FortiAuthenticator 1.2
FortiAuthenticator Administration Guide 11 January 2012 23-120-144822-20120111 Copyright 2012 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. Reproduction or transmission of this publication is encouraged.
Trademarks
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com
You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.
Contents
Introduction
    Before you begin
    How this guide is organized
    Registering your Fortinet product
Adding a FortiAuthenticator unit to your network
System maintenance
    Upgrading the firmware
    Backing up the configuration
    Logging
        Search button
        Log entry order
        Log Type Reference
        Exporting the log
    CLI commands
High Availability (HA) Operation
    Administrative access to the HA cluster
Configuring email relay servers
Troubleshooting
    FortiAuthenticator settings
    FortiGate settings
Adding Users
    Administrators
    User self-registration
    Adding a user account
    Configuring two-factor authentication for a user
    Configuring the user's password recovery options
    Setting a password policy
    User groups
Adding FortiToken devices
    FortiAuthenticator and FortiTokens
    Monitoring FortiToken devices
    FortiToken device maintenance
Adding FortiGate units as NAS
Configuring built-in LDAP
    LDAP directory tree overview
    Creating the LDAP directory tree
        Editing the root node
        Adding nodes to the LDAP hierarchy
        Adding user accounts to the LDAP tree
        Moving LDAP branches in the directory tree
        Removing entries from the directory tree
    Configuring a FortiGate unit for FortiAuthenticator LDAP
Configuring Remote LDAP
    Adding a remote LDAP server
    Adding Remote LDAP users
Monitoring users
    Dashboard
    Users monitor
Certificate Management
    Certificate Authorities (CA)
        Certificates
        Certificate Revocation List (CRL)
            Locally created CRL
        Configuring Online Certificate Status Protocol
    Users
Index
Introduction
Welcome and thank you for selecting Fortinet products for your network protection. This chapter contains the following topics: Before you begin How this guide is organized
Figure: deployment topology. Client Network - FortiGate unit - FortiAuthenticator - FortiGate unit - Client Network.
The following topics are included in this section: Initial setup Adding a FortiAuthenticator unit to your network System maintenance Troubleshooting
Initial setup
For information about installing the FortiAuthenticator unit and accessing the CLI or web-based manager, refer to the Quick Start Guide provided with your unit. The following section provides information about setting up the Virtual Machine (VM) version of the product.
FortiAuthenticator VM setup
Before using FortiAuthenticator-VM, you need to install the VMware application to host the FortiAuthenticator-VM device. The installation instructions for FortiAuthenticator-VM assume you are familiar with VMware products and terminology.
System requirements
The minimum system requirements for a computer running the FortiAuthenticator VM image include:
the latest version of VMware Player, Fusion, or Workstation installed
512 MB of RAM minimum
one virtual NIC minimum, to a maximum of four virtual NICs
a minimum of 3 GB of free disk space
Telnet
CLI access is available using telnet to the port1 interface IP address, default 192.168.1.99. Use the telnet -K option so that telnet does not attempt to log on using your user ID. For example:
$ telnet -K 192.168.1.99
At the FortiAuthenticator login prompt, enter admin. When prompted for a password, just press Enter. By default there is no password. When you are finished, use the exit command to end the telnet session. Telnet carries the whole session, including the admin credentials, unencrypted; use it only on a trusted management network for initial setup and prefer SSH otherwise.
SSH
SSH provides secure access to the CLI. Connect to the port1 interface IP address, default 192.168.1.99. Specify the user name admin, or SSH will attempt to log on with your own user name. For example:
$ ssh admin@192.168.1.99
At the password prompt, just press Enter. By default there is no password; set one as soon as the unit is reachable, since the empty default gives anyone who can reach port1 full administrative access. When you are finished, use the exit command to end the session.
6 Either enable NTP or set the date/time manually. Enter a new time and date by typing it manually, selecting Today or Now, or using the calendar or clock icons for a more visual method of setting the date and time. If you will be using FortiToken devices, Fortinet strongly recommends using NTP: FortiToken authentication codes require an accurate system clock.
7 Select OK.
8 If the FortiAuthenticator is connected to additional subnets, configure additional FortiAuthenticator interfaces as required. Go to System > Network > Interfaces to set the IP address and subnet mask for each interface. Go to System > Network > Default Gateway to set the gateway for each interface as required.
System maintenance
System maintenance tasks are limited to changing the firmware, and backing up or restoring the configuration file. This section includes:
Upgrading the firmware
Backing up the configuration
Logging
CLI commands
Logging
Accounting is an important part of FortiAuthenticator, as with any authentication server. Logging provides a record of the events that have taken place on the FortiAuthenticator. To access logs, go to Logging > Log Access > Logs. The Logs page has controls to help you search your logs for the information you need. These include:
Search button
Log entry order
Log Type Reference
Search button
You can enter a string to search for in the log entries. The string must appear in the Message portion of the log entry to result in a match. To prevent each term in a phrase from being matched separately, enclose multiple keywords in quotes; the quoted phrase must then match exactly. After the search is complete, the number of matches is displayed next to the Search button, with the total number of log entries in brackets after it. Select the total number of log entries to return to the full list. Subsequent searches search all log entries, not just the previous search's matches.
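The search semantics described above, as an added Python example that is not from the guide: the log lines are constructed for the example, the quoted-phrase versus separate-term distinction is the one the page describes, and the assumptions that separate terms are ANDed and that matching is case-insensitive are mine (the page does not say).

```python
import shlex

# Constructed sample entries (timestamp, type, message); not real FortiAuthenticator output.
SAMPLE_LOGS = [
    ("2012-01-11 10:00:01", "Authentication", "Local user jsmith logon succeeded from NAS fgt-1"),
    ("2012-01-11 10:00:07", "Authentication", "Local user jdoe logon failed: bad password"),
    ("2012-01-11 10:01:12", "System", "Administrator admin password changed"),
    ("2012-01-11 10:02:30", "Authentication", "Remote LDAP user asmith logon failed: user not found"),
    ("2012-01-11 10:03:00", "Authentication", "Local user jdoe logon failed: bad password"),
    ("2012-01-11 10:04:00", "Authentication", "Local user bob logon failed: token code bad, password accepted"),
]


def parse_query(query: str) -> list:
    """Split the search string the way the Logs page describes: text inside double
    quotes is one exact phrase, everything else is a separate term."""
    return [term for term in shlex.split(query) if term]


def search_logs(query: str, logs=SAMPLE_LOGS) -> tuple:
    """Return (matching entries, total entry count). Only the Message field is searched.
    Assumption (not stated on the page): separate terms are ANDed, case-insensitively."""
    terms = [term.lower() for term in parse_query(query)]
    matches = [entry for entry in logs if all(term in entry[2].lower() for term in terms)]
    return matches, len(logs)


def failed_logons_by_user(logs=SAMPLE_LOGS) -> dict:
    """Count 'logon failed' messages per user: a quick way to spot a brute-force attempt
    or a NAS with a wrong shared secret. The 'user <name>' shape is the constructed
    sample format above, not a documented FortiAuthenticator message format."""
    counts = {}
    for _, _, message in logs:
        if "logon failed" in message:
            words = message.split()
            if "user" in words:
                name = words[words.index("user") + 1]
                counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for query in ('"bad password"', 'bad password', 'password'):
        found, total = search_logs(query)
        print(f"{query!r}: {len(found)} ({total})")
    print(failed_logons_by_user())
```

The unquoted query bad password also returns the entry about a bad token code with an accepted password, which is the false positive the page's advice about quoting is meant to avoid.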
CLI commands
The FortiAuthenticator has CLI commands that are accessed using the console, SSH, or Telnet. Their purpose is to initially configure the unit, perform a factory reset, or reset the values if the web-based manager is not accessible for some reason.

help
    Display the list of valid CLI commands. You can also enter ? for help.
set port1-ip <addr_ipv4mask>
    Enter the IPv4 address and netmask for the port1 interface. The netmask is expected in the /xx format, for example 192.168.0.1/24. Once this port is configured, you can use the web-based manager to configure the remaining ports.
set default-gw <addr_ipv4>
    Enter the IPv4 address of the default gateway for this interface. This is the default route for this interface.
set date
    Enter the current date. The valid format is a four-digit year, two-digit month, and two-digit day. For example, set date 2011-08-12 sets the date to August 12th, 2011.
set time
    Enter the current time. The valid format is two digits each for hours, minutes, and seconds, using a 24-hour clock. For example, 15:10:00 is 3:10 pm.
set tz <timezone_index>
    Enter the current time zone using the time zone index. To see a list of index numbers and their corresponding time zones, enter set tz ?.
unset <setting>
    Restore the default value. For each set command listed above there is an unset command, for example unset port1-ip.
exit
    Terminate the CLI session.
factory-reset
    Reset the FortiAuthenticator settings to factory defaults. This includes clearing the user database. This procedure deletes all changes that you have made to the FortiAuthenticator configuration and reverts the system to its original configuration, including resetting interface addresses.
shutdown
    Turn off the FortiAuthenticator.
status
    Display basic system status information, including firmware version, build number, serial number of the unit, and system time.

Two further commands display the current settings of the port1 IP, netmask, default gateway, and time zone, and perform a hard restart of the FortiAuthenticator unit. On a hard restart all sessions are terminated; the unit goes offline and there is a delay while it restarts.
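Before typing the set port1-ip and set default-gw values on a console, it is worth checking that they are consistent with each other; a gateway outside the port1 subnet is a common reason the web-based manager is unreachable after initial setup. The Python helper below is an added example, not part of the guide or the product: it validates the /xx form the CLI expects, applies generic IPv4 sanity checks, and renders the commands. The date and time check follows the formats the CLI table gives.

```python
import ipaddress
from datetime import datetime


def plan_port1(addr_with_prefix: str, gateway: str) -> dict:
    """Validate what you are about to type as `set port1-ip <addr/xx>` and
    `set default-gw <addr>` and list any problems. The checks are generic IPv4
    sanity checks, not rules stated in the guide."""
    if "/" not in addr_with_prefix:
        raise ValueError("use the address/xx format, for example 192.168.0.1/24")
    iface = ipaddress.ip_interface(addr_with_prefix)   # raises ValueError on bad input
    if iface.version != 4:
        raise ValueError("port1-ip takes an IPv4 address")
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    problems = []
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("port1 address is the network or broadcast address")
    if gw not in net:
        problems.append("default gateway is not inside the port1 subnet")
    if gw == iface.ip:
        problems.append("default gateway equals the port1 address")
    return {
        "ip": str(iface.ip),
        "netmask": str(net.netmask),
        "network": str(net),
        "gateway": str(gw),
        "problems": problems,
        "commands": [f"set port1-ip {iface.with_prefixlen}", f"set default-gw {gw}"],
    }


def check_date_time(date_text: str, time_text: str) -> bool:
    """True when the values match the `set date yyyy-mm-dd` and `set time hh:mm:ss`
    (24-hour) formats from the CLI table."""
    try:
        datetime.strptime(date_text, "%Y-%m-%d")
        datetime.strptime(time_text, "%H:%M:%S")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    plan = plan_port1("192.168.0.1/24", "192.168.0.254")
    print("\n".join(plan["commands"]), plan["problems"])
    print(plan_port1("192.168.0.1/24", "10.0.0.1")["problems"])
    print(check_date_time("2011-08-12", "15:10:00"))
```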
2 When one unit has become the master, connect to the web-based manager again and complete your configuration. You are configuring the Master unit. The configuration will automatically be copied to the slave unit. Refer to the other chapters of this manual for more information. Configuring the cluster is the same as configuring a single FortiAuthenticator unit.
3 Optionally, select Test Connection to send a test email message. Specify a recipient and select Send. Confirm that the recipient received the message. The recipient's email system might treat the test email message as spam.
4 Select OK.
To set the default email server
1 Go to System > E-mails > SMTP Servers.
2 Select the check box of the server that you want to make the default.
3 Select Set as Default.
Troubleshooting
Troubleshooting includes useful tips and commands to help deal with issues that may occur. For additional help, always contact customer support. If you have issues when attempting authentication on FortiGate using the FortiAuthenticator, there are some FortiAuthenticator settings and FortiGate settings to check. In addition to these settings you can use log entries, monitors, and debugging information to determine more information about your authentication problems. For help with FortiAuthenticator logging, see Logging on page 13. For help with FortiGate troubleshooting, see the FortiOS Handbook Troubleshooting and User Authentication guides.
FortiAuthenticator settings
When checking FortiAuthenticator settings, ensure that:
- there is a NAS entry for the FortiGate unit (see Adding FortiGate units as NAS on page 25)
- the user trying to authenticate has a valid active account that is not disabled, and the username and password are spelled as expected
- the user account allows RADIUS authentication if RADIUS is enabled on the FortiGate unit
- the FortiGate unit can communicate with the FortiAuthenticator unit
- the user account exists as a local user on the FortiAuthenticator (if using RADIUS authentication), in the local LDAP directory (if using local LDAP authentication), or in the remote LDAP directory (if using RADIUS authentication with remote LDAP password validation)
- the user is a member of the expected user groups, and these user groups are allowed to authenticate on the NAS (the FortiGate unit, for example)
If authentication fails with the log error "bad password", try resetting the password. If this fails, verify that the pre-shared secret is identical on both FortiAuthenticator and the NAS: RADIUS hides the User-Password attribute with a keystream derived from the shared secret, so a mismatched secret decodes a correct password into garbage, and the failure is logged as a bad password rather than as a secret mismatch.
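Why a wrong shared secret shows up as "bad password", as an added Python example that is not from the guide. It implements the RFC 2865 section 5.2 User-Password hiding that every RADIUS NAS and server perform; the secrets, password and Request Authenticator are constructed for the example.

```python
import hashlib
import secrets

BLOCK = 16


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: the NAS pads the password with NULs to a multiple of 16
    bytes, then XORs each block with MD5(secret + previous block); the 'previous
    block' for the first block is the 16-byte Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("password must be 1-128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + BLOCK], stream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server's inverse: same keystream, XORed back, trailing NUL padding removed."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        clear += bytes(h ^ s for h, s in zip(block, stream))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def server_decision(hidden: bytes, server_secret: bytes, authenticator: bytes,
                    stored_password: bytes) -> str:
    """What the server concludes after decoding with ITS copy of the secret. With a
    mismatched secret the decoded bytes are garbage, so the user is rejected with
    'bad password' although the NAS was given the right password."""
    decoded = reveal_password(hidden, server_secret, authenticator)
    return "ok" if secrets.compare_digest(decoded, stored_password) else "bad password"


def demo() -> dict:
    """Constructed example: one server that shares the NAS secret and one that does not."""
    authenticator = bytes(range(16))        # a real NAS picks this randomly per request
    nas_secret = b"c0rrect-h0rse-battery"   # constructed example secret
    hidden = hide_password(b"Passw0rd!", nas_secret, authenticator)
    return {
        "hidden_len": len(hidden),
        "same_secret": server_decision(hidden, nas_secret, authenticator, b"Passw0rd!"),
        "wrong_secret": server_decision(hidden, b"typo-secret", authenticator, b"Passw0rd!"),
    }


if __name__ == "__main__":
    print(demo())
```

The hiding is an MD5 keystream, not encryption: anyone who can sniff the RADIUS exchange and guess the secret can recover passwords offline, which is another reason to keep the FortiGate-to-FortiAuthenticator path on a trusted segment and to choose long, random NAS secrets.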
FortiGate settings
When checking FortiGate authentication settings, ensure that:
- the user has membership in the required user groups and identity-based security policies
- there is a valid entry for the FortiAuthenticator as a remote RADIUS or LDAP server
- the user is configured explicitly or as a wildcard user

Figure: deployment topology. Client Network - FortiGate unit - FortiAuthenticator - FortiGate unit - Client Network.
The following topics are included in this section:
What to configure
Adding Users
Adding FortiToken devices
Adding FortiGate units as NAS
Configuring built-in LDAP
Configuring Remote LDAP
Monitoring users
What to configure
You need to decide which elements of FortiAuthenticator configuration you need:
- Determine whether you want two-factor authentication and what form that will take.
- Determine the type of authentication you will use: RADIUS, built-in LDAP, or Remote LDAP. You will need to use at least one of these types.
- Determine which FortiGate units will use the FortiAuthenticator unit. The FortiAuthenticator unit must be configured on each FortiGate unit as an authentication server, either RADIUS or LDAP. For RADIUS authentication, each FortiGate unit must also be configured on the FortiAuthenticator unit as a NAS.
The FortiAuthenticator unit has multiple ways of providing the second factor (something you have) to the user. Digital certificates are covered in a later chapter. The other methods rely on a six-digit PIN which changes regularly and is known only to the FortiAuthenticator unit and the user. This PIN can be delivered to the user in multiple ways:
a FortiToken device registered with the FortiAuthenticator and the user's account
an email account specified in the user account
a cell phone number with SMS service specified in the user account
Authentication type
The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the use of external LDAP, which can include Windows AD servers.
The built-in servers are best used where there is no existing authentication infrastructure. You build a user account database on the FortiAuthenticator unit. The database can include additional user information, such as street address and phone numbers, that cannot be stored in a FortiGate unit's user authentication database. You can use either the LDAP or the RADIUS protocol.
The external server options are intended to integrate FortiGate authentication into networks that already have an authentication infrastructure. The Fortinet Single Sign-On (FSSO) option works on Microsoft Windows networks, enabling users already authenticated by a Windows AD server to access network resources. The Remote LDAP option adds your FortiGate units to an existing LDAP structure. Optionally, you can add two-factor authentication to Remote LDAP.
RADIUS
If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must be registered as NAS in Authentication > NAS. See Adding FortiGate units as NAS on page 25. On each FortiGate unit that will use RADIUS protocol, the FortiAuthenticator unit must be configured as a RADIUS server in User > Remote > RADIUS.
Built-in LDAP
If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users from the user database to the appropriate nodes in the LDAP hierarchy. See Creating the LDAP directory tree on page 28. On each FortiGate unit that will use LDAP protocol, the FortiAuthenticator unit must be configured as an LDAP server in User > Remote > LDAP.
Remote LDAP
Remote LDAP must be enabled in each user account. FortiGate units must be registered as NAS in Authentication > NAS. See Adding FortiGate units as NAS on page 25. FortiGate units must communicate with the FortiAuthenticator unit using RADIUS protocol, with the FortiAuthenticator unit entered as a RADIUS server in User > Remote > RADIUS. User accounts that use two-factor authentication must be imported into the FortiAuthenticator database. You can do this in the server configuration in Authentication Users > Remote.
Adding Users
FortiAuthenticator's user database is similar to the local user database on FortiGate units, but it has the added benefit of being able to associate additional information with each user, as you would expect of RADIUS and LDAP servers. This information includes whether the user is an administrator, uses RADIUS authentication, or uses two-factor authentication; personal information such as full name, address, and password recovery options; and, of course, which groups the user belongs to. The RADIUS server on FortiAuthenticator is configured using default settings. For a user to authenticate using RADIUS, the option Allow RADIUS Authentication must be selected for that user's entry, and the authenticating client must be added to the NAS list. See Adding FortiGate units as NAS on page 25.
Administrators
Administrator accounts on FortiAuthenticator are standard user accounts that are flagged as administrators. Once an account is flagged as an administrator, its administrator privileges can be set either to full access or customized to select administrator rights for different parts of FortiAuthenticator. There are log events for administrator configuration activities. Administrators can also be configured to authenticate to the local system using two-factor authentication.
User self-registration
Optionally, you can enable users to request registration through the FortiAuthenticator web page. The administrator will receive the request as an email message.
To enable self-registration
1 Go to Authentication > General > Settings.
2 Under User Self-registration, select Enable and enter the Admin's e-mail address.
3 Select OK.
How the user requests registration
1 Browse to the IP address of the FortiAuthenticator unit. Security policies must be in place on the FortiGate unit to allow these sessions to be established.
2 Select Register. The User Registration page opens.
3 Fill in the required fields. Optionally, fill in the Additional Information fields. Select OK.
To approve a self-registration request 1 Select the link in the Approval Required for ... email message. The New User Approval page opens in the web browser. 2 Review the information and select either Approve or Deny, as appropriate. If the request is approved, the FortiAuthenticator unit sends the user an email message stating that the account has been activated.
6 On the Reset Password page, enter and confirm a new password and then select Next. The user can now authenticate using the new password.
User groups
You can assign users to user groups in Authentication > User Groups > Local. This is very similar to the firewall user group feature on FortiGate units.
FortiAuthenticator acts as a repository for all FortiToken devices used on your network; it is a single point of registration and synchronization for easier installation and maintenance.
To add FortiToken devices
1 Go to Authentication > FortiTokens > FortiTokens.
2 Do one of the following:
Select Create New and enter the FortiToken device serial number. If there are multiple numbers to enter, select the + icon to switch to a resizable multiple-line entry box.
Select Import to load a file containing the list of serial numbers for the tokens. (FortiToken devices have a barcode on them that can help you read serial numbers to create the import file.)
3 Select OK.
To register FortiToken devices, you must have a valid FortiGuard connection. Otherwise any FortiToken devices you enter will remain at Inactive status.
When a user is configured on FortiAuthenticator, there is an option to authenticate the user using the RADIUS database. A RADIUS server is already configured and running on the FortiAuthenticator unit, set up with default values. For a computer or other external device to access the RADIUS server on the FortiAuthenticator, that device must have a NAS entry. FortiAuthenticator allows both RADIUS and remote LDAP authentication for NAS entries. If you want to use a remote LDAP server, you must configure it first so that you can select it in the NAS configuration. You can configure the built-in LDAP server before or after creating NAS entries.
To configure a NAS
1 Go to Authentication > NAS > NAS.
2 Select Create New and enter the following information:
Name
    A name to identify the NAS device on the FortiAuthenticator unit.
NAS name/IP
    The FQDN or IP address of the NAS unit.
Description
    Optional information about the NAS.
3 If RADIUS or Remote LDAP authentication will be used, select NAS is a RADIUS client and enter the following information:
Secret
    The RADIUS passphrase that the FortiGate unit will use. It must be entered identically on the FortiGate unit; use a long, random value that is unique to this NAS.
Two-factor Authentication
    Select one of the following:
    Mandatory - all users are subject to two-factor authentication
    Optional - depends on the setting in the user account
    None - all users are authenticated only by password
Validate passwords using an external LDAP server
    Select if Remote LDAP authentication will be used. Select the configured Remote LDAP server from the list. If the server is not listed, create it. See Configuring Remote LDAP on page 31.
Authenticate
    Limits who can authenticate. Select one of:
    All local users - no limit
    Users from selected local groups only - authenticate only members of specific FortiAuthenticator user groups. Add the required user groups to the Selected local groups list.
    Users using a remote LDAP server - authenticate only users of the selected Remote LDAP server
Use Radius accounting records received from this NAS as a source of FSSO user activity
    This is required only if you are using an external RADIUS server to notify the FortiAuthenticator unit of logon events for use by FSSO. Otherwise, leave this unselected. This feature will be described in later documentation.
4 If FSSO will be used, select NAS is an FSSO client. Refer to the Fortinet Single Sign On (FSSO) chapter for information about configuring authentication with FSSO.
5 Select OK.
When requesting authentication, an LDAP client, such as a FortiGate unit, must specify the part of the hierarchy where the user account record can be found. This is called the Distinguished Name (DN). In the example above, the DN is ou=People,dc=example,dc=com. The authentication request must also specify the particular user account entry. Although this is often called the Common Name (CN), the identifier you use is not necessarily CN. On a computer network, it is appropriate to use UID, the person's user ID, as that is the information that they will provide at logon.
To rename the root node
1 Go to Authentication > LDAP > Directory Tree.
2 Double-click dc=example,dc=com to edit the entry.
3 In Distinguished Name (DN), enter a new name. Example: dc=fortinet,dc=com.
4 Select OK.
If your domain name has multiple parts, such as shiny.widgets.example.com, enter each part of the domain as a component of the DN: dc=shiny,dc=widgets,dc=example,dc=com, for example.
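The DN conventions from the two passages above (the base DN built from a domain name, and the user entry addressed by uid under ou=People), as an added Python example that is not from the guide. The escaping and splitting follow RFC 4514; the People branch and the uid identifier are the guide's example choices, and the sample names are constructed.

```python
_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4): a leading
    '#' or space, a trailing space, and the characters , + " \\ < > ; get a backslash;
    NUL becomes \\00. Without this, a user named 'Smith, John' would split the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(value: str) -> str:
    """Undo escape_rdn_value, accepting both the '\\,' and the two-hex-digit '\\2C' forms."""
    hexdigits = "0123456789abcdefABCDEF"
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if i + 2 < len(value) and value[i + 1] in hexdigits and value[i + 2] in hexdigits:
                out.append(chr(int(value[i + 1:i + 3], 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def domain_to_base_dn(domain: str) -> str:
    """shiny.widgets.example.com -> dc=shiny,dc=widgets,dc=example,dc=com"""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("domain must have at least one label")
    return ",".join("dc=" + escape_rdn_value(label) for label in labels)


def user_dn(uid: str, base_dn: str, branch: str = "People", id_attr: str = "uid") -> str:
    """Full DN of the user entry an LDAP client must reference, e.g.
    uid=jsmith,ou=People,dc=example,dc=com (branch and identifier per the guide's example)."""
    return f"{id_attr}={escape_rdn_value(uid)},ou={escape_rdn_value(branch)},{base_dn}"


def split_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs without breaking on escaped commas."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().lower(), unescape_rdn_value(value.strip())))
    return pairs


if __name__ == "__main__":
    base = domain_to_base_dn("shiny.widgets.example.com")
    print(base)
    print(user_dn("jsmith", base))
    print(split_dn(user_dn("Smith, John", base, id_attr="cn")))
```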
Server Port
    Leave at the default (389).
Distinguished Name
    Enter the LDAP node where the user account entries can be found. For example, ou=People,dc=example,dc=com. You can also use the Query button to explore the LDAP tree and select the node.
Bind Type
    The FortiGate unit can be configured to use one of three types of binding:
    anonymous - bind using an anonymous user search
    regular - bind using username/password and then search
    simple - bind using simple password authentication without a search
    You can use simple authentication if the user records all fall under one distinguished name (DN). If the users are under more than one DN, use the anonymous or regular type, which can search the entire LDAP database for the required username. If your LDAP server requires authentication to perform searches, use the regular type and provide values for username and password.
Secure Connection
    If you select Secure Connection, you must select the LDAPS or STARTTLS protocol and the CA security certificate that verifies the FortiAuthenticator unit's identity. Without it, bind passwords cross the network in cleartext on port 389.
3 Add the LDAP server to a user group. Specify that user group in identity-based security policies where you require authentication.
3 Enter the following information.
Name
    Enter the name for the remote LDAP server on FortiAuthenticator.
Server name/IP
    Enter the IP address or FQDN for this remote server.
Common name identifier
    The attribute that identifies user entries. cn is the default, and is used by most LDAP servers.
Distinguished Name
    The top of the LDAP directory tree as it applies to FortiAuthenticator users. This may be the top of the tree, or only a smaller branch of it. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The maximum length of the DN is 512 characters. You can also select the Browse button to view and select the DN on the LDAP server.
Bind Type
    The Bind Type determines how the authentication information is sent to the server. Select the bind type required by the remote LDAP server.
    Simple - bind using the user's password, which is sent to the server in plaintext, without a search
    Regular - bind using the user's DN and password and then search
    If the user records fall under one directory, you can use the Simple bind type. Regular is required to allow a search for a user across multiple domains. With either type the password is only protected on the wire if Secure Connection is enabled in step 4.
4 If you want to have a secure connection between the FortiAuthenticator unit and the remote LDAP server, select Enable under Secure Connection and enter the following:
Protocol
    Select LDAPS or STARTTLS as the LDAP server requires.
CA Certificate
    Select the CA certificate that verifies the server certificate.
5 Select OK. You can now add remote LDAP users.
3 Under Two-factor authentication, do one of the following:
Select FortiToken and then select the FortiToken device serial number from the list.
Select Email and enter the user's email address.
Select SMS and enter the user's mobile information.
4 Select OK.
A FortiToken device already allocated to a local account cannot be allocated to an LDAP user as well; it must be a different FortiToken device.
Monitoring users
There are two methods for monitoring or tracking users that are logged on: on the dashboard, and with the Users monitor.
Dashboard
On the dashboard there are two user related widgets. The Authentication Activity widget is a graph that tracks the number of logons over time. It can display all logons, failed only, successful logons only, or a combination of all three. Multiple occurrences of this widget can be displayed on the dashboard, and configured individually. The User Inventory widget displays the total number of configured users, groups, and FortiTokens. It also tracks the number of disabled users and FortiTokens.
Users monitor
To see the users monitor, go to Authentication > SSO Monitor > SSO Users. The users monitor displays a list of currently logged on FSSO users and their information.
Figure: FSSO topology. Client Networks - FortiGate units - FortiAuthenticator, which polls logon events from the Windows AD Domain Controllers that record client logons.
This section includes:
Communicating with FortiGate units
Communicating with Domain Controllers
Monitoring FSSO units
To configure FortiAuthenticator to communicate with FortiGate units
1 Go to Authentication > SSO > General.
2 Select Enable Authentication and configure:
Secret key
    The password that will be used when configuring the FSSO Agent on the FortiGate unit. The guide's example sets it to fortinet123; in production choose a long, unique value instead.
Log Level
    Select one of Debug, Info, Warning, or Error as the minimum severity level of event to log.
FortiGate Listening Port
    Leave at 8000 unless your network requires you to change this. Ensure this port is allowed through the firewall.
User Login Expiry (in minutes)
    The length of time users can remain logged in before the system logs them off automatically. The default is 300 minutes (5 hours).
3 On the FortiGate unit, go to User > Remote > LDAP and select Create New.
4 Enter the following information, and select OK.
Name
    Enter a unique name to identify the FortiAuthenticator.
Server Name/IP
    Enter the FortiAuthenticator unit IP address.
Server port
    Leave this at the default (389). FortiAuthenticator uses default values for its LDAP and RADIUS servers. Ensure port 389 is open on the firewall.
Common Name Identifier
    Set this to match your LDAP directory tree. The default identifier is cn.
Distinguished Name
    The top level of your LDAP tree, or the branch of your tree that will be authenticated using this FortiGate unit. Once you have entered a distinguished name, use the browse button to ensure you have a connection to the FortiAuthenticator. If not, check your information.
Bind Type
    Select the method that will be used to authenticate using the LDAP server.
Secure Connection
    Leave unchecked (the guide's example; note that plain LDAP binds are unencrypted).
5 Go to User > Single Sign-On > FSSO Agent.
6 Enter the following information, and select OK.
Name
    Enter a name to identify the FortiAuthenticator as an FSSO agent.
FSSO Agent IP/Name
    Enter the FortiAuthenticator unit IP address.
Port
    This entry must match the FortiGate Listening Port in the FortiAuthenticator SSO configuration. The default value is 8000. Ensure this port is open on the firewall.
Password
    This entry must match the Secret Key entered in the FortiAuthenticator SSO configuration.
LDAP Server
    Enable LDAP server, and select the FortiAuthenticator LDAP server from the list.
Certificate Management
This section describes how FortiAuthenticator allows you to manage certificates, including acting as a Certificate Authority. FortiAuthenticator can act as a Certificate Authority (CA) for the creation and signing of X.509 certificates, such as server certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPSEC VPN. Any changes made to certificates generate log entries that can be viewed at Logging > Log Access > Logs. See Logging on page 13. This chapter includes:
Certificate Authorities (CA)
Users
Certificates
Do not press Enter while entering the information until you have finished entering it; otherwise you will create the certificate with incomplete information.
Subject Alternative Names (SAN) allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard. An example of where SANs are used is to protect multiple domain names such as www.example.com and www.example.net. This contrasts with a wildcard certificate, which can only protect all first-level subdomains of one domain, such as *.example.com.
The certificate information, including subject, issuer, status, and CA type, is displayed on the Certificate Management > Certificate Authorities > Certificates page. If you have many certificates, you can use the search feature to find one or more specific certificates. The search returns certificates that match either subject or issuer.
To create a CA certificate
1 Go to Certificate Management > Certificate Authorities > Certificates.
2 Select Create New.
3 Enter the following information and select OK.
  Certificate type: Select one of the following types of CA certificates. The fields displayed change based on your certificate type.
    Root CA certificate: a self-signed CA certificate.
    Intermediate CA certificate: a CA certificate that refers to a different root CA as the authority.
    Intermediate CA certificate signing request (CSR)
  Certificate Authority: Select one of the available certificate authorities (CAs) configured on the FortiAuthenticator from the drop-down list. This field is displayed only when Intermediate CA certificate is selected.
  Subject information
  Subject input method: Select to enter either a Fully distinguished name (DN) or Field-by-Field. Default value is Field-by-Field. The fields displayed for subject information change based on your subject input method.
  Subject DN: Enter the full DN of the subject. For example C=CA, O=Fortinet, CN=John Smith. Valid DN attributes are C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive. This field is only displayed when the fully distinguished name (DN) subject input method is selected.
  Name (CN), Company (O), Department (OU), City (L), State/Province (ST): Enter each value in the field provided. These fields need to match the information of the user who will be using the certificate; the fields will be assembled into a distinguished name for the certificate.
  Country (C): Select your country from the drop-down list. Each country includes its two-letter code.
  Subject Alternative Name
  Email: Enter the email address of a user to map to this certificate. This field is not available if certificate type is CSR.
  User Principal Name (UPN): Enter the user principal name used to find the user's account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping. This field is not available if certificate type is CSR.
  Additional Options
  Validity Period: Select how long before this certificate expires. Select either a set number of days and enter the total number of days before this certificate expires (such as 3650 days for a life of 10 years), or set an expiry date by entering the expiry date in YYYY-MM-DD format, selecting Today, or using the Calendar icon to help you select a date. This field is not available if certificate type is CSR.
  Key Type: The key type is set to RSA.
  Key Size: Select the key size as one of 1024, 2048, or 4096 bits.
  Hash Algorithm: Select the hash algorithm used as one of SHA-1 or SHA-256.

To import a CA certificate
1 Go to Certificate Management > Certificate Authorities > Certificates.
2 Select Import.
3 Enter the following information and select OK.
  Type: Select the type of CA certificate to import: PKCS12 Certificate or Certificate and Private Key.
  PKCS12 certificate file: Select the certificate file from your local computer to upload to the FortiAuthenticator. This field is visible only if PKCS12 type is selected.
  Certificate file: Select the certificate file from your local computer to upload to the FortiAuthenticator. This field is visible only if you selected Certificate and Private Key type.
  Private key file: Select the private key file from your local computer to upload to the FortiAuthenticator. This field is visible only if you selected Certificate and Private Key type.
  Passphrase: Enter the passphrase associated with this certificate.
  Serial number radix: Select the radix of the serial number as either decimal or hex.
  Initial serial number: Enter the starting serial number for the CA certificate.
To import a Certificate Revocation List (CRL)
1 Download the most recent CRL from a CRL Distribution Point (CDP). One or more CDPs are usually listed in a certificate under the Details tab.
2 Go to Certificate Management > Certificate Authorities > CRL.
3 Select Import.
4 Select a CRL file from your local computer, and select OK.
When successful, the CRL will be displayed in the CRL list on the FortiAuthenticator. You can select it to see the details.
For example, configuring OCSP in the FortiGate CLI for a FortiAuthenticator with an IP address of 172.20.120.16 looks like this:
  config vpn certificate ocsp
    set cert "REMOTE_Cert_1"
    set url "http://172.20.120.16:2560"
  end
Users
User certificates are required for mutual authentication on many HTTPS, SSL, and IPSec VPN network resources. You can create a user certificate on FortiAuthenticator or import and sign a Certificate Signing Request (CSR). User certificates, client certificates, and local computer certificates are the same type of certificate.
To create a user certificate
1 Go to Certificate Management > Users > Certificates.
2 Select Create New.
3 Enter the following information and select OK. The Certificate Authority used must be valid and current. If it is not, you will have to create or import a CA certificate before continuing. See Certificate Authorities (CA) on page 39.
  Certificate Signing Options
  Certificate Authority: Select one of the available certificate authorities (CAs) configured on the FortiAuthenticator from the drop-down list. The CA must be current.
  Subject information
  Subject input method: Select to enter either a Fully distinguished name (DN) or Field-by-Field. Default value is Field-by-Field.
  Subject DN: Enter the full DN of the subject. For example C=CA, O=Fortinet, CN=John Smith. Valid DN attributes are C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive. This field is only displayed when the fully distinguished name (DN) subject input method is selected.
  Name (CN), Company (O), Department (OU), City (L), State/Province (ST): Enter each value in the field provided.
  Country (C): Select your country from the drop-down list. Each country includes its two-letter code.
  Subject Alternative Name
  Email: Enter the email address of a user to map to this certificate.
  User Principal Name (UPN): Enter the user principal name used to find the user's account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
  Additional Options
  Validity Period: Select how long before this certificate expires. Select either a set number of days and enter the total number of days before this certificate expires (such as 3650 days for a life of 10 years), or set an expiry date by entering the expiry date in YYYY-MM-DD format, selecting Today, or using the Calendar icon to help you select a date.
  Key Type: The key type is set to RSA.
  Key Size: Select the key size as one of 1024, 2048, or 4096 bits.
  Hash Algorithm: Select the hash algorithm used as one of SHA-1 or SHA-256.
4 Confirm the certificate information is correct by selecting the certificate entry. This will bring up the text of the certificate, including the version, serial number, issuer, subject, effective and expiration dates, and the extensions. If any of this information is out of date or incorrect, you will not be able to use this certificate. If this is the case, delete the certificate and re-enter the information.
5 Once the information is confirmed, you can export the certificate to the user's computer and import it into the proper application there, such as a browser or FortiClient.
Index

A
Authentication Activity widget, 33
Authentication, Authorization, and Accounting (AAA), 9, 25

C
certificate authority (CA), 39
Certificate Revocation List (CRL), 41
Certificate Signing Request (CSR), 43
common name, LDAP servers, 27
Controller Agent, 35
CRL Distribution Point (CDP), 42

D
dashboard
  Authentication Activity widget, 33
  User Inventory widget, 33
default password, 7
distinguished names, LDAP servers, 28
domain component, LDAP servers, 27
Domain Controllers, 37

E
explicit proxy, 20

F
firewall
  open ports, 11
  ports, 11
firmware updates, 7
FortiGuard, 25
FortiGuard Antivirus, 7
Fortinet Server Authentication Extension (FSAE), 35
Fortinet Single Sign On (FSSO), 35
  Agent, 35
  Domain Controllers, 37
  ports, 11
FortiToken, 24
  clock drift, 25
  monitoring, 25
  NTP, 12
  registering, 25
  synchronization, 25

H
hierarchy, LDAP servers, 27

L
LDAP servers
  common name, 27
  distinguished names, 28
  domain component, 27
  hierarchy, 27
Lightweight Directory Access Protocol (LDAP), 27
  ports, 11
  remote server, 26
Logging, 13
  NAS, 26

M
Microsoft Active Directory, 40, 44
mode, operation, 7
monitor users, 33
Monitoring, 33

N
network access server (NAS), 25
NTP, 12

O
one-time password (OTP), 24
Online Certificate Status Protocol (OCSP), 42
operation mode, 7

P
password, administrator, 7
ports, 11
product registration, 7
proxy, 20

R
RADIUS
  NAS, 25
  ports, 11
  server, 21
remote LDAP, 26

S
Subject Alternative Names (SAN), 39

T
technical support, 7
troubleshooting, 17
two-factor authentication, FortiToken, 24

U
User Inventory widget, 33
User Principal Name (UPN), 40, 44
users, 21
  monitor, 33
  monitor, dashboard, 33
  NAS, 21
  RADIUS authentication, 21

W
Windows AD Domain Controllers, 37
Windows Server, 40, 44