Logo Passei Direto
Buscar
Material
páginas com resultados encontrados.
páginas com resultados encontrados.

Escolha uma das opções e acesse esse e outros materiais sem bloqueio. 🤩

Cadastre-se ou realize login

Ao continuar, você aceita os Termos de Uso e Política de Privacidade

Escolha uma das opções e acesse esse e outros materiais sem bloqueio. 🤩

Cadastre-se ou realize login

Ao continuar, você aceita os Termos de Uso e Política de Privacidade

Escolha uma das opções e acesse esse e outros materiais sem bloqueio. 🤩

Cadastre-se ou realize login

Ao continuar, você aceita os Termos de Uso e Política de Privacidade

Escolha uma das opções e acesse esse e outros materiais sem bloqueio. 🤩

Cadastre-se ou realize login

Ao continuar, você aceita os Termos de Uso e Política de Privacidade

Escolha uma das opções e acesse esse e outros materiais sem bloqueio. 🤩

Cadastre-se ou realize login

Ao continuar, você aceita os Termos de Uso e Política de Privacidade

Escolha uma das opções e acesse esse e outros materiais sem bloqueio. 🤩

Cadastre-se ou realize login

Ao continuar, você aceita os Termos de Uso e Política de Privacidade

Escolha uma das opções e acesse esse e outros materiais sem bloqueio. 🤩

Cadastre-se ou realize login

Ao continuar, você aceita os Termos de Uso e Política de Privacidade

Escolha uma das opções e acesse esse e outros materiais sem bloqueio. 🤩

Cadastre-se ou realize login

Ao continuar, você aceita os Termos de Uso e Política de Privacidade

Escolha uma das opções e acesse esse e outros materiais sem bloqueio. 🤩

Cadastre-se ou realize login

Ao continuar, você aceita os Termos de Uso e Política de Privacidade

Escolha uma das opções e acesse esse e outros materiais sem bloqueio. 🤩

Cadastre-se ou realize login

Ao continuar, você aceita os Termos de Uso e Política de Privacidade

Prévia do material em texto

<p>FortiAuthenticator</p><p>Study Guide</p><p>for FortiAuthenticator 6.4</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Fortinet Training Institute - Library</p><p>https://training.fortinet.com</p><p>Fortinet Product Documentation</p><p>https://docs.fortinet.com</p><p>Fortinet Knowledge Base</p><p>https://kb.fortinet.com</p><p>Fortinet Fuse User Community</p><p>https://fusecommunity.fortinet.com/home</p><p>Fortinet Forums</p><p>https://forum.fortinet.com</p><p>Fortinet Product Support</p><p>https://support.fortinet.com</p><p>FortiGuard Labs</p><p>https://www.fortiguard.com</p><p>Fortinet Training Program Information</p><p>https://www.fortinet.com/nse-training</p><p>Fortinet | Pearson VUE</p><p>https://home.pearsonvue.com/fortinet</p><p>Fortinet Training Institute Helpdesk (training questions, comments, feedback)</p><p>https://helpdesk.training.fortinet.com/support/home</p><p>7/15/2022</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>https://training.fortinet.com/course/index.php</p><p>https://docs.fortinet.com/</p><p>https://kb.fortinet.com/</p><p>https://fusecommunity.fortinet.com/home</p><p>https://forum.fortinet.com/</p><p>https://support.fortinet.com/</p><p>https://www.fortiguard.com/</p><p>https://www.fortinet.com/nse-training</p><p>https://home.pearsonvue.com/fortinet</p><p>https://helpdesk.training.fortinet.com/support/home</p><p>TABLE OF CONTENTS</p><p>01 Introduction and Initial Configuration 4</p><p>02 Administrative Users and High Availability 39</p><p>03 Administering and Authenticating Users 73</p><p>04 Managing Users and Troubleshooting Authentication 112</p><p>05 Two-Factor Authentication 149</p><p>06 FSSO Process and Methods 196</p><p>07 FSSO Deployment and Troubleshooting 230</p><p>08 Portal Services 260</p><p>09 PKI and FortiAuthenticator as a CA 311</p><p>10 Certificate Management 340</p><p>11 802.1X Authentication 376</p><p>12 SAML 414</p><p>13 FIDO2 Authentication 460</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the key features and concepts of FortiAuthenticator and how to configure</p><p>the FortiAuthenticator for initial setup.</p><p>FortiAuthenticator is the central device for any authentication infrastructure.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 4</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the topics shown on this slide.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 5</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in authentication and the role of FortiAuthenticator, you will be able to define</p><p>authentication and understand the role of FortiAuthenticator in your own network.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 6</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Authentication is the act—or process—of verifying the validity of a claimed identity. Confirmation of identity is</p><p>necessary in the digital world, because granting access to a resource, approving a transaction request,</p><p>trusting the validity of a document, and so on, before verifying a person is who they say they are, can lead to a</p><p>serious network security breach.</p><p>So how do you confirm the identity of a digital user? You can confirm user identities based on something the</p><p>user knows (for example, a password or PIN), or something the user has (for example, a digital certificate or</p><p>token), or a combination of both methods.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 7</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator is a device that provides standards-based secure authentication to the entire network</p><p>infrastructure. That is, it verifies the validity of a claimed identity. FortiAuthenticator accepts many different</p><p>user identification methods (token, digital certificate, and so on) through different access points (local, remote,</p><p>wireless, guest, and so on).</p><p>FortiAuthenticator also centralizes the management and storage of user identity information, increasing the</p><p>efficiency of administration, and increasing control over who accesses the network.</p><p>The example shown on this slide demonstrates the advantage of two-factor authentication. The user’s</p><p>username and password have been compromised by a bad actor (this is often done using phishing or spear</p><p>phishing attacks), but because the bad actor does not possess the token, access will still be denied.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 8</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide covers all of the hardware and virtual models available.</p><p>The virtual machine (VM) version of FortiAuthenticator is popular with customers that have existing virtual</p><p>infrastructure. One of the main benefits of the VM version is that you can add CPU and RAM to your systems</p><p>as your needs grow. You then purchase user licenses for the VMs to suit your customers needs. These</p><p>licenses are stackable, which makes them ideal for customers who are looking to expand over time.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 9</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 10</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand authentication and the role of FortiAuthenticator.</p><p>Now, you will learn about the key features of FortiAuthenticator, and the comparisons between</p><p>FortiAuthenticator and FortiGate.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 11</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in understanding the key features of FortiAuthenticator, and the comparisons</p><p>between FortiAuthenticator and FortiGate, you will be able to use the device effectively in your own network.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 12</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator is a user authentication and identity management device. Some of the key features include:</p><p>two-factor authentication, wired or wireless authentication using the 802.1X standard, certificate management,</p><p>portal services, and Fortinet single sign-on (FSSO).</p><p>Multi-factor authentication increases network security by requiring multiple pieces of identification (known as</p><p>factors). It combines something you know with something you have to reliably confirm your identity.</p><p>FortiAuthenticator supports wired and wireless networking with the IEEE 802.1X standard. 802.1X</p><p>authentication provides an additional security barrier for your intranet. Just as an authenticated wireless client</p><p>must submit a set of credentials to be validated before being allowed access, an 802.1X wired client must also</p><p>perform authentication before being able to send traffic over its switch port.</p><p>FortiAuthenticator has several roles that involve digital certificates, including acting as a certificate authority</p><p>(CA), a SCEP server, authenticating users against an external LDAP server, and authenticating users using</p><p>Extensible Authentication Protocol (EAP). You will explore certificate management further in the Certificate</p><p>Management lesson.</p><p>FSSO enables FortiAuthenticator to leverage your network’s existing authentication system for firewall</p><p>authentication. After a user logs in, they can access other network resources without having to authenticate</p><p>again—authentication is transparent. You will explore FSSO further in the Fortinet Single Sign-On lesson.</p><p>Portal services allows you to grant remote users access to specific portions of your network, using delegated</p><p>authentication. In this scenario, authentication requires the user to associate their device with the guest SSID,</p><p>as published by the FortiGate wireless controller.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 13</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The table on this slide shows some of the key differences in RADIUS capabilities between FortiGate and</p><p>FortiAuthenticator.</p><p>As a RADIUS server, FortiAuthenticator provides authentication and authorization both as a server and as a</p><p>proxy. RADIUS rules can be used for FSSO updates.</p><p>Introduction and Initial</p><p>FortiAuthenticator permanently disables locked-</p><p>out users until an administrator (with appropriate permissions) manually re-enables them.</p><p>Finally, you can disable user accounts if there is no login activity for a specified number of days. If you enable</p><p>this setting, you must specify the number of days a user account can be inactive before being locked out. The</p><p>inactive user lockout period must be between 1 and 1825 days.</p><p>You can monitor your top locked-out users on the dashboard, in the Top User Lockouts widget. You can</p><p>view currently locked-out users on the Locked-out Users page.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 116</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>For security purposes, you may also want to enforce password complexity for user passwords, as well as</p><p>force users to change their passwords after a specified time has passed.</p><p>You can configure the password policy settings on the Edit Password Policy page.</p><p>User Password Complexity settings include:</p><p>• Specifying a minimum length for users passwords.</p><p>• Configuring password requirements, such as the minimum number of upper-case letters, lower-case</p><p>letters, numeric characters, and non-alphanumeric characters.</p><p>User Password Change Policy settings include:</p><p>• Configuring whether users are required to change their password after a set period of time. Users are</p><p>notified through an email, when their password is expiring. Accounts with expired passwords are disabled.</p><p>• Configuring whether to prevent users from creating a new password that is the same as the current</p><p>password or recently used ones.</p><p>• Configuring whether to force random generated passwords to expire after a set number of hours. Random</p><p>passwords are meant to be temporary, and as such, the active period is generally low, for security</p><p>purposes.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 117</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator allows you to create custom fields that you can use to gather user information not</p><p>represented by the default fields.</p><p>You can configure the custom fields on the Custom User Fields page. Click the Edit icon associated with the</p><p>custom field and enter your custom field in the text box that appears. The custom field will appear in the User</p><p>Information portion of local user records, and can be populated by users during self-registration.</p><p>You can add a maximum of three custom fields.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 118</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 119</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to configure user account policies and management settings.</p><p>Now, you will learn about configuring the self-service portal.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 120</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in configuring the self-service portal, you will be able to configure the self-</p><p>service portal and replacement messages, and set up user self-registration.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 121</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In order to allow users to self register, you must first configure the self-service portal. Users must access the</p><p>portal to complete various self-service tasks. You can configure the general settings of the portal on the portal</p><p>page. These include:</p><p>• Name: The name of the portal</p><p>• Description: An optional field to add information</p><p>• SMS gateway: Designate an SMS gateway for self-registration users</p><p>• Pre-Login Services: Available options before user registration or login</p><p>• Post-Login Services: Services provided to the user after login</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 122</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Pre-Login services allow you to define the services available to a user before login. A disclaimer can be</p><p>presented to the end user, and they must accept it before proceeding to the login page. The disclaimer can be</p><p>customized in the Login Disclaimer Page under the Replacement Messages view. You can also provide the</p><p>users with a password reset link in the event they have forgotten their password.</p><p>To enable users to request registration through the FortiAuthenticator login page, you must enable the</p><p>Account Registration pre-login service option.</p><p>After you enable self-registration, you are presented with configuration options for the self-registration</p><p>process. For example, you can:</p><p>• Specify mandatory administrator approval for every self-registration.</p><p>• Set the account to expire after a specified period of time.</p><p>• Set the user’s mobile number as their user name.</p><p>• Place users in a pre-defined group.</p><p>• Specify how the user password is created (user defined or randomly generated).</p><p>• Specify how the account information is sent to the user (SMS or email).</p><p>o If administrator approval is not required, you have the option to display the account information on</p><p>the browser page.</p><p>In the Required Field Configuration section, you can also specify which information-gathering fields are</p><p>required when a user registers (for example, first name, last name, and email address), and can include any</p><p>custom user fields.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 123</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can grant users the ability to perform self-revocation and reprovisioning of tokens, directly from the user</p><p>portal. The user portal includes a link for this capability. Users can revoke FortiToken and FIDO tokens and</p><p>use other OTP options.</p><p>The Usage Extension Notifications option allows a user who has exceeded their allowed time or data usage</p><p>settings to request an extension.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 124</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Post-login services provide the users the ability to manage many aspects of their account. They include the</p><p>following:</p><p>• Profile: Allow authenticated users to view or edit their account information.</p><p>• Password Change: Allow local and/or remote users to change their passwords.</p><p>• Token Registration: Allows you to grant users the ability to self-provision the different types of</p><p>FortiTokens or FIDO tokens directly from the user portal, and can be restricted to the group level.</p><p>• Smart Connect: Assign a Smart Connect connection profile for automated wireless configuration.</p><p>• Device Tracking and Management: Require users to register their devices, and also place registered</p><p>devices in a MAC device user group.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 125</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Replacement messages are customized messages FortiAuthenticator sends to users upon self-registration.</p><p>You can view and customize the default messages on the Replacement Messages page. You may need to</p><p>do this based on your self-service configuration. For example, on the pre-login services view you learned that</p><p>administrators can specify which information-gathering fields they want to display to the user when they self-</p><p>register. The default self-registration message may include fields asking for information you didn’t ask for from</p><p>the user. As such, you have to remove those fields from the message.</p><p>To customize, select the default message and edit the plain text or HTML code. You can always restore the</p><p>default message, if required.</p><p>On this page, you can also manage images you want to include in the message. For example, you can</p><p>manage your company logo or images containing links to your company’s social media pages.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 126</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>On the Policy type page, you specify a name for the portal policy, an optional description, and the portal to</p><p>associate with the policy.</p><p>On the Identity sources page, you can configure which users or groups can access the network. You must</p><p>specify:</p><p>• The input format for the user name. Options include username@realm, realm\username,</p><p>realm/username. The realm name is optional when authenticating against the default realm.</p><p>• The realm(s) with which the user will be associated. This is the default realm for this client. You can add</p><p>additional realms by clicking Add a realm. Note that you must have preconfigured these realms.</p><p>• Whether to allow local users to override remote users.</p><p>You can use the group filter to filter users based on group membership.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 127</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The Authentication factors page is where you specify which authentication factors to verify by selecting one</p><p>of the following options:</p><p>• Mandatory password and OTP: Requires two-factor authentication.</p><p>• All configured password and OTP factors: Two-factor authentication is necessary if it is enabled on the</p><p>user’s account.</p><p>• Password-only: Does not require two-factor authentication.</p><p>• OTP-only: Token verification only.</p><p>• Adaptive Authentication: Users can bypass OTP validation if they belong to a trusted subnet.</p><p>• FIDO authentication (effective once a token has been registered): Once a user has a Fast ID Online</p><p>(FIDO) token registered they can be required to log in with only the FIDO token or both a password and the</p><p>FIDO token.</p><p>The Advanced options provide the option to leverage FortiToken push notifications, resolve users’</p><p>geolocation based on their IP address, and reject usernames containing uppercase letters.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 128</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The post-login options you configured on the portal appears after a user successfully authenticates. By</p><p>default, the options appear as buttons. The example shown on this slide is a portal with each of the five post-</p><p>login options enabled:</p><p>• Profile</p><p>• Password Change</p><p>• Token Registration</p><p>• Device Tracking and Management</p><p>• Smart Connect</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 129</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After you configure the self-service portal, users can self-register.</p><p>Step 1: A user must connect HTTP or HTTPS to the FortiAuthenticator GUI. When self-registration is enabled,</p><p>the access login page shows a Register link.</p><p>Step 2: After clicking Register, the user is presented with a form with information-gathering fields, such as</p><p>username, name, email and so on. If you did not configure FortiAuthenticator to randomly generate</p><p>passwords, the user must also specify a password.</p><p>Step 3a: If FortiAuthenticator is configured so that administrator approval is required for self-registrations, the</p><p>administrator receives an email that contains a link to the new user request (with filled-out form) and the</p><p>option to either approve or deny the registration.</p><p>Step 3b: After the account is approved (whether by an administrator or automatically), the user will receive a</p><p>confirmation through the medium you specified while configuring the self-service portal. This could be email,</p><p>SMS, or, if no administrator approval is required, on the browser page. If you configured FortiAuthenticator to</p><p>use randomly generated passwords, the email or SMS confirmation will contain the user password.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 130</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 131</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to configure the self-service portal.</p><p>Now, you will learn about troubleshooting.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 132</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in troubleshooting, you will be able to debug using the FortiAuthenticator logs</p><p>and extended logs.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 133</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>On the Logs page on the GUI, you can find the normal level of debugging required for everyday use. Log</p><p>types include:</p><p>• Admin Configuration, for changes in the configuration</p><p>• Authentication, for successful or unsuccessful authentication events</p><p>• System, for system events such system restarts and firmware upgrades</p><p>• High Availability, for high availability sync and failover events</p><p>• User Portal, for logins for the user portal</p><p>You can also download a debug report, which is encrypted, and send it to the FortiAuthenticator team for</p><p>further investigation, if necessary.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 134</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows some example logs for portal login and RADIUS login, with both user name and password as</p><p>well as token.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 135</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can find more detailed debug logs at https://<FortiAuthenticator_IP>/debug.</p><p>In the Service drop-down list, you can select the service from which you want to gather logs. The RADIUS</p><p>authentication service allows you to enable verbose logging by clicking Enter debug mode. This has a</p><p>performance impact, so remember to turn it off.</p><p>The max log file size can be selected from a list ranging from 200 KB and 500 MB. The logs is displayed in</p><p>pages, with the number of entries defined by the user. Clicking the download icon will download log.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 136</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>If your logs do not go back as far as you want, check the Log Settings page for your log configuration. You</p><p>may have set them to automatically delete. However, if you configured your logs to remotely back up to an</p><p>FTP server or syslog server, you may be able to find your history logs there.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 137</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>When debugging RADIUS issues, ensure you verify the user configuration on the User Management page.</p><p>Check whether the account has been accidentally disabled. Also check whether the correct token is assigned</p><p>to the user. You may want to disable the token to rule out any issues.</p><p>By default, RADIUS authentication is enabled, but you can disable it per user.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 138</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Another thing to check is the RADIUS client configuration. Verify that the secret and RADIUS client IP are</p><p>correct? Remember, the IP could be changed if you are using NAT.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 139</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Another thing to check is the RADIUS policy configuration. Here are some things to consider:</p><p>• Is the correct realm being authenticated? Try allowing local user override and testing with a local user.</p><p>• Are there any group filters in place? Try removing and testing again.</p><p>• Are you using MSCHAPv2 in place of PAP, and an external active directory (AD)? If so, make sure to</p><p>enable Use Windows AD domain authentication.</p><p>• Are you using RADIUS attributes to assign different RADIUS policies? It’s often helpful to walk through</p><p>each step of the policy to validate settings.</p><p>• Is two-factor authentication enforced when the user has no token?</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 140</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>If you are still experiencing issues with RADIUS, there are three steps that you should take.</p><p>The first step is to verify whether traffic is reaching FortiAuthenticator. Use the various tcpdump commands in</p><p>the CLI. Then, if no traffic is reaching FortiAuthenticator, validate the intervening firewall policies and the</p><p>RADIUS client configuration.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 141</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The second step is to check the log files. Try the following recommendations if any of the following scenarios</p><p>occur:</p><p>• Authentication attempt fails with no log entry: In this case, check that your RADIUS client is correctly</p><p>configured to send authentication to FortiAuthenticator. Also verify traffic is reaching FortiAuthenticator and</p><p>is not prevented by a firewall policy.</p><p>• Authentication attempt fails with “Invalid Password”: In this case, reset the user password and try again. If</p><p>it still fails, verify the network access server shared secret.</p><p>• Authentication attempt fails with two-factor authentication enabled: In this case, verify the user is not trying</p><p>to use a previously used token passcode (for example, a one-time password token). Also verify the time</p><p>and time zone on FortiAuthenticator is correct and preferably synchronized using NTP. Finally, verify the</p><p>token is correctly synched with FortiAuthenticator (that is, it hasn’t drifted).</p><p>You may also want to check the extended logs as well at http://<FortiAuthenticator_IP>/debug.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 142</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The third step is to reduce the complexity of the RADIUS configuration. Usually this is not required, because</p><p>the logs provide enough information for troubleshooting purposes. However, just in case try, the following:</p><p>• Remove two-factor authentication from the equation by disabling the token in the user account</p><p>• Remove any group filters</p><p>After the complexity is reduced, test authentication using a simple client tool, such as NTRADPing, from a</p><p>laptop. Don’t forget to add the laptop as an allowed RADIUS client in the FortiAuthenticator configuration!</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 143</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The following slides show some common issues for RADIUS login failures. In the scenario shown on this</p><p>slide, the user exists on the system, but RADIUS authentication fails. Logs say Authentication failed,</p><p>user not found.</p><p>To debug, verify the user has RADIUS authentication enabled and that the account is not disabled.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 144</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In the scenario shown on this slide, the user exists on the system, but RADIUS authentication fails. Logs show</p><p>no success or failure.</p><p>To debug, verify that a RADIUS client entry exists for the authenticating system and that the traffic is really</p><p>sourced from the IP of the network access server and is not being NATed. Also check the RADIUS log for</p><p>errors and sniff the traffic.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 145</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 146</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Congratulations! You have completed this lesson.</p><p>Now, you will review the objectives that you covered in this lesson.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 147</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the objectives that you covered in this lesson.</p><p>By mastering the objectives covered in this lesson, you learned how to administer user account policies and</p><p>management settings, and how to authenticate users through LDAP and RADIUS as well as the self-service</p><p>portal.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 148</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about two-factor authentication and FortiTokens. Specifically, you will learn how to</p><p>provision, create, and administer FortiTokens for use as your step-up authentication solution.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 149</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the topics shown on this slide.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 150</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating knowledge of password tokens and validation servers, you will be able to use them in your</p><p>network.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 151</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Typically, an OTP token is not used as a standalone solution, but as an additional authentication mechanism on</p><p>top of a user name and static password—the something you have in two-factor authentication.</p><p>OTP tokens generate passwords that can be used only once. They are more secure than static passwords</p><p>because they are not vulnerable to replay attacks. For example, even if an attacker obtains an OTP, the</p><p>password invalidates after a short interval (usually 60 seconds).</p><p>Because memorizing OTP passwords is practically impossible, you need something that can generate OTPs for</p><p>you. There are three main ways of acquiring one-time passwords:</p><p>• Hardware tokens, which are physical devices, such as the FortiToken 200 series</p><p>• Software tokens, which are software applications on a smart phone, such as FortiToken Mobile</p><p>• FortiToken Cloud uses cloud-based token validation using FortiToken Mobile</p><p>• Tokenless (email or SMS)</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 152</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>There are two main standards, governed by OATH, to generate one-time password tokens: time-based and</p><p>event-based.</p><p>TOTPs generate passcodes using a combination of time (time passed since an epoch) and a secret key. The</p><p>passcode changes at regular intervals and, because they are OTPs, are single use only. FortiAuthenticator</p><p>validates the entered passcode using time and the secret key. Fortinet products that use TOTP include</p><p>FortiToken 200 (hardware token) and FortiToken Mobile (software token). With time-based tokens, it is important</p><p>to have FortiAuthenticator’s system clock accurately adjusted. Therefore, it is highly recommended that you use</p><p>an NTP server for system time synchronization.</p><p>HOTPs generate passcodes using a combination of a counter (an input to a cryptographic hash function) and a</p><p>secret key. Whenever a new passcode is generated, the counter value is incremented, and therefore the</p><p>passcodes are different each time. They remain valid until used. Because they are OTPs, the passcodes are</p><p>single use only.</p><p>TOTP is considered more secure because the passcode keeps changing and is only valid for a short period of</p><p>time. HOTP passcodes can be valid for an unknown amount of time (they remain valid until used).</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 153</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the details of how tokens are used within a two-factor authentication environment.</p><p>1. The token generates a passcode. The passcode is based on a seed, which is a randomly-generated number</p><p>that does not change in time, and a time, obtained from an internal, accurate clock. The seed and time go through</p><p>an algorithm that generates a passcode. A single passcode is valid for only a short interval (usually 60 seconds)</p><p>and then a new one generates. The cycle of generating passwords repeats over and over again.</p><p>2. The user authenticates through a username and static password (first factor), and then the one-time passcode</p><p>provided by the token (second factor).</p><p>3. A validation server receives the username and static password and validates those credentials.</p><p>4. The validation</p><p>server then validates the OTP. The validation server knows the seed used by the token and its</p><p>system time is synchronized with the time in the token. By using the same algorithm, the validation server can</p><p>generate the code again and compare it with the one received from the user. If the static password is valid and</p><p>the one-time passwords match, the user is successfully authenticated. Again, both the token and the validation</p><p>server must have the same seed. Also, both system clocks must be synchronized (this is why an NTP server is</p><p>highly recommended).</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 154</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>RADIUS authentication is a method used by a RADIUS client delegating authentication (and sometimes</p><p>authorization) to a third-party user database; that is, the RADIUS server. In RADIUS authentication there are</p><p>usually three parties: the user, the RADIUS client or NAS (which is usually a FortiGate or another network access</p><p>device), and the RADIUS server. When the user authenticates, the RADIUS client requests the users credentials</p><p>and passes them to the RADIUS server for validation.</p><p>In most cases, the RADIUS client will support a RADIUS challenge-response. The RADIUS challenge-response</p><p>method is the preferred mechanism for two-factor authentication, because it is most natural for the end user.</p><p>If the RADIUS client supports the use of the RADIUS challenge packet, the remote user authenticates by entering</p><p>the username and password first, which is then forwarded by the RADIUS client to the RADIUS server. The</p><p>credentials are validated and, if correct and two-factor authentication is required, the RADIUS server replies with</p><p>an access challenge message indicating to the RADIUS client that it must ask the user for the token passcode.</p><p>The user now sends the one-time passcode, which is also forwarded to the RADIUS server for validation. The</p><p>RADIUS server also calculates the one-time passcode, compares it with what is provided, and replies with</p><p>“access accept” or “access reject”.</p><p>OTP passcode appended method can be used when the RADIUS client does not support the RADIUS challenge</p><p>packets, which is sometimes the case in old or legacy systems, the user must type and send the static password</p><p>and the token code all together. The user must know to append their OTP passcode to the end of their password.</p><p>The RADIUS client forwards those credentials to the RADIUS server, which replies with an answer indicating if</p><p>the password and the token code are valid or not.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 155</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator supports FortiToken OTP push notifications, or FTMv4 push notifications.</p><p>PUSH notifications are used to send alerts to the end user’s device each time a login request is made.</p><p>The alert contains information about the login attempt, for example the location from which the attempt originated.</p><p>Using FTMv4, when required to authenticate themselves, FortiToken Mobile users don't have to look up a code in</p><p>FortiToken and enter the code into their browser.</p><p>Instead, FortiToken Mobile is queried and the user simply taps to approve or deny the request.</p><p>If approved, a new OTP is automatically generated and sent by FortiToken Mobile to transparently authenticate</p><p>the end-user in the background.</p><p>If denied, FortiToken Mobile automatically sends an alert to the system administrator.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 156</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To some extent, FortiGate (without FortiAuthenticator) does support two-factor authentication. So, what are the</p><p>benefits of using FortiAuthenticator for two-factor authentication?</p><p>FortiGate has a built-in validation server and can also integrate with an existing AD/LDAP infrastructure.</p><p>However, and by design, the scope of two-factor authentication without FortiAuthenticator is specific and limited</p><p>to one instance of FortiGate (or HA pairs). So, it works well only in cases where tokens are stored on only one</p><p>FortiGate device.</p><p>FortiAuthenticator can support multiple FortiGate devices or other third-party vendor devices. With</p><p>FortiAuthenticator, one FortiToken can be used to authenticate to multiple systems.</p><p>Other advantages are that FortiAuthenticator has a built-in LDAP server and an API for integrating authentication</p><p>services within a corporate Web site or application. It also supports wireless authentication through social</p><p>channels, extends guest management capabilities, and delivers certificate management.</p><p>FortiToken Cloud provides a high availability managed service for two factor authentication that allows</p><p>administrators to easily deploy and manage their token inventory. Support for FortiToken Mobile Push simplifies</p><p>end user interaction during two factor authentication. FortiToken Cloud also adds the benefit of two factor</p><p>authentication across multiple FortiGates with a single token.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 157</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 158</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand OTP tokens.</p><p>Now, you will learn about the different OTP products.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 159</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in explaining hardware and software tokens, you will be able to use them</p><p>knowledgeably in your network.</p><p>Fortinet has a USB smart card token that can be used for two-factor authentication as well. However, since the</p><p>USB smart card token uses an x.509 certificate for authentication (rather than an OTP), it is described in the</p><p>Certificate Management lesson.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 160</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the FortiToken hardware device options: FortiToken 200B and FortiToken 220. They each</p><p>generate tokens that expire after 60 seconds. After the current interval expires, the devices transition to sleep</p><p>mode to save battery life.</p><p>The benefits of the FortiToken 200B and 220, compared to third-party devices, is that the tokens are perpetual</p><p>and will function for as long as the battery remains functional (unlike RSA tokens, for example, which expire after</p><p>a fixed period).</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 161</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The FortiToken 200B is a small keychain-sized hardware token that provides easy-to-use single-button token</p><p>generation. The token is displayed on a large easy-to-read LCD screen, with an indicator that shows the time</p><p>remaining before the next token is generated.</p><p>The FortiToken 220 is a mini credit card format FortiToken, that like the FortiToken 200B, provides easy-to-use</p><p>single-button token generation. The token is displayed on a easy-to-read LCD screen, with an indicator that</p><p>shows the time remaining before the next token is generated.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 162</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiToken Mobile is installed on any Android or iOS mobile device as an app. It is a PIN-protected application</p><p>that displays the 6-digit or 8-digit code on the user’s mobile phone in 30-second or 60-second timesteps (the</p><p>default is 60 seconds). The application stores the seed encrypted, and it can be configured to erase the seed</p><p>when the number of failed PIN attempts exceeds a threshold.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 163</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 164</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand the different OTP products.</p><p>Now, you will learn about how to provision OTP tokens.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 165</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing</p><p>this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in provisioning both hardware and software tokens, and configuring users for two-</p><p>factor authentication, you will be able to use both in your network.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 166</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>These are the steps that an administrator must follow to provision any new token:</p><p>1. Obtain token data which consists of the serial number and seed.</p><p>2. Register or add the tokens on the validation server.</p><p>3. Assign tokens to users.</p><p>4. Configure users for two-factor authentication.</p><p>Remember, the validation server can be either FortiGate or FortiAuthenticator, depending on your requirements.</p><p>You will learn about these steps in detail in this lesson, using FortiAuthenticator as the validation server.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 167</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Because the first step involves obtaining the token data, which includes the seeds, let’s quickly examine token</p><p>seeds. A seed is a factory-encoded random key, which, along with the built-in clock, generates the authentication</p><p>code.</p><p>The seed for the FortiToken 200 is generated randomly and is 160 bits long. After the seed is generated, it is</p><p>encrypted using 2048-bit RSA and stored in a secure database. The system automatically injects the seeds into</p><p>the tokens, so the seed number is never exposed to human operators. Upon request from a customer, the seed</p><p>can be destroyed.</p><p>FortiToken Mobile includes seeds as well. FortiToken Mobile seeds are generated on demand when the token is</p><p>provisioned to the user on the FortiGate or FortiAuthenticator. When a provisioning request is received, a random</p><p>data source is used to generate the seed and store it, encrypted, until it is securely retrieved by FortiAuthenticator</p><p>and the user’s FortiToken Mobile application. After it is retrieved, the seed is irretrievably destroyed on</p><p>FortiGuard. If the seed is not downloaded within the designated time frame (up to 30 days), it is automatically</p><p>destroyed.</p><p>When you use FortiAuthenticator, FortiAuthenticator generates the seed and then pushes it to the cloud.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 168</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Once the token is seeded, the token data (serial number and seed) must be delivered to the validation server</p><p>administrator.</p><p>You can receive the token data in the following two ways. The second method is the more secure of the two.</p><p>• Activate encrypted seeds online through the FortiGuard network. To reduce the impact of entering all token</p><p>seeds, all tokens associated with a purchase order can be imported in bulk by entering a single token serial</p><p>number. Alternatively, you can scan the barcode on the back of each token using a barcode scanner.</p><p>• Generate and provision the seeds in-house using a token provisioning tool. This in-house method is intended</p><p>for high-security organizations that want to have full control of the seeds as soon as they are generated. With</p><p>this method, Fortinet ships blank tokens with no seeds. You must inject the seeds within your secure</p><p>premises, which requires a seed-injection system and a hardware token seed-burning system. This can be a</p><p>time-consuming process, but it is highly customizable and secure.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 169</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You must register any new token—either the FortiToken hardware or FortiToken Mobile—with FortiAuthenticator.</p><p>You can do this through the FortiToken page.</p><p>There are two ways you can add tokens to FortiAuthenticator: manually create them or import them.</p><p>To manually create tokens, click Create New. If you are registering a FortiToken hardware, you need to enter the</p><p>serial number. If you are registering FortiToken Mobile, you need to enter the activation code. If you have multiple</p><p>tokens, you must add them one at a time, or you can add all tokens from the same purchase order by enabling</p><p>Add all FortiTokens from the same Purchase Order.</p><p>To import tokens, click Import. You can import by serial number file (CSV), seed file (CSV), or FortiGate</p><p>configuration file.</p><p>The Serial number file is a CSV file that contains the token serial numbers. FortiToken devices have a serial</p><p>number barcode on them that is used to create the import file.</p><p>The Seed File is a CSV file that contains the token serial numbers, encrypted seeds, and IV values.</p><p>The FortiGate configuration file provides you the ability to import FortiToken Hardware only, FortiToken</p><p>Hardware and only their associated users, or Import all FortiToken Hardware and users. The selected</p><p>option will be extracted from the uploaded FortiGate configuration file.</p><p>Each time you register new FortiTokens, the connectivity between FortiAuthenticator and FortiGuard must be up,</p><p>because FortiAuthenticator needs to validate each FortiToken against the FortiGuard servers. FortiAuthenticator</p><p>requires full Internet connectivity (through port 443) and proper DNS resolution. After the FortiTokens are</p><p>registered, the connection to FortiGuard is no longer essential.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 170</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can assign a token to a local user or remote user on the User Management page. Enable Token-based</p><p>authentication and select FortiToken. From here, you can select Hardware, Mobile, or Cloud. For hardware or</p><p>mobile you select the token from a drop-down list, remember, the token must first be registered with</p><p>FortiAuthenticator.</p><p>For local users only, you can choose to send a temporary passcode for a FortiToken Hardware or FortiToken</p><p>Mobile over email, SMS, or both. This allows you to assign a temporary authentication method, should a user</p><p>temporarily misplace their token or leave it at home without the need to de-provision the old token method.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 171</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Once you assign a FortiToken hardware to a user, that FortiToken is ready to use. It should be delivered to the</p><p>user safely and your company should have a vetting process in place to ensure the correct person is receiving</p><p>the assigned token. An organization’s policy for hardware token delivery is outside the scope of this training.</p><p>Once the user physically has the token and attempts to access a protected resource on the network, the user is</p><p>prompted to enter their token code. The user must press the button on the FortiToken hardware to display the</p><p>code.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 172</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>If you assign a FortiToken Mobile (soft-token) to a user, the process of user activation is as follows:</p><p>1. The administrator assigns a soft token to a user.</p><p>2. FortiAuthenticator sends a provisioning request to FortiGuard, shown on the slide as 2a, then</p><p>FortiAuthenticator sends an email or SMS to the user notifying them of the token delivery, shown on the slide</p><p>as 2b. This message also contains the activation code.</p><p>3. The user enters the activation code and the FortiToken Mobile app contacts FortiGuard to activate the soft</p><p>token.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 173</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Before provisioning the first FortiToken Mobile app, go to the FortiGuard page and select the required activation</p><p>timeout, token size, PIN length, and algorithm. The default Token algorithm is TOTP (Time-based One-time</p><p>Password) with default time step of 60 seconds. The time step defines the time between token generation. The</p><p>Hash-based One-time Password (HOTP) algorithm option will generate a single use token.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 174</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can also customize the FortiToken Mobile app with your organization’s logo. First, you must configure your</p><p>organization’s</p><p>logo on the Logos page. Then, you can assign it to the user. Edit the user entry on the User</p><p>Management page (either local or remote user), and, in the User Information section, select the logo in the</p><p>FortiToken Logo drop-down list. The logo will then appear on the FortiToken Mobile app.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 175</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>As mentioned, once you assign a FortiToken Mobile to a user, the user receives an SMS or email with</p><p>instructions. Note that the user account must include a valid mobile phone number or email address.</p><p>This slide shows an example of the email that is sent. The email includes a link to the FortiToken Mobile User</p><p>Guide for either iOS or Android, the activation code, and a QR code containing the activation code for easier</p><p>activation. The email also includes a time by which the user must activate the token. If not activated before expiry,</p><p>the user must contact the administrator to receive a new activation code. In this lesson, you will learn how to</p><p>modify the passcode validity time.</p><p>The user must open the FortiToken Mobile application on their iOS or Android mobile device and enter the</p><p>activation code. The application will then contact FortiGuard to validate the activation code.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 176</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiToken Cloud provides Authentication as a Service (AaaS), centralizing management, provisioning, and token</p><p>authentication in the cloud. This provides you an additional option, beyond local, for two-factor authentication as</p><p>well as cloud-based SSO. It provides FTM push without the need to open firewall ports, and cross-platform token</p><p>transfer. FortiToken Cloud works with FortiAuthenticator and does not interfere with the initial user name and</p><p>password login process. No additional hardware or software is required. The cloud-based service offers high</p><p>availability.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 177</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>If you assign a FortiToken Cloud to a user, the process of user activation is as follows:</p><p>1. The administrator assigns a soft token to a user.</p><p>2. FortiAuthenticator sends a provisioning request to FortiToken Cloud</p><p>3. FortiToken Cloud sends an email or SMS to the user notifying them of the token delivery. This message also</p><p>contains the activation code.</p><p>4. The user enters the activation code and the FortiToken Mobile app contacts FortiToken Cloud to activate the</p><p>soft token.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 178</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In addition to the hardware and software tokens, FortiAuthenticator can deliver a one-time password (or token</p><p>code) by either email, SMS or both. If email is used as a delivery method, you need to ensure you have</p><p>configured the user account to include a valid email address. If SMS is used as a delivery method, you need to</p><p>ensure you have configured the user account to include a valid mobile phone number. This slide shows an</p><p>example of the delivery of a token code by email.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 179</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Just because a user is assigned a FortiToken and they have registered or activated it, does not mean they must</p><p>use it as their step-up authentication method. You must enable two-factor authentication on FortiAuthenticator</p><p>first. You can do this on the User Management page by enabling both Password-based authentication (this</p><p>will be used as the first factor) and One-Time Password (OTP) authentication (this will be used as the second-</p><p>factor).</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 180</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can configure two-factor authentication for RADIUS authentication requests from a RADIUS client. There are</p><p>four authentication methods available. They are:</p><p>Mandatory password and OTP: If the user does not have a token, they cannot be authenticated for this client.</p><p>This is the most common method used to enforce secure authentication.</p><p>All configured password and OTP factors: If the user has a provisioned token, it must be used. If the user</p><p>does not have a token, they can still log in. This authentication method is used in a mixed environment where</p><p>only certain high-risk users need to authenticate with two-factor authentication. You can also use it in combination</p><p>with RADIUS attributes, where RADIUS attributes are used to elevate user permissions and only those users</p><p>require secure authentication.</p><p>Password-only: Removes the need for use of the token passcode even if it is provisioned. This method is used</p><p>in low-risk situations where added security is not required for the specific client. This method is not recommended</p><p>and should be used use with caution.</p><p>OTP-only: This authentication method validates only the token passcode. Entering the password will fail and a</p><p>challenge will not be made. This method is used where the first factor (username and password) is validated</p><p>externally, for example, for integration with a banking web application where username and password are</p><p>validated against a separate SQL or other type of database.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 181</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 182</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to provision OTP tokens.</p><p>Now, you will learn how to manage the FortiTokens.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 183</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in token-related tasks, such as configuration, synchronization, and monitoring, you</p><p>will be able to effectively manage FortiTokens.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 184</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>On the Tokens page, you can configure various token settings for both time-based and event-based tokens. For</p><p>example, you can:</p><p>• Set a time window (or counter window for event-based tokens) so that a FortiToken code will be marked as</p><p>valid inside the window. For example, if the field is set to 1 minute, the token code that is issued in the last,</p><p>current, or next minute is considered valid.</p><p>• Set a sync window (or counter window for event-based tokens) so that, if a FortiToken code is invalid but is</p><p>still inside this window, it will be marked out of synchronization.</p><p>• Set the length of time after which a token passcode sent by email or SMS will be marked as expired.</p><p>• Offline support allows Windows agents to cache future-dated tokens for when the end station is offline.</p><p>• Emergency codes help users without access to FortiToken, SMS, or email to complete 2FA. They can be</p><p>supplied to the user by an administrator.</p><p>You can reduce security by changing these settings. For example, by changing the time-based valid window from</p><p>1 minute to 100 minutes, you would increase the chance of being able to guess a token from 1/1,000,000 to</p><p>100/1,000,000 or 1/1,000. Use caution when changing this setting.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 185</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The system clock in the token must be synchronized with the system clock in FortiAuthenticator. Perfect</p><p>synchronization is always impossible to achieve. There is always a difference, called a drift, between the two</p><p>clocks. The drift usually increases with time, causing both device clocks to become out of sync.</p><p>A time step (which is equivalent to the frequency that a new code is generated) is 60 seconds. FortiAuthenticator</p><p>will accept the valid code for the current time step, the one before, and the one after. So, any drift that is not</p><p>bigger than +/-1 time step is tolerated. If the drift is larger, a re-synchronization is required. This ensures that the</p><p>device provides the token code</p><p>that FortiAuthenticator expects, because the codes are time-based. Fortinet</p><p>recommends synchronizing all new FortiTokens.</p><p>You can re-synchronize a FortiToken on the FortiToken page. Locate the FortiToken you want to synchronize</p><p>and click Synchronize. You must enter the code currently displayed on the FortiToken, wait for a new time step,</p><p>and then type the next code displayed. In this way, FortiAuthenticator can calculate the drift and adjust</p><p>accordingly.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 186</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Remote user synchronization rules allow you to configure token-based authentication sync priorities, how and</p><p>when remote LDAP users are synchronized, and the role assigned to the imported users. The prevents the</p><p>administrator from having to assign tokens to users one at a time.</p><p>You can enable the Token-based authentication sync priorities setting, and then prioritize the entries by</p><p>dragging them up or down in the list.</p><p>You can assign the new user imports FortiAuthenticator the role of Administrator, Sponsor, or User.</p><p>Enable Email password recovery to provide an email password recovery option to new and existing remote</p><p>LDAP users, if they have a valid email address.</p><p>You can delete synchronized users when they are no longer found on the remote server. This option is available</p><p>only when the Proceed with rule even when response is empty option is not enabled.</p><p>Enabling the Proceed with rule even when response is empty will result in the deletion of all users in a</p><p>FortiAuthenticator group when the synchronization returns no results.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 187</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The User Inventory widget on the FortiAuthenticator dashboard indicates the total number of registered</p><p>FortiToken devices and the total number of disabled FortiTokens.</p><p>From the FortiTokens page, you can:</p><p>• Unlock locked tokens in bulk</p><p>• View the status of each FortiToken</p><p>• View the last time a token was used</p><p>• View the user to which each FortiToken is assigned</p><p>• View the time drift of each FortiToken</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 188</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can export FortiTokens to a CSV file on the FortiTokens page by clicking Export FTK Hardware.</p><p>Tokens are removed from FortiGuard once provisioned, so it is not possible to reprovision them onto another</p><p>system without opening a support ticket. By providing an export option, you can reprovision tokens without</p><p>needing additional support. Furthermore, it is currently not possible to import configuration backups from different</p><p>appliance models. So the ability to export tokens (and users) allows for easy migration between systems.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 189</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Changing devices requires the user to install new tokens on their new device because the unique device ID is</p><p>used to form the seed decryption key.</p><p>If you wipe data from your device, or upgrade your device, you must reprovision your accounts.</p><p>If it is not enabled, FortiAuthenticator blocks all requests to transfer activation codes.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 190</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The process for transferring a token to a new device is as follows:</p><p>1. The end user selects the FortiToken Mobile menu option: Initiate Token Transfer.</p><p>2. FortiToken Mobile requests a new token transfer request service from FortiGuard, and includes the token</p><p>data.</p><p>3. FortiGuard stores the token data and creates a Transfer Activation Code.</p><p>4. FortiGuard signals back to FortiToken Mobile on the old device that transfer initialization is complete.</p><p>5. The user is prompted for approval, and when approved, the tokens are deleted from the old device.</p><p>6. On the old device, FortiToken Mobile sends a request to FortiAuthenticator for the Transfer Activation</p><p>Code.</p><p>7. FortiAuthenticator retrieves the Transfer Activation Code from FortiGuard and signals back to</p><p>FortiToken Mobile (on the old device) that the Transfer Activation Code request was successful.</p><p>8. FortiAuthenticator sends either an email or SMS to the end user with the transfer code (as a QR code from</p><p>email).</p><p>9. On the new device, the end user selects the FortiToken Mobile menu option Complete Token Transfer and</p><p>enters the transfer code (or scans the QR code).</p><p>10. FortiToken Mobile receives the token data from FortiGuard and installs the token(s) on the new device. All</p><p>tokens are removed on the old device after the transfer is complete.</p><p>When transitioning from one iOS device to another iOS device, the process of transferring tokens may not be</p><p>necessary if the device was backed up to iCloud.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 191</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>If a user reports a FortiToken lost or stolen, you can lock the FortiToken. Select the FortiToken on the</p><p>FortiTokens page and click Lock. You must provide a reason for locking the FortiToken. A temporary SMS or</p><p>email token can be provided to the user for logging in until new arrangements have been made. The device can</p><p>be unlocked if it is recovered.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 192</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 193</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Congratulations! You have completed this lesson.</p><p>Now, you will review the objectives that you covered in this lesson.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 194</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the objectives that you covered in this lesson.</p><p>By mastering the objectives covered in this lesson, you learned how to apply and manage two-factor</p><p>authentication using tokens.</p><p>Two-Factor Authentication</p><p>FortiAuthenticator 6.4 Study Guide 195</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn how to use FortiAuthenticator as a login event collector that uses the Fortinet Single</p><p>Sign-On (FSSO) communication framework to transparently authenticate users.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 196</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the topics shown on this slide.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 197</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in understanding FSSO, you will be able to identify the different methods of</p><p>collecting login events from AD as well as understand the FSSO framework.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 198</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FSSO offers a solution for transparently identifying (and implicitly trusting) users who have already authenticated</p><p>to the network through a different system.</p><p>FSSO differs from the generic single sign-on (SSO) in that FSSO is a single sign-on into the FortiGate firewall</p><p>policy only, as opposed to a single sign-on into any web or similar application.</p><p>FSSO is commonly used to transparently authenticate Microsoft AD users, but with FortiAuthenticator, it is not</p><p>limited to that environment. FSSO can also transparently authenticate users in non-Microsoft environments by</p><p>leveraging the Fortinet mobility agent, syslog SSO, and SAML SSO.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 199</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The FSSO process is as follows:</p><p>1. The user authenticates only once, against an authentication server that is usually a Windows Domain</p><p>Controller (DC).</p><p>2. The user login information is forwarded and distributed to all the firewalls and authentication devices in the</p><p>network. Login information usually contains the user name, IP address, and user groups. This way, firewalls</p><p>know which user is at which IP address.</p><p>3. The firewall uses the source IP address of the packets, and the login information received from</p><p>the</p><p>authentication server, to identify the user and apply the proper firewall policy depending on the user group.</p><p>The firewall will not ask the user to authenticate again.</p><p>This process is also similar if a user is accessing an internal network resource. The firewall uses the source IP</p><p>address to identify the user and determine if they can have access to a specific network service.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 200</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the multitude of ways FortiAuthenticator can identify users over the FSSO framework.</p><p>The FortiAuthenticator FSSO framework has five layers:</p><p>• The first layer is the identity source: the method by which the user identity is ascertained.</p><p>• The second layer is the identity discovery: the methods by which the user identity and their location (IP) are</p><p>discovered. You will learn each of these methods in the FSSO User Identity Discovery Methods section.</p><p>• The third layer is aggregation and embellishment: the collection of user identity and addition of any missing</p><p>information, such as group, which is gathered from the external LDAP/AD.</p><p>• The fourth layer is the communication framework: the method by which the authentication information is</p><p>communicated with the subscribing device.</p><p>• The fifth layer is the subscribing device: for example, FortiGate. The user information is forwarded to the</p><p>subscribing device where the information can be used in firewall policies.</p><p>Note that you can also combine multiple methods. For example, Single Sign-On Mobility Agent may be used for</p><p>Microsoft Windows domain PCs but fall back to the login portal with embedded widgets for non-Windows systems</p><p>or unauthenticated PCs.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 201</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In the case of Microsoft AD users, there are two ways of collecting login events:</p><p>• Domain controller (DC) agent mode</p><p>• Windows AD polling mode</p><p>Now, you will take a closer look at both of these methods.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 202</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The DC agent mode requires a DC agent to be installed on each of the Windows domain controllers. It also</p><p>requires FortiAuthenticator or a Windows domain server with a software collector agent installed to act as a</p><p>collector agent. This is how this mode works:</p><p>1. When the user logs into the Windows network, a login event is recorded in one of the domain controllers.</p><p>2. The DC agent installed in that DC detects the login event and forwards it to the collector agent. In that way,</p><p>the collector agent collects the login events from multiple DCs.</p><p>3. The FortiAuthenticator or Windows domain server, configured as a collector agent, gathers the login events,</p><p>looks up the missing information such as group membership, and then forwards the appropriate collected</p><p>login events to FortiGate. The information forwarded contains the user name, user groups, and user IP</p><p>address.</p><p>When traffic is coming from that user IP address, FortiGate knows in advance which user is there, and applies</p><p>the correct firewall policies depending on the user, the user groups, and the traffic destination.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 203</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>It’s worth mentioning WMI polling, because it relies on DC agent mode. FortiAuthenticator supports WMI polling</p><p>to detect workstation logout. This validates the currently logged in user for an IP address that has been</p><p>discovered by the DC polling detection method.</p><p>Note that remote WMI access requires that the related ports are opened in the Windows firewall, and access to a</p><p>domain account that has sufficient permissions, such as domain admins.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 204</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Unlike DC agent mode, Windows AD polling mode does not require DC agents and therefore is an alternative for</p><p>customers with third-party installation limitations. However, it is not as scalable as the DC mode, and requires</p><p>more CPU and memory. Polling can be done directly from FortiGate, so a FortiAuthenticator or other collector</p><p>agent is not always needed.</p><p>It works as follows:</p><p>1. The user logs on to the network, which generates a login event.</p><p>2. The collector agent is periodically polling the DCs to extract the login events.</p><p>3. The collector agent gathers the login events, looks up the missing information such as group memberships,</p><p>and then forwards the appropriate collected login events to FortiGate. The information forwarded contains the</p><p>user name, user groups, and user IP address.</p><p>When traffic is coming from that user IP address, FortiGate knows in advance which user is there, and applies</p><p>the right firewall policies and profiles.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 205</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>So, if you can have single sign-on without FortiAuthenticator, why configure it?</p><p>FortiAuthenticator offers two main advantages:</p><p>1. Both DC agent mode and polling mode work only in Windows AD environments. You can use</p><p>FortiAuthenticator to implement FSSO in both Microsoft and non-Microsoft environments. It can collect login</p><p>events from many different sources, which you will learn about later.</p><p>2. It offers a Windows AD polling mode that does not require the use of a domain agent and it is more scalable</p><p>than polling directly from FortiGate.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 206</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator therefore takes the FSSO framework introduced in FortiGate and enhances it with several</p><p>authentication methods:</p><p>• Users can authenticate through a web portal and a set of embeddable widgets</p><p>• Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient</p><p>SSO Mobility Agent</p><p>• SAML authentication can be used to trigger an FSSO authentication</p><p>• Users can be identified through the FortiAuthenticator API which is useful for integration with third-party</p><p>systems</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 207</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 208</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now have a brief understanding of FSSO.</p><p>Now, you will learn about the different FSSO user identity discovery methods and how to configure them.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 209</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in understanding and configuring FSSO discovery methods, you will be able to</p><p>implement the different FSSO methods in your network.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 210</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator has taken the concept of FSSO, as used on FortiGate and the FSSO software client, and</p><p>extended it with several new user identification methods. Because of flexibility built in to FortiAuthenticator, this</p><p>list is continually growing. This section examines current FSSO user identity discovery methods, including the</p><p>following:</p><p>• Active Directory polling</p><p>• Kerberos-based FSSO</p><p>• FortiClient SSO Mobility Agent</p><p>• RADIUS accounting</p><p>• External syslog</p><p>• Rest API</p><p>• DC and TS collector agents</p><p>• RADIUS accounting proxy</p><p>• FortiNAC</p><p>You can enable one or more discovery methods on FortiAuthenticator on the General page in the Fortinet</p><p>Single Sign-On (FSSO) section.</p><p>Some methods require further configuration other than enabling the method shown on this slide. You will explore</p><p>the configurations in this section.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 211</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator is able to poll Windows domain controllers to monitor the security event logs for login events.</p><p>Polling of the Security Event Log is configured to occur every 5</p><p>seconds so that any login event that has occurred</p><p>since the previous poll is captured and entered into FSSO.</p><p>Note that while login events can be detected from the security event logs, logout events cannot. This is due to the</p><p>fact that logout events can be triggered by many different processes, many that are not indicative of the user</p><p>logging out.</p><p>While some methods natively support logout detection (like the FortiClient SSO Mobility Agent), others such as</p><p>AD polling do not. To enable logout detection, FortiAuthenticator supports Windows Management Instrumentation</p><p>(WMI) polling to identify the current logged on user state for a device and log the user out. A manual timeout</p><p>period can also be set to remove the user from the authorization table.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 212</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In order to use domain controller polling, you must enable Windows Active Directory (AD) domain controller</p><p>polling.</p><p>After you enable it, you must create a domain controller. This allows FortiAuthenticator to poll the AD event log to</p><p>track user logins as well as poll the WMI logs to track the user logouts. You can configure domain controllers on</p><p>the Windows Event Log Source page. You must enter the NETBIOS name of the controller, the domain</p><p>controller IP address, and the account credentials that can poll the event and WMI logs. Administrator privileges</p><p>are not essential, you only need an account that can bind with the domain controller.</p><p>For this method, FortiAuthenticator and FortiGate must be prepared.</p><p>Security event selection is accessible from the Configure Events link.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 213</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To avoid the need to poll the domain controller while still retaining the ability to transparently authenticate</p><p>Windows users, FortiAuthenticator supports use of Kerberos tickets passed by the browser and validated against</p><p>the key distribution center (KDC) to identify users. In this case, unauthenticated users are redirected from</p><p>FortiGate to FortiAuthenticator. FortiAuthenticator requests the service ticket from the browser and then decrypts</p><p>and uses the ticket to validate the user identity.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 214</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The FortiClient SSO Mobility Agent is part of the standard FortiClient product installation. When installed, the</p><p>SSO Mobility Agent identifies Windows Domain users transparently and communicates the user identity and IP</p><p>address to FortiAuthenticator for use in FSSO. The agent also monitors the system for IP address changes, such</p><p>as those caused by Wi-Fi roaming, and automatically updates FortiAuthenticator. When the user logs out or shuts</p><p>down, the user is also logged out of FortiAuthenticator. In cases where an unclean disconnection is made (for</p><p>example, power failure, hibernation, network failure), a heartbeat system is implemented so the user will be de-</p><p>authenticated following a configurable number of heartbeat failures.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 215</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In order to use the SSO Mobility Agent, the service must be enabled. This involves setting the FortiClient listening</p><p>port number (by default, it is 8001) and enabling authentication in the communication between FortiAuthenticator</p><p>and the FortiClient devices. This requires you to enter the secret key. You can also configure the duration</p><p>between keepalive transmissions from 1 to 60 minutes, and the idle time-out period.</p><p>The Enable NTLM option helps to prevent attacks based on a user authenticating to an unauthorized AD server</p><p>in order to spoof a legitimate user login through the FortiClient SSO Mobility Agent. FortiAuthenticator will initiate</p><p>NTLM authentication with the client, proxying the communications only to the legitimate AD servers it is</p><p>configured to use. If NTLM is enabled, FortiAuthenticator requires NTLM authentication when:</p><p>• The user logs in to a workstation for the first time</p><p>• The user logs out and then logs in again</p><p>• The workstation IP address changes</p><p>• The workstation user changes</p><p>• NTLM authentication expires (user configurable)</p><p>FortiClient must be configured on the end station by supplying the FortiAuthenticator IP address, communication</p><p>port, and secret key.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 216</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In situations where device or user identity cannot be established transparently, such as non-domain BYOD</p><p>devices or shared kiosk machines, a web portal can be used to prompt users for login. Often this method is used</p><p>with other transparent methods and used as a catch-all. Once authenticated, the user remains authenticated until</p><p>they log out of the browser.</p><p>Because repeated manual reauthentication may impact the user experience, FortiAuthenticator supports</p><p>automated user identification for subsequent access through the use of portal widgets. The widget</p><p>implementation, which uses an HTML iframe, can be incorporated into a web page, such as an intranet webpage</p><p>for users to use for login. Following a successful login, a time-limited cookie, the validity of which is configurable</p><p>for up to 30 days, is stored in the user’s browser. On subsequent visits, the user will be transparently</p><p>reauthenticated using the user’s cookie key (assuming it matches that stored on FortiAuthenticator). When the</p><p>cookie times out, or should the user clear the cache or visit a new machine, the user will be required to</p><p>reauthenticate.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 217</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In order to use portal services--which support multiple authentication methods, including manual authentication,</p><p>embeddable widgets, and Kerberos authentication--you have to configure portal services on the Portal Services</p><p>page.</p><p>If you want to use manual portal authentication or widgets, enable Enable SSO on login portal. You must</p><p>specify if you want to authenticate local users, or remote users, or both (in a remote LDAP server) in the self-</p><p>service portal policy. You can also specify if all users can authenticate, or only users that belong to specific</p><p>groups.</p><p>If you want to use Kerberos authentication so FortiAuthenticator can identify connecting users through a Kerberos</p><p>exchange after a redirect from FortiGate, you must first generate a keytab file that describes your Kerberos</p><p>infrastructure, and import it. You can use a ktpass utility to generate the file. The code provided in the</p><p>FortiAuthenticator Administration Guide can be used in a batch file to simplify the keytab file creation.</p><p>The SAML portal enables support for Security Assertion Markup Language (SAML), allowing users to provide one</p><p>set of credentials to gain access to many different websites. SAML will be covered, in detail, in another lesson.</p><p>The SSO web service refers to SSO using the API. This configuration is needed to allow the API to accept SSO</p><p>logins, and to tell the API which type of users will be authenticating.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 218</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The RADIUS accounting method uses RADIUS start, interim, and stop accounting packets to trigger login/logout</p><p>to FSSO. Such RADIUS packets are commonly sent by networking devices such as SSL-VPN devices, wireless</p><p>controllers, and switches.</p><p>The benefit of this method is that, for vendors who support sending such packets, no direct support is required by</p><p>FortiAuthenticator (they use standard RADIUS which is already supported) and minimal change is required to</p><p>enable the input of the user authentication data into the FSSO.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 219</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To accept and process the start, interim, and stop packets you must enable the Enable RADIUS accounting</p><p>SSO clients option.</p><p>Once enabled,</p><p>you have to configure RADIUS accounting on the RADIUS Accounting Sources page. Here, you</p><p>will configure FortiAuthenticator as a RADIUS accounting server to the RADIUS accounting source. The source</p><p>could be a RADIUS server, a switch, a Fortigate device, or any other device that can generate RADIUS</p><p>accounting packets.</p><p>To configure a RADIUS accounting SSO client, you must select a name for the RADIUS accounting client, enter</p><p>the IP address of the RADIUS accounting client, and enter the RADIUS client’s preshared key. You must also</p><p>select the type of SSO user the client will provide (external, local, remote). If required, you can also customize the</p><p>user name, client IP address, and user group RADIUS attributes to match the ones used in the incoming RADIUS</p><p>accounting records.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 220</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The configuration of FortiAuthenticator to accept and process syslog messages from external sources includes</p><p>identifying the sources, defining the syslog rules, and associating the rules with the sources.</p><p>Sources identify the entities sending the syslog messages, and the associated rules extract the events from the</p><p>syslog messages. Messages coming from non-configured sources are dropped.</p><p>The syslog rule configurations provide FortiAuthenticator with the necessary information to parse username and</p><p>IP address information from a syslog feed, and inject this information into FSSO so it can be used in FortiGate</p><p>firewall policies.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 221</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The configurations necessary for leveraging syslog information is as follows:</p><p>1. Enable the syslog SSO method.</p><p>2. Create a syslog rule. Rules are required for every syslog source. Predefined rules are available for FortiNAC,</p><p>Cisco, and Aruba wireless controllers. For other systems, new rules can be created to parse the messages.</p><p>3. Configure the syslog sources on the Syslog Sources page. This includes selecting a name and configuring</p><p>the IP address of the source. Each syslog source must be defined for traffic to be accepted by the syslog</p><p>daemon. You must also select a matching rule. Finally, you must select an SSO user type (external, local, or</p><p>remote).</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 222</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To enable integration with third-party systems, FortiAuthenticator offers a programmatic REST API that can be</p><p>used to authenticate and deauthenticate users into FSSO. This can be used for integration with third-party</p><p>applications such as portals and identity management systems.</p><p>For more information, see the FortiAuthenticator REST API Solution Guide.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 223</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator devices support the collection of login information from Windows Active Directory systems</p><p>through the installation of the DC agent on the domain controller. Terminal services (TS) agent is a similar</p><p>concept, except it collects user login information from Citrix or Windows terminal servers. Citrix users do not have</p><p>unique IP addresses. When a Citrix user logs in, the TS agent assigns that user a range of source ports.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 224</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In order to use the DC agent and/or TS agent, FortiAuthenticator must be set to listen and accept the incoming</p><p>packets from the agents. To do this, enable DC/TS Agent Clients. Remember, FortiAuthenticator can implement</p><p>the polling functionality directly, but it can also accept a feed from both DC agent and TS agent installations, if</p><p>necessary.</p><p>To configure, you must also specify a UDP port (the default is 8002). To enable authentication, select Enable</p><p>Authentication and enter the secret key of the DC/TS agent.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 225</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>RADIUS accounting proxy is different from the previously mentioned RADIUS accounting.</p><p>• RADIUS accounting is used to convert, for example, third-party (or FortiGate Wi-Fi/VPN login) RADIUS events</p><p>to RSSO. This is most useful in an enterprise environment for adding third-party user identity sources.</p><p>• RADIUS accounting proxy, on the other hand, takes in one accounting source and redistributes it to multiple</p><p>FortiGate devices. This is most commonly used by ISPs and carriers.</p><p>The RADIUS accounting proxy must be configured with:</p><p>• Rule sets to define or derive the RADIUS attributes that FortiGate requires</p><p>• The source of the RADIUS accounting records (the RADIUS server)</p><p>• The destinations of the accounting records (the FortiGate devices using this information for RADIUS SSO</p><p>authentication)</p><p>Once configured on FortiAuthenticator, FSSO can include users.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 226</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 227</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Congratulations! You have completed this lesson.</p><p>Now, you will review the objectives that you covered in this lesson.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 228</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the objectives that you covered in this lesson.</p><p>By mastering the objectives covered in this lesson, you learned how to use FortiAuthenticator as a login event</p><p>collector that uses the FSSO communication framework to transparently authenticate users.</p><p>FSSO Process and Methods</p><p>FortiAuthenticator 6.4 Study Guide 229</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn how to use FortiAuthenticator as a login event collector that uses the Fortinet Single</p><p>Sign-On (FSSO) communication framework to transparently authenticate users.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 230</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the topics shown on this slide.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 231</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in preparing FortiAuthenticator and FortiGate for FSSO, you will be able to set up</p><p>FSSO using FortiAuthenticator on your network.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 232</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Each FortiGate that uses FortiAuthenticator to provide SSO authentication must be configured to use</p><p>FortiAuthenticator as an SSO server. To do this, you need to create an FSSO agent—which sets</p><p>FortiAuthenticator as an SSO server—on FortiGate.</p><p>You can configure the FSSO agent on FortiGate on the External Connectors page. You must select FSSO</p><p>Agent on Windows AD as the type of SSO agent, enter a name for the agent, enter the IP address of your</p><p>FortiAuthenticator, and finally, enter a secret key. The secret key must be the same as the one you will define on</p><p>FortiAuthenticator when you enable FSSO authentication later in the process.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 233</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>When a user tries to access network resources, FortiGate selects the appropriate firewall policy for the</p><p>destination. The selection consists of matching the FSSO group the user belongs to with the firewall policy that</p><p>matches that group. If the user belongs to one of the permitted user groups associated with that policy, the</p><p>connection is allowed. Otherwise, the connection is denied.</p><p>You can configure the FSSO user group on FortiGate on the User Groups page. You must enter a name for the</p><p>group and select Fortinet Single Sign-On (FSSO) as the group type.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 234</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To allow FortiAuthenticator to listen for requests from authentication clients, you must enable FSSO</p><p>authentication.</p><p>Configuration</p><p>FortiAuthenticator 6.4 Study Guide 14</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The table on this slide shows some of the key differences in LDAP capabilities between FortiGate and</p><p>FortiAuthenticator beyond active directory synchronization.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 15</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator can retrieve FSSO identity information from a variety of sources, including the FortiClient</p><p>mobility agent, Syslog messaging, Windows domain polling, and RADIUS accounting. FortiAuthenticator then</p><p>passes gathered user, group, and IP address information to FortiGate devices.</p><p>You can use FortiAuthenticator to restrict the number of devices per FSSO user.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 16</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator offers SAML support for end-user SSO and can act as both an identity provider (IdP) and a</p><p>service provider (SP).</p><p>FortiAuthenticator can act as a certificate authority (CA) and provide certificate auto-enrollment using SCEP</p><p>or OCSP.</p><p>FortiAuthenticator social authentication provides users with the ability to validate using social media sites,</p><p>such as Facebook, Twitter, LinkedIn, and Google.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 17</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator can support up to 1 million users and offer two-factor authentication.</p><p>FortiAuthenticator provides the ability to centrally manage tokens. For example, a single token can be used to</p><p>access many FortiGate devices instead of a separate token for each FortiGate. Tokens can be pushed using</p><p>SMS.</p><p>Fast ID Online (FIDO) can provide secure authentication without a password.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 18</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 19</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand the key features of FortiAuthenticator, and comparisons between</p><p>FortiAuthenticator and FortiGate.</p><p>Now, you will learn about the initial configuration.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 20</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in the initial configuration of FortiAuthenticator, you will be able to deploy</p><p>FortiAuthenticator in your own network and perform basic administrative tasks.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 21</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To log in to FortiAuthenticator, you need to know:</p><p>- The factory default settings—you can find these in the QuickStart Guide for your FortiAuthenticator model</p><p>- The default user name and password</p><p>To connect to the management computer, you need to know:</p><p>- The IP address of port1 and the netmask</p><p>- The default supported management access protocols</p><p>The number of ports for each FortiAuthenticator model varies, however port1 is the management port, and its</p><p>default IP address is 192.168.1.99.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 22</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>If you are using the GUI to configure FortiAuthenticator, you need to connect an Ethernet cable between</p><p>FortiAuthenticator and the management computer on port1. You also must configure the management</p><p>computer to be on the same subnet as the FortiAuthenticator port1 interface.</p><p>To log in, open a supported browser and enter the default IP address preceded by https://. At the login</p><p>screen, use the factory default information for the administrator account. The username is admin. When</p><p>prompted do not enter a password. During the initial login, FortiAuthenticator will prompt you to create a</p><p>password.</p><p>If you are using the CLI configuration tool to configure FortiAuthenticator, use a terminal emulation application,</p><p>such as PuTTY. Because of the limited functionality of the CLI, there is no CLI Console widget on the web-</p><p>based manager, like there is for other Fortinet products.</p><p>On the terminal emulation application, enter the default FortiAuthenticator port1 IP address and select a</p><p>supported management access protocol. SSH is the only protocol enabled by default.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 23</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The status dashboard is the landing page for administrators after login. The dashboard contains widgets that</p><p>display different types of real-time information. It should be one of the first places you look for any signs of</p><p>trouble every time you log in.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 24</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After you log in, you must configure the interface, the primary and secondary DNS server IP addresses, static</p><p>routing (which includes the default gateway), and system time. For the sake of simplicity, in this lesson, the</p><p>GUI is used to explain the configuration requirements.</p><p>You perform all initial configuration tasks on the same area of the GUI. Click System > Network.</p><p>You must fulfill some requirements for your network during configuration. At a minimum, you must ensure</p><p>specific ports are open in the security policies between the RADIUS authentication clients and</p><p>FortiAuthenticator.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 25</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can configure the interface network settings on the Interfaces page. This includes setting an IP address</p><p>and netmask, as well as supported administrator access and system protocols.</p><p>You must edit the default IP address and netmask associated with the port1/MGMT interface, based on your</p><p>own network. This provides more security than using the default IP address and, if more than one</p><p>FortiAuthenticator is located in the network, different network settings are mandatory (the management</p><p>interface must have a dedicated address). You can assign IPv4 and IPv6 addresses, which must be static.</p><p>Administrator access for IPv4 and IPv6 have been separated, so you can mix and match the options you</p><p>want.</p><p>You must also select the administrative protocols you want to support. Any interface that is used to provide</p><p>administration access to FortiAuthenticator requires at least HTTP or HTTPS, for GUI access, or SSH for CLI</p><p>access. By default, HTTPS and SSH are enabled on FortiAuthenticator.</p><p>Finally, you must select the services you want to allow. These are tied to the functionality you want to employ</p><p>and several are already enabled by default. You will learn about many of these services throughout the</p><p>training.</p><p>FortiAuthenticator supports the receipt of messages from a syslog source over a TLS connection using TCP</p><p>port 6514.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 26</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>For security reasons, hosts may access the FortiAuthenticator GUI only if they are on the same domain or on</p><p>the same network as FortiAuthenticator, and, even then, only if the interface has HTTP or HTTPS for GUI</p><p>access enabled. You can allow additional hosts by designated IP address or domain name, from the System</p><p>Access page.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 27</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can define the number of REST API requests in the System Access view. Limiting the number of</p><p>requests is essential to preventing DoS attacks as well as providing scalability.</p><p>The inbound proxy settings allow FortiAuthenticator to determine origin of the source IP address after the</p><p>traffic has been forwarded through a proxy:</p><p>* From the FORWARDED HTTP header</p><p>* From the X_FORWARDED HTTP header</p><p>You can also set FortiAuthenticator to restrict admin access based on trusted IP addresses or subnets, by</p><p>configuring valid FORWARDED “by” values.</p><p>Introduction and Initial Configuration</p><p>You can enable FSSO authentication on FortiAuthenticator on the General page. You must enable Enable</p><p>authentication and then type the secret key in the Secret key field. The secret key that you type here must be</p><p>the same secret key that you defined when creating the FSSO agent on FortiGate.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 235</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In order to provide FSSO to specific groups on a remote LDAP server, you can filter the polling information so</p><p>that it includes only those groups.</p><p>You can create a FortiGate filter on the FortiGate Filtering page. You must name the filter, provide the IP</p><p>address of FortiGate, enable Forward FSSO information for users from the following subset of</p><p>users/groups/containers only, and select the LDAP server and remote group on which you want to filter.</p><p>In some situations is may be desirable to exclude designated IP addresses from the FSSO process, for example,</p><p>domain controllers or Exchange servers. This is accomplished through the creation of IP filtering rules. Once</p><p>crated these rules can be added to the FortiGate filtering configuration.</p><p>Note that FortiGate filtering has no effect on which FSSO events are stored on FortiAuthenticator. The filters</p><p>affect only which events are passed down to FortiGate.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 236</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Finally, in order to allow FortiGate to receive a list of user groups from FortiAuthenticator, you need to add the</p><p>SSO group on FortiAuthenticator to the FSSO agent on FortiGate.</p><p>If you already created your FSSO agent on FortiGate, you just need to edit it, and then click Apply & Refresh, or</p><p>from the CLI, issue the command: execute fsso refresh. FortiGate is able to view the remote group that</p><p>you set to filter. The group can now be used in firewall policies.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 237</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To use FortiNAC as an SSO session source, you must first configure FortiNAC to participate in SSO session</p><p>information transfer. This is accomplished from the Fortinet FSSO Settings page in the System</p><p>Communication folder. You must enable Enable FSSO Communications, a port designated for communication</p><p>(the default is 8000), and set a password. You must use the same password when configuring devices to gather</p><p>SSO session information from FortiNAC.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 238</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>On the FortiAuthenticator FortiNACs settings page, you will create a FortiNAC entry for each FortiNAC device</p><p>the FortiAuthenticator will gather SSO session information from. Each entry will contain a name for the FortiNAC</p><p>device, the IP/FQDN of the FortiNAC device, the communication port (this must match the setting on FortiNAC),</p><p>and a password (this must match the one configured on FortiNAC).</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 239</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You must enable the FortiNAC SSO method on FortiAuthenticator. You do this on the General settings page.</p><p>After you enable the Enable FortiNAC SSO setting in the Fortinet Single Sign-On (FSSO) section, you can add</p><p>FortiNAC sources. The available sources are the FortiNAC devices that have been added to this</p><p>FortiAuthenticator. FortiAuthenticator can now begin pulling the SSO session information.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 240</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 241</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to configure FortiAuthenticator and FortiGate for FSSO.</p><p>Now, you will learn about how to optimize the additional settings for FSSO.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 242</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in configuring additional settings for FSSO, you will be able to fine-tune the</p><p>FortiAuthenticator to work seamlessly with FortiGate for FSSO authentication.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 243</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Fine-grained controls provides options to include or exclude a user or group from SSO, and set the maximum</p><p>number of concurrent sessions that a user or group can have.</p><p>You can adjust the controls on the Fine-grained Controls page.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 244</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Use SSO users and groups only when you need to modify the behavior of a user or group before sending it to</p><p>FortiGate. For example, you would use users and groups when you want to:</p><p>Exclude a user from SSO (only supported as a user, not as a group). This is needed in the following scenarios:</p><p>• Some antivirus products will log in using service accounts on the PC and overwrite the user credentials,</p><p>breaking FSSO.</p><p>• To override the default number of concurrent devices a user or group can have in FSSO.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 245</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can configure user group membership on the General page to specify how to cache group information once</p><p>FortiAuthenticator has obtained it. There are two ways to cache information: passive mode and active mode.</p><p>In passive mode, items have an expiry time after which they are removed and re-queried upon the next login. In</p><p>active mode, items are periodically updated for all currently logged in users.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 246</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Multiple FortiAuthentictor devices can be configured to work in a hierarchical tiering configuration. The supplier</p><p>FortiAuthenticator devices gather information locally, then send the information to the upstream FortiAuthenticator</p><p>collector. The collector then aggregates the supplier information and sends the logins up to the FortiGate</p><p>device(s).</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 247</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You enable hierarchical tiering of suppliers and collectors on the General page. You must specify a collector</p><p>listening port (the default port is 8003). Suppliers will pass collected information to the configured listening port</p><p>while collectors listen to receive information on that port.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 248</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can manage any supplier and collector tier nodes on the Tiered Architecture page.</p><p>You must provide a name for the node, a serial number, the role of the tier (supplier or collector), and the IP</p><p>address of the node.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 249</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 250</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to optimize the additional settings for FSSO.</p><p>Now, you will learn how to troubleshoot FSSO issues.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 251</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objective shown on this slide.</p><p>By demonstrating competence in troubleshooting FSSO issues, you will be able to diagnose and fix FSSO issues</p><p>in your network.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 252</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>When debugging Windows event log source issues, ensure you verify the domain controller configuration on the</p><p>Windows Event Log Source page. Check whether the account is specified in the correct User Principal Name</p><p>(UPN) format. Ensure the domain controller wasn’t disabled by accident. Lastly, check with your administrator</p><p>whether</p><p>a secure connection is required.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 253</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can find detailed logs in the FSSO debug log. The example shown on this slide indicates that the wrong</p><p>password is being used.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 254</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The SSO domain monitoring view displays the status of all configured domain controllers. Color coding is used to</p><p>convey the result of the last connection attempt for each listed controller.</p><p>A green domain controller indicates that the last connection attempt was successful. A gray controller indicates</p><p>there is no recent connection information, and a red controller indicates the last connection attempt failed.</p><p>Hovering the mouse pointer over a domain controller displays connection details for that controller.</p><p>Clicking a domain controller opens a Recent Queries window, which presents the 100 most recent queries</p><p>ordered by timestamp. The response times are also color coded as follows:</p><p>• Green: Less than 500 ms</p><p>• Orange: Between 500 and 1000 ms</p><p>• Red: 1000 ms or greater</p><p>Any failed queries will contain error information about the failure in the Error column.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 255</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The majority of FSSO issues can be traced back to incorrect permissions when querying LDAP or AD. The table</p><p>shown on this slide outlines the feature, where it is located on FortiAuthenticator, and the minimum Windows</p><p>permissions required.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 256</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 257</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Congratulations! You have completed this lesson.</p><p>Now, you will review the objectives that you covered in this lesson.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 258</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the objectives that you covered in this lesson.</p><p>By mastering the objectives covered in this lesson, you learned how to use FortiAuthenticator as a login event</p><p>collector that uses the FSSO communication framework to transparently authenticate users.</p><p>FSSO Deployment and Troubleshooting</p><p>FortiAuthenticator 6.4 Study Guide 259</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about portal services offered by FortiAuthenticator.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 260</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the topics shown on this slide.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 261</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in portal services, you will be able to understand how they fit in your network</p><p>services.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 262</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Portal service allows you to grant remote users access to certain portions of your network, using delegated</p><p>authentication. In this scenario, authentication requires the user to associate their device with the guest SSID,</p><p>as published by the FortiGate wireless controller.</p><p>FortiGate facilitates access control by redirecting the user’s web browser to one of FortiAuthenticator’s captive</p><p>or guest portals. Because of this, you have to configure FortiGate (on a per-FortiGate basis) to employ captive</p><p>or guest portal on FortiAuthenticator.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 263</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the general process flow for the portal service.</p><p>A user connects to the wireless or wired network and tries to access the internet. FortiGate intercepts the</p><p>traffic and redirects it to the FortiAuthenticator web login page defined in the FortiGate captive portal profile.</p><p>The user enters their credentials on the FortiAuthenticator web login page. FortiAuthenticator performs any</p><p>required preauthorization checks and displays the login message to the user. If the user does not have</p><p>credentials, there may (depending on configuration) be an option to purchase login time. The login message</p><p>instructs the user’s browser to submit the user credentials directly to FortiGate as HTTPS POST, for</p><p>authentication processing.</p><p>When FortiGate receives the client credentials in the HTTPS POST, it sends a RADIUS Access-Request to</p><p>the FortiAuthenticator RADIUS server to authenticate the user. FortiAuthenticator validates the Access-</p><p>Request message using its user database, which can either be local or remote (LDAP/RADIUS).</p><p>Based on the results of the authentication and authorization processing, FortiAuthenticator responds with</p><p>either an Access-Accept or Access-Reject message. RADIUS attributes returned by FortiAuthenticator can be</p><p>used to define the access granted to the user by FortiGate. Following a successful authentication and initiation</p><p>of the user session, the client is redirected to the originally requested URL, which should now be accessible.</p><p>Finally, timeout or user logout will end the session.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 264</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator captive portal includes the following three options:</p><p>• Credentials authentication: Allows known users (users who already have an account) to authenticate</p><p>using their existing credentials (password and/or token code). The goal is to restrict access to a set of</p><p>preauthorized users only.</p><p>• Social WiFi authentication: Allows FortiAuthenticator to utilize third-party user identity methods (social</p><p>sites, valid e-mail address, or phone number) to authenticate users into a wireless guest network. The goal</p><p>is to provide some traceability of users, without requiring the heavy overhead of creating guest accounts.</p><p>• MAC address authentication: Allows FortiAuthenticator to authenticate the user with minimal interaction</p><p>from the user. This is useful in situations where the goal is to provide the most simple experience for the</p><p>user as possible (for example, wireless guest networks, retail environments, transient access such as</p><p>airports, hotels, and so on).</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 265</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Guest portal offers pre-login and post-login services that you can use with any authentication type.</p><p>Pre-login services offer features like account creation and validation, social login options, form-based</p><p>information gathering, disclaimer, password reset feature, and so on.</p><p>Post-login services offer features to guest profile information, change passwords, register tokens for the user,</p><p>and so on.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 266</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 267</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand portal services.</p><p>Now, you will learn about authentication types.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 268</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating an understanding of authentication types, you will be able to identify their role in your</p><p>network.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 269</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The credentials portal requires known users (users who already have an account) to authenticate using their</p><p>credentials (password and/or token code). The goal is to restrict access to a set of preauthorized users only.</p><p>For the credentials portal, the administrator must indicate which of the profiles to use for user authentication.</p><p>For environments with one FortiWifi that has multiple access points (APs), the administrator can specify a list</p><p>of IP addresses for all the APs.</p><p>When the user is redirected to the credentials portal login page, they are prompted to enter</p><p>their username</p><p>and password, and (optionally) their FortiToken passcode. Upon successful login, FortiAuthenticator redirects</p><p>the user to the webpage they originally requested.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 270</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Regardless of the supported social channel you choose to configure, all social providers follow a similar</p><p>process flow:</p><p>• The user requires a social account</p><p>• FortiAuthenticator delegates the authentication process to the social provider</p><p>• After confirming the identity, FortiAuthenticator creates a temporary account in RADIUS and provides it to</p><p>FortiGate</p><p>• FortiGate uses the credentials to log in</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 271</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The social WiFi authentication process from the user’s perspective is as follows:</p><p>1. The user connects to your Wi-Fi network when trying to access a URL, and the FortiAuthenticator social</p><p>WiFi splash page appears.</p><p>2. The user selects an authentication method from the social channels offered. If a social channel is not</p><p>configured, it appears greyed out (disabled), and the user is unable to select it.</p><p>3. FortiAuthenticator prompts the user to enter credentials for the selected social channel.</p><p>4. FortiAuthenticator redirects the user to the URL that they originally requested.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 272</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The purpose of device-only authentication is to identify and authenticate users with minimal user interaction</p><p>and some degree of traceability. This authentication method is less disruptive and, therefore provides a better</p><p>user experience.</p><p>With MAC address authentication enabled, the user attempts to open a web browser, but is intercepted by the</p><p>FortiGate wireless controller, and redirected to the FortiAuthenticator portal configured to record the user's</p><p>MAC address (without requiring any user interaction). FortiAuthenticator then redirects the user to the</p><p>originally requested webpage.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 273</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 274</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand authentication types.</p><p>Now, you will learn how to configure FortiAuthenticator.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 275</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating a competence in configuring portal service on FortiAuthenticator, you will be able to</p><p>configure this service in your network.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 276</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the steps needed to deploy the captive portal. Portal pages define the pre-login and post-</p><p>login services that the portal provides. Access points identify the point of connection used to access the portal.</p><p>The portal policy settings define the content of the portal and the authentication process.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 277</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Portal creation consists of assigning a name to the portal, and if desired, an SMS gateway for end user</p><p>notifications. If you don’t have an SMS gateway, you can use the FortiGuard Messaging Service, if you have</p><p>valid licensing for the service.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 278</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>On the Pre-Login Services page, you can enable or disable the following services, based on your</p><p>requirements:</p><p>• Disclaimer: If you enable the disclaimer page, the end-user will need to accept the disclaimer before they</p><p>can proceed to the login page.</p><p>• Password Reset: You can enable this service to setup pre-login password reset.</p><p>• Account Registration: With this service enabled guest users, during account login, can register by</p><p>entering the required information in the fields specified on the Required filed configuration page. All</p><p>guest accounts created using the Account Registration feature will be placed in the group specified in the</p><p>Place registered users into a group option. FortiAuthenticator can randomly generate a password for the</p><p>guest user, or the user can specify their own password. All accounts registered through the guest portal</p><p>must be validated through SMS or email, before they are can be used to log in. FortiAuthenticator will send</p><p>the guest user an activation code that they can use to activate their account. Administrators do not have to</p><p>manually activate each self-registered account request.</p><p>• Token Revocation: Select this service to revoke tokens based on specified conditions.</p><p>• Usage Extension Notifications: This service sends users a notification if they exceed their allocated data</p><p>or time.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 279</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Enabling post-login services allows you to set features that users can use after they are logged in</p><p>successfully. You can select the following services on the Post-login Services page:</p><p>• Profile: Select this service to allow authenticated users to view their account information, edit their account</p><p>information, or both.</p><p>• Password Change: Select this service to allow local users, remote users, or both to change their</p><p>password once they are successfully logged in.</p><p>• Token Registration: Select this service to enable the self-provisioning feature for FortiToken.</p><p>• Smart Connect: You can select and assign a smart connect profile.</p><p>• Device Tracking and Management: Select this service to allow users to register their device after they</p><p>are logged in. When you enable Device Tracking and Management, you must specify which device</p><p>group self-registered devices are put in, and specify the Maximum number of devices per user. The</p><p>number is set to 3 by default, but can be set to a maximum of 20.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 280</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can configure FortiAuthenticator to provide Windows AD users with the ability to change their Windows</p><p>AD passwords remotely. This capability can be provided in the three following ways:</p><p>1. Through RADIUS Login, this option requires all of the following configurations:</p><p>• FortiAuthenticator has joined the Windows AD domain.</p><p>• The RADIUS client is configured to use Windows AD domain authentication</p><p>• RADIUS authentication requests use MS-CHAPv2</p><p>• The RADIUS client must support MS-CHAPv2 password change</p><p>2. Through GUI User Login, this option requires one of the following two criteria:</p><p>• FortiAuthenticator is joined to the Windows AD domain</p><p>• Secure LDAP (LDAPS) is enabled, and the LDAP admin has sufficient permissions to reset user</p><p>passwords</p><p>3. Through GUI User Portal, this option requires one of the following two criteria:</p><p>• FortiAuthenticator is joined to the Windows AD domain</p><p>• LDAPS has been enabled</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 281</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Now, you will explore another benefit of adding FortiAuthenticator to your LAN edge solution.</p><p>If FortiGate is configured to authenticate clients using a remote LDAP server, VPN and wireless clients using</p><p>CHAP schemes cannot authenticate. This is the case for wireless clients that use PEAP/MSCHAP2 and IPsec</p><p>VPN clients with extended authentication (XAuth) and CHAP. The same applies for any other device or</p><p>application using CHAP, MSCHAP, or MSCHAP2 to authenticate against a FortiGate device that uses an</p><p>LDAP server as the back end.</p><p>During CHAP, MSCHAP, and MSCHAP2 authentication, a client sends a one-way hash of the password.</p><p>However, the LDAP server, which is on the back end, expects the password itself. FortiGate, which is acting</p><p>as the LDAP client, does not have the client passwords, nor can it convert a hashed password to a cleartext</p><p>password.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 282</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Two methods that you can use to solve the CHAP</p><p>and LDAP problem are:</p><p>• PAP: Configure FortiGate to use PAP instead of CHAP when authenticating clients. This approach is not</p><p>secure due to the nature of the PAP protocol.</p><p>• RADIUS: Change the back-end server from LDAP to RADIUS.</p><p>If you are using Windows AD as your LDAP server, an alternative is to use FortiAuthenticator as an</p><p>authentication proxy. FortiAuthenticator would be located between FortiGate and the Windows server. You</p><p>must also configure FortiAuthenticator to log in to the Windows domain using the credentials of a Windows</p><p>administrator. This adds FortiAuthenticator as a trusted device on the Windows AD domain, allowing</p><p>FortiAuthenticator to proxy the password hash from the client to the Windows server using NTLM.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 283</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator can store the user database locally. It can also proxy authentication requests from a client</p><p>to a back-end authentication server.</p><p>Now, you will learn how to configure FortiAuthenticator to proxy authentication requests to a remote LDAP</p><p>server, which can be a Windows AD server.</p><p>You must configure the following settings: Name, Primary server name/IP, Base distinguished name, Bind</p><p>type, and administrator Username and Password for regular bind type. Note that the Base distinguished</p><p>name sets the root node where LDAP starts searching for user accounts.</p><p>You can select predefined LDAP templates in the Server type section. They include default attribute settings</p><p>for well-known LDAP servers, such as Windows AD, OpenLDAP, and Novell eDirectory.</p><p>If you want FortiAuthenticator to relay CHAP, MSCHAP, and MSCHAPv2 authentication to a Windows AD</p><p>server, you must enable Windows Active Directory Domain Authentication and enter the credentials for a</p><p>Windows administrator. FortiAuthenticator logs in to the domain as a trusted device, allowing</p><p>FortiAuthenticator to proxy CHAP, MSCHAP, and MSCHAP2 authentication using NTLM.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 284</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The Smart Connect post-login service gives you the ability to preconfigure necessary network access security</p><p>settings, defined in Smart Connect Profiles, for users that authenticate through the FortiAuthenticator portal.</p><p>After successful authentication, the users will have a Smart Connect button displayed on the post-login main</p><p>page. The button will initiate the downloading of a script or executable file (depending on the end stations OS)</p><p>to perform the configurations.</p><p>You create a Smart Connect profile from the Smart Connect Profiles page in the following way:</p><p>1. In the Name field, type a name for this profile. In the Connection type field, the only available option is</p><p>Wireless.</p><p>2. Configure the EAP settings.</p><p>3. Configure wireless network details, including typing a value in the SSID field, and selecting WPA2</p><p>Personal or WPA2 Enterprise in the Auth method field. Note that if you select WPA2 Personal, you will</p><p>need to enter a pre-shared key. If you select WPA2 Enterprise, you will need to configure certificate</p><p>installation settings.</p><p>4. Configure the certificate installations settings.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 285</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You configure access points (APs) to use as part of the portal selection criteria in a portal policy. The APs</p><p>define where an end user is being redirected from, in order to be directed to a specific portal.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 286</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator uses portal policies to determine the appropriate portal and how the user is authenticated.</p><p>A multistep policy wizard guides you through the configuration of portal policies. In the initial step, Policy</p><p>type, you provide a name and description for the policy, as well as the type of access that FortiAuthenticator</p><p>will enforce.</p><p>The settings in the Type field allow you to direct users to a designated portal, which you select in the drop-</p><p>down list, or you can select Deny captive portal access to deny portal access.</p><p>You define the policy match criteria using the configuration options that you set in other policy wizard steps.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 287</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You must configure a portal policy to present the portal page to the user. User portal access is mapped based</p><p>on the incoming POST parameters.</p><p>In the Portal Rule Conditions section, you can configure HTTP parameters that need to be matched before</p><p>the user is presented with the portal. Select a parameter in the HTTP parameter drop-down list, and then add</p><p>a condition by selecting one of the three pre-defined operators (exact_match, substring_match, or</p><p>in_range) in the Operator drop-down list.</p><p>Use the Value field to manually define the values of a condition.</p><p>For example, to present a portal to users who connect from an IP address in the range of 10.0.1.0/24, set</p><p>the following conditions:</p><p>HTTP parameter: userip</p><p>Operator:[ip] in_range</p><p>Value: 10.0.1.0/24</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 288</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In addition to the POST parameters, page presentation depends on the point of connection (the AP) and the</p><p>source of the RADIUS message. You select the access points and RADIUS clients on the Authorized clients</p><p>page by moving existing entries for each type to the Chosen Access Points and Chosen RADIUS Clients</p><p>lists.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 289</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You define the type of authentication that FortiAuthenticator will use on the Authentication type page. The</p><p>authentication type options are:</p><p>• Password/OTP authentication: You can configure validation using local or remote user records, social</p><p>media accounts, or both. You can designate local and remote users by realm and filter them by group.</p><p>FortiAuthenticator can automatically add users that authenticate using social media accounts to groups</p><p>created on the User Groups page. You do not have to manually add users to the group, because</p><p>FortiAuthenticator does it dynamically on a successful authentication. You can only add users that log in</p><p>through the social or MAC address portals. You can configure account expiration times for social users.</p><p>• MAC Authorization: You can grant or deny access based on MAC address parameters or an authorized</p><p>group of MAC addresses.</p><p>You can configure FortiAuthenticator to automatically assign social users to a user group and define an</p><p>account expiration period.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 290</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You configure the back-end authentication details on the Identity sources page. If you have enabled social</p><p>users as an authentication type, select the social platforms that will be available for user authentication. The</p><p>options are Facebook, Google, Twitter, Linkedin, WeChat, Phone number, and Email. For each option,</p><p>except for phone number and email, you must configure a remote OAUTH server.</p><p>In the Local/Remote Users section, select a username format and realms. You can filter each realm you</p><p>select down to the group level.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 291</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You define authentication requirements, such as mandatory two-factor authentication, password-only</p><p>authentication, and so on, on the Authentication factors page. You can select user IP address parameters</p><p>for FortiGate or FortiWLC. The Adaptive Authentication option allows you to bypass OTP validation if the</p><p>user is on a trusted subnet. FIDO authentication can be used if a token has been registered to the user.</p><p>MAC address parameter options are available for CiscoWLC, FortiGate, and FortiWLC.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 292</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The RADIUS response page provides a summary of the RADIUS response for each authentication result.</p><p>Portal</p><p>Services</p><p>FortiAuthenticator 6.4 Study Guide 293</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Just like the customizable replacement messages used for the self-service portal (see the Administering and</p><p>Authenticating Users lesson), captive portal messages are also customizable. You can add, modify, or</p><p>remove fields. You can enable and disable features. For example, you can include a small eye in the</p><p>password field that a user can click on to see their password in plain text.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 294</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 295</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to configure a FortiAuthenticator captive portal.</p><p>Now, you will learn how to configure captive portal settings on FortiGate.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 296</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in configuring captive portal services on FortiGate, you will be able to use them</p><p>and apply exempt rules in your network.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 297</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In order to authenticate portal users and allow them to access the FortiGate network, you must configure</p><p>FortiAuthenticator as a RADIUS server on FortiGate (RADIUS Servers page).</p><p>For social login, this may sound counterintuitive, because authentication takes place on the social network,</p><p>but in order to allow FortiGate to authenticate users, FortiAuthenticator creates a temporary user name and</p><p>password in RADIUS and provides the credentials to FortiGate. FortiGate then uses these credentials to</p><p>authenticate the user through RADIUS.</p><p>To configure FortiAuthenticator as a RADIUS server, you must enter the FortiAuthenticator IP and secret.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 298</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>A firewall user group for RADIUS users allows FortiGate to check a user’s credentials against the user group.</p><p>The authentication user group is required, because it is used to validate the user credentials as part of the</p><p>captive portal login process.</p><p>You can create a new group for your social users on the User Groups page. Here, you must set the type to</p><p>Firewall and create a new remote group, with the FortiAuthenticator RADIUS server configured in the</p><p>previous slide as the remote server.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 299</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Now, you are ready to enable captive portal as the security mode on FortiGate, and specify the authentication</p><p>protocol you are configuring.</p><p>On a physical (wired) network interface, you can enable captive portal on the Interfaces page. First, select</p><p>Captive Portal as the security mode. Since you are using FortiAuthenticator, your authentication portal will be</p><p>external and you must provide the portal address that users will use for access. The portal address for the</p><p>guest portal is: URL/portal.</p><p>And finally, in the User Groups drop-down list, select your preconfigured firewall group for social users.</p><p>For Wi-Fi, a Wi-Fi interface does not exist until you create the Wi-Fi SSID. After you create the Wi-Fi SSID,</p><p>you can then enable captive portal by editing the Wi-Fi network interface on the Interfaces page or on the</p><p>SSID page.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 300</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Now, you need to create firewall policies on FortiGate for captive portal. All traffic going through a FortiGate</p><p>must be associated with a policy (so it can be controlled and governed). FortiGate analyzes the connection</p><p>packet, registers the incoming, and outgoing interfaces, and attempts to locate a security policy that matches</p><p>the packet. If the policy matches the parameters, it looks for an action for that policy (accept or deny). If</p><p>FortiGate accepts the packet, it looks to see if there are any other instructions for processing the traffic.</p><p>To allow clients access to FortiAuthenticator for registration through the captive portal page, you must exempt</p><p>the traffic from the captive portal in the FortiGate policy. This option is only visible if the Policy Advance</p><p>Options feature is enabled on the Feature Visibility page.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 301</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To allow users to authenticate to the social network sites before they are allowed to browse to the wider</p><p>Internet, some exemptions are required.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 302</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You also need to create a firewall policy for outbound social network access. This policy allows user access to</p><p>specified social networks. You can configure this policy through the CLI or the FortiAuthenticator GUI. You</p><p>can create a separate outbound policy for each social network portal, if you prefer.</p><p>There is a large list of predefined internet services included in FortiGate. You can create additional services if</p><p>one that you need is not included in the predefined list.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 303</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 304</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to configure FortiGate captive portal settings.</p><p>Now, you will learn about user management.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 305</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating an understanding of portal management tasks, you will be able to manage portals in your</p><p>network.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 306</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can monitor and manage portal users from the FortiGate Firewall User Monitor page.</p><p>The social portal removes the overhead of registering guests by using existing third-party identity systems to</p><p>authenticate and identify users. Although not registering users directly through FortiAuthenticator, you can still</p><p>trace some information about the users logged in to your network through the social portal.</p><p>You can monitor social logins from the FortiAuthenticator web-based manager on the Social Login Users</p><p>page.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 307</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Although you configure account expiry in the FortiAuthenticator social portal settings, for various reasons, you</p><p>may wish to forcefully deauthenticate users prior to the expiry time. You can monitor and deauthenticate</p><p>users on FortiGate.</p><p>Note that session time outs may still apply.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 308</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Congratulations! You have completed this lesson.</p><p>Now, you will review the objectives covered in this lesson.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 309</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the objectives covered in this lesson.</p><p>By mastering the objectives covered in this lesson, you learned how to understand, configure, and monitor</p><p>portal services in our network.</p><p>Portal Services</p><p>FortiAuthenticator 6.4 Study Guide 310</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about private key infrastructure and how to configure FortiAuthenticator as a</p><p>certificate authority (CA) that can generate, distribute, and manage digital certificates.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 311</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the topics shown on this slide.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 312</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 313</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>PKI uses asymmetric cryptography as a way to secure communications between</p><p>two entities. Cryptography</p><p>achieves four objectives:</p><p>• Data privacy (or confidentiality)</p><p>• Data integrity</p><p>• Authentication</p><p>• Non-repudiation</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 314</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Asymmetric cryptography is the solution to the problem with symmetric cryptography, which relies on the</p><p>same secret key for both encryption and decryption. The problem with symmetric cryptography is that the</p><p>sender and recipient have to exchange the secret key so the message can be encrypted and decrypted. The</p><p>secret key is exchanged over the internet, and is therefore susceptible to being intercepted.</p><p>Asymmetric cryptography uses a key pair. There is a public key, which is openly distributed, and a private</p><p>key, which is kept secret by the owner. There is no concern about intercepting the public key, because it is</p><p>supposed to be public. The key pairs are mathematically linked, so a message encrypted by the public key</p><p>can be decrypted only by using the matching private key. Alternatively, a message encrypted by the private</p><p>key, can be decrypted only by using the matching public key.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 315</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Digital certificates, also known as X.509 certificates, are used to exchange the public key between two</p><p>entities. But they are also much more than that. They contain specific information that identifies both the entity</p><p>and the certificate issuer.</p><p>The certificate issuer is a CA. A CA signs each certificate it issues in order to certify that the digital certificate</p><p>and its contents are trusted and valid.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 316</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>PKI uses the relationship trust model, and the CA is at the root of the hierarchy as the trusted third-party:</p><p>everything begins with the CA. A CA issues its own digital certificate—known as the root certificate—in order</p><p>to establish this point of ultimate trust. Once the root certificate is established, the CA can generate digital</p><p>certificates that are issued and signed by the root certificate. It can also issue a certificate to a subordinate</p><p>CA, which issues certificates on its behalf.</p><p>When a CA issues and signs a digital certificate, it is essentially proclaiming, “This is the entity who I say it is</p><p>and I certify it”. Accordingly, if users trust the CA and can verify the CA’s signature as authentic, then they</p><p>must trust that the public key does belong to the entity identified in the digital certificate.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 317</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>A CA can generate many different types of certificates, each with different functions (and sometimes,</p><p>confusingly, with different names). A few common certificate types include:</p><p>• CA certificates (also called root or authority certificates): These certificates identify the CA and create the</p><p>root of a CA hierarchy. As such, the certificate details have the same input for both the Issuer and Subject</p><p>fields. These certificates are self-signed and contain the CA’s public key needed to decrypt signatures in</p><p>the signed certificates.</p><p>• Web server certificates (also called local service certificates): These certificates identify web servers and</p><p>are used to secure communication to and from web servers, such as an SSH server, HTTPS website, web</p><p>portals, or EAP 802.1X authentication servers. The certificate details have the DNS name of the server in</p><p>the subject field. The public key of the web server is included.</p><p>• User certificates (also called client certificates): These certificates identify one person to another, a</p><p>person to a device or gateway, or one device to another device. The certificate includes the public key</p><p>associated with the identity.</p><p>Both user and web server certificates fall under the category of end-entity certificates.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 318</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 319</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now can describe PKI, digital certificates, and CAs.</p><p>Now, you will learn about certificate management on FortiAuthenticator.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 320</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 321</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator can act as a self-signed or local CA for the creation, signing, and revoking of X.509</p><p>certificates, such as server certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPsec</p><p>VPN. These certificates can be used for VPN authentication, 802.1X authentication, Windows Desktop</p><p>authentication, and token-based authentication, to name a few.</p><p>As a CA, the administrator can also import other authorities' CA certificates and CRLs.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 322</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator can also act as a SCEP server for:</p><p>• Signing user CSRs</p><p>• Distributing CRLs</p><p>• Distributing CA certificates</p><p>Users can request a user certificate through online SCEP at http://<FortiAuthenticator_IP>/app/cert/scep.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 323</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>A CSR is a request sent to a CA in order to apply for a digital certificate. The CSR request is usually in the</p><p>PKCS#10 format for X.509 certificate requests and includes information the CA requires to issue a certificate.</p><p>A CRL is a list that contains revoked certificates (or, more specifically, the serial number of the certificates).</p><p>You would revoke a certificate when you no longer want it to be considered trustworthy, for example, if the</p><p>private key was compromised or the user who owns the certificate has left the company. A CRL is remotely</p><p>accessible, and updated and reposted by the CA periodically, so any entities attempting to validate the</p><p>certificate can see that it is revoked based on its presence on the CRL.</p><p>A revocation is irreversible. You can reverse only those revocations placed on hold (that is, for a missing</p><p>digital certificate).</p><p>FortiAuthenticator can sign CSRs as a CA, distribute CRLs, and insert OCSP URLs for client certificate status</p><p>queries of intermediate certificates.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 324</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>OCSP provides a more efficient means for clients to validate certificate status. Instead of downloading and</p><p>searching a CRL list of certificate serial numbers OCSP validates as follows:</p><p>1. The client requests the servers certificate.</p><p>2. The server presents its certificate to the client. The certificate includes the OCSP responder URL to use</p><p>for validation.</p><p>3. The client validates the status of the certificate with the OCSP responder.</p><p>4. The OCSP responder returns the certificate status.</p><p>FortiAuthenticator can include the OCSP responder in intermediate certificates.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 325</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Acting as an LDAP client, FortiAuthenticator can authenticate users against an external LDAP server. It</p><p>verifies the identity of the external LDAP server by using a trusted CA certificate.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 326</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>EAP is a type of authentication framework often used in wireless networks and point-to-point connections. In</p><p>this scenario, if a client is attempting to authenticate over EAP, FortiAuthenticator can check that the client’s</p><p>certificate is signed by one of the configured (and authorized) CA certificates. The client certificate must also</p><p>match one of</p><p>the user certificates.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 327</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator can also integrate with FortiManager to deploy digital certificates to multiple FortiGate</p><p>devices in VPN implementations. Site-to-site VPNs are often only secured with a preshared key, which, if</p><p>compromised, could give access to the whole network. With FortiAuthenticator, certificate-based</p><p>authentication is used to secure access to networks over VPN, which is a more secure authentication method.</p><p>First, FortiAuthenticator signs and generates the certificates. Second, FortiManager pushes the SCEP client</p><p>configuration to all FortiGate devices. Finally, the FortiGate devices automatically get the certificates from</p><p>FortiAuthenticator through SCEP.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 328</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>For client-based certificate VPNs, certificates can be created and stored in the FortiToken 300 USB smart</p><p>card token—which is compatible with FortiClient. These client VPN connections are further secured with</p><p>FortiAuthenticator.</p><p>Since the FortiToken 300 stores an x.509 certificate, it can also be used to authenticate on web-based</p><p>applications as well as sign and encrypt email, PDF documents, Microsoft Office files, and software.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 329</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 330</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand certificate management on FortiAuthenticator.</p><p>Now, you will learn how to generate local CA certificates.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 331</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 332</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In order for FortiAuthenticator to sign and distribute certificates as the ultimate point of trust in your network,</p><p>you need to generate a root certificate—a self-signed CA.</p><p>You can create a root certificate on the Local CAs page. You must select Root CA as the certificate type,</p><p>and, at a minimum, provide a name (cn), validity period, key size, and hash algorithm.</p><p>You also have the option to specify some advanced options for key usages (for example, non repudiation) and</p><p>advanced key usages (for example, code signing).</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 333</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Once the root CA certificate is created, you can use it for generating and signing intermediate certificates. The</p><p>procedure is very similar to creating a root CA certificate, but this time you must select Intermediate CA</p><p>certificate as the certificate type. You must also select the local root CA that will sign the certificate.</p><p>The main reason for using intermediate certificates is for security. If a private key is compromised, all the</p><p>certificates signed with that private key are also compromised. In other words, if a CA signs hundreds of</p><p>thousands of end-entity certificates using its private key and that private key is compromised, the entire PKI</p><p>structure will fail. By using intermediate CAs, the PKI structure becomes segmented into branches. So if the</p><p>intermediate CA’s private key is compromised, only one branch in the PKI structure is compromised, and the</p><p>rest of the organization remains protected.</p><p>Other reasons for having intermediate CAs:</p><p>• Reduce overloading the CA</p><p>• Ease the administrative burden</p><p>o In large organizations, each department might run its own CA, which is certified by the</p><p>organization’s root CA</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 334</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator also allows you to create an intermediate certificate signed by a third-party root CA. In this</p><p>case, FortiAuthenticator must first generate a CSR and send it to the third-party CA. The third-party CA will</p><p>send back the signed certificate, which you then must import into FortiAuthenticator.</p><p>Again, the procedure for creating a CSR is very similar to creating a root CA certificate, but this time you must</p><p>select Intermediate CA certificate signing request (CSR) as the certificate type and not set a validity</p><p>period.</p><p>Selecting the Intermediate CA option will create and sign the certificate locally on FortiAuthenticator.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 335</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator can leverage network HSMs for local CA cryptographic key storage. You create the</p><p>integration by configuring the HSM server by IP or FQDN, the partition password and client IP. You must also</p><p>authorize FortiAuthenticator as a client on the HSM. You then select the server during the creation of a root</p><p>CA on the FortiAuthenticator.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 336</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 337</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Congratulations! You have completed this lesson.</p><p>Now, you will review the objectives that you covered in this lesson.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 338</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the objectives that you covered in this lesson.</p><p>By mastering the objectives covered in this lesson, you learned how to use FortiAuthenticator as a certificate</p><p>authority (CA) that can generate, distribute, and manage digital certificates. You also learned about certificate</p><p>revocation lists (CRLs), certificate signing requests (CSRs), and using the Simple Certificate Enrollment</p><p>Protocol (SCEP) to import certificates into FortiGate.</p><p>PKI and FortiAuthenticator as a CA</p><p>FortiAuthenticator 6.4 Study Guide 339</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn how to use FortiAuthenticator to generate client certificates, manage certificate</p><p>revocation lists (CRLs), certificate signing requests (CSRs), and using Simple Certificate Enrollment Protocol</p><p>(SCEP) to import certificates into FortiGate.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 340</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the topics shown on this slide.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 341</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 342</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can manually export and import certificates (local or trusted CAs) on the Certificate Authorities page.</p><p>You can import the FortiAuthenticator root CA and intermediate CA signed by the root, once exported as a</p><p>file, into another network device, such as FortiGate. Once imported by the other network device, that device</p><p>can validate (and trust) any certificates signed by the FortiAuthenticator CA. You will examine importing the</p><p>root certificate into FortiGate later in this lesson.</p><p>Conversely, FortiAuthenticator can import another network device’s certificates. Once imported into</p><p>FortiAuthenticator, it can validate (and trust) any certificates signed by that CA.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 343</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>As mentioned, other network devices, such as FortiGate, can import the FortiAuthenticator root CA. In the</p><p>case of FortiGate, you can do this on the Certificates page. You can import manually if you have the CA</p><p>certificate downloaded on your local computer, or you can choose to import through the SCEP protocol. The</p><p>URL of the FortiAuthenticator SCEP server is http://<FortiAuthenticator_IP>/app/cert/scep.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 344</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator</p><p>uses trusted certificates to validate certificates signed by an external CA. If</p><p>FortiAuthenticator needs to validate certificates that are signed by an external CA, you must import the</p><p>external CA certificate into the device. You can import trusted CAs on the Trusted CAs page.</p><p>By using the Learn Certificate button, a certificate chain can be extracted to show the CA certificates, both</p><p>root and intermediate. This can greatly simplify the process of importing root and intermediate certificates</p><p>from a designated host. You specify a hostname or IP address with a port number and FortiAuthenticator</p><p>gathers the certificate chain and will display it for import. The certificates in the chain can be imported</p><p>individually or as a group.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 345</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can use the Import button to individually import trusted CA certificates that have been downloaded</p><p>locally.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 346</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>As mentioned earlier, you can create an intermediate CA signing CSR through FortiAuthenticator. Once</p><p>created, the status appears as Pending. In order for the status to become active, you must manually export it</p><p>and send the file to a third-party CA for signing. Once signed, the third-party CA sends it back to</p><p>FortiAuthenticator where you must import it.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 347</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator can sign certificate signing requests (CSRs). The .csr file is generated on the endpoint</p><p>that the certificate will be installed, and then uploaded to FortiAuthenticator to be signed. For example, a .csr</p><p>file could be generated on FortiGate in preparation for SSL deep inspection, and then uploaded to</p><p>FortiAuthenticator for signing.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 348</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Once the certificate has been signed it can be exported for distribution to the endpoint. For example, a</p><p>FortiGate device that had previously generated the .csr file.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 349</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Intermediate CA certificates can be exported with keys in a PKCS#12 archive file. You can then import the</p><p>certificate and key into an endpoints certificate store. Note that the key can only be exported one time.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 350</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 351</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand exporting and importing certificates and CSRs.</p><p>Now, you will learn how to generate client certificates.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 352</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 353</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can create a user certificate on the Users page. You must select the CA that will sign this user certificate,</p><p>such as a local root CA (which also includes local intermediate CAs) or a third-party CA. Optionally, if you</p><p>want to link this certificate to a user locally created on FortiAuthenticator, you can select the user in the drop-</p><p>down list. You must select the subject input method, either Fully distinguished name or Field-by-field, and</p><p>provide the required information. You must also specify an expiration date or time for the certificate.</p><p>You also have the option to configure the certificate further. For example, you can enable the certificate for</p><p>smart card logon, and specify some advanced options for key usages (for example, non repudiation) and</p><p>advanced key usages (for example, code signing).</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 354</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Creating a local service certificate is very similar to creating a user certificate. You can create a local service</p><p>certificate on the Local Services page. Just as for the user certificate, you must select the CA that will sign</p><p>the certificate and the subject input method, as well as specify an expiration date or time for the certificate.</p><p>You also have the option to specify some advanced options for key usages for this certificate type as well.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 355</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Importing a local service certificate into FortiGate is similar to the process of importing the FortiAuthenticator</p><p>root CA certificate into FortiGate. You would import a local service certificate, for example, to provide</p><p>FortiGate with HTTPS access to the GUI. Essentially, the certificate becomes available to services and other</p><p>processes that run under the local service store.</p><p>You can import a local service certificate on the Certificates page on FortiGate. The FortiGate administrator</p><p>must have the local service certificate file available to upload.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 356</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 357</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to generate client certificates.</p><p>Now, you will learn about CRLs and certificate revocation.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 358</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 359</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can revoke user certificates on the User Certificates page, or local service certificates on the Local</p><p>Services page. Select the certificate and click Revoke. You must select a reason for the revocation from the</p><p>reasons listed in the Reason code drop-down list.</p><p>Once a certificate is revoked, the operation cannot be undone. The only way you can reinstate a certificate is</p><p>if you selected the reason code On Hold. You would place a certificate on hold if, for example, an employee</p><p>has misplaced their token with their digital certificate installed on it, but are not ready to concede it is lost, or if</p><p>a contractor is temporarily leaving the company, but will return.</p><p>By default, revoked or expired certificates do not appear in the certificate list.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 360</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The serial numbers of the revoked certificates are automatically placed on the CRL. However, the CRL is</p><p>maintained locally, so in order to let other CAs know of a certificate’s revoked status, you must export and</p><p>publish (distribute) the CRL.</p><p>You can export the CRL on the CRLs page. On FortiAuthenticator, a CRL exists for each local CA. Select the</p><p>CRL you want to export and click Export.</p><p>You should distribute or publish the CRL periodically, or each time a new certificate has been revoked.</p><p>You can also import CRLs from third-party CAs.</p><p>It is important to note that if a CA is deleted, their corresponding CRLs are also deleted (along with any user</p><p>certificates they signed).</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 361</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can import the CRL into FortiGate on the Certificates page.</p><p>In addition to static CRLs, FortiAuthenticator supports the Online Certificate Status Protocol (OCSP) as an</p><p>alternative method to checking a certificate’s revocation status, though usually CRLs are used. The OCSP</p><p>status check is carried out over HTTP or HTTPS with a request-response format. The authority responding</p><p>can reply with a status of good, revoked, or unknown. The OCSP responder can be accessed at</p><p>http://FortiAuthenticator_fqdn:2560.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 362</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiGate can also import a CRL from the FortiAuthenticator SCEP client. This is done on the Certificate</p><p>page. Select</p><p>SCEP and enter the FortiAuthenticator SCEP client URL:</p><p>http://<FortiAuthenticator_IP>/app/cert/crl.</p><p>When leveraging SCEP the service must be enabled on the client facing port.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 363</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator supports the CRL distribution points (CDP) and Online Certificate Status Protocol (OCSP)</p><p>extensions. The CDP extension provides, within the certificate, the CRL server that can be used to check for</p><p>certificate revocation. The OCSP extension defines the URL of the OCSP responder, within the authority</p><p>information access field of the issued certificate.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 364</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 365</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand CRLs and certificate revocation.</p><p>Now, you will learn how to enable and configure SCEP.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 366</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 367</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can enable SCEP on the General page. You must enter the default CA and enrollment password. You</p><p>must also specify the enrollment method type.</p><p>Two SCEP enrollment methods are supported:</p><p>• Automatic: With this method, the administrator pre-approves the certificate first and gives the user a</p><p>challenge password. By using this password during the CSR submission, the user’s device will</p><p>immediately receive the signed certificate from the SCEP server.</p><p>• Manual and Automatic: With this method, the user submits a CSR first, the request shows up as pending</p><p>on FortiAuthenticator, and then the administrator manually approves or rejects the CSR. You must supply</p><p>the password to the administrator approving (or denying) the CSR request. With this option,</p><p>FortiAuthenticator can send an email to the administrator each time there is a CSR pending approval.</p><p>Note that when leveraging SCEP the service, you must enable HTTP and/or HTTPs administrator access on</p><p>the FortiAuthenticator interfaces that face the SCEP clients. This is also true for CRL distribution.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 368</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In order to pre-approve a CSR, you must create an automatic enrollment request on FortiAuthenticator. This</p><p>allows you to set a challenge password, which you then pass to the user who wants their certificate signed by</p><p>the FortiAuthenticator CA. Once the user has this challenge password and enters it into the CSR for</p><p>FortiAuthenticator, they will immediately receive the signed certificate from the FortiAuthenticator SCEP</p><p>server.</p><p>The automatic enrollment request does not have to be specific to a user, but to anyone who includes the</p><p>same subject in their CSR as was configured in the automatic enrollment request, along with the challenge</p><p>password. This is known as a wildcard request type and is usually not recommended.</p><p>You can create an automatic enrollment request on the Enrolment Request page. You must select the</p><p>request type (either regular or wildcard), the CA that will sign the CSR, the subject input method required in</p><p>the CSR (fully distinguished name or field-by-field), the validity period, the hash algorithm, and the challenge</p><p>password.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 369</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can use a challenge password that is randomly generated by FortiAuthenticator or the preconfigured</p><p>default enrollment password of the SCEP client.</p><p>You can choose to distribute the random challenge password manually, over SMS, or over email. If you</p><p>choose to distribute it manually, the random password is displayed at the top of the page once the automatic</p><p>enrollment request is created.</p><p>After FortiAuthenticator creates the automatic enrollment request, the status is Pending until the user submits</p><p>their CSR with the challenge password.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 370</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>If FortiAuthenticator has automatically pre-approved a CSR for FortiGate, the FortiGate administrator must</p><p>submit a CSR with the challenge password to FortiAuthenticator—after which, FortiAuthenticator</p><p>automatically approves the CSR.</p><p>On FortiGate, you can create the CSR on the Certificate page. In addition to filling out all the certificate</p><p>information, you must select Online SCEP as the enrollment method and enter the SCEP URL and password</p><p>provided by FortiAuthenticator.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 371</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Device self-enrollment is a method that local and remote users can use to obtain certificates for their devices.</p><p>It is primarily used to enable EAP-TLS for bring your own device (BYOD) configurations or VPN</p><p>authentication.</p><p>Note that EAP-TLS is a bidirectional certificate authentication method; the client and FortiAuthenticator EAP</p><p>need to have matching certificates from the same certification authority (CA).</p><p>You can enable device self-enrollment on the Device Self-enrollment page. You must:</p><p>• Select a preconfigured SCEP enrollment template</p><p>• Set a limit on the maximum number of devices that a user can self-enroll</p><p>• Select the key size for self-enrolled certificates (1024, 2048, or 4096 bits)</p><p>You also have the option to enable self-enrollment for smart card certificates. This requires you to configure</p><p>the device FQDN, because it is used in the CRL distribution points certificate extension.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 372</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 373</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Congratulations! You have completed this lesson.</p><p>Now, you will review the objectives that you covered in this lesson.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 374</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the objectives that you covered in this lesson.</p><p>By mastering the objectives covered in this lesson, you learned about importing and exporting certificates and</p><p>certificate signing requests (CSRs), generating user and local service certificates, certificate revocation lists</p><p>(CRLs), and using the Simple Certificate Enrollment Protocol (SCEP) to import certificates into FortiGate.</p><p>Certificate Management</p><p>FortiAuthenticator 6.4 Study Guide 375</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about wireless and wired 802.1X authentication.</p><p>You will learn how to configure FortiAuthenticator, FortiGate, and Windows workstations for a successful</p><p>802.1X operation.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 376</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the topics shown on this slide.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 377</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in understanding 802.1X authentication, you will be able to use 802.1X</p><p>authentication methods in your network.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 378</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>802.1X is a standard that provides authentication services to network devices that want to join a local wired or</p><p>wireless network. The 802.1X standard defines an authentication protocol called EAP. It also defines how</p><p>EAP is encapsulated over LAN (the EAPOL protocol) and over RADIUS.</p><p>802.1X involves three parties: the client (also commonly known as the supplicant), which is the device that</p><p>wants to join the network; the authenticator, which is a network device such as a wireless access point or</p><p>switch; and the authentication server, which is a host that supports the RADIUS and EAP protocol, such as</p><p>FortiAuthenticator.</p><p>The client is not allowed access to the network until the client’s identity has been validated and authorized.</p><p>Using 802.1X authentication, the client provides credentials to the authenticator, which the authenticator</p><p>forwards to the authentication server for verification. If the authentication server determines that the</p><p>credentials are valid, the client device is allowed access to the network.</p><p>Note that the authenticator does not need to have a certificate or have any knowledge of the authentication</p><p>method (PEAP, TLS, and so on). The authentication is tunnelled from the client to the FortiAuthenticator over</p><p>the RADIUS protocol.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 379</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>When a client (device) connects to a LAN switch that requires 802.1X authentication, the credentials</p><p>(machine, user, or MAC address) are sent to the authenticator using EAP over LAN (or EAPOL). The</p><p>authenticator then forwards the EAP traffic to an EAP over RADIUS server (FortiAuthenticator).</p><p>If the client tries to send user data before authenticating, the traffic is blocked by the authenticator. The client</p><p>must authenticate first. The authentication process, is a follows:</p><p>1. The client sends an EAPOL-Start packet to initiate the EAP authentication.</p><p>2. The authenticator replies with an EAP-Request/Identity packet to request identification.</p><p>3. The client sends its identity (usually the username).</p><p>4. The information is forwarded to the RADIUS server in a RADIUS-Access request packet.</p><p>5. The RADIUS replies with an Access Challenge packet requesting the password.</p><p>6. The authenticator requests the password from the client.</p><p>7. The client replies with a Response/Auth packet, which contains the password.</p><p>8. The password is forwarded to the RADIUS server, which then replies with an Access-Accept packet to</p><p>grant the access.</p><p>9. The authenticator sends an EAP-Success packet to the client with a confirmation that the credentials are</p><p>OK.</p><p>10. The client can now send the user data.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 380</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This table summarizes the five EAP options that FortiAuthenticator supports.</p><p>• PEAP forms a potentially encrypted and authenticated TLS tunnel between the client and server using a</p><p>digital certificate on the server. It is known as the outer authentication method because it creates only the</p><p>TLS tunnel, to protect authentication transactions. Once the outer tunnel is formed, FortiAuthenticator uses</p><p>an EAP-type tunnel as an inner authentication method, such as MSCHAPv2.</p><p>• EAP-TTLS (or tunneled transport layer security) extends the TLS protocol. It uses digital certificates on the</p><p>server side only. After the server is securely authenticated to the client, it uses the tunnel (the secure</p><p>connection) to authenticate the client.</p><p>• EAP-GTC is a type of inner authentication method for PEAP, which provides user or device information. It</p><p>carries a text challenge from the authentication server and a reply that a security token generates. It allows</p><p>generic authentications to virtually any identity store, including OTP token servers, LDAP, Novell</p><p>eDirectory, and more. It uses digital certificates on the server side only.</p><p>• EAP-MSCHAPv2 is a means for a client and server to mutually authenticate each other, using MSCHAPv2</p><p>packets encapsulated in EAP messages, without the need for a client-side certificate.</p><p>• EAP-TLS also uses the TLS protocol and is considered one of the most secure EAP standards available</p><p>because it supports certificate-based authentication with public keys on both the server and client sides. It</p><p>is also the most commonly used method when supporting bring your own device (BYOD) in the enterprise.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 381</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The main advantage of using FortiAuthenticator for 802.1X solutions is that it includes all the features that are</p><p>required for EAP deployment. FortiAuthenticator is a certificate authority, a SCEP server, and a RADIUS</p><p>server all in one device.</p><p>You can also use the self-service portal with device certificate self enrollment.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 382</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>When non-802.1X-compliant devices, such as a printer, want to join the network, FortiAuthenticator offers the</p><p>option of 802.1X MAC-based authentication. This feature allows you to add a list of MAC addresses to allow</p><p>into the network.</p><p>FortiAuthenticator also supports machine-based 802.1X authentication. This feature allows a Windows</p><p>machine to authenticate to a network using 802. 1X, prior to user authentication.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 383</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 384</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand the basics of 802.1X.</p><p>Now, you will learn how to configure wireless 802.1X:EAP-TLS.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 385</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in configuring 802.1X: EAP-TLS/TTLS, you will be able to use the wireless</p><p>802.1X authentication method in your network.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 386</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To configure a wireless solution with 802.1X EAP-TLS authentication, you first require the following:</p><p>• A root CA:</p><p>You can use either an existing external CA to generate certificates and FortiAuthenticator can act as an</p><p>intermediate CA, or you can use FortiAuthenticator as a self-signed root CA. Refer to the Certificate</p><p>Management lesson for more information about how to configure a root CA.</p><p>• RADIUS server:</p><p>The RADIUS server allows FortiAuthenticator to authenticate users using RADIUS. Refer to the</p><p>Administrating and Authenticating Users lesson for more information about how to configure a RADIUS</p><p>server.</p><p>• Wireless clients:</p><p>For a wireless 802.1X solution, you require a wireless client. A wireless client should already be set up on</p><p>your FortiGate. This configuration is out of scope for this training. Refer to the FortiGate Administration</p><p>Guide for more information.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 387</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>EAP-TLS uses public keys on both the server and the client side, so you need a root CA. The root CA issues</p><p>a local server certificate to FortiAuthenticator. To configure EAP-TLS, you need to do the following:</p><p>1. Create a local server certificate for FortiAuthenticator.</p><p>FortiAuthenticator acts as the authenticating AAA server and therefore requires a server certificate</p><p>(issued by the root CA). Refer to the Certificate Management lesson for more information about how to</p><p>create a local server certificate.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 388</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>2. Configure the user account.</p><p>This involves binding the user’s certificate to their account (required for EAP-TLS), and enabling RADIUS</p><p>authentication on the User Management page. The RADIUS protocol is used to tunnel EAP messages</p><p>from the client to FortiAuthenticator. Note that you can enable RADIUS authentication for groups instead.</p><p>In this example, RADIUS authentication is enabled per user.</p><p>3. Configure the RADIUS server.</p><p>This permits the user to authenticate. If the RADIUS client is already preconfigured, you only have to set</p><p>the EAP type. You do this on the Authentication type page of the RADIUS policy. In the example shown</p><p>on this slide, the EAP type is set to EAP-TTLS. When you configure the RADIUS server, you also must</p><p>add the FortiGate wireless controller as an authentication client. This tells FortiGate where to forward the</p><p>RADIUS Auth requests from the client. For more information about configuring a RADIUS client, see the</p><p>Administering</p><p>FortiAuthenticator 6.4 Study Guide 28</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The domain name system (DNS), ensures human-friendly hostnames are translated into IP addresses—the</p><p>DNS resolves hostnames. Specific FortiAuthenticator functionalities rely on the use of the DNS, for example,</p><p>any feature that requires sending notification emails to users or administrators. For this reason,</p><p>FortiAuthenticator must have a reliable and stable connection to a DNS server.</p><p>You can configure the DNS on the DNS page. The DNS servers must be reachable from the networks to</p><p>which FortiAuthenticator connects and should specify two different addresses: a primary and a secondary.</p><p>The secondary DNS server is used in cases where there is no reply from the primary DNS server.</p><p>The default primary and secondary DNS server addresses are the FortiGuard DNS servers. You can use</p><p>these or change the address to another.</p><p>Note that in an Active Directory (AD) environment and using AD authentication, you should use the domain</p><p>DNS servers as the DNS servers.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 29</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can configure the default gateway associated with the interface on the Static Routing page.</p><p>The default gateway is the next hop that routes internal traffic to another, usually external, network. To</p><p>simplify, a default gateway acts as an entry and exit point in a network. All computers on your local network</p><p>need to know the default gateway IP address in order to access the Internet. To configure, click Edit and add</p><p>the next hop IP address of FortiAuthenticator to the Gateway field.</p><p>If you want to configure another port on FortiAuthenticator, you can assign specific IPv4 or IPv6 static routes</p><p>to a different gateway so that packets are delivered by a different route. Click Create New to create a new</p><p>route. Here, you need to configure the destination IP address and mask, the gateway, and the interface (port).</p><p>You can create, edit, and delete the static routes.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 30</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can either manually set the FortiAuthenticator system time and date, or configure FortiAuthenticator to</p><p>automatically keep its system time correct by synchronizing with an NTP server. NTP is a standard protocol</p><p>used for clock synchronization. You should synchronize FortiAuthenticator with an NTP server because, for</p><p>many features to work, the FortiAuthenticator system time must be accurate.</p><p>For example, for the time-based one-time password (TOTP) method used in two-factor authentication to</p><p>function correctly, it is critical for the time to be accurate and stable. NTP servers provide this necessary</p><p>accuracy and stability.</p><p>You can configure NTP servers in the System Information widget. In the System Time field, click Change</p><p>and then enable NTP enabled, and type the IP address of the NTP server. By default, the FortiAuthenticator</p><p>uses Fortinet NTP servers (ntp1.fortinet.net).</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 31</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>It’s always a good idea to make sure all the integral configurations are in place, such as:</p><p>• Network interfaces</p><p>• DNS servers (required for token/SMS/license registration)</p><p>• Time zone and NTP server (critical if using time-based tokens)</p><p>• License (trial license provides limited functionality)</p><p>• Mail servers (After configuration, don’t forget to set the default mail server!)</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 32</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>As a best practice, after complete the FortiAuthenticator deployment, you should back it up to your</p><p>management computer. The Restore/Backup option is located in the dropdown list in the upper-right of the</p><p>GUI.</p><p>The backup includes both the CLI and GUI device configurations. It also includes information on users, user</p><p>groups, the FortiToken device list, the authentication client list, the LDAP directory tree, FSSO settings,</p><p>remote LDAP, and certificates.The backup file is encrypted to prevent tampering. You can create multiple</p><p>backups, from different points in time. Make sure you name the file to indicate the time of the backup.</p><p>If you make changes to FortiAuthenticator that negatively affect your network, you can restore a configuration</p><p>from any of the backups.</p><p>The backup files can be encrypted using a password. The administrator must supply the password when</p><p>restoring an encrypted configuration file. Encryption is disabled by default. The backup files can be password</p><p>protected to prevent unauthorized restoration.</p><p>Note that you can restore the configuration only to the same build and hardware version.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 33</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This diagram shows all the FortiAuthenticator ports. It is a useful reference that you can use when you</p><p>configure your FortiAuthenticator.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 34</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Finally, to locate general system and diagnostic information, you can enter the status and hardware-</p><p>info commands on the CLI.</p><p>The get system status command displays the firmware build number, unit serial number, system time,</p><p>disk usage and size, and HA status.</p><p>The get hardware command displays information about the CPU, memory, NIC, disk, and RAID.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 35</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 36</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Congratulations! You have completed this lesson.</p><p>Now, you will review the objectives that you covered in this lesson.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 37</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the objectives that you covered in this lesson.</p><p>By mastering the objectives covered in this lesson, you learned about the key features of FortiAuthenticator,</p><p>and how to configure FortiAuthenticator for initial setup.</p><p>Introduction and Initial Configuration</p><p>FortiAuthenticator 6.4 Study Guide 38</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the key features and concepts of FortiAuthenticator and how to configure</p><p>FortiAuthenticator for initial setup.</p><p>FortiAuthenticator is the central device for any authentication infrastructure.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 39</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the topics shown on this slide.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 40</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in the initial configuration of FortiAuthenticator, you will be able to set up</p><p>administrator privileges and provide administrator roles to users.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 41</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator includes two administrator profiles by default (Sponsor and Read-only Administrator).</p><p>You can create additional administrator profiles using the permission sets and individual permissions.</p><p>An administrator profile comprises one or more permission sets. A permission set, in turn, comprises</p><p>individual permissions. For example, the Local LDAP Service permission shown on this slide includes the</p><p>individual permissions within this permission set. Note that the list of permissions shown on this slide is not</p><p>the full list.</p><p>Administrative profiles are useful for dividing responsibilities and controlling administrator access. For</p><p>example, an administrator user who has been granted only the Certificate Management permission set</p><p>cannot add or delete local users, because those permissions are assigned,</p><p>and Authenticating Users lesson.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 389</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>4. Configure RADIUS-EAP settings.</p><p>After you generate the certificates, you must associate them with the RADIUS service, so that they are</p><p>used during the authentication process. To configure this association, you must select the EAP server</p><p>certificate that will be used. This is required for EAP-TLS and EAP-TTLS.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 390</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>5. Configure FortiGate.</p><p>This involves:</p><p>• Configuring FortiAuthenticator as a RADIUS server on FortiGate. Refer to the Administering and</p><p>Authenticating Users lesson for how to configure a RADIUS server.</p><p>• Configuring the Wi-Fi controller SSID to use the WPA2 Enterprise security mode. You must also</p><p>configure the authentication to use the RADIUS Server.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 391</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>6. Configure the wireless clients.</p><p>In the example shown on this slide, the native Windows wireless application is used, which supports various</p><p>EAP standards, including EAP-TLS. However, most of the third-party wireless drivers also support EAP, and</p><p>their configuration is similar. In most cases, Windows automatically detects the wireless network requirements</p><p>and auto-configures the wireless interface properly. In this lesson, you will learn about the manual</p><p>configuration for cases where the auto-configuration is unsuccessful.</p><p>To manually configure the wireless client, click Wireless Properties associated with your Wi-Fi connection. In</p><p>the dialog box that opens, click the Security tab and ensure that WPA2 Enterprise is selected as your</p><p>security type. In the Choose a network authentication method drop-down list, select Microsoft Smart</p><p>Card or other Certificate (this is the EAP-TLS setting for Microsoft, but other EAP options are available).</p><p>If you want to validate the RADIUS server certificate, you can click Settings and enable Verify the server’s</p><p>identity by validating the certificate.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 392</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 393</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to configure 802.1X:EAP-TLS.</p><p>Now, you will learn how configure wired 802.1X authentication.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 394</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in configuring wired 802.1X authentication, you will be able to use it in your</p><p>network.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 395</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The wired 802.1X authentication process, in general, is very similar to the 802.1X:EAP-TLS authentication</p><p>process. The client tries to connect to the network through a LAN switch that supports wired 802.1X (such as</p><p>FortiSwitch). The workstation uses EAP over LAN (EAPOL), and the communication between the LAN switch</p><p>and the RADIUS server uses EAP over RADIUS.</p><p>The EAP configuration on FortiAuthenticator is the same for wired or wireless clients.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 396</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To configure a switch to use 802.1X authentication, you must enable 802.1X, enter the FortiAuthenticator IP</p><p>address as the RADIUS server IP, and provide the RADIUS secret key.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 397</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To enable 802.1X in Windows, open the Windows Component Services application (search for</p><p>services.msc). Open the properties for the Wired AutoConfig service and change the startup type to</p><p>Automatic. Now, the service will automatically start each time the computer is started. You must reboot your</p><p>computer for the changes to take effect.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 398</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After you restart your computer, and the Wired AutoConfig service is running, the LAN connection properties</p><p>displays a new tab called Authentication. On that tab, select the Enable IEEE 802.1X authentication</p><p>checkbox, and select the Microsoft Smart Card or other certificate authentication method (this is EAP-</p><p>TLS). Note that other EAP methods are also available.</p><p>Optionally, you can click Setting to enable the validation of the RADIUS local server certificate. If enabled,</p><p>you must install the root CA certificate of the CA that signed that RADIUS local certificate.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 399</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 400</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to configure wired 802.1X authentication.</p><p>Now, you will learn how configure MAC-based authentication.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 401</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objective shown on this slide.</p><p>By demonstrating competence in configuring MAC-based authentication, you will be able to use it in your</p><p>network.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 402</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The MAC-based authentication feature is a list of MAC addresses that are allowed access to the network. A</p><p>non-802.1X-compliant device will be accepted into the network only if its MAC address is on the list.</p><p>The RADIUS client, which is usually a LAN switch, must support 802.1X MAC-based authentication. That</p><p>means that the RADIUS Service-Type attribute must be set to Call Check, and the Calling-Station-ID must</p><p>contain the MAC address.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 403</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After you enable MAC-based authentication, you must create a list of allowed MAC addresses on the MAC</p><p>Devices page. The clients that do not support 802.1X, and whose MAC address is not in this list, will not be</p><p>able to connect to the network.</p><p>You can add MAC addresses one at a time, or you can import in bulk from a CSV file. The first column</p><p>contains the device names and the second column contains the corresponding MAC address.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 404</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 405</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to configure MAC-based authentication.</p><p>Now, you will learn how to configure machine-based 802.1X authentication.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 406</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in configuring machine-based authentication, you will be able to use it in your</p><p>network.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 407</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Machine authentication is performed by the computer, which sends its computer object credentials before the</p><p>Windows logon screen appears. Machine authentication commonly occurs when the computer starts up or the</p><p>user logs out. FortiAuthenticator caches authenticated devices based on their MAC addresses for a</p><p>configurable period of time.</p><p>You can limit access to the network based on the machine credentials provided during authentication. For</p><p>example, you can grant access to only the Active Directory server, to enable user authentication.</p><p>After the machine is authenticated, user authentication can take place to authenticate that the user is also</p><p>valid. You can then grant further access to the network based on the user credentials.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 408</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Windows AD machine authentication uses MSCHAPv2 for encryption. PEAP/MSCHAPv2 are only supported</p><p>when the Windows</p><p>Active Directory Domain Authentication option is enabled on the Remote Auth.</p><p>Server settings page. For this reason, you must enable Windows Active Directory Domain Authentication</p><p>for access to the Windows AD computer authentication option in RADIUS policies.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 409</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can configure machine authentication for your RADIUS clients on the Identity source and</p><p>Authentication factors pages in the RADIUS policy.</p><p>Without the override groups configured, the user will be authenticated and added to the group specified in the</p><p>RADIUS client configuration.</p><p>When the override group membership is set, the group membership is overwritten based on the logic</p><p>configured. For example, if the user is the only user authenticated (this is an employee but on an</p><p>unapproved personal device), they will be put into a “personal_device” group. Using the override groups, they</p><p>can then be added to a predefined VLAN (by using RADIUS attributes assigned to the group).</p><p>You must enable Use Windows AD Domain Authentication on the Identity source page in order to have</p><p>the Windows AD computer authentication option on the Authentication factors page. Recall that</p><p>Windows Active Directory Domain Authentication option must be enabled on the LDAP settings page for</p><p>access to these settings.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 410</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 411</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Congratulations! You have completed this lesson.</p><p>Now, you will review the objectives that you covered in this lesson.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 412</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the objectives that you covered in this lesson.</p><p>By mastering the objectives covered in this lesson, you learned about 802.1X authentication and how to</p><p>configure it.</p><p>802.1X Authentication</p><p>FortiAuthenticator 6.4 Study Guide 413</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the security assertion markup language (SAML), and how to configure and</p><p>troubleshoot SAML using FortiAuthenticator.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 414</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the topics shown on this slide.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 415</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in understanding SAML, you will be able to describe the process, identify the</p><p>different roles, and describe SAML SSO types.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 416</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Security Assertion Markup Language (SAML) defines a framework for exchanging security assertions</p><p>between SAML entities. It uses an XML-based framework and browser cookies to exchange security</p><p>assertions between entities to achieve SSO. One of the main SAML use cases is multiple-domain web SSO.</p><p>Online business partners can exchange SAML assertions, to provide user access to multiple web services,</p><p>without asking the user to log in to each domain.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 417</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>At a minimum, you need the following SAML entities to perform SSO:</p><p>• Principal: requests access to a service that usually requires authentication and authorization using the</p><p>SAML model. A principal can be a user, group, or machine.</p><p>• IdP: responsible for creating, maintaining, and managing identity information for principals. It is responsible</p><p>for responding to requests for SAML assertions within a federation.</p><p>• SPs: provides a service to a principal. It relies on an IdP for authentication and authorization information</p><p>that it can use to provide access a principal.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 418</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>SAML uses security assertions to transfer user identity information between its entities, using the principal (for</p><p>example, a web browser). For SAML to work correctly, all SPs participating in SSO must trust the IdP. Once a</p><p>user is pointed to an IdP by an SP, the IdP is responsible for authenticating the principal, and asserting</p><p>relevant SAML assertions in the browser cookie. The principal will not have to re-authenticate when accessing</p><p>partner web services, as long as it is using and trusting the same IdP.</p><p>There are three main types of SAML assertions used in the SSO configuration:</p><p>• Authentication assertions: contain authentication information about the principal and time.</p><p>• Attribute assertions: contain attribute information related to the principal.</p><p>• Authorization assertions: contain information about the principal's access privileges.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 419</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>There are two types of SSO in SAML: IdP initiated and SP initiated.</p><p>A user can perform an IdP-initiated login by directly accessing the IdP login page from a browser and</p><p>generating a login event. On a web page, the user can then access all the applications that would have</p><p>required them to log in. This can simplify the configuration, and administrators do not need to implement</p><p>SAML functionality on web servers.</p><p>A user can perform an SP-initiated login by visiting a SAML SP-compliant page that would then redirect the</p><p>user to IdP for authentication. It will transparently redirect the users before providing access to secure content.</p><p>The SP will need authorization assertions from the IdP before allowing users to access resources.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 420</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 421</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now have an understanding of SAML.</p><p>Now, you will learn about the SAML process flow.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 422</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in understanding the SAML flow and the advantages of SAML, you will be able</p><p>to make deployment decisions for your environment.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 423</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Now, you will learn about the SAML packet flow for a non-authenticated principal that is trying to access</p><p>resources.</p><p>1. The principal tries to access resources on SP1.</p><p>2. SP1 requests SAML assertion.</p><p>3. The principal replies that it does not have SAML assertion for SP1.</p><p>4. SP1 instructs the principal to redirect to the SAML IdP for authentication.</p><p>5. The principal contacts the IdP and requests SAML assertion for SP1.</p><p>6. The IdP asks the principal whether it has SAML authentication assertion for the contacted IdP.</p><p>7. The principal replies that it does not have an authentication assertion for the IdP.</p><p>8. The IdP then presents the principal with a login portal</p><p>9. The principal logs in with their credentials.</p><p>10. The IdP validates the credentials and updates its database with the login event.</p><p>11. Once the principal is successfully authenticated, the IdP provides it with SAML authentication assertion</p><p>and attributes the assertion for SP1.</p><p>12. The principal is redirected to the SP1 resources that it originally requested.</p><p>13. SP1 receives the SAML assertion for SP1, and authorizes the principal to access the resources.</p><p>The principal can continue to access resources on SP1, without having to log in again, until the SAML</p><p>authentication cookie expires, or the user closes the web session, or the user triggers a log out.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 424</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Now, you will learn about the SAML packet flow for an authenticated principal that is trying to access</p><p>resources on another SP in the federation.</p><p>1. The principal tries to access resources on SP2.</p><p>2. SP2 requests SAML assertion.</p><p>3. The principal replies that it does not have SAML assertion for SP2.</p><p>4. SP2 instructs</p><p>the principal to redirect for authentication to the SAML IdP.</p><p>5. The principal contacts IdP and requests SAML assertion for SP2.</p><p>6. The IdP requests SAML authentication assertion for itself.</p><p>7. The principal provides SAML authentication assertions to the IdP.</p><p>8. Once the IdP validates the SAML authentication assertion, it provides the principal with the SAML</p><p>attributes assertion for SP2.</p><p>9. The principal gets redirected to the SP2 resources that it originally requested.</p><p>10. SP2 receives the SAML assertion from the principal and authorizes the principal to access the resources</p><p>that it requested.</p><p>The principal can now access resources on SP2 until the SAML assertion expires, or the user closes the web</p><p>session, or the user triggers a logout.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 425</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>When using SAML for web SSO, SPs never need to directly communicate with the IdP for SSO to work. All</p><p>communication between the IdP and SPs happens through the principal that is trying to request the resources.</p><p>Another advantage of using SAML is that as long as the principal and IdP are located behind the same</p><p>firewall, user credentials will never leave the network. Third-party SPs will redirect unauthenticated users back</p><p>to the IdP for authentication, and users will enter credentials only after they is prompted by the IdP. Multiple</p><p>domains can use the same IdP for SSO when using SAML. SAML SSO relies on SAML assertions that are</p><p>created by the IdP, for a principal. SPs will use these assertions to grant access to the principal.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 426</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 427</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand SAML SSO flow and advantages.</p><p>Now, you will learn how to configure FortiAuthenticator as a SAML identity provider.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 428</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you will be able to achieve the objective shown on this slide.</p><p>By demonstrating a competent understanding of FortiAuthenticator IdP configuration, you will be able to</p><p>configure FortiAuthenticator IdP.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 429</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can configure FortiAuthenticator as a SAML IdP or an SP. When you configure FortiAuthenticator as an</p><p>IdP, it uses the self-serve login web portal to prompt the user for authentication. FortiAuthenticator can use</p><p>the local user database or remote authentication server to validate authentication requests. You must add all</p><p>SPs to FortiAuthenticator to establish a trust relationship between the SPs and FortiAuthenticator. Once an</p><p>SP is added to FortiAuthenticator, it can create SAML authorization assertions for the SP.</p><p>You can also configure FortiAuthenticator as an SP, to request assertions from a third-party IdP such as Okta.</p><p>When you configure FortiAuthenticator in the SAML SP role, it can use SAML attributes assertion to generate</p><p>an FSSO session and distribute the information to FortiGate devices within a network. This works in a similar</p><p>way to RADIUS SSO, where you use the attributes provided by the server to generate FSSO sessions for an</p><p>internal network.</p><p>Note that FortiAuthenticator can convert a SAML web SSO to an FSSO session.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 430</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The following is the an overview of the configuration you must complete to enable FortiAuthenticator to</p><p>perform the IdP role in SAML.</p><p>• Create a realm for the remote authentication server.</p><p>• This is required only if you are using remote authentication server.</p><p>• Create or import local server certification to use in SAML configuration.</p><p>• Certificates will be used to sign SAML assertions.</p><p>• Enable and configure IdP settings.</p><p>• Select the authentication realm to use for user authentication.</p><p>• You can narrow down the scope to a specific group using group filter option.</p><p>• Add SP configuration.</p><p>• You must add all SPs separately.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 431</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You must enable FortiAuthenticator to support SAML in the IdP role. The server address is used when</p><p>metadata information is generated. If you have multiple IPs on FortiAuthenticator, FortiAuthenticator will</p><p>define which interface will be used to listen for authentication requests. On the FortiAuthenticator IdP</p><p>configuration page, you can also modify the SAML SSO assertion timeout value. You can also select a default</p><p>realm that will be used for user authentication. You can specify to override remote users, if an account also</p><p>exists in the FortiAuthenticator user database. Furthermore, you can narrow down the scope of user lookup to</p><p>a specific group using the group filter option. You need to select an IdP certificate, which is a local service</p><p>certificate that you can generate or import in the certificate manager section of FortiAuthenticator. Enabling</p><p>the Get nested groups for user option allows the IdP to perform a nested group lookup for Windows AD.</p><p>Identity and access management (IAM) user accounts, created in the IAM view under Authentication > User</p><p>Management, can be used for SAML IdP logins.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 432</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The next step is to define SPs on FortiAuthenticator. You must give a unique name and IdP prefix to each SP</p><p>that you add to the FortiAuthenticator configuration. You can choose to generate a 16-digit prefix to use in the</p><p>IdP entity ID, IdP sign-on, and logout URL. This prefix uniquely identifies the IdP to the SP. You must copy</p><p>this configuration to the SP configuration. SAML allows you to use XML metadata files to export these</p><p>parameters accurately.</p><p>You can click Import SP metadata to load a metadata file to assist in the configuration of a SAML service</p><p>provider. The metadata files are xml files that contain details about the service provider, such as, entity</p><p>descriptors, URLs, certificates, and so on. The SP metadata file provides the IdP with all the information it</p><p>needs to trust and accept redirection from an SP.</p><p>You can download all of the IdP-related configurations from this page by clicking Download IdP metadata at</p><p>the bottom of the view. The metadata file provides the information required for the SP to use and trust</p><p>FortiAuthenticator as an IdP.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 433</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can enable support for IdP-initiated assertion response in situations where it is necessary for the IdP</p><p>server to generate and send a SAML assertion to the SP, without a prior request from the SP. In this</p><p>configuration, the user accesses the IdP login portal and, if the user’s browser is already authenticated, the</p><p>user will be presented with a portal landing page that includes a list of SPs that participate in IdP-initiated</p><p>login. The end user can then select the SP to access, and the IdP will generate the SAML assertion and send</p><p>it to the SP.</p><p>The Relay state setting allows the SP to redirect the user after a successful assertion response.</p><p>When you enable the Participate in single logout option, logging out of the SP will automatically log you out</p><p>of all single-logout-configured SPs.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 434</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Within the SP configuration, you can enforce further options. You can also enforce two-factor, or FIDO</p><p>authentication on users that log in through SAML. Depending on the options you select, users will be</p><p>prompted to enter a token with their credentials when they are prompted for authentication.</p><p>Assertion Attributes are used to pass information to an SP from the IdP. You can configure the assertion the</p><p>IdP will provide, after a user is successfully authenticated. For example, you can configure the Subject Name</p><p>ID attribute (usually used to send the username back to the SP) to send the email, User DN, or objectGUID</p><p>instead.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 435</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>SAML attributes assertions are used to return more than just authentication and authorization information</p><p>about a principal. SAML assertions can provide details about a principal that can then be used by SP to</p><p>extend the functionally of the service they offer. For example, an SP can use SAML attributes assertions to</p><p>exchange information such as principal membership level among multiple online partners that use the same</p><p>IdP for web SSO. You can create and assign more then one SAML attribute to a principal and send the</p><p>assertions only to SPs that you want to.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 436</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 437</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to configure FortiAuthenticator as a SAML IdP.</p><p>Now, you will learn how to configure FortiAuthenticator as a SAML service provider.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 438</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you will bea ble to achieve the objective shown on this slide.</p><p>By demonstrating a competent understanding of FortiAuthenticator SP configuration, you will be able to</p><p>configure FortiAuthenticator SP.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 439</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>When configuring FortiAuthenticator as a SAML SP, you do not need to host the user database locally. User</p><p>authentication will be performed by a third-party IdP, and FortiAuthenticator will direct principals to the IdP</p><p>portal for authentication. After the authentication is successful, FortiAuthenticator can then use SAML</p><p>assertions to generate FSSO sessions for the SAML principals. Then, FortiAuthenticator will share this</p><p>information with the FortiGate devices within the network to allow the principals to access the internet or</p><p>resources hosted locally.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 440</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>When using the FortiAuthenticator as a SAML SP, the communication sequence will look like this:</p><p>1. The client tries to connect to a web server on the internet.</p><p>2. FortiGate redirects the client to the captive portal (http://<FortiAuthenticator</p><p>IP>/login/saml-auth).</p><p>3. If the user doesn't already have a valid (non-expired) SAML login ticket, FortiAuthenticator redirects the</p><p>client to the SAML IdP.</p><p>4. The client authenticates on the SAML IdP portal and gets a SAML login ticket.</p><p>5. SAML IdP redirects the client to FortiAuthenticator.</p><p>6. The client gives the SAML login ticket to FortiAuthenticator.</p><p>7. The FortiAuthenticator adds the client to the list of logged-in SSO users, and the new list of logged-in SSO</p><p>users is sent from FortiAuthenticator, to FortiGate. At this point the FortiAuthenticator converts the SSO</p><p>users to FSSO, this allows you to leverage FSSO groups and firewall policies.</p><p>8. FortiAuthenticator redirects the client to the web server.</p><p>Note that you must configure captive portal exemptions for the client to FortiAuthenticator and the client to</p><p>SAML IdP.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 441</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You must enable SAML portal services to configure FortiAuthenticator to act as an SP. Enable the SAML</p><p>portal by clicking Fortinet SSO Methods > SSO > Portal Services and enabling the Enable SAML portal</p><p>option.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 442</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Create a remote SAML authentication server from Authentication > Remote Auth. Servers > SAML.</p><p>FortiAuthenticator will generate the SAML URLs and entity ID automatically. The Portal URL is where</p><p>unauthenticated users are directed for authentication. Requests on the portal authentication URL will be</p><p>redirected to IdP to perform user authentication. Importing the metadata file will configure the IdP settings.</p><p>Once the authentication is successful, the IdP will attach an assertion that FortiAuthenticator can then use to</p><p>generate an FSSO session for the principal. You can also configure FortiAuthenticator to perform LDAP</p><p>lookup for group membership of the principal, as long as the IdP and FortiAuthenticator use the same LDAP</p><p>server. You can also specify whether the username of the principal is pulled in from Boolean assertions or</p><p>test-based attributes.</p><p>Finally, the FAC must be configured as an SP in the IdP server.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 443</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Furthermore, you can implicitly assign all SAML users to a specific SSO group that you can configure locally</p><p>on FortiAuthenticator.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 444</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can then configure FortiAuthenticator to use the remote SAML server as an IdP, by selecting it in the</p><p>Remote SAML server drop-down list.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 445</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>SAML assertions for a FortiAuthenticator SP will be used to generate FSSO sessions. You can view logs to</p><p>get more information about FSSO sessions, usernames, SAML authentications, and so on. You can view</p><p>successful SAML FSSO sessions on FortiAuthenticator on the SSO sessions tab. Note that SAML users are</p><p>categorized as external users and added to an SSO group called SAML FSSO that you created locally on</p><p>FortiAuthenticator. The FSSO sessions of all SAML users will be forwarded to the FortiGate devices with the</p><p>information you provided on the SSO Sessions page on FortiAuthenticator.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 446</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 447</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to configure FortiAuthenticator as a SAML service provider.</p><p>Now, you will learn how to troubleshoot SAML configurations with FortiAuthenticator.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 448</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you will be able to achieve the objective shown on this slide.</p><p>By demonstrating competence in SAML troubleshooting tools, you will be able to resolve SAML deployment</p><p>issues.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 449</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>When FortiAuthenticator is configured in the IdP role, you must identify whether the issue is caused by an</p><p>authentication error, or related to SAML assertions. In the IdP role, FortiAuthenticator needs to perform</p><p>authentication for the user, so you need to ensure that the portal is configured properly. Review the</p><p>FortiAuthenticator logs to identify what is causing the issue.</p><p>To troubleshoot SAML-related issues, you can use tools such as the SAML tracer add-on that will track all the</p><p>redirects and display SAML assertions. You can keep track of which SP initiated the SAML SSO, which IdP</p><p>the principal is redirected to, and what assertions were inserted in the browser. Verify the entire configuration</p><p>on both the IdP and the SP to ensure you used the correct URLs and entity IDs.</p><p>To troubleshoot debug errors on FortiAuthenticator, you can use the GUI logs to identify what is causing the</p><p>issues.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 450</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>If FortiAuthenticator is configured in a SAML SP role, FortiGate devices in the network must have</p><p>FortiAuthenticator configured as an external captive portal to forward unauthenticated user requests.</p><p>FortiGate must have an exempt policy in place to forward authentication requests that FortiAuthenticator will</p><p>be forwarding to the third-party IdP. If users are having issues accessing the login page, make sure that the</p><p>exempt policy is allowing all traffic to the IdP URL(s). Check the configuration on FortiAuthenticator to make</p><p>sure the IdP URLs and entity IDs are correct.</p><p>If the authentication is successful and you are receiving SAML assertions, verify that FSSO sessions are</p><p>created on FortiAuthenticator. Use a SAML tracer to view SAML exchanges and assertions, and refer to the</p><p>FortiAuthenticator logs to view errors. If you</p><p>see FSSO sessions but users are still not able to access</p><p>resources, check the FSSO information on FortiGate to verify that users are populating properly.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 451</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can view SAML-related logs on FortiAuthenticator, in the log section.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 452</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>SAML session information can be found in the logs view. User information is displayed along with the</p><p>authentication time, the authentication expiration (shown as Valid Until), and the IdP session ID</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 453</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can view SAML assertions and exchanges using the SAML tracer add-on in a Firefox web browser. This</p><p>add-on allows you to keep track of all redirections, and SAML assertions and attributes that are exchanged</p><p>during the authentication.</p><p>The example on this slide shows a SAML authentication request that is sent to an IdP. It includes SAML</p><p>protocol and assertion information, the IdP login portal address that the authentication request will be</p><p>forwarded to, and information about the SAML SP that is requesting the authentication. The request also</p><p>contains the assertion consumer service URL, which is where the response from the IdP will be returned.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 454</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows an example of an authentication response sent from the IdP. The SAML authentication</p><p>response includes basic SAML protocol information. The authentication response also includes authentication</p><p>information such as the SAML NameID attribute value, time of authentication, authentication conditions</p><p>(validity period), and the response recipient (which is usually the SP).</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 455</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The authentication response assertion returned also includes authentication attributes by the IdP. The</p><p>attribute assertion contains additional information about a principal that can be used by an SP to provide</p><p>additional features and services to the authenticated user. The example shown on this slide includes two</p><p>attributes, username and user DN that are asserted by the IdP for this SP. SAML attributes can add extra</p><p>value because exchanging this information is completely transparent to the user.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 456</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 457</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Congratulations! You have completed this lesson.</p><p>Now, you will review the objectives that you covered in this lesson.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 458</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the objectives that you covered in this lesson.</p><p>By mastering the objectives covered in this lesson, you now understand SAML, and how to configure and</p><p>troubleshoot SAML using FortiAuthenticator.</p><p>SAML</p><p>FortiAuthenticator 6.4 Study Guide 459</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about fast ID online 2 (FIDO2) authentication. Specifically, an overview of how it</p><p>works, its advantages, and how to leverage it with FortiAuthenticator.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 460</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn about the topics shown on this slide.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 461</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in understanding fast ID online 2 (FIDO2), you will be able to describe the</p><p>processes and security advantages of FIDO2.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 462</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The FIDO2 set of specifications includes the World Wide Consortium’s (W3C) Web Authentication</p><p>(WebAuthn) and the FIDO Alliance’s Client to Authenticator protocol (CTAP).</p><p>FIDO2 leverages standard public key cryptography to provide a simpler and more secure authentication</p><p>option. A FIDO2-compliant device creates a public and private key pair for each online service using FIDO2</p><p>authentication and associates those with a user account. The public key is passed to the online service for</p><p>association with the user account on the service end. The private key is locally stored and never leaves the</p><p>device, so it cannot be compromised by phishing attacks or server-side data breaches, making it more secure</p><p>than a password-based solution. For the end user, authentication becomes far more convenient, requiring the</p><p>device to be unlocked with a simple PIN or non-memory-based option, like biometric (fingerprint, voice</p><p>recognition), or physical interaction (touch sensor or push button), replacing the need to remember</p><p>passwords. Security is further enhanced by the need for the FIDO2 device to be physically present with the</p><p>end user during authentication.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 463</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FIDO2 authentication leverages three key components:</p><p>1. The authenticator: This is most often a physical key, such as a FortiToken 400, Titan, or Yubiko, but could</p><p>also be an Android device or Windows Hello. The purpose of the authenticator is to generate and store</p><p>private and public key pairs to be associated with an online account or service. The authenticator requires</p><p>an interaction with the end user, such as scanning a fingerprint, entering a pin or pushing a physical</p><p>button, to perform authentication.</p><p>2. The client: This component interacts with the online service to perform the authentication and prompt the</p><p>user for authenticator activation. This is most often a web browser but could be another form of client,</p><p>such as FortiClient.</p><p>3. The server: This component is the service provider, such as Google or Facebook, or a identity provider,</p><p>such as FortiAuthenticator.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 464</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The packet flow for FIDO2 authentication occurs between the three FIDO2 components, and proceeds as</p><p>follows:</p><p>1. The user (with the authenticator) attempts to access the service using the client.</p><p>2. The client issues an authentication request to the server or IdP.</p><p>3. The server or IdP issues a challenge.</p><p>4. The client prompts the user to unlock their FIDO2 authenticator.</p><p>5. The authenticator uses the private key to sign the challenge and send it to the server or IdP.</p><p>6. The server or IdP validates the private key that signed the challenge matches the public key associated</p><p>with the user account, and if so, validates authentication.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 465</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 466</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now have a brief understanding of FIDO registration and login processes.</p><p>Now, you will learn how to configure FIDO settings on FortiAuthenticator.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 467</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 468</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can enable FIDO2 authentication for local and remote user accounts in the user records stored on</p><p>FortiAuthenticator.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 469</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To take advantage of FIDO2 authentication on FortiAuthenticator portals, both captive and self-service, you</p><p>must enable the FIDO authentication option on the corresponding portal policy. You can require both a</p><p>password validation as well as a FIDO2 token, or just the FIDO2 token. The FIDO authentication is applied</p><p>only to users who have a registered token.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 470</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>When you enable the options on the self-service</p><p>portal, users can register and manage their FIDO keys. To</p><p>add a key to their account, the user clicks the Add FIDO key button and enters a name for the key. The user</p><p>then must insert and unlock the key.</p><p>Once a key is added, it can be revoked if it becomes compromised or lost.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 471</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>An administrative user can manage FIDO2 keys on the user properties page on FortiAuthenticator. A user can</p><p>revoke their own keys by selecting the Lost my FIDO token option on the login screen.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 472</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows an example packet flow with FortiAuthenticator acting as an IdP with FIDO2 authentication.</p><p>The steps to complete the authentication are as follows:</p><p>1. The user attempts to connect to the online service using the client.</p><p>2. The online service redirects the user agent to the FIDO2 enabled FortiAuthenticator using SAML.</p><p>3. The client issues a SAML request to FortiAuthenticator.</p><p>4. FortiAuthenticator issues a FIDO2 challenge.</p><p>5. The user unlocks the FIDO2 authenticator for the client.</p><p>6. The client responds to the FortiAuthenticator challenge.</p><p>7. FortiAuthenticator validates the response.</p><p>8. FortiAuthenticator issues the SAML assertion to the client.</p><p>The client is now able to access the online service.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 473</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You define when FIDO2 authentication is necessary in the Authentication section of a service provider</p><p>configuration. In the Authentication method option list, selecting FIDO-only requires that authentication is</p><p>based on the username and the FIDO2 key response. Selecting Password and FIDO requires both a valid</p><p>password for the user account, as well as a successful response from a FIDO2 key. FIDO2 authentication is</p><p>optional for any of the other selections, if it has been configured on the service provider.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 474</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The example shown on this slide shows a user logging in to a FortiGate device that has been configured as a</p><p>service provider on FortiAuthenticator. The service provider has the Authentication method set to FIDO-</p><p>only. The process proceeds as follows:</p><p>1. The user accesses the FortiGate login page and selects Sign in with Security Fabric. The user is</p><p>redirected to the authentication page on FortiAuthenticator.</p><p>2. The user enters their username, and then clicks Next.</p><p>3. The client instructs the user that they must enter the PIN for their security key.</p><p>4. The FortiAuthenticator challenges the client. The client signs the challenge with the private key.</p><p>FortiAuthenticator authenticates the user.</p><p>5. The client is redirected and logged in to the service (FortiGate).</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 475</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator logs the authentication process. In the example shown on this slide, the administrator login</p><p>in-session events can be seen as the lower four events in the log, and the logout events are the top three. You</p><p>can click any event in the event log to display log details.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 476</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 477</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Congratulations! You have completed this lesson.</p><p>Now, you will review the objectives that you covered in this lesson.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 478</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the objectives that you covered in this lesson.</p><p>By mastering the objectives covered in this lesson, you now understand FIDO, and how to configure FIDO</p><p>using FortiAuthenticator.</p><p>FIDO2 Authentication</p><p>FortiAuthenticator 6.4 Study Guide 479</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>No part of this publication may be reproduced in any form or by any means or used to make any</p><p>derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,</p><p>as stipulated by the United States Copyright Act of 1976.</p><p>Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,</p><p>Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company</p><p>names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and</p><p>actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein</p><p>represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written</p><p>contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified</p><p>performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For</p><p>absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any</p><p>commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.</p><p>Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,</p><p>transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>01 Introduction and Initial Configuration</p><p>02 Administrative Users and High Availability</p><p>03 Administering and Authenticating Users</p><p>04 Managing Users and Troubleshooting Authentication</p><p>05 Two-Factor Authentication</p><p>06 FSSO Process and Methods</p><p>07 FSSO Deployment and Troubleshooting</p><p>08 Portal Services</p><p>09 PKI and FortiAuthenticator as a CA</p><p>10 Certificate Management</p><p>11 802.1X Authentication</p><p>12 SAML</p><p>13 FIDO2 Authentication</p><p>by default, to a different</p><p>permission set (users and devices).</p><p>By default, the admin administrator has full access, which includes all permission sets and associated</p><p>permissions.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 42</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can create administrator profiles on the Admin Profiles page. You must assign a name to the profile and</p><p>optionally provide a description.</p><p>You can specify whether the admin profile:</p><p>• Should not have one of the default permission sets, by selecting None next to the permission set</p><p>• Should have read access to that permission set only, by selecting Read-only next to the permission set</p><p>• Should have read and write access to that permission set, by selecting Read & Write next to the</p><p>permission set.</p><p>To see which individual permissions make up a permission set, click Permission sets, and then click the</p><p>permission set name.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 43</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After you click Permission sets, the full list of built-in permission sets opens.</p><p>Built-in permission sets are static. You cannot add or remove individual permissions; however, you can clone</p><p>the built-in permission sets and then customize the cloned permission sets.</p><p>In this lesson, you will look at how to clone and modify a built-in permission set and create a new, custom one.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 44</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To clone an existing permission set for customization, select the permission set you want to clone and click</p><p>Clone. A page opens that shows you which permissions are currently associated with the cloned permission</p><p>set (these are located on the Selected user permissions pane), and which permissions are available to use</p><p>(these are located on the Available user permissions pane). You can move permissions to and from these</p><p>two panes using the arrow buttons.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 45</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>If you would rather create a new permission set than clone an existing one, click Create New. Provide your</p><p>new permission set with a name and then move individual permissions from the Available user permissions</p><p>pane to the Selected user permissions pane.</p><p>You can continue to add or remove permissions at any time. Just ensure the name or description aptly</p><p>identifies the permission set after modification.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 46</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After you have some administrator profiles, you can create administrator user accounts and assign profiles.</p><p>You can create an administrator user account on the Local Users page by clicking Create New. You must set</p><p>a user name and password.</p><p>There are three ways to handle the password. You can specify a password and communicate it to the</p><p>administrator user, have FortiAuthenticator create a random password and automatically email it to the</p><p>administrator user (you must assign an email to the user), or specify token-based authentication rather than</p><p>password-based authentication. With the last option, FortiAuthenticator adds the account, but it is disabled</p><p>until you associate a FortiToken with the user account. You will examine FortiTokens further in another</p><p>lesson.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 47</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In the Role field, select Administrator to make the user an administrator user. As you can see, administrator</p><p>accounts on FortiAuthenticator are standard user accounts (local or remote users) flagged as administrators.</p><p>You will learn about creating end users in another lesson.</p><p>You can assign the administrator full permissions, which provides all permission sets and associated</p><p>permissions like a super user (this is what the admin administrator is assigned), or select a preconfigured</p><p>administrator profile in the Admin profiles drop-down list.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 48</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After you add the administrator user account, you are presented with additional account settings that you can</p><p>configure, such as:</p><p>• Admin profiles: You can apply multiple administrator profiles to an administrative account. The most</p><p>permissive of the union will be applied.</p><p>• Web service access: Allows administrators to access web services using REST API or a client</p><p>application.</p><p>• Restrict admin login from trusted management subnets only: Allows you to restrict administrator</p><p>access to the GUI based on IP address. You can even restrict an administrator to a single IP address if you</p><p>define only one trusted host IP. However, FortiAuthenticator allows you to configure up to 10 trusted hosts.</p><p>You can also expand each of the sections shown on the slide to configure additional settings. This includes</p><p>specifying additional user information (address, phone/mobile number, language, and organization),</p><p>alternative email addresses, groups, email routing, and more. You can also set password recovery options.</p><p>Here, FortiAuthenticator can send local users a password recovery link for lost or forgotten passwords,</p><p>through email or in a browser, in response to a prearranged security question. The user must then set a new</p><p>password.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 49</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can define certificate bindings and RADIUS attributes as part of a local user configuration for use during</p><p>authentication. The certificate bindings require a designation of the common name (CN) on the certificate as</p><p>well as the certificate authority (CA). The defined RADIUS attributes will be passed upon authentication to the</p><p>authenticator. These attributes can specify user-related information.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 50</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>When you complete the creation of an administrative user, or attempt to apply modifications to an existing</p><p>administrative user, you must supply the currently logged-in administrative user’s password as validation. This</p><p>validation provides an additional layer of security. If validation is not successful FortiAuthenticator ends the</p><p>user's session.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 51</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 52</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand the administrator profiles of FortiAuthenticator.</p><p>Now, you will learn about high availability (HA) modes and messaging services.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 53</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in HA and messaging services, you will be able to explain the different HA</p><p>modes; list the HA roles; configure message settings for SMTP, email, and SMS gateway; and configure</p><p>SNMP.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 54</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>If your deployment has more than one FortiAuthenticator device, you can choose to operate the</p><p>FortiAuthenticator devices as an HA cluster, to provide even higher reliability. All devices must run the same</p><p>firmware version.</p><p>You can configure HA in the following modes:</p><p>• Cluster (active-passive) mode (Cluster member designation in the GUI): In this mode, everything is</p><p>synchronized and is failover only. You designate one device as the primary and one as the secondary.</p><p>Layer 2 connectivity is required for data synchronization.</p><p>• An active-passive cluster can have up to 10 load-balancers.</p><p>• Active-passive clusters cannot be a mix of physical</p><p>and virtual appliances.</p><p>• Load-balancing (active-active mode or geo-HA). In this mode, one device acts as the primary (Standalone</p><p>Primary designation on the GUI) with up to 10 load balancing systems (Load Balancer designation on the</p><p>GUI). You can separate the load balancers geographically, and you can distribute the load across the</p><p>devices using your preferred method, such as round-robin DNS, or Auth/NAS client load distribution. You</p><p>can also use external load balancing devices. This type of configuration is intended for two</p><p>FortiAuthenticator deployments because it syncs the user authentication configuration (such as users,</p><p>groups, tokens, and so on). It does not sync FSSO and certificates.</p><p>• Load balancing can use a mix of physical and virtual appliances.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 55</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can configure load balancing as part of a FortiAuthenticator active-passive cluster to achieve fault</p><p>tolerance. In the example shown on this slide, Ottawa and Ottawa-DR are configured in an active-passive HA</p><p>configuration. Layer 2 connectivity between Ottawa and the Ottawa-DR location is required for</p><p>synchronization. If Ottawa became unresponsive, Ottawa-DR would no longer receive updates and would</p><p>become the primary. You select a port to be dedicated for data synchronization between the active and</p><p>standby FortiAuthenticator. The interface should not have an IP address already assigned and it must be the</p><p>same interface on both the primary and standby device. Fortinet recommends a direct cable connection for</p><p>data synchronization.</p><p>You can synchronize administrator or sponsor accounts. Each administrator and sponsor account has an</p><p>option to include the account in load balancing HA configurations. In addition, FortiAuthenticator synchronizes</p><p>certificate bindings for both local and remote users.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 56</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You enable HA on the High Availability page. Depending on which HA role you select, different fields appear</p><p>in order to configure that particular role.</p><p>Cluster member: In the cluster member role, one device is active and the other is on standby (passive). If the</p><p>active device fails, the standby becomes active. The cluster is configured as a single authentication server on</p><p>FortiGate. Authentication requests made during a failover from one device to another are lost, but subsequent</p><p>requests complete normally. The failover process takes approximately 30 seconds. You can configure up to</p><p>10 load balancing devices.</p><p>Use one of the maintenance modes when you need to make changes to a system setup and quickly return to</p><p>it to its HA role. The three maintenance mode options are:</p><p>• Disabled: Unit is not in maintenance mode.</p><p>• Enabled with synchronization: Unit is in maintenance mode and continues to synchronize data, similar to</p><p>the passive unit in a active-passive deployment.</p><p>• Enabled without synchronization: Full maintenance mode, not participating in HA.</p><p>Interface: The interface that will be used for data synchronization between the primary and standby</p><p>FortiAuthenticator. The IP address for this interface is configured here.</p><p>Password: A password must be entered for use as a shared key for Ipsec encryption, and must be the same</p><p>on both the primary and standby devices.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 57</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can use load balancing as an HA method across geographically separated locations and Layer 3</p><p>networks. In this configuration, FortiAuthenticator is designated as the standalone primary device. Up to 10</p><p>other FortiAuthenticator devices can be configured as load balancers. The standalone primary device keeps</p><p>the load balancers synchronized, and the traffic is balanced using an external method chosen by the</p><p>administrator.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 58</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You configure geographically distributed load balancing on the High Availability page.</p><p>The Role setting for the standalone primary FortiAuthenticator should be Standalone primary. The</p><p>standalone primary is the primary system where users, groups, and tokens are configured. The load</p><p>balancers are synchronized to the primary. To improve the resilience of the primary system, up to 10 load-</p><p>balancer devices can be configured.</p><p>The Password field must configured in the standalone primary configuration, and again in the load balancer</p><p>configurations.</p><p>The load balancing FortiAuthenticator devices must be added to the Load Balancers list using the Add</p><p>Secondary Load Balancer button. You must provide a name and IP address for each load balancer.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 59</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The Role setting for each FortiAuthenticator that will participate as a load balancer must be Load Balancer.</p><p>The Load Balancing primary IP address field must contain the IP address of the standalone primary. The</p><p>Password field must match the password set in the standalone primary configuration.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 60</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator can be also be configured as an active-passive cluster with geographically distributed load</p><p>balancing. In the example shown on this slide, Ottawa and Ottawa-DR are configured in an active-passive HA</p><p>configuration.</p><p>Regardless of which member of the active-passive cluster is currently active, the load is distributed across the</p><p>load balancers, using your preferred method, such as round-robin DNS, Auth/NAS client load distribution, or</p><p>external load balancing devices. The primary and secondary systems can also each function as a standalone</p><p>primary device.</p><p>FortiAuthenticator synchronizes certificate bindings to load balancers for both local and remote users.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 61</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The HA Status page displays the current status of the device, including Node type (for example, Cluster</p><p>member, Standalone Primary, or Load Balancer), Priority (high or low), Serial number, and Status.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 62</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>By default, FortiAuthenticator uses the built-in SMTP server. This is provided for convenience, but is not</p><p>necessarily optimal for production environments. Antispam methods can block mail, so you should relay email</p><p>through an official, external mail server for your domain.</p><p>To configure a new SMTP server, you require a name, server IP address, port (default 25), and sender email</p><p>address. You can also choose to use a secure connection to the mail server by selecting STARTTLS. Note</p><p>that you must import the CA certificate that validates the server’s certificate for STARTTLS to work. You will</p><p>examine CA certificates in another lesson.</p><p>Lastly, if the email server requires that you authenticate when sending mail, you can enable authentication</p><p>and set the account username and password.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 63</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can select any configured SMTP server and click on the Set as Default button to designate that server</p><p>as the default SMTP server. On the Email Services page, you can select the server that will be used by</p><p>administrators and the server that will be used for users. The SMTP Server drop-down list will contains all</p><p>configured SMTP servers, as well as a selection to use the server marked as default.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 64</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>To provide more actionable information, FortiAuthenticator provides detailed logging of failed SMTP send</p><p>attempts for administrative users. You can review these logs in the Logs view.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 65</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator provides two distinct email services: one for administrators and one for users.</p><p>For each recipient group (administrators and users), you can specify the SMTP server to use, as well as</p><p>customize the public address, which is the address or link to the site that the email recipients will receive.</p><p>Options include:</p><p>• Automatic discovery: Use DNS domain name if configured, or automatically obtain address from the</p><p>browser or an active network interface.</p><p>• Specify an address: Manually enter the address and port number.</p><p>• Use the IP address for a network interface: Select a specific network interface in the drop-down list.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 66</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>If you want to send SMS messages to users, you must configure the SMS gateways. The FortiAuthenticator</p><p>SMS gateway configuration differs according to the protocol your SMS provider uses, such as SMTP, HTTP,</p><p>or HTTPS, so you must ask your SMS provider for information about using its gateway.</p><p>When configuring SMS gateways you can specify how the mobile number is sent. The available options are</p><p>JSON String and JSON Number.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 67</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>SNMP allows you to monitor hardware on your network. You can configure the hardware, such as the</p><p>FortiAuthenticator SNMP agent, to report system information and send traps (alarms or event messages) to</p><p>SNMP managers. An SNMP manager, or host, is typically a computer running an application that can read the</p><p>incoming trap and event messages from the agent, and send SNMP queries to the SNMP agents.</p><p>Using an SNMP manager, you can access SNMP traps and data from any FortiAuthenticator interface</p><p>configured for SNMP management access. Part of configuring an SNMP manager is listing it as a host in a</p><p>community on the FortiAuthenticator device it will be monitoring. Otherwise, the SNMP monitor does not</p><p>receive any traps from that device, and cannot query that device.</p><p>Note that the FortiAuthenticator SNMP implementation is read-only. SNMP v1, v2c, and v3 managers have</p><p>read-only access to system information through queries and can receive trap messages from</p><p>FortiAuthenticator.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 68</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can configure SNMP on the SNMP page. The SNMP settings allow you to set the thresholds that trigger</p><p>various SNMP traps. Note that a setting of zero disables the trap.</p><p>However, before you can monitor FortiAuthenticator system information and receive FortiAuthenticator traps,</p><p>you must do the following:</p><p>• Configure one or more interfaces to accept SNMP connections. This allows a remote SNMP manager to</p><p>connect to the Fortinet agent. You can enable SNMP connections by enabling the SNMP service on the</p><p>required interface.</p><p>• Download the Fortinet and FortiAuthenticator MIB files for your SNMP manager. A MIB is a text file that</p><p>lists the SNMP data objects that apply to the device to be monitored. These MIBs provide information that</p><p>the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the</p><p>FortiAuthenticator SNMP agent. You can download the MIB files on the SNMP page on the GUI or from</p><p>the Customer Service & Support portal at https://support.fortinet.com. They are located in the</p><p>Firmware Images folder for the FortiAuthenticator product.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 69</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 70</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Congratulations! You have completed this lesson.</p><p>Now, you will review the objectives that you covered in this lesson.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 71</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this</p><p>lesson, you learned about the key features of FortiAuthenticator, and how to configure FortiAuthenticator for</p><p>initial setup.</p><p>Administrative Users and High Availability</p><p>FortiAuthenticator 6.4 Study Guide 72</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn how to administer user account policies and management settings, and how to</p><p>authenticate users through LDAP and RADIUS, as well as the self-service portal.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 73</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will explore the topics shown on this slide.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 74</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in creating local users, you will be able to import users, manually add users,</p><p>assign user roles, and describe RADIUS attributes.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 75</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>There are two ways you can add local users to FortiAuthenticator:</p><p>• Import users from a CSV file or FortiGate configuration file</p><p>• Manually add users</p><p>Note that FortiAuthenticator does include a self-service portal, so users can register themselves. Self-</p><p>registration is covered in this lesson.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 76</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can import local user accounts from a CSV file or from a FortiGate configuration file, on the Local Users</p><p>page.</p><p>If you are importing from a CSV file, the file must contain only one record per line in the accepted format. The</p><p>accepted format is available in the FortiAuthenticator Administration Guide. If you do not include the optional</p><p>password in the record, FortiAuthenticator emails the user temporary login credentials and requests that the</p><p>user configure a new password.</p><p>If you are importing from a FortiGate configuration file, FortiAuthenticator provides the following options:</p><p>• Import users only</p><p>• Import users and only their associated FortiToken hardware</p><p>• Import all users and the FortiToken hardware (imports unassigned FortiTokens as well)</p><p>You must also enter the password associated with the FortiGate configuration file when importing, if one is</p><p>assigned.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 77</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The other way you can add local users is by manually creating them. You can do this on the same Local</p><p>Users page by clicking Create New.</p><p>First, you must set a username (253 characters or less and can include only letters, digits, and specific</p><p>symbols) and a password. There are three ways to handle the password:</p><p>• Specify a password: The administrator assigns a password immediately, and communicates it to the</p><p>user.</p><p>• Set and email a random password: FortiAuthenticator creates a random password and automatically</p><p>emails it to the new user. To use this option, you must enter the email address of the user.</p><p>• No password, FortiToken authentication only: No password is assigned because only token-based</p><p>authentication will be used. If you select this option, the user account is added, but is disabled until you</p><p>associate a FortiToken with the user account. You will learn more about FortiTokens later in this lesson.</p><p>• Allow RADIUS authentication: Locally created users will be allowed to authenticate through RADIUS.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 78</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After you set the user name and password, you must assign a user role. You can select Administrator to</p><p>create an administrator account,</p><p>or User to create a user account. This lesson focuses on creating end users.</p><p>To create an end user, select User as the role. After you select the user role, you can enable account</p><p>expiration in the event the user never activates the account or the account is meant to be temporary. You can</p><p>set the user account to expire after a set length of time (for example, 8 hours) or by a specific date. After you</p><p>add the local user account, FortiAuthenticator provides additional account settings that you can configure.</p><p>Similar to administrator users, you can specify additional user account information (address, phone/mobile</p><p>number, language, and organization), alternative email addresses, password recovery options, groups, and</p><p>email routing.</p><p>However, there are additional settings specific to user accounts, including:</p><p>• Allow LDAP browsing: This allows viewing of directory contents (that is, read-only operations that do not</p><p>modify LDAP directory contents). It applies only to non-administrator users.</p><p>• RADIUS Attributes: This allows FortiAuthenticator to receive information about an authenticated user</p><p>through RADIUS vendor-specific attributes. Attributes in user accounts can specify user-related</p><p>information. You will learn about RADIUS attributes in more detail, in this lesson.</p><p>• Certificate Bindings: This allows you to bind a local certificate to a user’s account.</p><p>The Sponsor role is equivalent to an administrator with read-write permissions to the Guest Users submenu</p><p>only.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 79</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Some RADIUS clients can receive information about users through vendor-specific RADIUS attributes. When</p><p>a RADIUS user successfully authenticates, FortiAuthenticator sends the user’s RADIUS attributes and values</p><p>to the RADIUS client.</p><p>The example shown on this slide passes FirewallAdmins to the client for remote user aduser1 as the</p><p>Fortinet attribute Fortinet-Group-Name. As another example, there is a Fortinet-proprietary attribute called</p><p>Fortinet-Client-IP-Address. It specifies the IP address assigned to that specific user when establishing an</p><p>SSL VPN tunnel. So, you can configure FortiAuthenticator and FortiGate to always assign the same static IP</p><p>address to a user. FortiAuthenticator stores the IP addresses as part of the user account information and</p><p>sends them to FortiGate, after the user has successfully authenticated.</p><p>You can configure RADIUS attributes on the Local Users or Remote Users pages.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 80</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can also configure RADIUS attributes per user group on the User Groups page. In the example shown</p><p>on this slide, members of the group Firewall Admin have the Fortinet attribute Fortinet-Group-Name</p><p>returned with a value of Remote-AD-admins. If attributes have been set on both a user and group level, the</p><p>client will determine how to handle the multiple attributes.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 81</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 82</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to create local users.</p><p>Now, you will learn how to configure remote authentication servers.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 83</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in configuring remote authentication servers, you will be able to describe</p><p>remote authentication with LDAP and RADIUS as well as importing remote users.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 84</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can configure FortiAuthenticator to connect to a remote LDAP server on the LDAP page. You must enter</p><p>all required information about the remote LDAP server, such as the IP address (or FQDN) as well as the</p><p>connecting port. You also have the option to set up a secondary server. When adding the base distinguished</p><p>name (dn) of the remote LDAP server, you must use the correct X.500 or LDAP format.</p><p>When selecting a bind type, which determines how the authentication information is sent to the server, you</p><p>can select:</p><p>• Simple, to bind using the user’s password, which is sent to the server in plaintext without a search.</p><p>• Regular, to bind using the user’s dn and password and then perform a search. Regular bind is required, if</p><p>searching for a user across multiple domains.</p><p>You can select a server type and apply an associated template. The template populates the Query Element</p><p>fields for that server type.</p><p>If you want to have a secure connection between FortiAuthenticator and the remote LDAP server, enable</p><p>Secure Connection and include the LDAP server protocol (LDAPS or STARTTLS) as well as any trusted CA</p><p>certificates.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 85</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can configure FortiAuthenticator to connect to a remote RADIUS server on the RADIUS page. You can</p><p>also use this feature to migrate away from third-party two-factor authentication platforms. Support for RADIUS</p><p>over TCP and TLS (RADSEC) ensures complete security.</p><p>You must enter all required information about the remote RADIUS server, such as the IP address, port, and</p><p>shared secret. You also have the option to set up a secondary server for redundancy.</p><p>If you want to record and learn what users are authenticating against this RADIUS server, enable Enable</p><p>learning mode in the User Migration section. You should enable this option if you need to migrate users</p><p>from the server to FortiAuthenticator.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 86</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You add remote LDAP and remote RADIUS users to FortiAuthenticator differently.</p><p>For remote LDAP users, you must import users into the FortiAuthenticator user database from their remote</p><p>LDAP servers.</p><p>You can create remote RADIUS users based on a remote RADIUS server. You can migrate remote RADIUS</p><p>users to LDAP users, as well as edit and delete them. You can also flag remote RADIUS users with the user</p><p>role or administrator role.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 87</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can import remote LDAP users on the Remote Users page. In the upper-right corner, make sure LDAP</p><p>users is selected, and then click Import.</p><p>You must select a preconfigured remote LDAP server and then either import users or import users by group</p><p>membership.</p><p>After FortiAuthenticator connects to your preconfigured LDAP server, you can see your remote users based</p><p>on the default LDAP filter (&(objectClass=user)(objectCategory=person)). The default configuration, shown on</p><p>this slide, imports the attributes commonly associated with Microsoft Active Directory LDAP implementations.</p><p>The filter value varies depending on the LDAP server type. You can also configure the user attributes to edit</p><p>the remote LDAP user mapping attributes.</p><p>Select the users you want to import. If you have organizations configured, you can choose to add users to a</p><p>specific organization.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 88</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The LDAP attributes, and the fields they are mapped to, can be defined using the User attributes button. This</p><p>provides you the flexibility to customized the attributes being imported.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 89</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator also allows you to create synchronization rules to control how and when remote LDAP</p><p>users are synchronized. You can do this on the Remote User Sync Rules page.</p><p>At a minimum, you must:</p><p>• Select the preconfigured remote LDAP server from</p><p>where users will be synced.</p><p>• Specify the token-based authentication sync priorities. Drag and drop the options up and down the list to</p><p>set a priority order.</p><p>• Specify whether you want to sync users as remote LDAP users, Remote RADIUS users, or local users.</p><p>• Specify if you want to sync FIDO authentication for user accounts.</p><p>• Specify how often FortiAuthenticator should perform the sync (for example, every <x> minutes, every <x></p><p>hours, or every <x> days).</p><p>When selecting to sync remote users as local users, FortiAuthenticator will create a password for the record.</p><p>All other user information will be synched.</p><p>You can assign roles to new user accounts, and create a group association.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 90</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can create remote RADIUS users on the Remote Users page. In the upper-right corner, select RADIUS</p><p>users, then click Create New.</p><p>You need to select a preconfigured remote RADIUS server and create a username for the remote RADIUS</p><p>user. You can specify the type of authentication and select the user role to assign to the account, either</p><p>Administrator, Sponsor, or User.</p><p>Once created, you have the option to perform the following tasks on one or more accounts at the same time:</p><p>• Re-enable user accounts in the event they are disabled.</p><p>• Migrate RADIUS users to LDAP users.</p><p>• Set whether FortiAuthenticator should force token-based authentication (if configured) or whether it should</p><p>bypass it.</p><p>You also have the option to edit or delete any remote RADIUS user account.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 91</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 92</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Good job! You now understand how to configure remote authentication servers.</p><p>Now, you will learn how to configure LDAP and RADIUS services.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 93</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives shown on this slide.</p><p>By demonstrating competence in configuring LDAP and RADIUS services, you will be able to set up the</p><p>FortiAuthenticator as a RADIUS or LDAP server.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 94</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>When you configure the LDAP service on FortiAuthenticator, you must specify the LDAP server certificate</p><p>settings on the General page. This includes configuring:</p><p>• The certificate that the server will present</p><p>• The certificate authority (CA) type (that is, whether it is a Local CA or Trusted CA)</p><p>• The CA certificate that issued the server certificate</p><p>The LDAP User Auto Provisioning settings allow you to select which users are automatically provisioned</p><p>(added to), the FortiAuthenticator LDAP directory structure. In the example shown on this slide, the user</p><p>user1, was manually created in the GUI as a local user. User1 was then auto provisioned to selected</p><p>container in the directory tree. Users can be auto provisioned when they are created using any of the following</p><p>four methods:</p><p>• GUI (Manually created local users)</p><p>• GUI (Imported local users)</p><p>• Self-registration</p><p>• API</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 95</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Another item you must configure is the LDAP directory tree. The directory tree includes a root distinguished</p><p>name (dn) and subordinate objects such as containers and leafs.</p><p>The root dn is the top level of the LDAP directory, such as dc=training,dc=lab, and there can be only one.</p><p>Everything else in your directory branches off the root dn. Choose a dn that makes sense for your</p><p>organization.</p><p>Place subordinate objects under the root dn. The objects you add depend on your requirements. Click the</p><p>green plus icon next to the root dn to add objects. In the example shown on this slide, the object is an</p><p>organizational unit (ou) container people.</p><p>Note that if your organization changes their structure or expands, you can move the branch in the LDAP</p><p>directory tree. Click and drag the branch from its current location to its new location.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 96</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This is an example of a simple LDAP hierarchy, where all user account entries reside at the organization unit</p><p>(ou) level, just below dc.</p><p>You must configure the FortiGate device (acting as an LDAP client) requesting authentication to address its</p><p>request to the correct part of the hierarchy, where user records exist. This is the distinguished name (dn). In</p><p>this example, the dn is ou=people,dc=training,dc=lab.</p><p>The authentication request must also specify the particular user account entry. This can be either the common</p><p>name (cn) or, on a computer network, the user ID (uid), because that is the information users use to log in.</p><p>Note that if the object name includes a space, such as John Smith, you must enclose the text with double</p><p>quotation marks. For example: cn=“John Smith”.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 97</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You must add user entries at the appropriate place in the LDAP tree. Using the previous example, this would</p><p>be under ou=people. In the Class drop-down list, select Local User (uid), and then move the users that</p><p>appear in the Available Users list (left) to the Chosen Users list (right). The users must already be defined in</p><p>the FortiAuthenticator user database.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 98</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After you have defined the LDAP tree, you can configure FortiGate to access FortiAuthenticator as an LDAP</p><p>server and authenticate users.</p><p>On your FortiGate device, click User & Device > Authentication > LDAP Server, and then create a new</p><p>LDAP server with the FortiAuthenticator LDAP server information.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 99</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Before getting into the specifics about the RADIUS service on FortiAuthenticator, take a moment to review</p><p>what RADIUS is. RADIUS is a standard protocol that provides AAA services.</p><p>When a user is authenticating, the client (for example, FortiGate) sends an Access-Request packet to the</p><p>RADIUS server (for example, FortiAuthenticator). The reply from the server will be one of the following:</p><p>• Access-Accept, which means that the user credentials are valid</p><p>• Access-Reject, which means that the credentials are wrong</p><p>• Access-Challenge, which means that the server is requesting a secondary password ID, token, or</p><p>certificate. This is typically the reply from the server when using two-factor authentication.</p><p>Not all RADIUS clients support the RADIUS challenge method.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 100</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>A RADIUS client on FortiAuthenticator is just a network access server (NAS) using a RADIUS infrastructure. It</p><p>provides some level of access to a larger network. The client sends connection requests and accounting</p><p>messages to a RADIUS server for authentication, authorization, and accounting.</p><p>You can add RADIUS clients on the Clients page. FortiAuthenticator sends answers only to the RADIUS</p><p>clients on this list. For example, for FortiAuthenticator to accept RADIUS authentication requests from</p><p>FortiGate, you must register the FortiGate as an authentication client on FortiAuthenticator. You must include</p><p>the IP of the client and the shared secret.</p><p>FortiAuthenticator allows both RADIUS and remote authentication for RADIUS authentication client entries.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 101</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>RADIUS policies allow you to define the way RADIUS client requests are addressed by FortiAuthenticator.</p><p>A</p><p>RADIUS policy can be applied to any number of RADIUS clients, and the RADIUS clients can be assigned to</p><p>multiple polices. The RADIUS clients tab provides you the ability to name the policy and select which RADIUS</p><p>clients will have their requests processed by that policies settings.</p><p>The RADIUS attributes criteria allows you to key on specific attributes within authentication requests before</p><p>the request is processed. The request can then be ignored, if it does not contain the required attributes.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 102</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can include RADIUS clients in any number of RADIUS policies, and you can prioritize policies. Matching</p><p>RADIUS attributes can provide granularity during policy evaluation. The RADIUS request is processed as</p><p>defined by the matching policy with the highest priority. You can adjust the policy priority by clicking the</p><p>arrows in the Priority column.</p><p>In the example shown on this slide, users authenticating through M-FortiGate-1, and connecting to the</p><p>Contractor SSID, would have their credentials validated based on the ManchesterContractor policy. All</p><p>other users connecting through that FortiGate would get the ManchesterPolicy. All users connecting through</p><p>the Corp-FortiGate would be authenticated using the Fortigate_Default policy.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 103</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The Authentication type tab allows you to set the desired security protocol to one of the following:</p><p>• Password/OTP authentication: Allows for password or one time password (OTP) authentication. EAP</p><p>can be enabled for this option and limited to one or more EAP protocols (PEAP, EAP-TLS, EAP-GTC,</p><p>EAP-MSCHAPv2)</p><p>• MAC authentication bypass (MAB): Provides the option to authenticate based on MAC address, and can</p><p>offer a solution for non-802.1x capable devices.</p><p>• Client Certificates (EAP-TLS): Provides authentication through client certificates.</p><p>The Identity source tab can define the username format and any desired realms. Groups can be filtered for a</p><p>more granular end user designation.</p><p>Note that If you want to authenticate users in an Active Directory environment, enable the Windows Active</p><p>Directory Domain Authentication option on the LDAP server configuration screen and enter the required</p><p>Windows AD domain controller information. You can then configure your RADIUS client to specify whether</p><p>authentication is available for all Windows AD users, or only for Windows AD users who belong to specific</p><p>groups that you select.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 104</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The Authentication factors tab provides you the ability to define the allowed authentication methods, and the</p><p>RADIUS response tab summarizes the configuration for successful and failed results.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 105</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The FortiAuthenticator RADIUS service also employs the concept of realms. Realms allow multiple domains</p><p>to authenticate to a single FortiAuthenticator device and support both LDAP and RADIUS remote servers.</p><p>Each realm is associated with a name, such as a domain or company name, that is used during the login</p><p>process to indicate the remote (or local) database in which the user resides.</p><p>For example, if you are a service provider that hosts multiple domains and you want each domain to have</p><p>different permissions, you can set up a realm on FortiAuthenticator for each domain. So even though each</p><p>domain is using the same RADIUS client, realms allow you to control access and permissions.</p><p>You can create realms on the Realms page.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 106</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>The connection between RADIUS clients and the server used for authentication is defined by the RADIUS</p><p>policy. The diagram shown on this slide visually represents the relationship. It illustrates that the RADIUS</p><p>client points to FortiAuthenticator, and based on the RADIUS policy, FortiAuthenticator validates the</p><p>authentication request. RADIUS policy-3 has been configured with multiple realms, and the AD realm has</p><p>been further filtered to a specific group. Users without a realm appended to the user name are authenticated</p><p>against the default realm (internal DB). Users with the AD realm appended to the username, are authenticated</p><p>against the Active Directory, and must be a member of the designated group (StandardUsers).</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 107</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>You can designate the ports FortiAthentictor uses for the different RADIUS services. The example shown on</p><p>this slide displays the default values.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 108</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 109</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>Congratulations! You have completed this lesson.</p><p>Now, you will review the objectives that you covered in this lesson.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 110</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>This slide shows the objectives that you covered in this lesson.</p><p>By mastering the objectives covered in this lesson, you learned how to administer user account policies and</p><p>management settings, and how to authenticate users through LDAP and RADIUS as well as the self-service</p><p>portal.</p><p>Administering and Authenticating Users</p><p>FortiAuthenticator 6.4 Study Guide 111</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will learn how to manager user account policies and management settings, , configure the</p><p>self-service portal, and troubleshoot authentication issues.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 112</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>In this lesson, you will explore the topics shown on this slide.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 113</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>After completing this section, you should be able to achieve the objectives on this slide.</p><p>By demonstrating competence in configuring user account policies, you will be able to understand the lockout</p><p>policy settings, password policy settings, and configure the custom user fields.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 114</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>On the General Settings page, you can configure some user account settings. You can:</p><p>• Automatically purge disabled user accounts at a scheduled time (for example, weekly at 2 AM) and purge</p><p>users that were disabled for any of the following reasons: They were manually disabled, they were</p><p>inactive, or their account expired.</p><p>• Discard stale RADIUS authentication requests.</p><p>• Look up geo-location based on user IP address.</p><p>Managing Users and Troubleshooting Authenticatoin</p><p>FortiAuthenticator 6.4 Study Guide 115</p><p>DO NOT REPRINT</p><p>© FORTINET</p><p>FortiAuthenticator allows you to lock a user account after repeated unsuccessful attempts to log in, which may</p><p>indicate an attempt at unauthorized access. You can configure the lockout policy settings on the Lockouts</p><p>page by selecting Enable user account lockout policy setting. By default, users are locked out after three</p><p>failed login attempts. If you decide to change the default value, ensure it provides room for human error, while</p><p>still securing your network from attacks. Usually, from three to five attempts are used. It is advised to enable a</p><p>lockout policy.</p><p>Along with enabling a lockout policy, you have the option to specify a lockout period. The default is set to 60</p><p>seconds (that is, users are locked out for 60 seconds after three failed login attempts), but you can set it to</p><p>between 60 and 86,400 seconds. If you disable this setting,</p>

Mais conteúdos dessa disciplina