FortiAuthenticator 4.0 Introduction


The FortiAuthenticator device is an identity and access management solution. Identity and access management solutions are an important part of an enterprise network, providing access to protected network assets and tracking user activities to comply with security policies.

FortiAuthenticator provides user identity services to the Fortinet product range, as well as third party devices.

FortiAuthenticator delivers multiple features including:

  • Authentication: FortiAuthenticator includes Remote Authentication Dial In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) server authentication methods. l Two Factor Authentication: FortiAuthenticator can act as a two-factor authentication server with support for onetime passwords using FortiToken 200, FortiToken Mobile, Short Message Service (SMS), or e-mail.

FortiAuthenticator two-factor authentication is compatible with any system which supports RADIUS.

  • 1X Support: FortiAuthenticator supports 802.1X for use in FortiGate Wireless and Wired networks. l User Identification: FortiAuthenticator can identify users through multiple data sources, including Active

Directory, Desktop Client, Captive Portal Logon, RADIUS Accounting, Kerberos, and a Representational State Transfer (REST) API. It can then communicate this information to FortiGate, FortiCache, or FortiMail units for use in Identity Based Policies.

  • Certificate Management: FortiAuthenticator can create and sign digital certificates for use, for example, in FortiGate VPNs and with the FortiToken 300 USB Certificate Store.
  • Integration: FortiAuthenticator can integrate with third party RADIUS and LDAP authentication systems, allowing you to reuse existing information sources. The REST API can also be used to integrate with external provisioning systems.

FortiAuthenticator is a critical system, and should be isolated on a network interface that is separated from other hosts to facilitate server-related firewall protection. Be sure to take steps to prevent unauthorized access to the FortiAuthenticator.

Introduction                                                                                                                              Before you begin

FortiAuthenticator on a multiple FortiGate unit network

The FortiAuthenticator series of identity and access management appliances complement the FortiToken range of two-factor authentication tokens for secure remote access. FortiAuthenticator allows you to extend the support for FortiTokens across your enterprise by enabling authentication with multiple FortiGate appliances and third party devices. FortiAuthenticator and FortiToken deliver cost effective, scalable secure authentication to your entire network infrastructure.

The FortiAuthenticator device provides an easy-to-configure remote authentication option for FortiGate users. Additionally, it can replace the Fortinet Single Sign-On (FSSO) Agent on a Windows Active Directory (AD) network.

For more information about FortiTokens, see the FortiToken information page on the Fortinet web site.

This chapter contains the following topics:

l Before you begin l How this guide is organized l Registering your Fortinet product l What’s new in FortiAuthenticator 4.0

Before you begin

Before you begin using this guide, please ensure that:

  • You have administrative access to the GUI and/or CLI.

For details of how to accomplish this, see the QuickStart Guide provided with your product, or online at

  • The FortiAuthenticator unit is integrated into your network. l The operation mode has been configured.

How this guide is organized                                                                                                           Introduction

  • The system time, DNS settings, administrator password, and network interfaces have been configured.

Network Time Protocol (NTP) is critical for the time to be accurate and stable for the Time-based One-time Password (TOTP) method used in two-factor authentication to function correctly. See Configuring the system time, time zone, and date on page 27.

  • Any third party software or servers have been configured using their documentation.

While using the instructions in this guide, note that administrators are assumed to have all permissions, unless otherwise specified. Some restrictions will apply to administrators with limited permissions.

How this guide is organized

This FortiAuthenticator Administration Guide contains the following sections:

  • Setup describes initial setup for standalone and HA cluster FortiAuthenticator configurations.
  • System describes the options available in the system menu tree, including: network configuration, administration settings, and messaging settings.
  • Authentication describes how to configure built-in and remote authentication servers and manage users and user groups.
  • Port-based Network Access Control describes how to configure the FortiAuthenticator unit for IEEE 802.1X Extensible Authentication Protocol (EAP) authentication methods, Bring Your Own Device (BYOD), and MAC-based device authentication.
  • Fortinet Single Sign-On describes how to use the FortiAuthenticator unit in a Single Sign On (SSO) environment. l RADIUS Single Sign-On describes how to use the FortiAuthenticator unit RADIUS accounting proxy. l Monitoring describes how to monitor SSO and authentication information.
  • Certificate Management describes how to manage X.509 certificates and how to set up the FortiAuthenticator unit to act as an Certificate Authority (CA).
  • Logging describes how to view the logs on your FortiAuthenticator unit. l Troubleshooting provides suggestions to resolve common problems.

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site at Many Fortinet customer services such as firmware updates, technical support, FortiGuard Antivirus, and other FortiGuard services require product registration.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos

Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos