FortiAuthenticator - Administration Guide VERSION 5.4 FORTINET DOCUMENT LIBRARY
Fortinet Document Library: https://docs.fortinet.com
Fortinet Video Guide: https://video.fortinet.com
Fortinet Knowledge Base: http://kb.fortinet.com
Fortinet Blog: https://blog.fortinet.com
Customer Service & Support: https://support.fortinet.com
Fortinet Cookbook: http://cookbook.fortinet.com
Fortinet NSE Institute (Training): https://training.fortinet.com/
FortiGuard Center: https://fortiguard.com
FortiCast: http://forticast.fortinet.com
End User License Agreement and Privacy Policy: https://www.fortinet.com/doc/legal/EULA.pdf and https://www.fortinet.com/corporate/about-us/privacy.html
Feedback: techdocs@fortinet.com

August 15, 2018
FortiAuthenticator - Administration Guide
Document number 23-540-507742-20180815

TABLE OF CONTENTS

Change log 8
What's new in FortiAuthenticator 5.4 9
  FortiToken Cloud service 9; SMS and email two-factor authentication for self-service portal 9; Chained authentication 9; Password change at first logon 9; SCEP renewal private key authenticity check 10; Remote RADIUS server timeout 10; HSTS support 10; User list report extraction 10
Introduction 11
  Before you begin 12; How this guide is organized 13; Registering your Fortinet product 13
Setup 14
  Initial setup 14; FortiAuthenticator VM setup 14; Administrative access 15; Adding FortiAuthenticator to your network 16; Maintenance 17; Backing up the configuration 17; Upgrading the firmware 18; Licensing 18; Swapping hard disks 18; CLI commands 19; Standardized CLI 22; Troubleshooting 22; FortiAuthenticator settings 22; FortiGate settings 23
System 24
  Dashboard 24; Customizing the dashboard 25; System information widget 26; System resources widget 30; Authentication activity widget 30; User inventory widget 30; License information widget 30; Disk monitor widget 30; Top user lockouts widget 31; Network 31; Interfaces 31; DNS 33; Static routing 33; Packet capture 33; Administration 34; System access 34; High availability 36; Firmware upgrade 40; Configuring auto-backup 40; SNMP 41; Licensing 44; FortiGuard 45; FTP servers 46; Admin profiles 47; Messaging 47; SMTP servers 47; Email services 49; SMS gateways 50
Authentication 53
  What to configure 53; Password-based authentication 53; Two-factor authentication 54; Authentication servers 54; Machine authentication 55; User account policies 56; General 56; Lockouts 57; Passwords 58; Custom user fields 60; Tokens 60; User management 63; Administrators 63; Local users 64; Remote users 72; Remote user sync rules 75; Social login users 76; Guest users 77; User groups 78; Usage profile 79; Organizations 80; Realms 81; FortiTokens 82; MAC devices 83; RADIUS attributes 84; FortiToken physical device and FortiToken Mobile 84; FortiAuthenticator and FortiTokens 85; Monitoring FortiTokens 86; FortiToken device maintenance 86; FortiToken drift adjustment 86; Self-service portal 87; General 87; Access control 87; Self-registration 88; Token self-provisioning 90; Replacement messages 92; Device self-enrollment 93; Captive portal 94; General 95; Access control 97; Replacement messages 97; Guest portals 101; Portals 101; Rules 107; Replacement messages 108; Smart Connect profiles 108; Remote authentication servers 111; General 111; LDAP 112; RADIUS 116; RADIUS service 117; Clients 118; Client profile attributes 121; Extensible Authentication Protocol 121; Services 121; Custom dictionaries 122; LDAP service 123; General 123; Directory tree overview 123; Creating the directory tree 124; Configuring a FortiGate unit for FortiAuthenticator LDAP 127; SAML IdP 128; General 128; Service providers 129; FortiAuthenticator agents 132; FortiAuthenticator Agent for Microsoft Windows 132; FortiAuthenticator Agent for Outlook Web Access 134
Port-based network access control 135
  Extensible Authentication Protocol 135; FortiAuthenticator and EAP 136; FortiAuthenticator unit configuration 136; Configuring certificates for EAP 136; Configuring switches and wireless controllers to use 802.1X authentication 137; Non-compliant devices 137
Fortinet Single Sign-On 138
  Domain controller polling 138; Windows management instrumentation polling 138; General settings 139; Configuring FortiGate units for FSSO 144; Portal services 144; Kerberos 146; SAML authentication 147; Windows event log sources 149; RADIUS accounting 151; Syslog 152; Syslog sources 153; Matching rules 154; Predefined rules 155; Fine-grained controls 156; SSO users and groups 157; FortiGate filtering 158; IP filtering rules 159; Tiered architecture 160; FortiClient SSO Mobility Agent 161; Fake client protection 162
RADIUS Single Sign-On 163
  RADIUS accounting proxy 163; General 163; Rule sets 164; Sources 166; Destinations 167
Monitoring 168
  SSO 168; Domains 168; SSO sessions 168; Windows event log sources 169; FortiGates 169; DC/TS agents 169; NTLM statistics 169; Authentication 169; Locked-out users 170; RADIUS sessions 170; Windows AD 170; Windows device logins 171; Learned RADIUS users 171
Certificate management 172
  Policies 172; Certificate expiry 172; End entities 173; Certificate authorities 182; Local CAs 182; Certificate revocation lists 189; Trusted CAs 190; SCEP 190; General 191; Enrollment requests 191
Logging 197
  Log access 197; Log configuration 199; Log settings 199; Syslog servers 201; Audit reports 202; Users audit 202
Troubleshooting 204
  Troubleshooting 204; Debug logs 205; RADIUS debugging 206; TCP stack hardening 207; LDAP filter syntax 208; Examples 208; Caveats 209

Change log

Date: August 15, 2018. Change description: FortiAuthenticator 5.4 document release. Minor updates.

FortiAuthenticator - Administration Guide Fortinet Technologies Inc. 8

What's new in FortiAuthenticator 5.4

The following list contains new and expanded features added in FortiAuthenticator 5.4.

FortiToken Cloud service
The FortiToken Cloud service is now supported.

Cloud-init support for KVM
Cloud-init support has been added to FortiAuthenticator VM for KVM (OpenStack).
On first boot, the config drive is read for user data (the IP address of port1, the default gateway static route, and DNS servers) and for meta data used to set the REST API key for the default administrator, set the FortiAuthenticator's FQDN, load the license file, and reboot the FortiAuthenticator.

New REST API endpoints
New REST API endpoints have been introduced covering FortiGuard messaging, FortiToken Mobile licenses, email servers, user lockout policies, and system information. See the FortiAuthenticator REST API Solution Guide for more information.

SMS and email two-factor authentication for self-service portal
Self-service portal and guest portal users can provision their own token, delivered by SMS or by email. This is intended for lower-risk or short-term users. User self-provisioning via SMS and/or email is configured under Authentication > Self-service Portal > Token self-provisioning and Authentication > Guest Portals > Portals. See Token self-provisioning and Guest portals respectively for more information.

Chained authentication
Chained authentication covers two-factor deployments where the password must be validated against a remote LDAP server and the OTP against a separate remote RADIUS server. Whether the OTP step is required for a given user depends on the group membership of the remote LDAP user. Group filtering for chained token authentication with a RADIUS server is configured under Authentication > User Management > Realms. See Realms for more information.

Password change at first logon
Local users on FortiAuthenticator can be required to change their password at first logon. Administrators then no longer need to deliver the final credentials to the user by phone or email, which is not a secure delivery method and adds time to onboarding. Forced password change at first logon is configured under Authentication > User Management > Local Users. See Local users for more information.

SCEP renewal private key authenticity check
A SCEP renewal request can be required to be signed with the private key of the existing certificate being renewed, so that a requester that does not hold that key cannot obtain a renewed certificate for it. Verification of SCEP renewal requests against the old private key is configured under Certificate Management > SCEP > Enrollment Requests. See Enrollment requests for more information.

Remote RADIUS server timeout
A timeout of 1 to 30 seconds (3 by default) can be configured for authentication requests to remote RADIUS servers. The remote RADIUS server timeout is configured under Authentication > Remote Auth. Servers > RADIUS. See RADIUS for more information.

HSTS support
HTTP Strict Transport Security (HSTS) support has been added to defend the web interface against SSL-stripping (protocol downgrade) attacks. HSTS instructs a browser that has previously reached the host over HTTPS to use HTTPS for every later request, even one typed as http:// or without a scheme. Set the expiry between 0 and 730 days (0 is documented as no expiry; two years is the maximum); the default is 180 days. Two caveats apply: in the header sent to browsers, a max-age of 0 tells the browser to discard its stored policy (RFC 6797 section 6.1.1) rather than keep it indefinitely, and browsers ignore the header on a connection whose certificate does not validate, so HSTS has no effect while the unit presents a certificate the browser does not trust (for example the factory default certificate). After changing the setting, confirm the Strict-Transport-Security header the unit actually returns. The HSTS expiry is configured under System > Administration > System Access. See System access for more information.

User list report extraction
User audit reports can be generated to satisfy audit requirements. Download user audit reports under Logging > Audit Reports > Users Audit. See Users audit for more information.

Introduction

The FortiAuthenticator device is an identity and access management solution. Identity and access management solutions are an important part of an enterprise network, providing access to protected network assets and tracking user activities to comply with security policies. FortiAuthenticator provides user identity services to the Fortinet product range as well as to third-party devices.

FortiAuthenticator delivers multiple features including:

- Authentication: FortiAuthenticator includes Remote Authentication Dial In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) server authentication methods, and Security Assertion Markup Language (SAML), which is used for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP).
- Two-Factor Authentication: FortiAuthenticator can act as a two-factor authentication server with support for one-time passwords (OTP) using FortiToken hardware (including FortiToken 202 SHA-256 tokens), FortiToken Mobile, Short Message Service (SMS), or email. FortiAuthenticator two-factor authentication is compatible with any system that supports RADIUS.
- IEEE 802.1X Support: FortiAuthenticator supports 802.1X for use in FortiGate wireless and wired networks.
- User Identification: FortiAuthenticator can identify users through multiple data sources, including Active
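The RADIUS leg of chained authentication above (OTP validated against a remote RADIUS server, bounded by the 1-30 second timeout) is easier to reason about with the wire format in front of you. The following is an added example written for this page, not FortiAuthenticator code: a stdlib-only RADIUS/PAP client per RFC 2865 that builds an Access-Request, hides the OTP in the User-Password attribute, verifies the Response Authenticator of the reply with the shared secret, and treats a timeout or a forged reply as a failed check. The server address, shared secret, user name, OTP and NAS-Identifier are constructed test values, and chained_authenticate is a hypothetical illustration of the group-conditional rule, not the unit's implementation.

```python
"""RADIUS/PAP client leg of chained authentication (RFC 2865), stdlib only.

Added example, not FortiAuthenticator code. Secret, user, OTP and NAS-Identifier
values are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 specifies: pad to a 16-byte
    multiple, XOR each block with MD5(secret + previous ciphertext block), the
    first block keyed by the 16-byte Request Authenticator. This is keyed
    obfuscation, not authenticated encryption; the shared secret and the network
    path to the RADIUS server are what protect the OTP in transit."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1-128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], key))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, otp, secret, authenticator,
                         nas_id=b"fac-example"):
    """Access-Request carrying User-Name, the PAP-hidden OTP and NAS-Identifier."""
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, pap_encrypt(otp, secret, authenticator)),
                             (ATTR_NAS_IDENTIFIER, nas_id)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {type: [values]}); raise if malformed."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs.setdefault(attr_type, []).append(data[pos + 2:pos + attr_len])
        pos += attr_len
    return code, identifier, data[4:20], attrs


def build_reply(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side, used here to produce an offline sample reply. RFC 2865 section 3:
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    digest = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + digest + attrs


def response_is_authentic(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Reject replies not produced with our secret and our Request Authenticator."""
    if len(reply) < 20:
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def radius_otp_check(server, username, otp, secret, timeout_s=3.0):
    """One Access-Request over UDP. True = Access-Accept, False = Access-Reject,
    None = no usable answer (timeout, forged or mismatched reply). timeout_s mirrors
    the unit's 1-30 s remote RADIUS server timeout, default 3 s."""
    authenticator = secrets.token_bytes(16)          # fresh and unpredictable per request
    identifier = secrets.randbelow(256)
    request = build_access_request(identifier, username, otp, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout_s)
        sock.sendto(request, server)
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    if not response_is_authentic(reply, authenticator, secret):
        return None
    code, reply_id, _, _ = parse_packet(reply)
    return code == ACCESS_ACCEPT if reply_id == identifier else None


def chained_authenticate(ldap_password_ok: bool, in_otp_group: bool, otp_result) -> bool:
    """Hypothetical chain rule: the LDAP password must pass; the OTP step applies only
    to members of the configured group; a timeout or forgery (None) never counts as a pass."""
    if not ldap_password_ok:
        return False
    return True if not in_otp_group else otp_result is True
```

The point of response_is_authentic is the one most home-grown RADIUS clients miss: without checking the Response Authenticator, anyone who can spoof a UDP datagram from the server address can inject an Access-Accept. Treating None (timeout) the same as a reject is what makes the configurable timeout a safe fail-closed control rather than an availability-only setting.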
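Returning to the HSTS expiry setting described under What's new, the practical check after enabling it is to read the Strict-Transport-Security header the unit returns and confirm that max-age matches the configured number of days (180 days is 15552000 seconds, 730 days is 63072000). The following is an added example written for this page, not FortiAuthenticator code: a parser for the header as RFC 6797 defines it (case-insensitive directive names, no repeated directives, a mandatory max-age that may be quoted) plus a checker that flags a missing header, a malformed one, a max-age of 0, or a value that disagrees with the configured expiry. The header strings used for the checks are constructed; fetch_hsts_findings needs network access and is not exercised offline.

```python
"""Parse and check a Strict-Transport-Security header against the configured expiry (RFC 6797).

Added example, not FortiAuthenticator code; the sample header values are constructed.
"""
import http.client
import ssl

SECONDS_PER_DAY = 86_400
MAX_DAYS = 730          # the unit accepts an expiry of 0-730 days
DEFAULT_DAYS = 180


def expected_max_age(days: int) -> int:
    """Seconds the unit should advertise for an expiry configured in days."""
    if not 0 <= days <= MAX_DAYS:
        raise ValueError("expiry must be 0-730 days")
    return days * SECONDS_PER_DAY


def parse_hsts(value: str) -> dict:
    """RFC 6797 section 6.1: directive names are case-insensitive and must not repeat,
    max-age is mandatory and its value may be quoted, unknown directives are ignored."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, raw = token.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not raw.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            parsed["max_age"] = int(raw)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    if parsed["max_age"] is None:
        raise ValueError("max-age directive missing")
    return parsed


def check_hsts(headers: dict, configured_days: int) -> list:
    """Compare response headers with the configured expiry; an empty list means OK."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: HSTS is not in effect"]
    try:
        parsed = parse_hsts(value)
    except ValueError as exc:
        return [f"malformed header ({exc}): browsers will ignore it"]
    want = expected_max_age(configured_days)
    if parsed["max_age"] == 0:
        return ["max-age=0 tells browsers to drop the stored policy "
                "(RFC 6797 section 6.1.1), so no HSTS protection applies"]
    if parsed["max_age"] != want:
        return [f"max-age is {parsed['max_age']} s, expected {want} s "
                f"for {configured_days} days"]
    return []


def fetch_hsts_findings(host: str, configured_days: int, port: int = 443) -> list:
    """Live check of a unit's web interface (network access required).
    Certificate verification stays on: a browser also discards the HSTS header
    on a connection with certificate errors, so an untrusted GUI certificate
    must be replaced or explicitly trusted rather than verification disabled."""
    conn = http.client.HTTPSConnection(host, port, timeout=5,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return check_hsts(dict(resp.getheaders()), configured_days)
    finally:
        conn.close()
```

Run fetch_hsts_findings against the unit's FQDN with the number of days set under System > Administration > System Access; an empty list means the header is present, well formed and matches. If the TLS handshake fails on certificate verification, that is itself the finding: browsers that do not trust the certificate will not store the policy either.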