Fortinet, producent oprogramowania, przedstawił najnowsze wydanie FortiAuthenticator 6.6.0, które wprowadza istotne innowacje w obszarze FSSO i poprawia działanie z RADIUS. Aktualizacja rozwiązuje problemy, takie jak błędy przy imporcie użytkowników z FortiGate do FortiAuthenticator oraz ryzyko utraty pulsu HA z powodu dużego ruchu DNS związanego z FSSO. To kroki naprzód w doskonaleniu funkcjonalności i stabilności platformy a więcej informacji można znaleźć w artykule poniżej.
FortiAuthenticator can now mark some of the remote LDAP groups to be included in FSSO.
When creating or editing a remote LDAP user group in Authentication > User Management > User Groups, a new Include for FSSO option is available. The option is available only when User retrieval is set to Set a list of imported remote LDAP users. The option is disabled by default.
Also, FortiGate filters now include FortiAuthenticator LDAP groups (remote LDAP user groups with User retrieval set to Set a list of imported remote LDAP users). When creating or editing a FortiGate filter in Fortinet SSO Methods > SSO > FortiGate Filtering, selecting the Select from SSO users/groups option in the SSO Filtering Objects pane offers a new Remote LDAP Groups option to select the FortiAuthenticator LDAP groups.
The feature can be enabled/disabled using the new Include locally-defined remote LDAP groups option (disabled by default) in the User Group Membership pane in Fortinet SSO Methods > SSO > General.
A new Trigger push without RADIUS challenge (warning: NOT recommended if using with FortiGate RADIUS clients) option (disabled by default) available when creating a RADIUS policy in Authentication > RADIUS Service > Policies.
When the option is enabled, FortiAuthenticator triggers the FortiToken Mobile push notification once the password is verified without requiring the end-user to respond „push” to a RADIUS challenge.
When creating or editing a relying party in Authentication > OAuth Service > Relying Party, a new Authorization code with PKCE authorization grant type is available when the Client type is Public.
codeWhen this grant type is selected, FortiAuthenticator applies the following modifications to the standard Authorization code grant type:
client_secretfield is ignored in requests to the
code_challengefields are required in requests to the
- A new
code_verifierfield is required in the requests to the
- FortiAuthenticator rejects requests to the
/oauth/token/endpoint if the SHA256 digest for
code_verifierdoes not match the
code_challengeprovided when the
codewas issued by the
The following new fields have been introduced to the
The following new fields have been introduced to the
FortiAuthenticator now offers a new No authentication authentication type when creating or editing a captive portal policy. For the new No authentication authentication type you do not require login credentials.
When creating or editing a usage profile in Authentication > User Management > Usage Profile, a new Max. devices per user option is available in the Devices pane.
The option allows you to set the maximum number of different MAC device addresses allowed concurrently for every user in the active RADIUS accounting sessions.
By default, the Max. devices per user is set to
0. When set to
0, MAC devices control is disabled, i.e., there is no limit on the number of concurrent MAC devices per user.
Also, RADIUS attribute for user IP and the RADIUS attribute options previously available in Authentication > RADIUS Service > Policies are now available in Authentication > RADIUS Service > Clients.
Login session timeout in Authentication > SAML IdP > General can now be configured with a value between 5 minutes to 120 days.
Custom fields configured in Authentication > User Account Policies > Custom User Fields are now available in the User attribute dropdown in the Assertion Attributes pane in Authentication > SAML IdP > Service Providers.
The portal configuration settings in Authentication > Portals > Portals now includes a new Remove MAC devices after option to control the MAC device expiry.
By default, the option is set to 7 days (1 – 365 days).
The HA configuration page in System > Administration > High Availability now offers new Synced settings (load-balancing) to select which subsets of the configuration to include in the LB HA sync. Synced settings (load-balancing) is available only when the Role is Standalone Primary.
FortiAuthenticator user audit reports generated from Logging > Audit Reports > Users Audit now include a new Only include administrator & sponsor accounts option. Enabling the option allows you only to include administrator and sponsor accounts in the user audit report.
The following new columns are included in the CSV file generated as part of the audit report:
FortiAuthenticator now allows you to migrate FortiToken Mobile tokens from a FortiToken Mobile license to FortiToken Cloud using the following CLI command:
execute fortitoken-cloud ftm-migrate <FTM license number>
FortiAuthenticator now provides CMPv2 server functionality.
CMPv2 is a Certificate Management Protocol designed by Safenet for the secure signing of digital certificates and complete certificate life cycle management.
A new CMP menu is available in Certificate Management. CMP contains the following two tabs:
- Enrollment Requests
FortiAuthenticator now supports SCIM client service.
You can now configure a SCIM service provider in Authentication > SCIM > Service Provider.
A new IAM login option in the Identity sources tab to enable IAM logins when configuring an OAuth policy in Authentication > OAuth Service > Policies.
When creating or editing an OAuth relying party, you can now include OIDC claims that return IAM account name, IAM account alias, and/or IAM username when the grant type is Authorization code (with/without PKCE).
The OAuth login page (Login Page replacement message) now offers a Sign-in as IAM user link when IAM login is enabled.
The OAuth service now offers a new OAuth IAM Login Page replacement message used as the login form when the Sign-in as IAM user link is clicked on the OAuth login page.
The following new fields have been introduced to the
When editing the SSO configuration in Fortinet SSO Methods > SSO > General, a new Username attribute field is available. When the Username attribute field is configured, the attribute value is obtained from the user LDAP lookup and is used as the username instead of the user login username.
Custom fields configured in Authentication > User Account Policies > Custom User Fields are now available in the User Attribute dropdown in the Claims pane in Authentication > OAuth Service > Relying Party.
The following new fields have been introduced to the
|SSOMA configuration: Misleading error message.
|Support TLS 1.3 in RADIUS EAP-TLS.
|Support TLS 1.3 in
|Error when trying to import users from FortiGate configuration to FortiAuthenticator v6.4.
|Power supplies show voltage input fault on both CLI and GUI.
|Incorrect Italian translation of the Next button displayed on the reset password page.
|[FortiAuthenticator 400E] help check the reason of FortiAuthenticator 400E auto rebooting.
|Token bypass not working for FIDO enabled self-service portal.
|Wrong client IPv4 attribute for Fortinet SSO Methods > SSO > RADIUS Accounting Sources.
|Upgrading FortiAuthenticator in HA-LB removed the MAC-address records form the LB node.
|In the session expired token page entering wrong token does not redirect to Login page.
|Heavy FSSO-linked DNS traffic could results in the loss of HA heartbeats.
|FortiAuthenticator SSO database is not updating on time when domain users switch from wireless to wired or vice-versa.
|Realm authentication performance regression with KVM FortiAuthenticator.
|FortiAuthenticator ignores the groups filtering rules and send all SSO groups to FortiGate if FortiGate is configured with FQDN.
|Selecting the cloud option for group membership on SAML SP displays 500 error if we do not select an OAuth server.
|SAML: Launching SP-initiated SAML session for a user with FIDO AUTH produces server errors.
|Admin password recheck popup should have a cancel button.
|Request FortiAuthenticator with CA only to support future new FortiGate with CA2 only.
|SAML token-only login displays password page instead of the token page.
|User lookup does not display token information with view-only admin profiles.
|Add warnings, logs, and SNMP traps on LB HA failures.
|Certificate only smart connect in iOS does not work.
|TACACS+ remote users are not being displayed in User Lookup.
|Instruction link for installing FortiToken Mobile application is blocked on the self-service portal.
|CRL download URL over http is not available.
|Improve performance in SAML login GET request.
|We can access SAML IdP initiated URL on a FortiAuthenticator using a server address that is not the FQDN or IP.
timezone = GMT, London, user audit report download fails with internal server error 500.
|FortiAuthenticator does not properly revoke a user certificate.
|Number of Users for the MAC device group is always zero.
|HA LB anomaly for the MAC device group membership upon connection.
|Refresh button for widgets gets grayed out for a while after clicking on it.
|Import hard token through the serial number file, status
|Next button to trigger FIDO authentication should be disabled when FIDO authentication is in progress.
|The self-service portal password change error is displayed in two places.
strong crypto configuration in WAD.
|Remove Certificate authority type and CA certificate that issued the server certificate from Web/LDAP server configuration page.
|Self-device enrollment is broken for FortiToken 300.
|Non-admin SAML FIDO authentication ends with error 500.
|FortiAuthenticator is not sending the userip to the Syslog server when using RADIUS authentication.
|Add more built-in tiles for SAML IdP-initiated portal.
|Some of the users logged in MAC devices are unable to get user sessions listed on FortiAuthenticator.
|Requiring a password recheck should be necessary when adding a FIDO key to the Admin user.
|Oauth relying parties should have unique name constraints.
|Unable to scroll User Registration Replacement Messages page.
|We should not be able to save Smart connect profiles if EAP type has not been selected.
|406 error when prompted for the Admin password.
|RADIUS policies matching attributes configuration should not be limited to two.
|500 error for a remote user on the SAML portal with both FIDO and FortiToken Mobile/FortiToken Cloud token.
|FortiAuthenticator unable to return more than 100 groups from the Azure AD when using SSOMA.
|GUI crashes when creating a usage profile.
|FortiAuthenticator base distinguished name- Click on the browser displayed error code if OU has special characters in the name, e.g.,
( ? ) , +.
|FortiToken sync issue after upgrading from a previous GA build.
|The User Lookup feature displays only the most recent session for active RADIUS sessions.
|When attempting to revoke a server certificate, the Certificates field is empty.
|Issue authenticating IPsecVPN IKEv2 EAP (MSCHAPv2) to FortiAuthenticator + remote RADIUS server.
|Incorrect message on landing page for
radiusd cannot handle two parallel authentication sessions and removes partially authenticated user when second attempt comes.
|Syslog over TLS enabled offers TLS 1.0 and TLS 1.1 on port 6514.
|Unable to add longer mobile phone numbers for certain country codes.
|FortiAuthenticator issues with
UserPrincipalName (UPN) and tokens.
|Self-service portal password change fails for remote LDAP users.
|Typo: Fix typo when deleting FortiToken mobile.
|HA cluster fails to provision FortiToken Mobile tokens on the primary after a failover.
|Push authentication does not work on the Windows Agent when using FortiTrust Identity.
|Coordinated upgrade from build 0073 (6.0.8) GA to 1349 results in errors in the HA cluster mode.
|CRL automatic download failed using https.
radiusd appears to be stale with unfinished request in component authenticate module facauth that matches no
|FAC2KE PSU monitor widget does not accurately reflect the actual statuses of the PSUs on the device.
|REST API –
|FortiAuthenticator allows and forwards TS-Agent and DC-Agent login for the same IP address.
|SmartConnect profile user certificate not containing the correct UPN.
|500 error when re-enabling a disabled local user with Account Expiration enabled.
|Internal Server Error (Disk full) on the users certificate GUI with 50K+ certificates.
|Language changes in LEGACY self-service portal when an admin is connected affect admin GUI language.
|Auto-redirect to the trusted endpoint SSO URL.
|REST API does not return company and department fields for local users.
|Sync rule with no OTP method generates excessive logs.
|Custom user fields in user portal settings gives 403 error when editing it.
Subject NameID under Assertion Attribute not defaulting to username.
|If a user logs in to FortiAuthenticator first, then logs in to the OAuth application, the user will be logged in with the FortiAuthenticator login session.
/api throws 500 internal server error after login, it should not be an unhandled exception.
|FortiAuthenticator – FortiOS/FortiProxy – Proxy mode with deep inspection – Stack buffer overflow.
|Create new log events for RADIUS accounting start/stop messages.
|Adding TACACS+ clients from a csv file allows to enter an incorrect IP address format
string instead of the address type.
|Syslog FSSO – Parse for multiple IPv4 and IPv6 addresses.
|FortiAuthenticator HSTS settings are not applied to the
|Post request will cause CSRF validation error if the URL contains port number other than 80 or 443.
telnetd from FortiAuthenticator.
|SAML SP FIDO OTP fallback using Azure IdP proxy with an imported remote SAML Azure with token fails.
|Improper requests to
/admin/customviews/guestportaltemplate/editor/generates server errors.
|Upgrade to 6.5.3 fails and leaves FortiAuthenticator unusable.
|LDAP group filter query fails when 3 CN is chosen.
|Remote LDAP user should be denied in RADIUS if user has not been imported.
|CSV Mac device import fails due to MAC address wildcard formatting. Previously, resolved in 0665381.
|Change in FortiToken Cloud 'balance’ API broke inventory widget.
|FortiAuthenticator keep sending non-stop traffic to
|OAuth portal is optional.
|Creating users using the
localuser endpoint fails.
|FortiToken hardware token is not assigned to the imported users if None is not selected in the sync rule.
|GUI not showing groups when trying to import user by group membership attribute from the OpenLDAP server.
|Certificate renewal failure after revocation.
|Close all of the FortiAuthenticator service ports by default.
|Unable to change Fortinet logo on one of the replacement messages.
|Avoid sharing the database session across different HTTP requests.
|Test token with email/SMS not working due to CSP error.
|Internal error 500 when trying to visualize the remote TACAC+ users.
|Dynamic RADIUS attribute feature should work for an AD user.
ftcd/pushd should close
|Using special character in the Service Provider settings breaks SAML with 403 error.
|Windows AD SSO domains randomly disconnected from FortiAuthenticator(when polling dozens).
|Unable to redirect to a page after successful kerberos authentication –
|Trusted CA deletion does not generate a log message.
|Restoring encrypted configuration with wrong password gives
not a gzip file error.
|Issues when moving users from column Available Users to Chosen Users.
pg_client crashes due to
|Allow changing access rights in the FortiAuthenticator Cloud mode.
|Translation error in OAuth Service > General > JWT private key.
|It takes around 10 seconds to create or migrate IAM user on any account.
|Do not display firmware certificates as options for CA certificate when FortiAuthenticator is in HA LB mode.
|SAML stops working with error 500 due to captcha errors.
|Internal server error 500 when viewing RADIUS Accounting Sessions in Monitor section.
|Unable to create multiple realms with the same remote SAML server.
|500 Internal server error on SAML when authenticating with SAML with captcha enabled.
|Admin login with FortiToken Mobile/Cloud push failure with an empty field.
|Windows agent authentication using FortiToken Cloud with Email and SMS delivery option fails.
|Unable to configure the fourth and the last realm in Authentication > SAML IdP > General.
|SAML trusted endpoint FSSO return internal error 500.
pg_client initiated query is active on the postgres side despite already being finished.
|Fido OAuth authentication flow is broken.
|Incorrect password with PCI mode enabled results in 500 error.
|Enable HSTS by default
Bezpieczeństwo w biznesie