Release Notes

What's new

FortiAuthenticator version 6.2.0 includes the following new and expanded features and enhancements:

REST API enhancements

The following enhancements have been added for the FortiAuthenticator REST API:

  • Filtering for user certificates.
  • Configurable character delimiter for FSSO group membership.

TACACS+ support

FortiAuthenticator now includes TACACS+ authentication capabilities. TACACS+ settings can be configured in Authentication > TACACS+ Service. Before FortiAuthenticator can accept TACACS+ authentication requests from a client, the device must be registered on FortiAuthenticator, and it must be assigned to a policy. TACACS+ authorization can be specified by creating authorization rules that can be applied to users and user groups in FortiAuthenticator.

SAML IdP Proxy: O365 Azure/ADFS hybrid support

Support for O365 Azure/ADFS hybrid has been added to the SAML IdP proxy.

Get Windows AD nested groups during SAML IdP configuration

A new configuration option, Get nested groups for user, is available during IdP configuration. Enabling this feature allows the IdP to perform nested group lookup for Windows AD. See SAML IdP.

REST API key visibility for Admin users

After enabling Web service access on a local admin account and saving changes, the User API Access Key window is displayed where you can view, copy, and/or email the REST API key. Web service access can be enabled for admin users in Authentication > User Management > Local Users.

RADSEC support

RADSEC is now supported for RADIUS authentication by adding a RADSEC server certificate in Authentication > RADIUS Service > Certificates. All TLS communication on the specified RADSEC port will be treated as a regular RADIUS request. Access to RADSEC can be enabled or disabled on each network interface.

SCEP enrollment requests search

Certificate Management > SCEP > Enrollment Requests now includes a search field, allowing you to search for SCEP enrollment requests with subject fields matching the input search string.

LDAP group filter support for remote RADIUS realms

When using a RADIUS realm in a RADIUS policy, you can use a group filter to specify a previously configured LDAP group. Select Allow remote LDAP groups to see available LDAP groups.

When configured, the RADIUS authentication requires that a successfully authenticated user be a member of the specified LDAP group (through an LDAP lookup) in order to return an Access-Accept response.

Sync certificate bindings to load balancers

Certificate binding settings for local and remote users are now synced to load balancers in HA load balancing configurations. This feature adds support for syncing the configuration objects required to effectively support EAP-TLS RADIUS authentication on load balancers.

Show Password toggle included in replacement messages

Each default replacement message for a login page containing an input password field now includes a "show password" toggle.

Legacy Self-service Portal disabled by default

In FortiAuthenticator 6.1.0, self-service portal configuration was added to Authentication > Portals.

In 6.2.0, the legacy Self-service Portal configuration is disabled by default in the GUI and can be manually re-enabled by going to System > Administration > Features and selecting Enable legacy self-service portal.

The Replacement Messages sub-menu is available in System > Administration > Replacement Messages.

Additional SCEP CRL/OCSP enrollment options

Two new optional settings are available for SCEP enrollment request configuration, located under the Other Extensions section in Certificate Management > SCEP > Enrollment Requests.

Settings include Add CRL Distribution Points Extension and Add OCSP Responder URL.

Revoked/expired user certificates hidden by default

By default, the user certificates page only displays valid (active and pending) user certificates. In Certificate Management > End Entities > Users, you can select Revoked or Expired in the filter menu to view revoked or expired certificates.

Richer logs for self-registered users

When a local user account is created through self-registration, log messages generated by FortiAuthenticator now contain the value of all non-blank fields from the registration form in addition to the username in the log's Message field. To view log messages, go to Logging > Log Access > Logs.

Usernames included in FTM activation messages

Usernames are now displayed in FortiToken Mobile activation messages. The following replacement messages will now display usernames:

  • System > Administration > Replacement Messages > Account > FortiToken Mobile Activation Email Message
  • System > Administration > Replacement Messages > Account > FortiToken Mobile Activation SMS Message
  • Authentication > Portals > Replacement Messages > Post-Login > FortiToken Mobile Activation Email Message
  • Authentication > Portals > Replacement Messages > Post-Login > FortiToken Mobile Activation SMS Message

FTC: Sync email and mobile number

FortiAuthenticator will now sync emails and mobile numbers to FTC.

SNMP trap for RAID status changes

A new SNMP trap for notification of RAID status changes is available. When configuring SNMP v1/v2c and v3 in System > Administration > SNMP, select RAID status changed.

Administrator password required before changes can be made to administrator accounts

When adding, editing, or deleting an admin account in FortiAuthenticator, a dialog is displayed requesting the password for the currently logged in administrator before settings can be saved.

FortiAuthenticator Windows Agent: SMS/email 2FA support

SMS and email two-factor authentication support has been added for Microsoft Windows Agent.
