FortiAuthenticator Administration Guide (source: docs.fortinet.com/uploaded/files/1283/fortiauthenticator-admin-10.pdf)

Administration Guide

FortiAuthenticator 1.0


FortiAuthenticator: Administration Guide

17 June 2011

23-100-144822 -20110617

for FortiAuthenticator 1.0

© Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

The symbols ® and ™ denote respectively federally registered trademarks and unregistered trademarks of Fortinet, Inc., its subsidiaries and affiliates including, but not limited to, the following names: Fortinet, FortiGate, FortiOS, FortiASIC, FortiAnalyser, FortiSwitch, FortiBIOS, FortiLog, FortiVoIP, FortiResponse, FortiManager, FortiWiFi, FortiGuard, FortiReporter, FortiClient, FortiLog, APSecure, ABACAS. Other trademarks belong to their respective owners.

Contents

FortiAuthenticator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Registering your Fortinet product . . . . . . . . . . . . . . . . . . . . . . . . . . 6

FortiAuthenticator initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Users and user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

FortiAuthenticator and FortiOS users . . . . . . . . . . . . . . . . . . . . . . . . 8

Monitoring users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Users monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Password Recovery Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

User password recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

FortiTokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

FortiAuthenticator and FortiTokens . . . . . . . . . . . . . . . . . . . . . . . . 10

FortiToken maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

NAS and RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Remote LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

FSSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Communicating with FortiGate units . . . . . . . . . . . . . . . . . . . . . . . . 13

Communicating with Domain Controllers. . . . . . . . . . . . . . . . . . . . . . 15

System maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Upgrading the firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Backing up and restoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Search button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Log entry order. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Log Type Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

FortiGate authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

FortiAuthenticator settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

FortiGate settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Index 19



FortiAuthenticator


FortiAuthenticator is an Authentication, Authorization, and Accounting (AAA) server that includes a RADIUS server and an LDAP server. It is not a firewall, and it requires a FortiGate unit to provide firewall-related services. AAA servers make up an important part of an enterprise network by providing access to protected network assets and tracking users' activities to comply with security policies.

FortiAuthenticator provides an easy-to-configure remote authentication option for FortiGate users. It centralizes authentication and FortiToken maintenance. Additionally, it replaces the FSSO Agent on a Windows AD network.

Multiple FortiGate units can use a single FortiAuthenticator for FSSO, remote authentication, and FortiToken management.

FortiAuthenticator is a server and can be isolated on a separate network interface, such as the DMZ interface, to enable server related firewall protection.

Figure 1: FortiAuthenticator on a multiple FortiGate unit network

The following topics are included in this section:

• Initial setup

• Users and user groups

• FortiTokens

• NAS and RADIUS

• LDAP

• FSSO

• System maintenance

• Troubleshooting


Initial setup

The following procedures assume your local subnet is 192.168.1.0/255.255.255.0, and the FortiAuthenticator will be set to 192.168.1.99. The default gateway on the subnet is 192.168.1.2. In Figure 2, this is the dmz interface on the FortiGate unit. Substitute your own addresses for these as required.

Figure 2: Basic FortiAuthenticator initial setup

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.

FortiAuthenticator initial setup

Before the initial setup of FortiAuthenticator, there are some requirements for your network:

• One or more configured FortiGate units

• Security policies that allow traffic between the client network and the subnet of the FortiAuthenticator

• Ensure the following ports are open through all security policies: port 8000 (FSSO), ports 389 and 636 (LDAP), and 1812 (RADIUS) in addition to the usual HTTP, HTTPS, telnet, SSH, Ping, and other ports you may choose to allow.

To initially set up FortiAuthenticator hardware

1 Connect the port1 interface on the FortiAuthenticator to your local subnet.

Its default IP address is 192.168.1.99 /24.

2 Power on the FortiAuthenticator.

3 Using your internet browser, go to http://192.168.1.99.

4 Log on using admin as the username. There is no password.

5 Go to Network > Default Gateway.

6 Select the gateway entry for the port1 interface.


7 Set the gateway IP address to the correct value for your subnet.

Generally the gateway IP address will be your FortiGate unit.

8 Go to Network > DNS.

9 Enter your primary and secondary name servers.

10 Go to Dashboard > Status.

11 Go to System Information > System Time, and select Change.

12 Select the Time zone from the list that applies to your location.

13 Either enable NTP or set the date/time manually.

Enter new time and date by either typing it manually, selecting Today or Now, or select the calendar or clock icons for a more visual method of setting the date and time.

14 Select OK.

15 If the FortiAuthenticator is connected to additional subnets, configure port2 through port4 as required by:

• going to Network > Interface to set the IP address and subnet mask for each interface.

• going to Network > Default Gateway to set the gateway for each interface as required.

Users and user groups

In FortiOS the two types of users are local and remote. Local users are authenticated on the FortiGate unit without requiring access to an external server. Remote user authentication requires the use of an LDAP, RADIUS, or TACACS+ server. FSSO users use LDAP and RADIUS to authenticate as well. FortiAuthenticator can replace all those remote servers, except TACACS+.

FortiAuthenticator has the added benefit of being able to associate additional information with each user, as you would expect of RADIUS and LDAP servers. This information includes: whether the user is an administrator, whether the user uses RADIUS authentication, whether the user uses FortiToken two-factor authentication, personal information such as first and last name and address, password recovery options, and of course which groups the user belongs to.

The RADIUS server on FortiAuthenticator is configured using default settings. For a user to authenticate using RADIUS, the option Uses RADIUS Authentication must be selected for that user’s entry, and the authenticating client must be added to the NAS list. See “NAS and RADIUS” on page 11.

Note: If you will be using FortiTokens, Fortinet strongly recommends using NTP. FortiTokens require an accurate system clock.


Administrators

Administrator accounts on FortiAuthenticator are standard user accounts that are flagged as administrators.

Once flagged as an administrator, a user account’s administrator privileges can be set to either full access or customized to select their administrator rights for different parts of FortiAuthenticator. There are log events for administrator configuration activities.

FortiAuthenticator and FortiOS users

The following are the steps to use FortiAuthenticator to authenticate users on a FortiGate unit. The FortiAuthenticator can authenticate users for multiple FortiGate units.

1 The FortiAuthenticator is configured as an LDAP server on the FortiGate unit. See “LDAP” on page 11.

2 A user account is created on the FortiGate unit called test, and is associated with the FortiAuthenticator LDAP server.

3 User test is added to a group called test_group of other users who authenticate using the same LDAP server.

4 An identity based security policy is created for test_group. When a member of this group wants to access the Internet, they must first authenticate.

5 When this authentication challenge occurs, the FortiGate unit verifies the user’s information on the FortiAuthenticator LDAP server.

6 If the user cannot remember their password, they have the option of password recovery through the FortiAuthenticator. See “Password Recovery Options” on page 9.

7 Once authenticated, the user can access the Internet.

Monitoring users

There are two methods for monitoring or tracking users that are logged on — on the dashboard, and with the Users monitor.

Dashboard

On the dashboard there are two user related widgets.

The Authentication Activity widget is a graph that tracks the number of logons over time. It can display all logons, failed only, successful logons only, or a combination of all three. Multiple occurrences of this widget can be displayed on the dashboard, and configured individually.

The User Inventory widget displays the total number of configured users, groups, and FortiTokens. It also tracks the number of disabled users and FortiTokens.

Users monitor

To see the users monitor, go to Authentication > Monitor > Users.

The users monitor displays a list of currently logged on FSSO users and their information.


Password Recovery Options

FortiAuthenticator allows password recovery for all users that configure a security question and email address. This option is not available in FortiOS.

To configure multiple password recovery email addresses

1 Go to Authentication > Users > Users.

2 Select and edit the chosen user.

3 Expand User Information, and enter the user’s email address.

4 Expand Password Recovery Options.

5 Select Email, and select Manage alternative emails.

6 Enter up to three additional email addresses for this user.

These email addresses will be used to contact this user for password recovery operations if needed. In the event of password recovery, the email message is sent to all configured email addresses — both the user information email address and the alternative email addresses.

7 Select OK.

To configure a password recovery security question

1 Go to Authentication > Users > Users.

2 Select and edit the chosen user.

3 Expand Password Recovery options.

4 Select Security Question, and select Edit.

5 Choose one of the questions in the list. If you choose to write your own question, a custom question field will be displayed where you can enter your question.

6 Enter the answer for your question.

7 Select OK.

User password recovery

When a user is authenticating, if they cannot remember their password they have the option to recover their password. Once configured, user password recovery involves the following steps.

To recover a user password

1 The user browses to the IP address of the FortiAuthenticator.

Security policies must be in place on the FortiGate unit to allow these sessions to be established.

2 Select Forgot my password.

3 Choose to recover by either Username, or Email.

4 Enter either your username or email as selected in the previous step.

This information is used to select the user account. If your information does not match a user account, a message will be displayed stating the password recovery cannot be completed and to contact your site administrator.

5 If the user account has password recovery preferences selected, you will be taken directly to the option selected.


6 If the user account has no password recovery preferences selected, the following message will be displayed. The user does not have the option to set it up.

We are unable to complete your request for the following reasons:

• We don't have enough information to reset your password. Please contact your site administrator.

7 If send a secure link was selected, the new password is sent to the email address associated with that user account.

8 If answer the question was selected, answer the question displayed correctly.

9 Once the question is answered correctly, you will be prompted to enter your new password twice and select OK.

Once the password has been reset, the user can return to typical authentication.

FortiTokens

The standard logon requires only a username and password. This is one-factor authentication. Two-factor authentication adds the requirement for another piece of information for your logon. Generally the two factors are something you know (password) and something you have (certificate, token). This makes it harder for a hacker to steal your logon information. For example, if you have a FortiToken device, the hacker would need to both use it and know your password to gain entry to your account.

FortiToken is a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six digit authentication code. This code is entered with a user’s username and password as two-factor authentication. The code displayed changes every 60 seconds. When not in use the LCD screen is blanked to extend the battery life.

FortiTokens have a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around the neck, or easily stored with other electronic devices. Do not put the FortiToken on a key ring as the metal ring and other metal objects can damage it. The FortiToken is an electronic device like a cell phone and should be treated with similar care.

For more information about FortiTokens and FortiOS, see the User and User Groups chapter of the User Authentication guide.

FortiAuthenticator and FortiTokens

With FortiOS, FortiToken serial numbers must be entered to the FortiGate unit, which then contacts FortiGuard servers to verify the information before activating them. If you want to add the same FortiToken to multiple FortiGate units, this process must be repeated for each.

FortiAuthenticator acts as a repository for all FortiTokens used on your network — it is a single point of registration and synchronization for easier installation and maintenance.

When entering FortiToken serial numbers on the Create New screen, if there are multiple numbers to enter select the + icon to switch to a multiple line entry box. Drag the lower right corner of the box to change the size to suit your needs.

Note: Two-factor authentication does not work with FortiOS explicit proxies.


FortiToken maintenance

Once entered, the FortiToken can be disabled, re-enabled, or synchronized from the edit screen. Disable a FortiToken when it is reported lost or stolen. Re-enable it when it is recovered, or delete it otherwise. Synchronize is used to synchronize the FortiAuthenticator and FortiToken clocks so they are providing and expecting the same token code. Fortinet recommends synchronizing all new FortiTokens.
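The guide describes a FortiToken as a six-digit code that changes every 60 seconds and says the FortiAuthenticator and token clocks must be synchronized so both produce and expect the same code. The following Python is an added illustration, not Fortinet's code: it models that behaviour with an OATH-style HMAC-SHA1 time-based OTP (an assumption; the page does not describe FortiToken's actual algorithm) and shows a verifier with a one-step tolerance window, the resynchronization step for a drifted token, and rejection of a replayed code. The secret and timestamps are constructed.

```python
import hashlib
import hmac
import struct

# Added example, not Fortinet code. The guide says a FortiToken shows a six-digit
# code that changes every 60 seconds and that the server and token clocks must be
# kept in sync. This models that with an OATH-style HMAC-SHA1 time-based OTP;
# the real FortiToken algorithm is not described on the page (assumption).

STEP_SECONDS = 60   # code lifetime stated in the guide
DIGITS = 6          # code length stated in the guide


def otp_code(secret: bytes, counter: int) -> str:
    """HMAC-based OTP with dynamic truncation for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def token_display(secret: bytes, token_clock: int) -> str:
    """What the hardware token shows when its own (possibly drifting) clock reads token_clock."""
    return otp_code(secret, token_clock // STEP_SECONDS)


class TokenRecord:
    """Server-side state for one registered token."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift_steps = 0     # token-minus-server offset learned by synchronize()
        self.last_counter = -1   # highest step already accepted (replay protection)


def verify(record: TokenRecord, code: str, server_clock: int, window: int = 1) -> bool:
    """Accept `code` if it matches the current step (corrected for known drift)
    or one step either side; every step counter can succeed only once."""
    base = server_clock // STEP_SECONDS + record.drift_steps
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= record.last_counter:
            continue  # already consumed, or older than a code already accepted
        if hmac.compare_digest(otp_code(record.secret, counter), code):
            record.last_counter = counter
            return True
    return False


def synchronize(record: TokenRecord, code1: str, code2: str,
                server_clock: int, search_steps: int = 50) -> bool:
    """Resynchronize a drifted token from two consecutive codes: find the offset at
    which both codes line up, record it, and mark those steps as consumed."""
    now = server_clock // STEP_SECONDS
    for delta in range(-search_steps, search_steps + 1):
        if (otp_code(record.secret, now + delta) == code1
                and otp_code(record.secret, now + delta + 1) == code2):
            record.drift_steps = delta
            record.last_counter = now + delta + 1
            return True
    return False


if __name__ == "__main__":
    # Constructed demo: the token's clock runs 10 minutes fast, so codes are
    # rejected until the admin synchronizes it with two consecutive codes.
    secret = b"constructed-demo-secret-not-a-real-seed"
    server = 1_700_000_000
    token = server + 600
    record = TokenRecord(secret)
    print("before sync:", verify(record, token_display(secret, token), server))
    synchronize(record, token_display(secret, token),
                token_display(secret, token + 60), server)
    print("drift steps:", record.drift_steps)
    print("after sync: ", verify(record, token_display(secret, token + 120), server + 120))
```

The same mechanism is why the guide insists on NTP: without an accurate server clock every token on the network appears drifted at once.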

NAS and RADIUS

A network access server (NAS) is a device that can authenticate using the FortiAuthenticator; a FortiGate unit is an example of a NAS. A NAS is a gateway that protects parts of the network and requires authentication to gain access to what it protects. NAS devices are commonly used with Authentication, Authorization, and Accounting (AAA) servers. Every device that will use FortiAuthenticator for authentication must have a NAS entry.

Every time there is a change to the list of NAS entries two log messages are generated — one for the NAS change, and one to state that the RADIUS server was restarted to apply the NAS change.

When a user is configured on FortiAuthenticator, there is an option to authenticate the user using the RADIUS database. There is a RADIUS server already configured and running on the FortiAuthenticator server. It is set up using default values. For a computer or other external device to access the RADIUS server on the FortiAuthenticator, that device must have a NAS entry.

FortiAuthenticator allows both RADIUS and remote LDAP authentication for NAS entries.

To configure a NAS

1 Go to Authentication > NAS > NAS.

2 Select Create New.

3 Enter the Name, Server name/IP, and description for the NAS unit.

4 Enter the shared secret to be used with the RADIUS server.

5 If remote LDAP authentication is to be used, enable it and select the configured remote LDAP server from the list. If the server is not listed, create it. See “Remote LDAP” on page 12.

6 Select OK.

LDAP

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network.

To configure LDAP, go to Authentication > LDAP > Directory Tree.

Configure the LDAP tree for your organization, or just the branches that will be used for this FortiAuthenticator. Keep in mind that multiple FortiGate units can use a single FortiAuthenticator for LDAP authentication. While each FortiGate may use only one branch of the LDAP tree, the FortiAuthenticator may benefit from being configured with the whole tree.


An example hierarchy is the top level organization (o) common name such as “cn=fortinet, cn=com”. This would be followed by country (c), organizational unit (ou), group (cn), and user (uid).

For more information on LDAP, see the Servers chapter of the User Authentication guide.

Remote LDAP

If you already have an LDAP server or servers configured on your network, FortiAuthenticator can connect with them for remote authentication much like FortiOS remote authentication.

To create a new remote LDAP server entry

1 Go to Authentication > Remote > LDAP.

2 Select Create New.

3 Enter the following information.

4 Enter the username and security token (FortiToken) for all remote LDAP users of this server. Select Add another Remote Ldap User to add more users.

5 Select OK.

FSSO

The Fortinet Single Sign On (FSSO) agent connects FortiGate security appliances to the corporate authentication servers, such as Microsoft Active Directory and Novell E-Directory, allowing security policies to be defined on the FortiGate unit based on the user information residing on the corporate authentication servers. FSSO, a component installed on the authentication server or a standalone server, provides user authentication information to the FortiGate unit so users can automatically gain access to the permitted resources with a single sign on. Older versions were called Fortinet Server Authentication Extension (FSAE).

FortiAuthenticator acts as the FSSO Agent, or Controller Agent. It can only be configured in polling mode, not DCAgent mode.

For more information on FSSO, see the FSSO integration with Windows AD chapter of the User Authentication guide.

Remote LDAP server fields (step 3 of the Remote LDAP procedure above):

Name: Enter the name for the remote LDAP server on FortiAuthenticator.

Server name/IP: Enter the IP address or FQDN for this remote server.

Common name identifier: The identifier used for the top of the LDAP directory tree as it applies to FortiAuthenticator users. This may be the top of the tree, or only a smaller branch of it. cn is the default, and is used by most LDAP servers.

Distinguished name: Enter the DN for the top of the LDAP tree or branch that applies to FortiAuthenticator users. Can be a maximum of 512 characters.

Bind Type: The Bind Type determines how the authentication information is sent to the server. Select either Simple or Regular.

• Simple — bind using the user’s password, which is sent to the server in plaintext without a search.

• Regular — bind using the user’s DN and password, and then search.

If the user records fall under one directory, you can use the Simple bind type. Regular is required to allow a search for a user across multiple domains.
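To make the Simple versus Regular distinction concrete, here is an added Python model (not FortiAuthenticator code) with a constructed in-memory directory standing in for an LDAP server: Simple bind assembles the DN from the common name identifier and the base DN and binds with the user's password directly, so a user stored under another branch is never found; Regular bind authenticates with a configured bind DN and password, searches the subtree for the login name, then binds as the entry found. The service account, entries and passwords are assumptions.

```python
from dataclasses import dataclass, field

# Added example, not FortiAuthenticator code. A tiny in-memory directory stands in
# for an LDAP server so the two bind types from the Remote LDAP table can be
# compared offline. Entries, DNs and passwords are constructed.


@dataclass
class Entry:
    dn: str
    password: str
    attrs: dict = field(default_factory=dict)


class Directory:
    """Minimal LDAP stand-in: entries keyed by DN, a bind operation and a subtree search."""

    def __init__(self, entries):
        self.entries = {e.dn.lower(): e for e in entries}

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn.lower())
        return entry is not None and entry.password == password

    def search(self, base_dn: str, attr: str, value: str):
        base = base_dn.lower()
        return [e for e in self.entries.values()
                if (e.dn.lower() == base or e.dn.lower().endswith("," + base))
                and e.attrs.get(attr) == value]


def simple_bind(directory: Directory, cnid: str, base_dn: str,
                username: str, password: str) -> bool:
    """Simple: the DN is assembled from the common name identifier and the base DN
    and the user's password is sent straight to the server. No search, so a user
    stored under a different branch can never be found."""
    user_dn = f"{cnid}={username},{base_dn}"
    return directory.bind(user_dn, password)


def regular_bind(directory: Directory, bind_dn: str, bind_pw: str, cnid: str,
                 base_dn: str, username: str, password: str) -> bool:
    """Regular: bind with the configured DN and password, search the subtree for the
    login name, then bind as the entry found. Works across branches (domains) and
    refuses ambiguous results rather than guessing."""
    if not directory.bind(bind_dn, bind_pw):
        return False
    hits = directory.search(base_dn, cnid, username)
    if len(hits) != 1:
        return False
    return directory.bind(hits[0].dn, password)


# Constructed directory: alice under ou=people, bob under a separate branch.
SERVICE_DN = "cn=svc-fortiauth,ou=services,dc=example,dc=com"
SERVICE_PW = "constructed-service-password"
DIRECTORY = Directory([
    Entry(SERVICE_DN, SERVICE_PW),
    Entry("cn=alice,ou=people,dc=example,dc=com", "alice-pw", {"cn": "alice"}),
    Entry("cn=bob,ou=people,dc=branch,dc=example,dc=com", "bob-pw", {"cn": "bob"}),
])

if __name__ == "__main__":
    people = "ou=people,dc=example,dc=com"
    print("simple alice:", simple_bind(DIRECTORY, "cn", people, "alice", "alice-pw"))
    print("simple bob:  ", simple_bind(DIRECTORY, "cn", people, "bob", "bob-pw"))
    print("regular bob: ", regular_bind(DIRECTORY, SERVICE_DN, SERVICE_PW, "cn",
                                        "dc=example,dc=com", "bob", "bob-pw"))
```

Either way the user's password travels to the server in the bind, which is why the plaintext note in the table matters when Secure Connection is left unchecked.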


Figure 3: FSSO topology with FortiAuthenticator

Communicating with FortiGate units

In an FSSO topology, the FortiGate units provide the firewall which acts as the authentication trigger. The FortiAuthenticator communicates logon information from the domain controllers to the FortiGate units by polling the controllers.

Compared to the FSSO Collector agent, the FortiAuthenticator is easier to configure, contains both an LDAP and a RADIUS server, and performs additional functions.

The following procedure assumes the FortiGate already has a NAS entry on the FortiAuthenticator. See “NAS and RADIUS” on page 11.


To configure FortiAuthenticator to communicate with FortiGate units

1 Go to Authentication > Directory Service > General.

2 Select and edit the following fields.

Enable Authentication: Set to 1.

FortiGate listening port: Leave at 8000 unless your network requires you to change this. Ensure this port is allowed through the firewall.

Log file path: Leave at the default. If you need to test or troubleshoot a configuration, change the log file path to generate a new smaller log file.

Secret key: Set to fortinet. This is the password that will be used when configuring the FSSO Agent on the FortiGate unit.

User Login Expiry (in minutes): 300. This will allow FSSO users to remain logged in for up to five hours before the system logs them off automatically.

3 On the FortiGate units, go to User > Remote > LDAP.

4 Enter the following information, and select OK.

Name: FortiAuthentLDAP. Enter a unique name to describe the FortiAuthenticator.

Server Name/IP: 192.168.1.99. As configured for your network. See “Initial setup” on page 6.

Server port: 389. Leave this at default. FortiAuthenticator uses default values for LDAP and RADIUS servers. Ensure this port is open on the firewall.

Common Name Identifier: cn. Change this to match your LDAP directory tree.

Distinguished Name: cn=example,cn=com. Generally this is the top level of your tree, or the branch of your tree that will be authenticated using this FortiGate unit. Use the browse button to ensure you have a connection to the FortiAuthenticator. If not, check your information.

Bind Type: Simple.

Secure Connection: Leave unchecked.

5 Go to User > Single Sign-On > FSSO Agent.

6 Enter the following information, and select OK.

Name: FortiAuthentFSSO. Once you select OK, this entry must be deleted to change the Name.

FSSO Agent IP/Name: 192.168.1.99. As configured for your network. See “Initial setup” on page 6.

Port: 8000. Use the value set on the FortiAuthenticator. Ensure this port is open on the firewall.

Password: fortinet. This is the secret key entered on the FortiAuthenticator.

LDAP Server: enable, FortiAuthenticator. Enable LDAP server, and select FortiAuthenticator from the list.


Communicating with Domain Controllers

As the FSSO Controller agent, FortiAuthenticator polls the Windows AD Domain Controllers for logon event information. Each Domain Controller that will be polled must be configured on the FortiAuthenticator.

You can disable a Domain Controller entry without removing its configuration. This is useful when testing, troubleshooting, or moving controllers within your network.

To add a domain controller to FortiAuthenticator

1 Go to Authentication > Directory Service > Domain Controllers.

2 Enter the following information, and select OK.

3 Repeat step 2 for each Domain Controller FortiAuthenticator will be polling.

System maintenance

System maintenance tasks are limited to changing the firmware, and backing up or restoring the configuration file.

This section includes:

• Upgrading the firmware

• Backing up and restoring

• Logging

• CLI commands

Upgrading the firmware

To upgrade the firmware, you must first register your FortiAuthenticator with Fortinet. See “Registering your Fortinet product” on page 6.

To upgrade FortiAuthenticator firmware

1 Download the latest firmware to your local computer from the Fortinet Technical Support web site, https://support.fortinet.com.

2 On FortiAuthenticator, go to System > Maintenance > Firmware.

3 Select Browse, and locate the new firmware image on your local computer.

4 Select OK.

When you select OK, the new firmware image will upload from your local computer to the FortiAuthenticator, which will then reboot. You will experience a short period of time during this reboot when the FortiAuthenticator is offline and unavailable for authentication.

Domain Controller fields (step 2 of the domain controller procedure above):

NetBIOS Name: Enter the name of the Domain Controller as it appears in NetBIOS.

Display Name: A unique name to easily identify this Domain Controller.

Network Address: Enter the IPv4 address of this controller.

Account: Enter the account name used to access logon events. This account should have administrator rights. To use a non-administrator account, see the FSSO chapter of the User Authentication guide.

Password: Enter the password for the Account selected above.


Backing up and restoring

You can back up the configuration of the FortiAuthenticator to your local computer. The backup file is encrypted, so its contents cannot be read or edited outside the unit. The backup includes both the CLI and web-based manager configuration, and therefore the credentials the unit stores (for example the Domain Controller account password and the RADIUS shared secrets of the NAS entries); store the backup file with the same care as those credentials. Take a backup before upgrading the firmware and before running factory-reset, and confirm that a backup can be restored before you rely on it.

Logging

Accounting is a large part of any AAA server, and the same is true with FortiAuthenticator. Logging provides a record of the events that have taken place on the FortiAuthenticator.

The Logs page has controls to help you find the information you are looking for in your logs.

Search button

You can enter a string to search for in the log entries. The string must appear in the Message portion of a log entry for that entry to match.

Each unquoted keyword is matched separately. To search for a phrase, enclose the words in quotes; the quoted text must then appear exactly as written.

When the search completes, the number of matching entries is displayed next to the Search button, with the total number of log entries in parentheses after it. Select the total number of log entries to return to the full list. Each search is run against all log entries, not just the previous search’s matches.

Log entry order

You can change the order used to display the log entries. To sort the log entries by a particular column, such as Timestamp, select the title for that column. The log entries will now be displayed based on data in that column in ascending order. Ascending or descending is displayed with an arrow next to the column title — up arrow for ascending, and down arrow for descending.
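The search and sort behaviour described above, as an added example that is not part of this guide or of the FortiAuthenticator product: the log entries, their field names and their message texts are constructed for the example, and the reading of “matched separately” as “an entry matches if any unquoted term appears in its Message” is an assumption. The last function goes a step beyond the page and shows the kind of question a practitioner actually runs against the Authentication log, repeated failures per user.

```python
# Added example, not Fortinet code: a small model of the FortiAuthenticator Logs page
# search and sort semantics, run over constructed log entries.
from collections import Counter
import re

# Constructed sample entries. The four log types are the ones the guide names;
# the field names and message texts are assumptions for this example.
ENTRIES = [
    {"timestamp": "2011-06-17 09:01:12", "type": "Authentication", "user": "alice",
     "message": "RADIUS login succeeded"},
    {"timestamp": "2011-06-17 09:01:30", "type": "Authentication", "user": "bob",
     "message": "RADIUS login failed: invalid password"},
    {"timestamp": "2011-06-17 09:01:41", "type": "Authentication", "user": "bob",
     "message": "RADIUS login failed: invalid password"},
    {"timestamp": "2011-06-17 09:02:05", "type": "Authentication", "user": "bob",
     "message": "RADIUS login failed: account disabled"},
    {"timestamp": "2011-06-17 09:03:00", "type": "Admin Configuration", "user": "admin",
     "message": "NAS entry added for 10.0.0.1"},
    {"timestamp": "2011-06-17 09:04:22", "type": "System", "user": "",
     "message": "Firmware upgrade started"},
    {"timestamp": "2011-06-17 09:05:10", "type": "User Portal", "user": "carol",
     "message": "Password changed by user"},
]

# A quoted phrase is one term; anything else is split on whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_query(query):
    """Split a search string into terms. Quoted text stays together as one exact
    phrase; unquoted words become separate terms (the guide's "matched separately")."""
    return [p or w for p, w in _TOKEN.findall(query) if (p or w)]


def search(entries, query):
    """Return (matching entries, total entries), the two numbers the Logs page shows.
    Terms are matched only against the Message field. Case-insensitive substring
    matching and 'any term matches' are assumptions of this example."""
    terms = [t.lower() for t in parse_query(query)]
    hits = [e for e in entries if any(t in e["message"].lower() for t in terms)]
    return hits, len(entries)


def sort_entries(entries, column, descending=False):
    """Order entries by one column, as selecting a column title does
    (ascending on first selection, descending on the next)."""
    return sorted(entries, key=lambda e: e[column], reverse=descending)


def failed_logins_by_user(entries, threshold=2):
    """Practitioner addition: users with repeated failed Authentication events.
    Useful both for a 'cannot log in' ticket and for spotting password guessing."""
    auth_only = [e for e in entries if e["type"] == "Authentication"]
    hits, _ = search(auth_only, '"login failed"')
    counts = Counter(e["user"] for e in hits)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits, total = search(ENTRIES, '"login failed"')
    print("%d matches (%d)" % (len(hits), total))
    for e in sort_entries(hits, "timestamp", descending=True):
        print(e["timestamp"], e["user"], e["message"])
    print("repeated failures:", failed_logins_by_user(ENTRIES))
```

Note the difference between `"login failed"` (three matches, all bob’s) and `login failed` without quotes (four matches, because alice’s successful login also contains “login”); that is exactly the distinction the Search button documentation draws.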

Log Type Reference

There are Admin Configuration, Authentication, System, and User Portal events. Each of these have multiple log message types for each major event. To see the various types of log messages, go to Logging > Log Access > Logs and select Log Type Reference.

On this page, you can search for the exact text of a specific log message. The search will return any matches in any columns.


CLI commands

The FortiAuthenticator has a limited set of CLI commands, accessed through a Telnet session. Their purpose is to configure the unit initially, perform a factory reset, or reset the values if the web-based manager is inaccessible for some reason. Telnet sends the session, including anything you type, in clear text, so use it only from a directly connected or otherwise isolated management network, and set the port1 address so that you can move to the web-based manager as soon as possible.

set port1-ip <addr_ipv4mask> Enter the IPv4 address and netmask for the port1 interface. Once this port is configured, you can use the web-based manager to configure the remaining ports.

set default-gw <addr_ipv4> Enter the IPv4 address of the default gateway for this interface. This is the default route for this interface.

show Display the port1 IP address, netmask, and default gateway.

help Display the list of valid CLI commands.

exit Terminate the Telnet session.

reboot Perform a hard restart of the FortiAuthenticator unit. All sessions are terminated; the unit goes offline and there is a delay while it restarts.

factory-reset Reset the FortiAuthenticator settings to the factory defaults. This includes clearing the user database.

Note: factory-reset deletes all changes that you have made to the FortiAuthenticator configuration and reverts the system to its original configuration, including resetting interface addresses. Back up the configuration first if you may need any of it again.

Troubleshooting

Troubleshooting includes useful tips and commands to help deal with issues that may occur. For additional help, contact customer support.

FortiGate authentication

If you have issues when attempting authentication on FortiGate using the FortiAuthenticator, there are FortiAuthenticator settings and FortiGate settings to check.

In addition to these settings, you can use log entries, monitors, and debugging information to learn more about your authentication problems. For help with FortiAuthenticator logging, see “Logging” on page 16. For help with FortiGate troubleshooting, see the Troubleshooting and User Authentication chapters of the FortiOS Handbook.

FortiAuthenticator settings

When checking FortiAuthenticator settings, you should ensure that

• there is a NAS entry for the FortiGate unit. See “NAS and RADIUS” on page 11. Without a matching NAS entry the FortiAuthenticator does not answer the FortiGate at all, so the symptom is a timeout rather than a rejection.

• the user trying to authenticate has an account that is not disabled, and that the username and password are spelled as expected.

• the user account allows RADIUS authentication, if RADIUS is enabled on the FortiGate unit.

• the user account can be found in the LDAP directory tree.

• the user has membership in the expected groups.


FortiGate settings

When checking FortiGate settings, you should ensure that

• the user trying to authenticate has an account that is not disabled, and that the username and password are spelled as expected.

• the user has membership in the expected groups.

• there is a valid entry for the FortiAuthenticator as a remote RADIUS or LDAP server, with the same shared secret as the NAS entry on the FortiAuthenticator.

• there is a valid security policy that authenticates the user’s traffic.
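The two checklists above are easier to work through if you can separate “the FortiAuthenticator never answered” from “it answered and said no”. The following is an added example, not code from this guide or from Fortinet: it builds a RADIUS Access-Request with a PAP password as a FortiGate would send it (RFC 2865), verifies the Response Authenticator on the reply, and maps the three possible outcomes back to the checklist items. The server address, shared secret, user credentials and NAS IP address are assumptions for the example; the self-check builds the server’s reply locally so the block runs offline.

```python
# Added example, not Fortinet code: a minimal RFC 2865 Access-Request probe used to
# tell a missing NAS entry (timeout) from a shared-secret mismatch (bad Response
# Authenticator) from an account problem (Access-Reject). Standard library only.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does); used here as a self-check."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Return (packet, request_authenticator). A random authenticator is used unless given."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def verify_response(response, request_authenticator, secret):
    """RFC 2865 section 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply that fails this check was produced with a different shared secret."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return response[4:20] == expected


def build_response(code, request, secret):
    """Server side, for the offline self-check: a reply with no attributes."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def interpret(response, request_authenticator, secret):
    """Map the outcome of one probe onto the FortiAuthenticator/FortiGate checklist."""
    if response is None:
        return ("timeout: no reply. A RADIUS server silently discards requests from clients it "
                "has no shared secret for, so check the FortiAuthenticator NAS entry for this "
                "source address and that UDP port 1812 is reachable.")
    if not verify_response(response, request_authenticator, secret):
        return ("reply failed the Response Authenticator check: the shared secret in the NAS "
                "entry and in the FortiGate RADIUS server definition do not match.")
    if response[0] == ACCESS_ACCEPT:
        return ("Access-Accept: NAS entry and secret are right; if FortiGate still fails, check "
                "its group membership and security policy.")
    if response[0] == ACCESS_REJECT:
        return ("Access-Reject: NAS entry and secret are right; check the user account "
                "(disabled, RADIUS not allowed, password) and the Authentication log.")
    return "unexpected RADIUS code %d" % response[0]


def probe(server, secret, username, password, nas_ip, timeout=3.0):
    """Send one Access-Request over the network and return interpret()'s verdict."""
    request, auth = build_access_request(1, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return interpret(reply, auth, secret)


if __name__ == "__main__":
    # Assumed addresses and credentials; replace with your own before running.
    print(probe("192.0.2.10", b"assumed-shared-secret", b"alice", b"Passw0rd!", "192.0.2.1"))
```

Run the probe from a host whose source address matches the NAS entry (or from the FortiGate’s own network), because the NAS entry is keyed on the address the request arrives from. A PAP test also reminds you why the RADIUS shared secret deserves the same protection as a password: the hiding scheme is MD5-based obfuscation keyed on that secret, not encryption.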


Index

A
Authentication Activity widget, 8
Authentication, Authorization, and Accounting (AAA), 5, 11

C
Controller Agent, 12

D
dashboard
  Authentication Activity widget, 8
  User Inventory widget, 8
Domain Controllers, 15

E
explicit proxy, 10

F
firewall
  open ports, 6
  ports, 6
firmware updates, 6
FortiGuard Antivirus, 6
Fortinet Server Authentication Extension (FSAE), 12
Fortinet Single Sign On (FSSO), 12
  Agent, 12
  Domain Controllers, 15
  ports, 6
FortiToken, 10
  NTP, 7
  synchronization, 11

L
Lightweight Directory Access Protocol (LDAP), 11
  directory tree, 11
  ports, 6
  remote server, 11
Logging, 16
  NAS, 11

M
monitor
  users, 8
Monitoring, 8

N
network access server (NAS), 11
NTP, 7

O
one-time password (OTP), 10

P
ports, 6
product registration, 6
proxy, 10

R
RADIUS
  NAS, 11
  ports, 6
  server, 7
remote LDAP, 11, 12

T
TACACS+, 7
technical support, 6
troubleshooting, 17
two-factor authentication
  FortiToken, 10

U
User Inventory widget, 8
users, 7
  FortiOS, 8
  monitor, 8
  monitor, dashboard, 8
  NAS, 7
  RADIUS authentication, 7

W
Windows AD Domain Controllers, 15
