FortiAuthenticator 4.0 Authentication
Configuring certificate bindings
To use a local certificate as part of authenticating a user, you need to:
- Create a user certificate for the user, see To create a new certificate: on page 134.
- Create a binding to that certificate in the user's account.
To create a binding to a certificate in a user’s account:
- Go to the Change user window for the requisite user account.
- Expand the Certificate Bindings
- Select Add Binding. The Create New Local User Certificate Binding window opens.
- Select either Local CA or Trusted CA and then select the applicable CA certificate from the drop-down list.
- Enter the Common Name on the certificate. For example, if the certificate says CN=rgreen then enter rgreen.
- Select OK to add the new binding.
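As an added illustration (not FortiAuthenticator's own code and not from this guide), the following Python shows what a binding of CA certificate plus Common Name amounts to when a user presents a certificate: both the issuing CA and the subject CN must match the binding, so a certificate carrying the same CN but issued by a different CA does not resolve to the user. The Binding class, the sample DNs and CA names, and the exact case-sensitive comparison are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Binding:                 # one row of a user's Certificate Bindings section
    username: str
    ca_cn: str                 # CN of the Local CA or Trusted CA selected for the binding
    cn: str                    # Common Name entered in the binding ("rgreen", not "CN=rgreen")

def split_dn(dn: str) -> List[str]:
    """Split an RFC 4514 DN into RDNs on commas that are not backslash-escaped."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:            # keep the escaped character literally (e.g. "\," inside a CN)
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]

def dn_attribute(dn: str, attr: str) -> Optional[str]:
    """First value of `attr` (e.g. CN) in the DN, or None. Multi-valued RDNs (a=x+b=y) are not handled."""
    for rdn in split_dn(dn):
        name, _, value = rdn.partition("=")
        if name.strip().upper() == attr.upper():
            return value.strip()
    return None

def resolve_binding(subject_dn: str, issuer_dn: str, bindings: List[Binding]) -> Optional[str]:
    """Map an already chain-validated certificate to the username whose binding matches on
    both issuing CA and subject CN. Assumption: exact, case-sensitive comparison (not stated in the guide)."""
    cn = dn_attribute(subject_dn, "CN")
    issuer_cn = dn_attribute(issuer_dn, "CN")
    if cn is None or issuer_cn is None:
        return None
    for b in bindings:
        if b.ca_cn == issuer_cn and b.cn == cn:
            return b.username
    return None

# Constructed sample bindings (illustrative values, not from the guide).
BINDINGS = [
    Binding("rgreen", "Example Local CA", "rgreen"),
    Binding("bsmith", "Example Trusted CA", "Smith, Bob"),
]
```

The function only models the lookup; the signature and chain validation against the selected CA happen before it, which is why a binding is never meaningful on the CN alone.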
Remote LDAP users must be imported into the FortiAuthenticator user database from LDAP servers, see LDAP on page 88. A maximum of five users can be imported.
Remote RADIUS users can be created, migrated to LDAP users, edited, and deleted.
To import remote LDAP users:
- Go to Authentication > User Management > Remote Users, ensure that LDAP users is selected, then select Import. The Import Remote LDAP Users screen opens.
- Select a remote LDAP server from the Remote LDAP Server drop-down list, then select Import Users.
The Import Remote LDAP Users window opens in a new browser window.
- Optionally, enter a Filter string to reduce the number of entries returned, and then select Apply, or select Clear to clear the filters.
- The default configuration imports the attributes commonly associated with Microsoft Active Directory LDAP implementations. Select Configure user attributes to edit the remote LDAP user mapping attributes. Selecting a field, First Name for example, presents a list of attributes that have been detected and can be selected. This list is not exhaustive; additional, non-displayed attributes may be available for import.
Consult your LDAP administrator for a list of available attributes.
- Select the entries you want to import.
- Optionally, select an organization from the Organization drop-down list to associate the imported users with a specific organization. See Organizations on page 70.
- Select OK.
The amount of time required to import the remote users will vary depending on the number of users being imported.
To add two-factor authentication to a remote LDAP user:
- From the remote user list, select the user you are editing. The Edit Remote LDAP User window opens.
- Select Token-based authentication, then follow the same steps as when editing a local user (Editing a user on page 60).
- Configure the User Role, User Information, RADIUS Attributes, and Certificate Bindings for the user as needed.
- Select OK to apply the changes.
To view remote RADIUS users, go to Authentication > User Management > Remote Users and select RADIUS users in the toolbar. See RADIUS on page 91 for more information about remote RADIUS servers.
The following options are available:
|Create New||Select to create a new remote RADIUS user.|
|Delete||Select to delete the selected user or users.|
|Edit||Select to edit the selected user.|
|Migrate||Select to migrate the selected user or users. See To migrate RADIUS users to LDAP users: on page 68.|
|Token-based Auth||Select to enforce or bypass token-based authentication for the selected user or users.|
|Search||Search the remote RADIUS user list.|
|Username||The remote user’s name.|
|Remote RADIUS server||The remote RADIUS server on which the user resides.|
|Token||The FortiToken used by the user, if applicable.|
|Enforce token-based authentication||Whether or not token-based authentication is enforced.|
To create a new remote RADIUS user:
- From the remote user list, select RADIUS users, then select Create New. The Create New Remote RADIUS User window opens.
- Enter the following information:
|Remote RADIUS||Select the remote RADIUS server on which the user will be created from the drop-down list. For more information on remote RADIUS servers, see RADIUS on page 91.|
|Username||Enter a username.|
|Enforce token-based authentication if configured below||Select to enforce token-based authentication, if you are configuring token-based authentication.|
|Token-based authentication||Select to configure token-based authentication.|
|Deliver token code by||Select the method by which the token code will be delivered. One of:
- FortiToken: select the FortiToken device serial number from the FortiToken 200 or FortiToken Mobile drop-down list, as appropriate.
  1. The device must be known to the FortiAuthenticator unit. See FortiToken devices and mobile apps on page 72.
  2. Optionally, select Configure a temporary e-mail/SMS token to receive a temporary token code via email or SMS.
- Email: enter the user's email address in the User Information section.
- SMS: enter the user's mobile number in the User Information section.|
|User Information||Enter user information as needed. The following options are available:
- Email address
- Mobile number and SMS gateway
- Language
- Organization – see Organizations on page 70.|
- Select OK to create the new remote RADIUS user.
To migrate RADIUS users to LDAP users:
- From the remote RADIUS users list (see Learned RADIUS users on page 131), select the user or users you need to migrate, then select Migrate from the toolbar. The Migrate RADIUS Users to LDAP Users window opens.
- Select from the drop-down list the LDAP server on which the selected RADIUS user or users will be located, then select Next.
- Enter the distinguished names for the users that are being migrated, or browse the LDAP tree (see Directory tree overview on page 95) to find the users.
- Select Migrate to migrate the user or users.
Remote user sync rules
Synchronization rules can be created to control how and when remote users are synchronized. To view a list of the remote user synchronization rules, go to Authentication > User Management > Remote User Sync Rules.
To create a new remote user synchronization rule:
- From the Remote User Sync Rules page, select Create New. The Create New Remote User Synchronization Rule window opens.
- Configure the following settings:
|Name||Enter a name for the synchronization rule.|
|Remote LDAP||Select a remote LDAP server from the drop-down list. To configure a remote LDAP server, see Remote authentication servers on page 88.|
|Sync every||Select the amount of time between synchronizations.|
|LDAP filter||Optionally, enter an LDAP filter. Select Test Filter to test that the filter functions as expected.|
|Token-based authentication sync priorities||Select the required authentication synchronization priorities. Drag the priorities up and down in the list to change the priority order.|
|Sync as||Select to synchronize as a remote user or as a local user. Selecting either option will open a pop-up dialog box displaying the user fields that will be synchronized for that selection.|
|Group to associate users with||Optionally, select a group from the drop-down list with which to associate the users, or select Create New to create a new user group. See User groups on page 69.|
|Organization||Optionally, select an organization from the drop-down list with which to associate the users, or select Create New to create a new organization. See Organizations on page 70.|
|LDAP User Mapping||Optionally, edit the remote LDAP user mapping attributes.|
|Preview Mapping||Select to preview the LDAP user sync mappings in a new window.|
|Show Sync Fields||Select to view the user fields that will be synchronized.|
- Select OK to create the new synchronization rule.
I am trying to get users to be able to do a password change when they VPN into the network after their password expires.
One issue I am running into is on the Authenticator under monitor the status of the Connection only says "Joined AD" and "not connected" do you know why?
I am experiencing the same problem