On 4 January 2018 the vendor released a new version of FortiAuthenticator, 5.2.0.
The changes cover the following areas:
The following new features are introduced for Guest Portals in this release:
Login disclaimer
To increase parity with captive portal offerings, the guest portal can now present a disclaimer that the end user must accept before proceeding to the login page. The disclaimer is enabled in the Pre-login Services section of the portal configuration under Authentication > Guest Portals > Portals. The disclaimer page is a new guest portal replacement message, "Login Disclaimer Page", configurable under the Authentication section. This new replacement message has the same description and HTML code as the one for the legacy captive portal (Authentication > Guest Portals > Replacement Messages).
Exceeded usage handling (446146)
Previously, when a user exceeded their utilisation profile, a disconnect message was sent from the FortiAuthenticator (FAC) to the FortiGate (FGT). The user was then disabled on the FAC and could not log back in. This feature lets the administrator configure a notification that tells the user why they have been disconnected (their usage profile has been exceeded) and provides a mechanism for the user to request a usage extension. The Request Usage Extension button emails a notification to an address pre-configured under Authentication > Guest Portals > Portals. The GUI checks the lockout reason to decide whether to display this alternate message to the user. As part of remediation, the administrator now also has the option to clear the usage data associated with a user.
Smart Connect Profiles
This feature provides the ability to set up network settings (such as WiFi configuration) on an endpoint by downloading a script or an executable, depending on the endpoint's OS, from the FAC's guest portal. Smart Connect appears as a new button on the guest portal's post-login main page. When the user clicks it, they are offered a self-install file for the OS of their choice. In this initial release, iOS and macOS are supported.
Social login
To further increase parity with legacy captive portals, social login is added to the guest portal feature under Authentication > Guest Portals > Portals. To allow specific RADIUS attributes to be returned for successful social login authentications, the Profile Configuration table now lets you specify, per RADIUS client, the user group to use for social (and device-only) logins. This user group field is optional, even when social or device-only login is enabled. A few relevant Replacement Messages have been added:
- Social Login Page: HTML for the login page when social login is enabled.
- Social Mobile/Email Verification Page: HTML for the guest to enter a mobile number or email address for login using mobile or email verification.
- Social Mobile/Email Verification Message: message sent to the user for mobile or email verification.
- Social Email Verification Page: HTML for the email verification page.
- Social Mobile Verification Page: HTML for the mobile number verification page.
- Social Network Plus FAC Accounts: HTML for the guest portal social authentication login page, which also includes the simple login page.
Which page is shown depends on what is enabled: when only Account Login is enabled, the guest portal presents the existing "Login Page" replacement message; when Social Login alone is enabled, it presents the new "Social Login Page" replacement message; when both Account Login and Social Login are enabled, it presents the new "Social Network Plus FAC Accounts" replacement message.
Device-only authentication
The option to perform device-only authentication on guest portals has been added under Authentication > Guest Portals > Portals.
By default, User credentials is selected. When the Device only (MAC address) option is selected, the "MAC device HTTP parameter" option must also be configured, and the endpoint is not presented with the login page.
Instead, the FAC uses only the endpoint's MAC address for authentication. If the associated RADIUS client profile has MAC device filtering enabled, the MAC address is authenticated according to those settings. If MAC device filtering is disabled, any MAC address is accepted.
A new guest portal Replacement Message is introduced accordingly:
- Unauthorized Device Page: HTML page presented on a failed device-only authentication attempt.
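The decision described above, modeled as a small Python routine. This is an added example written for this page, not FortiAuthenticator code: the field names (device_only, mac_http_param, mac_filtering, allowed_macs) and the portal/profile objects are assumptions standing in for the GUI settings named above, and the sample MAC addresses are constructed. It goes slightly beyond the text in two ways: it normalizes the MAC formats a redirect may carry (colon, dash, dot or bare hex), and it makes the filtering-disabled case explicit, since the MAC arrives in an HTTP parameter the client itself can set.

```python
import re
from dataclasses import dataclass

# Hypothetical model of the device-only decision; not FortiAuthenticator code.
# Accepts the MAC spellings commonly seen in HTTP redirects:
# aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and aabbccddeeff.
_SEPARATORS = re.compile(r"[:\-.]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str):
    """Return the MAC in lowercase colon-separated form, or None if it is not a MAC."""
    hexonly = _SEPARATORS.sub("", raw.strip()).lower()
    if not _HEX12.match(hexonly):
        return None
    return ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class RadiusClientProfile:
    """Subset of a RADIUS client profile used here (assumed field names)."""
    mac_filtering: bool                     # the "MAC device filtering" toggle
    allowed_macs: frozenset = frozenset()   # normalized MACs registered on the FAC


@dataclass(frozen=True)
class GuestPortal:
    """Subset of a guest portal configuration (assumed field names)."""
    device_only: bool        # False = "User credentials", True = "Device only (MAC address)"
    mac_http_param: str      # the configured "MAC device HTTP parameter" name
    profile: RadiusClientProfile


def device_only_decision(portal: GuestPortal, http_params: dict):
    """Decide what the portal does for one request.

    Returns (outcome, reason) where outcome is "login_page", "granted" or
    "unauthorized" (the last one maps to the Unauthorized Device Page).
    """
    if not portal.device_only:
        return "login_page", "credentials mode: present the Login Page"

    raw = http_params.get(portal.mac_http_param)
    if raw is None:
        return "unauthorized", f"MAC parameter {portal.mac_http_param!r} missing from request"

    mac = normalize_mac(raw)
    if mac is None:
        return "unauthorized", f"MAC parameter is not a valid MAC address: {raw!r}"

    if not portal.profile.mac_filtering:
        # Caveat: the MAC is a client-supplied HTTP parameter, so with filtering
        # disabled every endpoint gets through and the portal is effectively open.
        return "granted", f"MAC filtering disabled: any MAC accepted ({mac})"

    if mac in portal.profile.allowed_macs:
        return "granted", f"MAC {mac} is registered"
    return "unauthorized", f"MAC {mac} not registered: show Unauthorized Device Page"


if __name__ == "__main__":
    # Constructed sample configuration and requests.
    profile = RadiusClientProfile(mac_filtering=True,
                                  allowed_macs=frozenset({"aa:bb:cc:dd:ee:ff"}))
    portal = GuestPortal(device_only=True, mac_http_param="mac", profile=profile)
    for params in ({"mac": "AA-BB-CC-DD-EE-FF"}, {"mac": "00:11:22:33:44:55"}, {"mac": "nope"}, {}):
        print(params, "->", device_only_decision(portal, params))
```

If you enable Device only (MAC address) on a portal, check that the associated RADIUS client profile actually has MAC device filtering turned on; otherwise the portal grants access to whatever MAC the request carries.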
REST API enhancements
In preparation for an upcoming AaaS feature called FortiAuthentication Service (FAS), the REST API is enhanced to handle pushauth requests originating from FAS clients.
Configurable password renewal notification (376122)
Password renewal notification timing is now configurable. Previously the notifications were hardcoded to be sent 14, 7, 3 and 1 days before password expiry. The option to configure any other combination of days (other than the defaults of 14, 7, 3 and 1) can be found under Authentication > User Account Policies > Passwords > User Password.
Remote logging using IPv6 (424243)
Added support for IPv6 remote logging to FortiAnalyzer and syslog servers.
FSSO: IPv6 support (367159)
Added support for injecting IPv6 addresses through Syslog-to-FSSO and API-to-FSSO (IPv6 addresses are no longer rejected by the backend parsing engine). In addition to Syslog and API, IPv6 is also implemented for RADIUS accounting, the SSO login portal, Kerberos, FortiClient Mobility Agent and Windows AD event polling. Support for the DC/TS agent is ready, but the agents were still being developed at the time of release.
FTM: New PIN policy option
Two new options for the PIN policy are now offered (in addition to the "Not required" option) under System > Administration > FortiGuard > FortiToken Mobile Provisioning:
- The user has the option to set an App PIN and to delete it. If the user does not set an App PIN, or deletes it, FTM opens without any protection because it has no app protection.
- The user must set an App PIN and cannot delete it. The user is always asked to enter the App PIN or use TouchID, depending on the settings in the app.
The vendor also shipped the following fixes:
Bug ID  Category             Description
466311  RADIUS auth          Enable Windows AD authentication not working as expected
462369  RADIUS auth          802.1X auth failing on Windows 10 when logging in as remote users using Windows AD domain authentication
466176  FSSO                 RADIUS accounting daemon can crash for short-lived sessions when the user is disabled
450139  FSSO                 FAC RSSO to SSO processing issues and signal 11 crashes of FSSO
451789  FSSO                 RSSO not working with sub-domain user via Global Catalog
450441  FSSO                 Secondary LDAP server is not used for RSSO group resolution
458772  FSSO                 FAC removes a logged-in user if it detects more than one IP address assigned to the same user
462849  FSSO                 Event ID 4624 network logons (type 3) are caught by FSSO and cause user logouts/flapping on workstations
464454  FSSO                 FortiGate SSO monitoring fails when strong crypto is enabled
463168  FAC Agent – Windows  B0012: FAC Agent 2.0.2 for Windows receiving 400 Bad Request when attempting GetOfflineTokens
463550  FAC Agent – Windows  Offline token REST API doesn't support identical usernames across realms (same-kind)
464584  FAC Agent – Outlook  OWA Agent setting allowing users without assigned tokens to authenticate is broken for blank token
433858  FAC-VM               VMware ESXi: virtual serial port does not work
462131  LDAP                 Strong crypto for 389 & 636 (LDAP & LDAPS)
456167  Guest Portal         Support guest portal token bypass when RADIUS client set to use CHAP/MSCHAP/MSCHAPv2
455699  Guest Portal         Guest portal login fails when using FortiCloud with push notifications
458132  GUI                  FAC does not accept email address with TLD longer than 6 characters
463586  GUI                  Loading RADIUS Sessions page (under Monitor section) gives a system error
457316  GUI                  FortiAuthenticator – CVE-2016-2183 SSL/HTTP and SSL/FSAE are vulnerable to Sweet32
461579  GUI                  Firmware version – patch not updated in 5.1.1 and 5.1.2
463650  GUI                  Keytab cannot be imported – Invalid keytab file
409345  GUI                  When the "Self-service Portal" is enabled, a user (remote user) with admin access cannot log into FAC with 2FA
412675  SSH                  OpenSSH 7.6 release
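Bug 457316 closes CVE-2016-2183 (Sweet32: 64-bit block ciphers such as 3DES) on the HTTPS and FSSO listeners, and 462131 tightens the LDAP/LDAPS side. A quick post-upgrade check, as an added example that is not part of the vendor's notes: offer the listener only 64-bit-block cipher suites and see whether it accepts any. The hostname is a placeholder, and the assumption that the GUI listens on 443 and the FSSO collector on TCP 8000 is mine; the `@SECLEVEL=0` cipher-string suffix needs OpenSSL 1.1 or later, and the classifier handles both OpenSSL and IANA suite names.

```python
import re
import socket
import ssl

# Suite names that use a 64-bit block cipher (3DES, single DES, IDEA, RC2).
# Matches OpenSSL names (DES-CBC3-SHA) and IANA names (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
# while leaving AES/ChaCha suites alone.
_BLOCK64 = re.compile(r"(^|[_-])(3?DES|IDEA|RC2)([_-]|$)")

# OpenSSL cipher string offering only 64-bit-block suites. @SECLEVEL=0 is needed
# because current OpenSSL builds refuse them at the default security level.
SWEET32_CIPHERS = "3DES:DES:IDEA:RC2:@SECLEVEL=0"


def is_sweet32_affected(cipher_name: str) -> bool:
    """True if the suite name denotes a 64-bit-block cipher (Sweet32-relevant)."""
    return _BLOCK64.search(cipher_name.upper()) is not None


def negotiated_64bit_block_cipher(host: str, port: int, timeout: float = 5.0):
    """Offer only 64-bit-block suites and report what the server picks.

    Returns the negotiated suite name if the server accepted one (still
    vulnerable), "" if the handshake was refused (good), or None if the local
    OpenSSL cannot offer these suites at all (inconclusive; use another scanner).
    Network errors other than a TLS failure propagate to the caller.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # probing ciphers, not server identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 has no 64-bit-block suites
    try:
        ctx.set_ciphers(SWEET32_CIPHERS)
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name = tls.cipher()[0]
    except ssl.SSLError:
        return ""
    return name if is_sweet32_affected(name) else ""


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "fac.example.internal"  # assumed hostname
    for port in (443, 8000):   # HTTPS GUI and FSSO collector ports (assumed)
        print(f"{host}:{port} -> {negotiated_64bit_block_cipher(host, port)!r}")
```

An empty string for both ports means the listener refused every 64-bit-block suite; a suite name means it still negotiates one; None means the local OpenSSL build could not offer those suites and the result is inconclusive.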
The full version of the vendor's document is available at the following link: Release notes
Bezpieczeństwo w biznesie