The latest version of FortiAuthenticator, numbered 6.2.0, has just been released by the vendor! Among other features, this update adds user certificate filtering to the FortiAuthenticator REST API and a configurable delimiter character for FSSO group membership. It also adds a search field for enrollment requests, which finds SCEP enrollment requests whose subject fields match the input search string, and LDAP group filter support for remote RADIUS realms. This version of FortiAuthenticator also adds 2FA support for Windows via SMS / e-mail.
Resolved issues:
| Bug ID | Description |
|---|---|
| 449443 | FortiAuthenticator Agent For Microsoft Windows does not display the user credentials when access the server through RDP. |
| 481255 | Gpart root shell implant against VM appliances. |
| 530392 | Cannot log in with social users on guest portal if their account has expired. |
| 548527 | Cannot unlock a user account that has been locked due to repeated invalid password entry from User Lookup page. |
| 548689 | Don’t delete a revoked local service cert until expiry. |
| 567598 | FortiAuthenticator doesn’t check that converted-format organization image meets file size requirements. |
| 571782 | Misc-Reverse-Tabnabbing. |
| 573346 | FortiAuthenticator delays forwarding authentication request to remote RADIUS. |
| 575128 | Allow deletion of imported Local Service certificates. |
| 575261 | RADIUS authentication is successful when using an invalid realm. |
| 578190 | Cancel button does not work throughout creation of a Guest Portal Smart Connect Profile. |
| 580360 | OK button doesn’t do anything under when importing an SSO User. |
| 583516 | Gateway timeout error when downloading user audit report. |
| 587113 | RADIUS daemon needs to be restarted after adding a custom dictionary. |
| 587370 | Make it easier to use strings with RADIUS attributes of OCTETS type. |
| 596985 | Anonymous PEAP/TTLS issues. |
| 598856 | Cannot revoke localservices cert with Remote CA issuer. |
| 600388 | CVE-2019-9193 postgresql allow run system commands through COPY SQL command. |
| 604222 | Use bcrypt hash for initial blank admin password after factory reset. |
| 604270 | HTTP access logs doesn’t include the source IP address. |
| 604496 | CLI "exec restore" and "exec backup" commands appear not to check permissions. |
| 607920 | Unable to add some RADIUS attribute types to Custom Dictionaries. |
| 609383 | Update VMware OVF – Provide HW13 or HW14 profile. |
| 610318 | Using X-Forwarded-For header to verify source IP allows spoofing and inaccurate logging. |
| 610360 | FortiAuthenticator agent doesn’t send the domain information once checking the token code. |
| 610790 | Admin user without permissions trying to enter local page/guest users page will crash. |
| 610792 | Admin Profile with read and write access to widget cannot access Locked Out Users. |
| 610827 | Social Login users should show how many more available users can be created. |
| 611424 | Group membership is currently "+" delimited. Move or provide option to use "," as the delimiter. |
| 611722 | FortiAuthenticator as LDAP server changing existing LDAP local user UID and select more GUI crashes. |
| 612955 | HA status page no response if anomalies are very large. |
| 613996 | Nested group search fix for SAML IdP. |
| 614105 | Reboot required prompt when loading or changing FortiClient license. |
| 614673 | Remote User Sync Rule preview mapping for mobile number shows attribute even if field is incorrectly formatted. |
| 617282 | FTM Token activated in mobile app has inaccurate issuer info. |
| 617890 | REST API – Cannot retrieve complete schema of everything. |
| 619070 | Exposed HA maintenance mode on CLI. |
| 620314 | Last login time for remote users not updated on standalone primary after logins on load balancers. |
| 620496 | Typo in HTML doc on infosite. |
| 621089 | RADIUS accounting response not being sent from FortiAuthenticator to a second client if another RADIUS client is added first. |
| 622299 | HA coordinated upgrade should not show up for load balancing. |
| 623421 | FortiAuthenticator 6.1.0 RUSR GUI – add user group. |
| 624293 | FortiAuthenticator displays UTC instead of configured time. |
| 625179 | Admin profiles permission sets Users and Devices unable to add remote LDAP users. |
| 626438 | CRL link displayed on the cert creation page for cert signed by intermediate certificate is improperly formatted. |
| 626926 | Remote User Sync Rule downgrades the role of a local admin with identical username. |
| 627230 | FTM Push for SSLVPN Fails, not possible see push notification in mobile. |
| 627608 | GUI log search in /debug section always returns "No results found". |
| 628027 | While downloading the debug logs from Web GUI getting "Gateway timeout" error message. |
| 628649 | Upgrades with a lot of social users is very slow. |
| 629370 | HA communication doesn’t work over networks with effective MTU smaller than 1500 bytes. |
| 630044 | Request for a single-page config overview for RADIUS and Portal policies. |
| 631603 | Refreshing Access Token for fabric API causes Django crash. |
| 632033 | Unable to change local user password after upgrade – "You do not have permission to perform such operation". |
| 632109 | Unable to "set and email random password" when creating new user. |
| 634017 | PSKC Output shows HOTP when in fact token is TOTP. |
| 634215 | FortiAuthenticator adds escape character (backslash) to SMS gateway when HTTP is used. |
| 634637 | Unable to list Social Login Users: "An error has occurred". |
| 634783 | SAML unable to download metadata until the form is saved. |
| 637162 | Removed Certificate is still included in a Smart Connect Profile. |
| 637625 | Change default user retrieval selection to "Set a list of imported remote LDAP users" in new user group menu. |
| 637998 | REST API for localusers stopped working. |
| 638359 | Social login captive portal login page showing default HTML instead of customized one. |
| 638885 | AD authentication failed if cleartext password with character ” received by FortiAuthenticator. |
| 638970 | Heartbeat interval and lost threshold doesn’t get edited on first HA connection. |
| 639366 | Load balancer goes out of sync for FTM continuously. |
| 639601 | 802.1x authentication failing with "request queueing too long and discarded". |
| 639724 | Close button on sync attributes help dialog doesn’t work. |
| 639937 | PoV issue with Certificate Binding CA in Remote LDAP user sync rule not showing up. |
| 642052 | Organization validation. |
| 642056 | Show FTM info to help with troubleshooting push. |
| 642961 | DCAgents marked as offline randomly in SSO Monitor. |
| 644618 | Second OTP screen should be bypassed if the user or the usergroup is exempted. |
| 644657 | GET, POST, DELETE methods are not working for RADIUS attributes. |
| 645705 | Spelling error on SMTP Test Connection Dialog. |
| 645983 | Syslog SSO service does not start unless FortiAuthenticator is rebooted. |
| 646901 | User with admin role cannot import users from remote LDAP. |
| 647160 | Not able to bind trusted CA to remote user if no local CA is created. |
| 647329 | FortiAuthenticator Windows Agent not honoring 2FA group exemption. |
| 647500 | User look up fails to show information of a locked user. |
| 648441 | Routing configuration changes when rebooting Azure VM. |
| 649141 | Unable to update certificate. |
| 652079 | SAML IdP – Signature verification of SP request fails. |
| 652254 | CLI login always times out after FortiAuthenticator boots up during authentication. |
| 652279 | API: Make realm input case-insensitive. |
| 655804 | FortiAuthenticator is sending FSSO logoffs to FGT when receiving the same user info again from TS-agent. |
| 657660 | Upgrading standalone primary unit from 6.0.4 to 6.1.2 gets stuck in "Loading /rootfs.gz…ok". |
| 658148 | Remote User with the same username different DN override. |
| 658152 | Importing FortiToken FTK211 seed file gets error "unable to decrypt seed for FortiToken". |
| 659131 | Oauth Api TFA Broken, various issues after Django upgrade. |
| 663132 | User is locked out after one failed OTP login where it’s configured to three. |
Known issues:
| Mantis ID | Description |
|---|---|
| 526202 | FortiAuthenticator does not check if signature of CSR is valid. |
| 543729 | RADIUS client service not working after upgrade. |
| 586570 | FortiToken self-reprovision fails when token does not belong to product, allows user/admin to login without 2FA. |
| 588346 | An expired certificate is delivered toward Wifi authenticated users. |
| 589219 | Multiple DC’s Kerberos traffic after FortiAuthenticator joining the domain with local DC. |
| 600509 | FTM Push "Accept" shouldn’t fail because it’s already been accepted. |
| 601883 | Test SMS doesn’t work in adding a gateway. |
| 602707 | Can not add multiple alternate DNS names into certificate for user certificates. |
| 604156 | Packet captures on OCI often seem to be corrupt. |
| 604924 | SAML SSO/Proxy metadata download fails with "invalid_xml". |
| 606562 | FortiAuthenticator rejects certificate signing request from FortiGate client with invalid password error. |
| 616181 | SAML IdP – Post-login debug page does not show relevant SAML attributes. |
| 620127 | Changing from maint-mode-no-sync to maint-mode-sync doesn’t appear to restore syncing. |
| 628815 | Remote SAML user import from Azure AD fails Authorization issue. |
| 630041 | FAC FSSO – TS Agent sessions stuck at zero after server reboot until FSSOTA service is restarted. |
| 631600 | SCEP request by certmonger can’t be recognized by automatic enrollment request. |
| 632411 | Crash when setting non-blank password that doesn’t comply to password policy rule. |
| 632629 | Smart Connect WPA2-Personal profile fails when WPA2-Enterprise settings are left in place. |
| 634084 | Cannot export third party signed certificate with private key when CSR is generated locally on FortiAuthenticator |
| 635893 | Change password not working with Checkpoint VPN when 2FA is enabled. |
| 637040 | HA Status showing "out of sync" when load balancer has synced user changed to role Admin. |
| 640048 | FortiAuthenticator failed to load the license. |
| 643334 | If MAC filter is enabled, but the configured RADIUS attribute is missing from the packet, we deny the authentication. |
| 646299 | Nutanix AHV KVM based Hypervisor FortiAuthenticator upgrades from 6.0.4 to 6.1.x and hangs on "Waiting for Database". |
| 646764 | CLI "get disk * " commands fail on KVM. |
| 652072 | LDAP user password expired, user not prompted for RSA Token code (chained Token Authentication). |
| 655350 | The lockout policy does not appear to apply to username/token submissions to the /auth API endpoint. |
| 657522 | 0396: SAML Authentication Fails When AD Display Name Contains a Comma (,) and User has Admin Role |
| 660357 | FSSO FGT IP Filter ignored when Global Group Prefilter is enabled |
| 660851 | Force password change on next logon produces 403 forbidden with local user after login to selfservice or captive portal |
Regards,
The B&B Team
Security in Business
