

<server_name or IP> <port no(0 default port)> <secret> <user> <password>

FG100D3G12807101 # diagnose test authserver radius-direct 1.1.1.1 0 dd RADIUS server ‘1.1.1.1’ status is Server unreachable

FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 dd

RADIUS server ‘172.18.5.28’ status is Secret invalid

FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 fortinet jeff1 asdfasdf

5.6.0

RADIUS server ‘172.18.5.28’ status is OK Access-Reject

FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 fortinet ychen1 asdfasdf

RADIUS server ‘172.18.5.28’ status is OK

Access-Accept

AVP: l=6 t=Framed-Protocol(7) Value: 1

AVP: l=6 t=Service-Type(6) Value: 2

AVP: l=46 t=Class(25)

Value: 9e 2a 08 6d 00 00 01 37 00 01 17 00 fe 80 00 00 00 00 00 00 00 00 5e fe ac 12 05

1c 01 d2 cd b6 75 a6 80 56 00 00 00 00 00 00 00 1c

AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311) VSA: l=6 t=MS-Link-Utilization-Threshold(14) Value: 50

AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311)

VSA: l=6 t=MS-Link-Drop-Time-Limit(15) Value: 120

Firewall user authentication timeout range increased (378085)

The firewall user authentication timeout max value has increased from 3 days to 30 days.

Syntax

config user group set authtimeout <0 – 43200>

end

FortiOS 5.6.0

These features first appeared in FortiOS 5.6.0.

FortiToken Mobile Push (397912, 408273, 399839, 404872)

FortiToken Mobile push supports two-factor authentication without requiring users to enter a four-digit code to authenticate. Instead they can just accept the authentication request from their FortiToken Mobile app.

A new command has been added under config system ftm-push allowing you to configure the FortiToken

Mobile Push services server IP address and port number. The Push service is provided by Apple (APNS) and Google (GCM) for iPhone and Android smartphones respectively. This will help to avoid tokens becoming locked after an already enabled two-factor authentication user has been disabled. In addition, FortiOS supports FTM Push when FortiAuthenticator is the authentication server.

CLI syntax

config system ftm-push set server-ip <ip-address> set server-port [1-65535] Default is 4433. end

5.6.0

In addition, FTM Push is supported on administrator login and SSL VPN login for both iOS and Android. If an SSL VPN user authenticates with their token, then logs out and attempts to reauthenticate again within a minute, a new message will display showing “Please wait x seconds to login again.” This replaces a previous error/permission denied message.

The “x” value will depend on the calculation of how much time is left in the current time step.

CLI syntax

config system interface edit <name> set allowaccess ftm

next

end

Support V4 BIOS certificate (392960)

FortiOS now supports backwards compatibility between new BIOS version 4 and old BIOS version 3.

New BIOS V4 certificates:

• Fortinet_CA l Fortinet_Sub_CA l Fortinet_Factory

Old BIOS V3 certificates:

• Fortinet_CA_Backup l Fortinet_Factory_Backup

When FortiOS connects to FortiGuard, FortiCloud, FortiManager, FortiAnalyzer, FortiSandbox as a client, the new BIOS certificate Fortinet_Factory will be the default client certificate. When the server returns its certificate (chain) back, FortiOS looks up the issuer of the server certificate and either keeps client certificate as is or switches to the old BIOS certificate Fortinet_Factory_Backup. This process occurs in one handshake.

When FortiOS connects to FortiCare, the new BIOS certificate Fortinet_Factory is the only client certificate and Server Name Indication (SNI) is set. There is no switchover of certificate during SSL handshake.

When FortiOS acts as a server when connected by FortiExtender, FortiSwitch, FortiAP, etc., Fortinet_Factory is the default server certificate. FortiOS detects SNI in client hello, and if no SNI is found or if the CN in SNI is different from the CN of Fortinet_CA, it switches to use the old Fortinet_Factory_Backup.

Support extendedKeyUsage for x.509 certificates (390393)

As per Network Device Collaborative Protection Profile (NDcPP) v1.0 requirements, server certificates used for TLS connections between FortiGate and FortiAnalyzer should have the “Server Authentication” and “Client Authentication” extendedKeyUsage fields in FIPS/CC mode.

To implement this, a new CLI command has been added under log fortianalyzer setting to allow you to specify the certificate used to communicate with FortiAnalyzer.

CLI syntax config log fortianalyzer setting

5.6.0

set certificate <name>

end

Administrator name added to system event log (386395)

The administrator’s name now appears in the system event log when the admin issues a user quarantine ban on a source address.

Support RSA-4096 bit key-length generation (380278)

In anticipation of quantum computers, RSA-4096 bit key-length CSRs can now be imported.

New commands added to config user ldap to set UPN processing method and filter name (383561)

Added two new commands to config user ldap allowing you to keep or strip domain string of UPN in the token as well as the search name for this kind of UPN.

CLI syntax:

config user ldap set account-key-processing set account-key-name

end

User authentication max timeout setting change (378085)

To accommodate wireless hotspot users authenticated on the FortiGate, the user authentication max timeout setting has been extended to three days (from one day, previously).

Changes to Authentication Settings > Certificates GUI (374980)

Added new icons for certificate types and updated formatters to use these new icons.

Password for private key configurable in both GUI and CLI (374593)

FortiOS 5.4.1 introduced a feature that allowed you to export a local certificate and its private key in password protected p12, and later import them to any device. This option to set password for private key was available only in the CLI (when requesting a new certificate via SCEP or generating a CSR). This feature is now also configurable through the GUI.

The new Password for private key option is available under System > Certificates when generating a new CSR.

RADIUS password encoding (365145)

A new CLI command, under config user radius, has been added to allow you to configure RADIUS password encoding to use ISO-8859-1 (as per RFC 2865).

Certain RADIUS servers use ISO-8859-1 password encoding instead of others such as UTF-8. In these instances, the server will fail to authenticate the user, if the user’s password is using UTF-8.

5.6.0

CLI syntax

config user radius edit <example> set password-encoding <auto | ISO-8859-1>

end

This option will be skipped if the auth-type is neither auto nor pap.

RSSO supports Delegated-IPv6-Prefix and Framed-IPv6-Prefix (290990)

Two attributes, Delegated-IPv6-Prefix and Framed-IPv6-Prefix, have been introduced for RSSO to provide a /56 prefix for DSL customers. All devices connected from the same location (/56 per subscriber) can be mapped to the same profile without the need to create multiple /64 or smaller entries.

What is authentication?

Businesses need to authenticate people who have access to company resources. In the physical world this may be a swipe card to enter the building, or a code to enter a locked door. If a person has this swipe card or code, they have been authenticated as someone allowed in that building or room.

Authentication is the act of confirming the identity of a person or other entity. In the context of a private computer network, the identities of users or host computers must be established to ensure that only authorized parties can access the network. The FortiGate unit enables controlled network access and applies authentication to users of security policies and VPN clients.

Methods of authentication

FortiGate unit authentication is divided into three basic types: password authentication for people, certificate authentication for hosts or endpoints, and two-factor authentication for additional security beyond just passwords. An exception to this is that FortiGate units in an HA cluster and FortiManager units use password authentication.

Password authentication verifies individual user identities, but access to network resources is based on membership in user groups. For example, a security policy can be configured to permit access only to the members of one or more user groups. Any user who attempts to access the network through that policy is then authenticated through a request for their username and password.

Methods of authentication include:

l Local password authentication l Server-based password authentication l Certificate-based authentication l Two-factor authentication

Local password authentication

The simplest authentication is based on user accounts stored locally on the FortiGate unit. For each account, a username and password is stored. The account also has a disable option so that you can suspend the account without deleting it.

Local user accounts work well for a single-FortiGate installation. If your network has multiple FortiGate units that will use the same accounts, the use of an external authentication server can simplify account configuration and maintenance.

You can create local user accounts in the web-based manager under User & Device > User Definition. This page is also used to create accounts where an external authentication server stores and verifies the password.

Server-based password authentication

Using external authentication servers is desirable when multiple FortiGate units need to authenticate the same users, or where the FortiGate unit is added to a network that already contains an authentication server. FortiOS supports the use of LDAP, RADIUS, TACACS+, AD or POP3 servers for authentication.

When you use an external authentication server to authenticate users, the FortiGate unit sends the user’s entered credentials to the external server. The password is encrypted. The server’s response indicates whether the supplied credentials are valid or not.

You must configure the FortiGate unit to access the external authentication servers that you want to use. The configuration includes the parameters that authenticate the FortiGate unit to the authentication server.

You can use external authentication servers in two ways:

• Create user accounts on the FortiGate unit, but instead of storing each user’s password, specify the server used to authenticate that user. As with accounts that store the password locally, you add these users to appropriate user groups.
• Add the authentication server to user groups. Any user who has an account on the server can be authenticated and have the access privileges of the FortiGate user group. Optionally, when an LDAP server is a FortiGate user group member, you can limit access to users who belong to specific groups defined on the LDAP server.

Certificate-based authentication

An RSA X.509 server certificate is a small file issued by a Certificate Authority (CA) that is installed on a computer or FortiGate unit to authenticate itself to other devices on the network. When one party on a network presents the certificate as authentication, the other party can validate that the certificate was issued by the CA. The identification is therefore as trustworthy as the Certificate Authority (CA) that issued the certificate.

To protect against compromised or misused certificates, CAs can revoke any certificate by adding it to a Certificate Revocation List (CRL). Certificate status can also be checked online using Online Certificate Status Protocol (OCSP).

RSA X.509 certificates are based on public-key cryptography, in which there are two keys: the private key and the public key. Data encrypted with the private key can be decrypted only with the public key and vice versa. As the names suggest, the private key is never revealed to anyone and the public key can be freely distributed. Encryption with the recipient’s public key creates a message that only the intended recipient can read. Encryption with the sender’s private key creates a message whose authenticity is proven because it can be decrypted only with the sender’s public key.

Types

Server certificates contain a signature string encrypted with the CA’s private key. The CA’s public key is contained in a CA root certificate. If the signature string can be decrypted with the CA’s public key, the certificate is genuine. Certificate authorities

A certificate authority can be:

l an organization, such as VeriSign Inc., that provides certificate services l a software application, such as Microsoft Certificate Services or OpenSSH

For a company web portal or customer-facing SSL VPN, a third-party certificate service has some advantages. The CA certificates are already included in popular web browsers and customers trust the third-party. On the other hand, third-party services have a cost.

For administrators and for employee VPN users, the local CA based on a software application provides the required security at low cost. You can generate and distribute certificates as needed. If an employee leaves the organization, you can simply revoke their certificate.

Certificates for users

FortiGate unit administrators and SSL VPN users can install certificates in their web browsers to authenticate themselves. If the FortiGate unit uses a CA-issued certificate to authenticate itself to the clients, the browser will also need the appropriate CA certificate.

FortiGate IPsec VPN users can install server and CA certificates according to the instructions for their IPsec VPN client software. The FortiClient Endpoint Security application, for example, can import and store the certificates required by VPN connections.

FortiGate units are also compatible with some Public Key Infrastructure systems. For an example of this type of system, see RSA ACE (SecurID) servers on page 48.

Two-factor authentication

A user can be required to provide both something they know (their username and password combination) and something they have (certificate or a random token code). Certificates are installed on the user’s computer.

Two-factor authentication is available for PKI users. For more information, see Certificate on page 58.

Another type of two-factor authentication is to use a randomly generated token (multi-digit number) along with the username and password combination. One method is a FortiToken — a one time passcode (OTP) generator that generates a unique code every 60 seconds. Others use email or SMS text messaging to deliver the random token code to the user or administrator.

When one of these methods is configured, the user enters this code at login after the username and password have been verified. The FortiGate unit verifies the token code after as well as the password and username. For more information, see Two-factor authentication on page 57

Types of authentication

FortiOS supports two different types of authentication based on your situation and needs.

Security policy authentication is easily applied to all users logging on to a network, or network service. For example if a group of users on your network such as the accounting department who have access to sensitive Types of authentication

data need to access the Internet, it is a good idea to make sure the user is a valid user and not someone trying to send company secrets to the Internet. Security policy authentication can be applied to as many or as few users as needed, and it supports a number of authentication protocols to easily fit with your existing network.

Virtual Private Network (VPN) authentication enables secure communication with hosts located outside the company network, making them part of the company network while the VPN tunnel is operating. Authentication applies to the devices at both ends of the VPN and optionally VPN users can be authenticated as well.

Security policy authentication

Security policies enable traffic to flow between networks. Optionally, the policy can allow access only to specific originating addresses, device types, users or user groups. Where access is controlled by user or user group, users must authenticate by entering valid username and password credentials.

The user’s authentication expires if the connection is idle for too long, five minutes by default but that can be customized.

Security policies are the mechanism for FSSO, NTLM, certificate based, and RADIUS SSO authentication.

FSSO

Fortinet Single Sign on (FSSO) provides seamless authentication support for Microsoft Windows Active Directory (AD) and Novell eDirectory users in a FortiGate environment.

On a Microsoft Windows or Novell network, users authenticate with the Active Directory or Novell eDirectory at logon. FSSO provides authentication information to the FortiGate unit so that users automatically get access to permitted resources. See Introduction to agent-based FSSO on page 142.

NTLM

The NT LAN Manager (NTLM) protocol is used when the MS Windows Active Directory (AD) domain controller can not be contacted. NTLM is a browser-based method of authentication.

The FSSO software is installed on each AD server and the FortiGate unit is configured to communicate with each

FSSO client. When a user successfully logs into their Windows PC (and is authenticated by the AD Server), the

FSSO client communicates the user’s name, IP address, and group login information to the FortiGate unit. The FortiGate unit sets up a temporary access policy for the user, so when they attempt access through the firewall they do not need to re-authenticate. This model works well in environments where the FSSO client can be installed on all AD servers.

In system configurations where it is not possible to install FSSO clients on all AD servers, the FortiGate unit must be able to query the AD servers to find out if a user has been properly authenticated. This is achieved using the NTLM messaging features of Active Directory and Internet Explorer.

Even when NTLM authentication is used, the user is not asked again for their username and password. Internet Explorer stores the user’s credentials and the FortiGate unit uses NTLM messaging to validate them in the Windows AD environment.

Note that if the authentication reaches the timeout period, the NTLM message exchange restarts. For more information on NTLM, see NTLM authentication on page 88 and FSSO NTLM authentication support on page 148.

Certificates

Certificates can be used as part of a policy. All users being authenticated against the policy are required to have the proper certificate. See Certificate-based authentication on page 107

RADIUS SSO

RADIUS Single Sign-On (RSSO) is a remote authentication method that does not require any local users to be configured, and relies on RADIUS Start records to provide the FortiGate unit with authentication information. That information identifies the user and user group, which is then matched using a security policy. See SSO using RADIUS accounting records on page 186.

FortiGuard Web Filter override authentication

Optionally, users can be allowed the privilege of overriding FortiGuard Web Filtering to view blocked web sites. Depending on the override settings, the override can apply to the user who requested it, the entire user group to which the user belongs, or all users who share the same web filter profile. As with other FortiGate features, access to FortiGuard overrides is controlled through user groups. Firewall and Directory Services user groups are eligible for the override privilege. For more information about web filtering and overrides, see the UTM chapter of this FortiOS Handbook.

VPN authentication

Authentication involves authenticating the user. In IPsec VPNs authenticating the user is optional, but authentication of the peer device is required. This section includes:

l Authenticating IPsec VPN peers (devices) l Authenticating IPsec VPN users l Authenticating SSL VPN users l Authenticating PPTP and L2TP VPN users

Authenticating IPsec VPN peers (devices)

A VPN tunnel has one end on a local trusted network, and the other end is at a remote location. The remote peer (device) must be authenticated to be able to trust the VPN tunnel. Without that authentication, it is possible for a malicious hacker to masquerade as a valid VPN tunnel device and gain access to the trusted local network.

The three ways to authenticate VPN peers are with a preshared key, RSA X.509 certificate, or a specific peer ID value.

The simplest way for IPsec VPN peers to authenticate each other is through the use of a preshared key, also called a shared secret. The preshared key is a text string used to encrypt the data exchanges that establish the VPN tunnel. The preshared key must be six or more characters. The VPN tunnel cannot be established if the two peers do not use the same key. The disadvantage of preshared key authentication is that it can be difficult to securely distribute and update the preshared keys.

RSA X.509 certificates are a better way for VPN peers to authenticate each other. Each peer offers a certificate signed by a Certificate Authority (CA) which the other peer can validate with the appropriate CA root certificate.

For more information about certificates, see Certificate-based authentication on page 107.

You can supplement either preshared key or certificate authentication by requiring the other peer to provide a specific peer ID value. The peer ID is a text string configured on the peer device. On a FortiGate peer or FortiClient Endpoint Security peer, the peer ID provided to the remote peer is called the Local ID.

Authenticating IPsec VPN users

An IPsec VPN can be configured to accept connections from multiple dynamically addressed peers. You would do this to enable employees to connect to the corporate network while traveling or from home. On a FortiGate unit, you create this configuration by setting the Remote Gateway to Dialup User.

It is possible to have an IPsec VPN in which remote peer devices authenticate using a common preshared key or a certificate, but there is no attempt to identify the user at the remote peer. To add user authentication, you can do one of the following:

l require a unique preshared key for each peer l require a unique peer ID for each peer l require a unique peer certificate for each peer l require additional user authentication (XAuth)

The peer ID is a text string configured on the peer device. On a FortiGate peer or FortiClient Endpoint Security peer, the peer ID provided to the remote peer is called the Local ID.

Authenticating SSL VPN users

SSL VPN users can be l user accounts with passwords stored on the FortiGate unit l user accounts authenticated by an external RADIUS, LDAP or TACACS+ server l PKI users authenticated by certificate

You need to create a user group for your SSL VPN. Simply create a firewall user group, enable SSL VPN access for the group, and select the web portal the users will access.

SSL VPN access requires an SSL VPN security policy that permits access to members of your user group.

Authenticating PPTP and L2TP VPN users

PPTP and L2TP are older VPN tunneling protocols that do not provide authentication themselves. FortiGate units restrict PPTP and L2TP access to users who belong to one specified user group. Users authenticate themselves to the FortiGate unit by username/password. You can configure PPTP and L2TP VPNs only in the CLI. Before you configure the VPN, create a firewall user group and add to it the users who are permitted to use the VPN. Users are authenticated when they attempt to connect to the VPN. For more information about configuring PPTP or L2TP VPNs, see the FortiGate CLI Reference.

Single Sign-On authentication for users

“Single Sign-On” means that users logged on to a computer network are authenticated for access to network resources through the FortiGate unit without having to enter their username and password again. FortiGate units directly provide Single Sign On capability for:

• Microsoft Windows networks using either Active Directory or NTLM authentication
• Novell networks, using eDirectory

In combination with a FortiAuthenticator unit, the FortiGate unit can provide Single Sign-On capability that integrates multiple external network authentication systems such as Windows Active Directory, Novell eDirectory, RADIUS and LDAP. The FortiAuthenticator unit gathers user logon information from all of these sources and sends it to the FortiGate unit.

Through the SSO feature, the FortiGate unit knows the username, IP address, and external user groups to which the user belongs. When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. If the user belongs to one of the permitted user groups, the connection is allowed.

User’s view of authentication

From the user’s point of view, they see a request for authentication when they try to access a protected resource, such as an FTP repository of intellectual property or simply access a website on the Internet. The way the request is presented to the user depends on the method of access to that resource.

VPN authentication usually controls remote access to a private network.

Web-based user authentication

Security policies usually control browsing access to an external network that provides connection to the Internet. In this case, the FortiGate unit requests authentication through the web browser.

The user types a username and password and then selects Continue or Login. If the credentials are incorrect, the authentication screen is redisplayed with blank fields so that the user can try again. When the user enters valid credentials, access is granted to the required resource. In some cases, if a user tries to authenticate several times without success, a message appears, such as: “Too many bad login attempts. Please try again in a few minutes.” This indicates the user is locked out for a period of time. This prevents automated brute force password hacking attempts. The administrator can customize these settings if required.

After a defined period of user inactivity (the authentication timeout, defined by the FortiGate administrator), the user’s access expires. The default is 5 minutes. To access the resource, the user will have to authenticate again.

VPN client-based authentication

A VPN provides remote clients with access to a private network for a variety of services that include web browsing, email, and file sharing. A client program such as FortiClient negotiates the connection to the VPN and manages the user authentication challenge from the FortiGate unit.

FortiClient can store the username and password for a VPN as part of the configuration for the VPN connection and pass them to the FortiGate unit as needed. Or, FortiClient can request the username and password from the user when the FortiGate unit requests them.

SSL VPN is a form of VPN that can be used with a standard Web browser. There are two modes of SSL VPN operation (supported in NAT/Route mode only):

l web-only mode, for remote clients equipped with a web-browser only l tunnel mode, for remote computers that run a variety of client and server applications.

After a defined period of user inactivity on the VPN connection (the idle timeout, defined by the FortiGate administrator), the user’s access expires. The default is 30 minutes. To access the resource, the user will have to authenticate again.

FortiGate administrator’s view of authentication

Authentication is based on user groups. The FortiGate administrator configures authentication for security policies and VPN tunnels by specifying the user groups whose members can use the resource. Some planning is required to determine how many different user groups need to be created. Individual user accounts can belong to multiple groups, making allocation of user privileges very flexible.

A member of a user group can be:

• a user whose username and password are stored on the FortiGate unit l a user whose name is stored on the FortiGate unit and whose password is stored on a remote or external authentication server
• a remote or external authentication server with a database that contains the username and password of each person who is permitted access

The general process of setting up authentication is as follows:

1. If remote or external authentication is needed, configure the required servers.
2. Configure local and peer (PKI) user identities. For each local user, you can choose whether the FortiGate unit or a remote authentication server verifies the password. Peer members can be included in user groups for use in security policies.
3. Create user groups.
4. Add local/peer user members to each user group as appropriate. You can also add an authentication server to a user group. In this case, all users in the server’s database can authenticate. You can only configure peer user groups through the CLI.
5. Configure security policies and VPN tunnels that require authenticated access.

For authentication troubleshooting, see the specific chapter for the topic or for general issues see Troubleshooting on page 213.

General authentication settings

Go to User & Device > Authentication Settings to configure authentication timeout, protocol support, and authentication certificates.

When user authentication is enabled within a security policy, the authentication challenge is normally issued for any of the four protocols (depending on the connection protocol):

General authentication settings

• HTTP (can also be set to redirect to HTTPS) l HTTPS l FTP
• Telnet

The selections made in the Protocol Support list of Authentication Settings control which protocols support the authentication challenge. Users must connect with a supported protocol first so they can subsequently connect with other protocols. If HTTPS is selected as a method of protocol support, it allows the user to authenticate with a customized Local certificate.

When you enable user authentication within a security policy, the security policy user will be challenged to authenticate. For user ID and password authentication, users must provide their user names and passwords. For certificate authentication (HTTPS or HTTP redirected to HTTPS only), you can install customized certificates on the unit and the users can also have customized certificates installed on their browsers. Otherwise, users will see a warning message and have to accept a default Fortinet certificate.

Authentication servers

FortiGate units support the use of external authentication servers. An authentication server can provide password checking for selected FortiGate users or it can be added as a member of a FortiGate user group.

If you are going to use authentication servers, you must configure the servers before you configure FortiGate users or user groups that require them.

This section includes the following topics:

l FortiAuthenticator servers l RADIUS servers l LDAP servers l TACACS+ servers l POP3 servers l SSO servers l RSA ACE (SecurID) servers

FortiAuthenticator servers

FortiAuthenticator is an Authentication, Authorization, and Accounting (AAA) server, that includes a RADIUS server, an LDAP server, and can replace the FSSO Collector Agent on a Windows AD network. Multiple FortiGate units can use a single FortiAuthenticator for FSSO, remote authentication, and FortiToken management.

For more information, see the FortiAuthenticator Administration Guide.

RADIUS servers

Remote Authentication and Dial-in User Service (RADIUS) is a broadly supported client-server protocol that provides centralized authentication, authorization, and accounting functions. RADIUS clients are built into gateways that allow access to networks such as Virtual Private Network servers, Network Access Servers (NAS), as well as network switches and firewalls that use authentication. FortiGate units fall into the last category.

RADIUS servers use UDP packets to communicate with the RADIUS clients on the network to authenticate users before allowing them access to the network, to authorize access to resources by appropriate users, and to account or bill for those resources that are used. RADIUS servers are currently defined by RFC 2865 (RADIUS) and RFC 2866 (Accounting), and listen on either UDP ports 1812 (authentication) and 1813 (accounting) or ports 1645 (authentication) and 1646 (accounting) requests. RADIUS servers exist for all major operating systems.

You must configure the RADIUS server to accept the FortiGate unit as a client. FortiGate units use the authentication and accounting functions of the RADIUS server.

FortiOS does not accept all characters from auto generated keys from MS Windows 2008. These keys are very long and as a result RADIUS authentication will not work. Maximum key length for MS Windows 2008 is 128 bytes. In older versions of FSAE, it was 40 bytes.

Microsoft RADIUS servers

Microsoft Windows Server 2000, 2003, and 2008 have RADIUS support built-in. Microsoft specific RADIUS features are defined in RFC 2548. The Microsoft RADIUS implementation can use Active Directory for user credentials.

For details on Microsoft RADIUS server configurations, refer to Microsoft documentation.

RADIUS user database

The RADIUS user database is commonly an SQL or LDAP database, but can also be any combination of:

l usernames and passwords defined in a configuration file l user account names and passwords configured on the computer where the RADIUS server is installed.

If users are members of multiple RADIUS groups, then the user group authentication timeout value does not apply. See Membership in multiple groups on page 69.

RADIUS authentication with a FortiGate unit

To use RADIUS authentication with a FortiGate unit l configure one or more RADIUS servers on the FortiGate unit l assign users to a RADIUS server

When a configured user attempts to access the network, the FortiGate unit will forward the authentication request to the RADIUS server which will match the username and password remotely. Once authenticated the RADIUS server passes the authorization granted message to the FortiGate unit which grants the user permission to access the network.

The RADIUS server uses a “shared secret” key along with MD5 hashing to encrypt information passed between RADIUS servers and clients, including the FortiGate unit. Typically only user credentials are encrypted. Additional security can be configured through IPsec tunnels by placing the RADIUS server behind another VPN gateway.

RADIUS attribute value pairs

RADIUS packets include a set of attribute value pairs (AVP) to identify information about the user, their location and other information. The FortiGate unit sends the following RADIUS attributes.

FortiOS supported RADIUS attributes

The following table describes the supported authentication events and the RADIUS attributes that are sent in the RADIUS accounting message.

RADIUS attributes sent in RADIUS accounting message

External captive portal POST message

In external RADIUS captive portal, the captive portal web page is a script that gathers the user’s logon credentials and sends it back to the FortiGate as a POST message. Session URL parameters are sent from the client in a POST messages, and in the redirect. These parameters are separated by & characters (see examples below):

POST message to redirect server:

http://<redirectserver>/index2.php/?login&post=http://192.168.200.1:1000/fgtau th&magic=02050f889bc21644&usermac=54:26:96:16:a2:45&apmac=00:09:0f:b9:f4:c0&ap ip=127.0.0.1&userip=192.168.200.2

POST message back to the FortiGate: http://FGT_IP_addr:1000/fgtauth

The magic text data, provided in the initial FortiGate request to the web server, contains the username, password paramaters:

magic=00050c839182f095&username=<username>&password=<password>

Vendor-specific attributes

Vendor specific attributes (VSA) are the method RADIUS servers and client companies use to extend the basic functionality of RADIUS. Some major vendors, such as Microsoft, have published their VSAs, however many do not.

In order to support vendor-specific attributes (VSA), the RADIUS server requires a dictionary to define which VSAs to support. This dictionary is typically supplied by the client or server vendor.

The Fortinet RADIUS vendor ID is 12356.

The FortiGate unit RADIUS VSA dictionary is supplied by Fortinet and is available through the Fortinet Knowledge Base (http://kb.forticare.com) or through Technical Support. Fortinet’s dictionary for FortiOS 4.0 and up is configured this way:

##

Fortinet’s VSA’s

#

VENDOR fortinet 12356

BEGIN-VENDOR fortinet

ATTRIBUTE Fortinet-Group-Name   1   string

ATTRIBUTE Fortinet-Client-IP-Address   2   ipaddr

ATTRIBUTE Fortinet-Vdom-Name   3   string

ATTRIBUTE Fortinet-Client-IPv6-Address   4   octets

ATTRIBUTE Fortinet-Interface-Name   5   string

ATTRIBUTE Fortinet-Access-Profile   6   string

#

# Integer Translations

#

END-VENDOR Fortinet

Note that using the Fortinet-Vdom-Name, users can be tied to a specific VDOM on the FortiGate unit. See the documentation provided with your RADIUS server for configuration details.

RADIUS CoA support

As of FortiOS 5.4, RADIUS Change of Authorization (CoA) settings can be configured via the CLI. CoA is a common feature in user authentication that provides the ability to change authentication attributes for sessions even after they have authenticated.

User, user group, and captive portal authentication supports RADIUS CoA, when the back end authentication server is RADIUS. The main use case of this feature is with external captive portal, where it can be used to disconnect hotspot users when their time, credit, or bandwidth has been used up.

The commands below control CoA settings.

1. Set the name of the FortiAP connected to the FortiGate as a location identifier.

config system global set alias <name>

2. Set URL of external authentication logout server.

config vdom edit root config wireless-controller vap edit <example> set security captive-portal set external-logout

3. Set URL of external authentication logout server config vdom edit root config system interface edit <example> set security captive-portal set security-external-logout
4. Set class name(s) included in an Access-Accept message.

config vdom edit root config user radius edit accounting set class <“A1=aaa” “B2=bbb” “C3=ccc”>

Role Based Access Control

In Role Based Access Control (RBAC), network administrators and users have varying levels of access to network resources based on their role, and that role’s requirement for access specific resources. For example, a junior accountant does not require access to the sales presentations, or network user account information.

There are three main parts to RBAC: role assignment, role authorization, and transaction authorization. Role assignment is accomplished when someone in an organization is assigned a specific role by a manager or HR. Role authorization is accomplished when a network administrator creates that user’s RADIUS account and assigns them to the required groups for that role. Transaction authorization occurs when that user logs on and authenticates before performing a task.

RBAC is enforced when FortiOS network users are remotely authenticated via a RADIUS server. For users to authenticate, a security policy must be matched. That policy only matches a specific group of users. If VDOMs are enabled, the matched group will be limited to a specific VDOM. Using this method network administrators can separate users into groups that match resources, protocols, or VDOMs. It is even possible to limit users to specific FortiGate units if the RADIUS servers serve multiple FortiOS units.

For more information on security policies, see Authentication in security policies on page 83.

RADIUS password encoding

Certain RADIUS servers use ISO-8859-1 password encoding instead of others such as UTF-8. In these instances, the server will fail to authenticate the user, if the user’s password is using UTF-8.

CLI syntax

config user radius edit <example> set password-encoding <auto | ISO-8859-1>

end

This option will be skipped if the auth-type is neither auto nor pap.

Users and user groups

FortiGate authentication controls system access by user group. By assigning individual users to the appropriate user groups you can control each user’s access to network resources. The members of user groups are user accounts, of which there are several types. Local users and peer users are defined on the FortiGate unit. User accounts can also be defined on remote authentication servers.

This section describes how to configure local users and peer users and then how to configure user groups. For information about configuration of authentication servers see Authentication servers on page 29.

This section contains the following topics:

• Users
• User groups

Users

A user is a user account consisting of username, password, and in some cases other information, configured on the FortiGate unit or on an external authentication server. Users can access resources that require authentication only if they are members of an allowed user group. There are several different types of user accounts with slightly different methods of authentication:

This section includes:

• Local and remote users
• PKI or peer users
• Two-factor authentication
• FortiToken
• Monitoring users

Local and remote users

Local and remote users are defined on the FortiGate unit in User & Device > User Definition.

To create a local or remote user account – web-based manager:

1. Go to User & Device > User Definition and select Create New.
2. On the Choose User Type page select:

3. Select Next and provide user authentication information. For a local user, enter the User Name and Password.

For a remote user, enter the User Name and the server name.

4. Select Next and enter Contact Information.

If email or SMS is used for two-factor authentication, provide the email address or SMS cell number at which the user will receive token password codes. If a custom SMS service is used, it must already be configured. See FortiToken on page 60.

5. Select Next, then on the Provide Extra Info page enter

6. Select Create.

To create a local user – CLI example:

Locally authenticated user

config user local edit user1 set type password set passwd ljt_pj2gpepfdw end

To create a remote user – CLI example:

config user local edit user2 set type ldap set ldap_server ourLDAPsrv

end

For a RADIUS or TACACS+ user, set type to radius or tacacs+, respectively.

To create a user with FortiToken Mobile two-factor authentication – CLI example:

config user local edit user5 set type password set passwd ljt_pj2gpepfdw set two_factor fortitoken set fortitoken 182937197

end

Remote users are configured for FortiToken two-factor authentication similarly.

To create a user with SMS two-factor authentication using FortiGuard messaging Service – CLI example:

config user local edit user6 set type password set passwd 3ww_pjt68dw set two_factor sms set sms-server fortiguard set sms-phone 1365984521

end

Removing users

Best practices dictate that when a user account is no longer in use, it should be deleted. Removing local and remote users from FortiOS involve the same steps.

If the user account is referenced by any configuration objects, those references must be removed before the user can be deleted. See Removing references to users on page 57.

To remove a user from the FortiOS configuration – web-based manager:

1. Go to User & Device > User Definition.
2. Select the check box of the user that you want to remove.
3. Select Delete.
4. Select OK.

To remove a user from the FortiOS configuration – CLI example:

config user local delete user4444 end

Removing references to users

You cannot remove a user that belongs to a user group. Remove the user from the user group first, and then delete the user.

To remove references to a user – web-based manager

1. Go to User & Device > User Definition.
2. If the number in the far right column for the selected user contains any number other than zero, select it.
3. A more detailed list of object references to this user is displayed. Use its information to find and remove these references to allow you to delete this user.