New Features – Authentication

Adding certificates to VDOMs and to the global configuration

If an administrator adds a certificate to a VDOM the certificate will only be available for that VDOM. If an administrator adds a certificate to the global configuration it will available for all VDOMs.

Guest user enhancements (291042)

The password policy profile for guest Admin is improved. This is a CLI only configuration as following:

config system password-policy-guest-admin

status enable/disable Enable/disable password policy.

apply-to guest-admin-password Guest admin to which this password policy applies.

minimum-length Minimum password length.

min-lower-case-letter Minimum number of lowercase characters in password.

min-upper-case-letter Minimum number of uppercase characters in password.

min-non-alphanumeric Minimum number of non-alphanumeric characters in password.

min-number Minimum number of numeric characters in password.

change-4-characters enable/disable Enable/disable changing at least 4 characters for new password.

expire-status enable/disable Enable/disable password expiration.

reuse-password enable/disable Enable/disable reuse of password.

end

RADIUS CoA for user, user-group and captive-portal authentication (RFC 5176) (274813

270166)

RADIUS Change of Authorization (CoA) is a common feature in user authentication. User, user-group and captive-portal authentication now supports RADIUS CoA, when the back end authentication server is RADIUS.

The main use case of this feature is with external captive portal, it can be used to disconnect hotspot users when their time, credit or bandwidth had been used up.

RSSO: Enable or disable overriding old attribute value when a user logs in again (possibly on a different device) (278471)

When receiving a new start message with different group name for the same user and different IP address such as the scenario of a mobile device roaming, the original design is to override all group name information to the latest group name received from the latest start message.

This new feature adds an option to disable this override when needed. The default behavior keeps the original design.

CLI changes

Add an option to enable or disable overriding SSO attribute value.

Syntax

config user radius edit <My_Rsso> set rsso enable

set sso-attribute-value-override enable/disable // Enable/Disable override old attribute value with new value for the same endpoint.

end

FSSO supports Microsoft Exchange Server (270174)

FSSO supports monitoring Microsoft Exchange Server. This is useful for situation that the user use the domain account to access their email, but client device might or might not be in the domain. Support for Exchange server is configured on the Back-end FSSO collector agent under Advanced Settings > Exchange Server.

Select Add and enter the following information and select OK.

Domain Name                         Enter your domain name.

Server IP/Hostname               Enter the IP address or the hostname of your exchange server.

Polling forwarded event log

This option for scenarios when you do not want that CA polls the Exchange Server logs directly. In this case you need to configure event log forwarding on the Exchange server. Exchange event logs can be forwarded to any member server.

If you enable this, instead of the IP of the Exchange server configured in the pre- vious step, you must then configure the IP of this member server. CA will then con- tact the member server.

Ignore Name

Because CA will also check Windows log files for logon events and when a user authenticates to Exchange Server there is also a logon event in Windows event log, which CA will read and this will overwrite the Exchange Server logon event (ES- EventLog) on CA. So it is recommended to set the ignore list to the domain the user belongs to.

GUI Changes

Global and per-VDOM certificate configuration includes view details, download, delete, and import certificate.

A Source and a Status columns have been added.

A global icon for Name column when VDOMs are enabled is added to show that the certificate is global.

A new VDOM now has the following default certificates: Fortinet_CA_SSL, Fortinet_Factory, Fortinet_SSL, Fortinet_Wifi, Fortinet_CA, and PositiveSSL_CA. These certificates are created automatically when the VDOM is created and every VDOM will have its own individual versions of these certificates.

The Fortinet_firmware certificate has been removed. All default configurations that formerly used the Fortinet_firmware certificate now use the Fortinet_Factory certificate.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiOS 5.4 Handbook and tagged , , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.