Fortinet has released version 6.4.7 of FortiAuthenticator. The new release ships a self-service portal extended with the SmartConnect application (Android 10 and later) and, as usual, fixes bugs reported by administrators. Among other things, the remote LDAP object synchronization feature has been fixed and should now behave more stably, and LDAPS connectivity between FortiGate/FortiManager and FortiAuthenticator has been corrected. The 802.1X EAP-TLS crash caused by a failed memory allocation for the SSL state should no longer occur in this version. Details below.
Resolved issues:
| Bug ID | Description |
|---|---|
| 799768 | Automatic CRL download error with two identical DNs. |
| 848324 | Remote LDAP server constantly goes offline. |
| 676985 | Unable to import all FortiToken hardware tokens from the same purchase order; need to add them all manually. |
| 791347 | Internal server error 500 when viewing RADIUS account sessions, probably caused by the Called-Station-Id attribute. |
| 796493 | LDAPS connectivity issue between FortiGate/FortiManager and FortiAuthenticator. |
| 887276 | SAML IdP breaks after upgrade from 6.0.2 – 6.0.7 – 6.4.6/6.5.0. |
| 873972 | Single group is passed by FortiAuthenticator as IdP when FIDO only authentication is used in SP setting. |
| 875536 | User account extension gives CSRF token missing or incorrect. |
| 767935 | A-P cluster forms when configured from the GUI, but not when configured from the CLI unless the unit is restarted. |
| 845700 | Chained token authentication fails with self service portal. |
| 856867 | Captive Portal with iPhone CNA fails when users attempt to register. |
| 878986 | FSSO connection error: Maximum FortiGate session number reached, cannot accept new connection. |
| 851676 | HA A/A status error – In sync with anomalies. |
| 845851 | Push on FortiAuthenticator portal does not work when the username exceeds 20 characters. |
| 844295 | Unable to import Guest users using CSV format in FortiAuthenticator. |
| 820035 | After changing the FortiAuthenticator IP address, unplugging the monitored interface did not trigger HA failover. |
| 838930 | No more than 20 realms can be added in the SAML General page under Realms. |
| 875150 | Group membership is not replicated to LB when registering over a WiFi portal. |
| 842389 | Captive portal automatic login after successful user verification fails. |
| 859464 | SAML – VPN SSL authentication error: invalid_response. |
| 869341 | Unable to change remote LDAP user password via REST API. |
| 890184 | Allowed host changes in the CLI are not reflected in the GUI. |
| 861776 | Upgrade OpenSSL from 1.1.1n to 1.1.1s, then again to 1.1.1t. |
| 885476 | Tabs are being replaced with #011 in TACACS+ logs and potentially other places using syslog for centralized logging. |
| 859878 | SAML IdP- RelayState not being sent back to the SP for IAM logins. |
| 849750 | No login prompt in the HW serial console when the boot is extremely broken. |
| 889706 | FortiAuthenticator Remote user sync rules – Test filter not working if OU has special characters in name, e.g., ( , ) , +. |
| 886587 | Upgrading FortiAuthenticator previously downgraded from 6.4+ to pre-6.4 back to 6.5.0 causes factory reset. |
| 812651 | Sanitize portal name input. |
| 817819 | Unable to expand Rule Sets after collapsing it in GUI. |
| 884902 | Unable to import more than 10,000 groups from Azure via SAML in FortiAuthenticator. |
| 680776 | AP HA secondary cannot change mgmt interface access configuration, and the option does not sync from the primary either. |
| 868738 | Two FortiAuthenticator devices working in load balance mode stopped listening to port 8001. |
| 838976 | Windows log events in FSSO are dropping after some time. |
| 838918 | Despite DH modulus regeneration and device reboot, DH modulus is still equal to 2048 bits (256 bytes) instead of 4096 bits (512 bytes). |
| 850023 | HA Cluster not forming due to differing smartconnect primary key name (upgrade path mismatch, but should work). |
| 847585 | Under extensive load, FortiAuthenticator runs out of memory and TACACS+ daemon randomly crashes. |
| 838878 | Cisco WLC portal fails (callback to 192.0.2.1). |
| 847599 | 802.1x EAP-TLS crashed with error eap_tls: ERROR: Error allocating memory for SSL state. |
| 857630 | FortiGate CRL renewal over SCEP via FortiAuthenticator not working anymore. FortiGate failing with SCEP result=1: response is in wrong format. |
| 859062 | Multiple 'ERROR running' messages appear when upgrading the firmware from v6.4.3 to v6.4.6. |
| 873050 | 403 Forbidden is shown while performing SAML authentication after OAuth succeeds. |
| 880495 | Allow OTP for EAP-MSCHAPv2 Authentication with FortiClient feature does not toggle off on the GUI. |
| 868146 | Emergency Token is not displayed on the GUI when Yubikey is assigned. |
| 885471 | LB off-by-one issue in the change log processing logic. |
| 880038 | disk_discovery.sh cannot find OSDISK / firmware drive with enlarged partitions. |
| 881575 | FortiAuthenticator outbound email should permit partial chain certificate validation. |
| 881926 | Email verification template is missing from the legacy user registration. |
| 872981 | Remote LDAP clients cannot verify server certificates signed by Let's Encrypt and potentially other CAs with multiple chain paths. |
| 875835 | db_listener failure if the JSON contains an unescaped string. |
| 769183 | FortiAuthenticator VMs need greater resiliency/improved recovery when connectivity is lost to remote data drives. |
| 862716 | OAuth tokens can be verified with an invalid client id. |
| 841415 | [3rd party component upgrade required for security reasons] FortiAuthenticator– linux_kernel to 4.9.312/4.14.277/4.19.241/5…. |
| 852453 | [3rd party component upgrade required for security reasons] FortiAuthenticator– vmware-tools or open-vm-tools to 12.1.5. |
| 816176 | Renaming a portal back to its original name fails and triggers a 500 error on self-service portal user login. |
| 860292 | Custom RADIUS user attribute is not syncing over in HA LB setup. |
| 870097 | Machine authentication cache expiry. |
| 861611 | Smart Connect for Android running on version 12 and 13 never installs the configuration profile. |
| 849395 | TACACS+ AVPs order could prevent sending some AVPs even if those are set as mandatory. |
| 878828 | After a reboot, FortiAuthenticator shows 500 Internal Server Error when synchronizing hardware tokens. |
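Bug 889706 above (the remote user sync rule's Test filter failing on OU names containing parentheses, commas or plus signs) is a question of which escaping rules apply where: "(" and ")" are special inside a search filter (RFC 4515), while "," and "+" are special inside a distinguished name (RFC 4514), and a value must be escaped for the context it is placed in. The same escaping is what stops LDAP filter injection when the value comes from user input. The code below is an added example written for this page, not FortiAuthenticator's own code; the OU path, domain and usernames are constructed.

```python
"""Escape untrusted values for LDAP search filters (RFC 4515) and DNs (RFC 4514).

Added example, not vendor code. The sync-rule inputs used at the bottom are
constructed to mirror the OU names that bug 889706 above trips over.
"""

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# RFC 4514 section 2.4: characters that need a backslash anywhere in an RDN value.
_DN_SPECIAL = set('"+,;<>\\')


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot change the structure of a filter."""
    # Single pass over the characters: the backslash is mapped together with the
    # others, so an already-escaped sequence can never be escaped twice.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN such as OU=<value>.

    Parentheses are NOT special here; they stay literal in a DN and are only
    a problem once the same name is pasted into a filter.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:            # a leading '#' would be read as a hex string
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_base_dn(ou_path: list, domain: str) -> str:
    """Build 'OU=leaf,...,OU=root,DC=example,DC=com' from raw OU names.

    ou_path is ordered from the root OU down to the leaf OU.
    """
    rdns = ["OU=" + escape_dn_value(ou) for ou in reversed(ou_path)]
    rdns += ["DC=" + escape_dn_value(label) for label in domain.split(".")]
    return ",".join(rdns)


def build_user_filter(username: str) -> str:
    """Filter selecting one person entry by uid; username is untrusted input."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(username)


if __name__ == "__main__":
    # Constructed sync-rule inputs.
    print(build_base_dn(["Sales (EMEA), Team+A", "Users"], "example.com"))
    print(build_user_filter("j.doe"))
    # An injection attempt such as "*)(uid=*" is neutralised by the escaping.
    print(build_user_filter("*)(uid=*"))
```

The two functions are deliberately separate: a name that is safe in a DN ("Sales (EMEA)") still needs hex-escaping before it can appear in a filter, and a name that is safe in a filter ("Team+A") still needs a backslash before it can appear in a DN.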
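Bug 885476 above (tabs arriving as #011 in TACACS+ logs forwarded over syslog) is the usual rsyslog behaviour of escaping control characters in a received message as "#" followed by the character's three-digit octal code; a tab (octal 011) is the one that shows up in tab-separated accounting records. For logs already collected, or for devices still on an older build, the escapes can be reversed at ingest. The normalizer below is an added example written for this page, not Fortinet's code; the tab-separated AV-pair layout and the sample line are constructed assumptions, not captured device output.

```python
"""Reverse rsyslog-style '#NNN' control-character escapes on log ingest.

Added example, not vendor code. Assumption: the affected TACACS+ accounting
records are tab-separated attribute=value pairs and the forwarding syslog
daemon replaced each tab with '#011'. SAMPLE_LINE below is constructed.
"""
import re

_OCTAL_ESCAPE = re.compile(r"#([0-7]{3})")


def decode_syslog_control_escapes(line: str) -> str:
    """Turn '#NNN' back into the control character it stands for.

    Only codes below 0o40 (space) and 0o177 (DEL) are decoded, i.e. exactly
    the range a syslog daemon escapes, so a literal '#123' inside a command
    argument or ACL name is left untouched.
    """
    def _sub(match):
        code = int(match.group(1), 8)
        if code < 0o40 or code == 0o177:
            return chr(code)
        return match.group(0)
    return _OCTAL_ESCAPE.sub(_sub, line)


def parse_tacacs_accounting(line: str) -> dict:
    """Split a (constructed) TACACS+ accounting line into key/value fields.

    The line must be decoded first: with the tabs still encoded as '#011'
    the whole record is one field and the split yields nothing useful.
    """
    decoded = decode_syslog_control_escapes(line)
    fields = {}
    for avp in decoded.split("\t"):
        if "=" in avp:
            key, _, value = avp.partition("=")
            fields[key.strip()] = value.strip()
    return fields


# Constructed sample: what a SIEM would receive for one accounting event.
SAMPLE_LINE = (
    "user=netadmin#011task_id=42#011service=shell#011"
    "cmd=configure terminal#011priv-lvl=15#011acl=#123"
)

if __name__ == "__main__":
    for key, value in parse_tacacs_accounting(SAMPLE_LINE).items():
        print("%-9s %s" % (key, value))
```

Restricting the decoder to the control-character range is the important design choice: a naive replacement of every "#NNN" would corrupt values such as the "acl=#123" field in the sample, while the encoded tab in the undecoded line would otherwise make the "cmd" field invisible to a detection rule keyed on it.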
Known issues:
| Bug ID | Description |
|---|---|
| 883323 | Removing and re-adding an OAuth portal with the same name causes Error 500. |
| 855618 | Unable to delete local user accounts in Safari browser. |
| 869560 | A-P, SNMP/Syslog updates do not take effect on the passive node when HA is started from the CLI. Reboot may fix it. |
| 804238 | FortiAuthenticator 6.4.1 GA SAML logout fails. |
| 795271 | E-mail address does not appear in the logs after social login authentication. |
| 811662 | FortiAuthenticator IdP gives error 403 when returning to SP after registering on the self-service portal. |
| 849083 | FortiAuthenticator search request rejected by 389 Directory Server. |
| 850846 | SFTP server is not working with a long password. |
| 750134 | FortiAuthenticator as an LDAP server cannot export admin users from a local user base. |
| 757460 | Enable Django auto-translation for any end-user pages. |
| 689329 | FortiAuthenticator is unable to resolve username if the primary LDAP connection is down. |
| 809353 | Country code selection for guest portal user registration on iOS selects incorrect country prefix. |
| 791127 | FortiAuthenticator sometimes (randomly) fails to send email notifications. |
| 831114 | Ukrainian language pack is added but the legacy self-service portal shows some parts in English and some in Ukrainian. |
| 831700 | RSSO sessions are getting logged Off/flushed from FortiAuthenticator. |
| 866019 | OAuth: Attribute Error- NoneType object has no attribute id. |
| 815897 | Unable to import LDAP user from the GUI by using IBM Lotus Domino LDAP. |
| 787013 | Changing the username attribute will cause the remote sync rule to remove existing remote users and eventually re-import them. |
| 836086 | Revoked intermediate CAs are still shown in the GUI as counting against the license. |
| 846587 | Check the reason for FortiAuthenticator deleting a remote LDAP user. |
| 830386 | Users Audit Report does not update timestamps in the Last Used column for EAP-TLS authentication used for wireless. |
| 773020 | Revoking of certificate is not being seen with OCSP until FortiAuthenticator reboots. |
| 849851 | Captive portal guest registration incorrect workflow. |
| 767745 | SNMP facSysCpuUsage returns wrong type. |
| 801009 | Remote SAML user sync rule creates one log entry for every SAML user assigned a FortiToken Mobile every time the SAML sync occurs. |
| 855080 | Importing RADIUS client from a CSV file fails when the password has special characters. |
| 849700 | FortiAuthenticator does not follow best practices for the certificate SN length. |
| 864148 | First login attempt fails with SAML SP with the error: username is missing in SAML assertion attributes. |
| 825665 | Wrong client IPv4 attribute for Fortinet SSO Methods > SSO > RADIUS Accounting Sources. |
| 826424 | Registering an already existing username on the legacy self-service portal triggers 500 error. |
| 827702 | FortiAuthenticator vulnerability assessment: outdated jQuery version and missing HTTP security headers requested to be fixed. |
| 829318 | Users and Devices permission set does not allow importing remote LDAP users. |
| 773083 | Enable/disable FortiToken Cloud push notification button shuts down all the authentication methods of FortiToken Cloud MFA in the Authentication/Radius Services/Policies page. |
Vendor release notes: FortiAuthenticator 6.4.7
Regards,
B&B Team
Security in business
