FortiAuthenticator 6.2.0
The following list contains new and expanded features added in FortiAuthenticator 6.2.0.
REST API enhancements
The following enhancements have been added for the FortiAuthenticator REST API:
- Filtering for user certificates.
- Configurable character delimiter for FSSO group membership.
TACACS+ support
FortiAuthenticator now includes TACACS+ AAA (Authentication, Authorization and Accounting) capabilities. TACACS+ settings can be configured in Authentication > TACACS+ Service. Before FortiAuthenticator can accept TACACS+ authentication requests from a client, the device must be registered on FortiAuthenticator, and it must be assigned to a policy. TACACS+ authorization can be specified by creating authorization rules that can be applied to users and user groups in FortiAuthenticator.
See TACACS+ service.
SAML IdP Proxy: O365 Azure/ADFS hybrid support
SAML IdP proxy support for the O365 Azure/ADFS hybrid configuration has been added.
Get Windows AD nested groups during SAML IdP configuration
A new configuration option to Get nested groups for user is available during IdP configuration. Enabling this feature allows the IdP to perform nested group lookup for Windows AD.
REST API key visibility for Admin users
After enabling Web service access on a local admin account and saving changes, the User API Access Key window is displayed where you can view, copy, and/or email the REST API key. Web service access can be enabled for admin users in Authentication > User Management > Local Users.
See Local users.
RADSEC support
RADSEC is now supported for RADIUS authentication by adding a RADSEC server certificate in Authentication > RADIUS Service > Certificates. All TLS communication on the specified RADSEC port will be treated as a regular RADIUS request. Access to RADSEC can be enabled or disabled on each network interface.
See Certificates.
SCEP enrollment requests search
Certificate Management > SCEP > Enrollment Requests now includes a search field, allowing you to search for SCEP enrollment requests with subject fields matching the input search string.
See Enrollment requests.
LDAP group filter support for remote RADIUS realms
When using a RADIUS realm in a RADIUS policy, you can use a group filter to specify a previously configured LDAP group. Select Allow remote LDAP groups to see available LDAP groups.
When configured, the RADIUS authentication requires that a successfully authenticated user be a member of the specified LDAP group (through an LDAP lookup) in order to return an Access-Accept response.
See Policies.
Sync certificate bindings to load balancers
Certificate binding settings for local and remote users are now synced to load balancers in HA load balancing configurations. This adds support for syncing the configuration objects required to support EAP-TLS RADIUS authentication on load balancers.
Show Password toggle included in replacement messages
Each default replacement message for a login page containing an input password field now includes a "show password" toggle.
Legacy Self-service Portal disabled by default
In FortiAuthenticator 6.1.0, self-service portal configuration was added to Authentication > Portals.
In 6.2.0, the legacy Self-service Portal configuration is disabled by default in the GUI and can be manually re-enabled by going to System > Administration > Features and selecting Enable legacy self-service portal.
The Replacement Messages sub-menu is available in System > Administration > Replacement Messages.
See Features and Replacement messages.
Additional SCEP CRL/OCSP enrollment options
Two new optional settings are available for SCEP enrollment request configuration, located under the Other Extensions section in Certificate Management > SCEP > Enrollment Requests.
Settings include Add CRL Distribution Points Extension and Add OCSP Responder URL.
See Enrollment requests.
Revoked/expired user certificates hidden by default
By default, the user certificates page only displays valid (active and pending) user certificates. In Certificate Management > End Entities > Users, you can select Revoked or Expired in the filter menu to view revoked or expired certificates.
See End entities.
Richer logs for self-registered users
When a local user account is created through self-registration, log messages generated by FortiAuthenticator now contain the value of all non-blank fields from the registration form in addition to the username in the log's Message field. To view log messages, go to Logging > Log Access > Logs.
Usernames included in FTM activation messages
Usernames are now displayed in FortiToken Mobile activation messages. The following replacement messages will now display usernames.
- System > Administration > Replacement Messages > Account > FortiToken Mobile Activation Email Message
- System > Administration > Replacement Messages > Account > FortiToken Mobile Activation SMS Message
- Authentication > Portals > Replacement Messages > Post-Login > FortiToken Mobile Activation Email Message
- Authentication > Portals > Replacement Messages > Post-Login > FortiToken Mobile Activation SMS Message
FTC: Sync email and mobile number
FortiAuthenticator will now sync emails and mobile numbers to FTC.
SNMP trap for RAID status changes
A new SNMP trap for notification of RAID status changes is available. When configuring SNMP v1/v2c and v3 in System > Administration > SNMP, select RAID status changed.
See SNMP.
Administrator password required before changes can be made to administrator accounts
When adding, editing, or deleting an admin account in FortiAuthenticator, a dialog is displayed requesting the password of the currently logged-in administrator before the settings can be saved.
See Administrators.
FortiAuthenticator Windows Agent: SMS/email 2FA support
SMS and email two-factor authentication support has been added for the Microsoft Windows Agent.