FortiAuthenticator 4.0 Introduction


The FortiAuthenticator device is an identity and access management solution. Identity and access management solutions are an important part of an enterprise network, providing access to protected network assets and tracking user activities to comply with security policies.

FortiAuthenticator provides user identity services to the Fortinet product range, as well as third party devices.

FortiAuthenticator delivers multiple features including:

  • Authentication: FortiAuthenticator includes Remote Authentication Dial In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) server authentication methods.
  • Two Factor Authentication: FortiAuthenticator can act as a two-factor authentication server with support for one-time passwords using FortiToken 200, FortiToken Mobile, Short Message Service (SMS), or e-mail. FortiAuthenticator two-factor authentication is compatible with any system which supports RADIUS.
  • 802.1X Support: FortiAuthenticator supports 802.1X for use in FortiGate Wireless and Wired networks.
  • User Identification: FortiAuthenticator can identify users through multiple data sources, including Active Directory, Desktop Client, Captive Portal Logon, RADIUS Accounting, Kerberos, and a Representational State Transfer (REST) API. It can then communicate this information to FortiGate, FortiCache, or FortiMail units for use in Identity Based Policies.

  • Certificate Management: FortiAuthenticator can create and sign digital certificates for use, for example, in FortiGate VPNs and with the FortiToken 300 USB Certificate Store.
  • Integration: FortiAuthenticator can integrate with third party RADIUS and LDAP authentication systems, allowing you to reuse existing information sources. The REST API can also be used to integrate with external provisioning systems.

FortiAuthenticator is a critical system, and should be isolated on a network interface that is separated from other hosts to facilitate server-related firewall protection. Be sure to take steps to prevent unauthorized access to the FortiAuthenticator.


FortiAuthenticator on a multiple FortiGate unit network

The FortiAuthenticator series of identity and access management appliances complement the FortiToken range of two-factor authentication tokens for secure remote access. FortiAuthenticator allows you to extend the support for FortiTokens across your enterprise by enabling authentication with multiple FortiGate appliances and third party devices. FortiAuthenticator and FortiToken deliver cost effective, scalable secure authentication to your entire network infrastructure.

The FortiAuthenticator device provides an easy-to-configure remote authentication option for FortiGate users. Additionally, it can replace the Fortinet Single Sign-On (FSSO) Agent on a Windows Active Directory (AD) network.

For more information about FortiTokens, see the FortiToken information page on the Fortinet web site.

This chapter contains the following topics:

  • Before you begin
  • How this guide is organized
  • Registering your Fortinet product
  • What’s new in FortiAuthenticator 4.0

Before you begin

Before you begin using this guide, please ensure that:

  • You have administrative access to the GUI and/or CLI.

For details of how to accomplish this, see the QuickStart Guide provided with your product, or online at

  • The FortiAuthenticator unit is integrated into your network.
  • The operation mode has been configured.


  • The system time, DNS settings, administrator password, and network interfaces have been configured.

Accurate and stable system time, maintained through Network Time Protocol (NTP), is critical for the Time-based One-time Password (TOTP) method used in two-factor authentication to function correctly. See Configuring the system time, time zone, and date.

  • Any third party software or servers have been configured using their documentation.
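Why the NTP note above matters, as an added example (not from the guide and not Fortinet code): a minimal RFC 6238 TOTP verifier showing that a valid code is rejected once the server clock drifts beyond its acceptance window. The 30-second step and the window of one step are assumed RFC defaults, not documented FortiAuthenticator settings, and the secret and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, the RFC 6238 default (assumed here)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP, digits)

def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Return the step offset at which the code matched, or None if rejected.

    The server only tries steps within +/- window of its own clock, so a
    clock that has drifted further than that rejects valid codes.
    """
    base = server_time // STEP
    for off in sorted(range(-window, window + 1), key=abs):
        if base + off < 0:
            continue
        if hmac.compare_digest(hotp(secret, base + off, len(code)), code):
            return off
    return None

# Constructed sample data: the RFC 6238 test secret and an arbitrary
# timestamp that falls exactly on a step boundary.
SECRET = b"12345678901234567890"
TOKEN_TIME = 1_700_000_010

def skew_report(skews, window: int = 1) -> dict:
    """Map each server clock error (seconds) to the verification result."""
    code = totp(SECRET, TOKEN_TIME)  # what a correctly synced token shows
    return {s: verify(SECRET, code, TOKEN_TIME + s, window) for s in skews}

if __name__ == "__main__":
    for skew, result in skew_report([0, 20, -10, 45, 90, -90]).items():
        status = "rejected" if result is None else f"accepted at step {result:+d}"
        print(f"server clock error {skew:+4d}s -> {status}")
```

Widening the window hides drift at the cost of accepting older codes for longer, which is why correcting the clock source is the preferred fix.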

While using the instructions in this guide, note that administrators are assumed to have all permissions, unless otherwise specified. Some restrictions will apply to administrators with limited permissions.

How this guide is organized

This FortiAuthenticator Administration Guide contains the following sections:

  • Setup describes initial setup for standalone and HA cluster FortiAuthenticator configurations.
  • System describes the options available in the system menu tree, including: network configuration, administration settings, and messaging settings.
  • Authentication describes how to configure built-in and remote authentication servers and manage users and user groups.
  • Port-based Network Access Control describes how to configure the FortiAuthenticator unit for IEEE 802.1X Extensible Authentication Protocol (EAP) authentication methods, Bring Your Own Device (BYOD), and MAC-based device authentication.
  • Fortinet Single Sign-On describes how to use the FortiAuthenticator unit in a Single Sign On (SSO) environment.
  • RADIUS Single Sign-On describes how to use the FortiAuthenticator unit RADIUS accounting proxy.
  • Monitoring describes how to monitor SSO and authentication information.
  • Certificate Management describes how to manage X.509 certificates and how to set up the FortiAuthenticator unit to act as a Certificate Authority (CA).
  • Logging describes how to view the logs on your FortiAuthenticator unit.
  • Troubleshooting provides suggestions to resolve common problems.

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site. Many Fortinet customer services such as firmware updates, technical support, FortiGuard Antivirus, and other FortiGuard services require product registration.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “FortiAuthenticator 4.0 Introduction”

  1. vaibhav

    Is the authenticator appliance required for creating user-based policies? I mean, is it mandatory, or can we have our FortiGate integrate directly with the domain controller?

    1. Mike Post author


      You do NOT need the FortiAuthenticator in order to create policy based on your AD and users. The FortiGate can poll AD directly or you can use a polling agent from Fortinet. In my environment, the FortiGate ties directly into my AD to make things as smooth as possible. Now, with that being said, the FortiAuthenticator does give you some cool advantages. You can tie it into AD and from there allow it to perform remote self service for your users (including AD Password Resets). Thanks for the question. Please let me know if you have any others!

