FortiAuthenticator version 6.3.0 includes the following new features and enhancements:
Enhancements to the FortiAuthenticator REST API
Various improvements and new endpoints have been added to the FortiAuthenticator 6.3.0 REST API Solutions guide.
For more information, see the REST API Solutions Guide.
Exporting MAC devices list
You can now export the list of MAC devices configured in Authentication > User Management > MAC Devices.
FortiToken Mobile logo configuration
The FortiToken configuration page now includes a separate tab where users can upload logo images for their organization which are sent to the FortiToken Mobile app during provisioning. The FortiToken Mobile app displays this logo beside the one-time password for the specific token. This can be used to distinguish between tokens when there are multiple tokens managed by the same FortiToken Mobile app.
FortiToken Mobile logos can be configured by selecting the Logos tab now available in Authentication > User Management > FortiTokens.
This option replaces the previous Organizations page which included the same features, previously available in Authentication > User Management > Organizations.
Monitor active SAML IdP sessions
A monitor for viewing active SAML IdP sessions is available in Monitor > Authentication > SAML IdP Sessions. The page contains the following elements:
- A table containing the list of IdP sessions.
- Search options at the top of the table to search by username or by user IP address.
- The total number of SAML sessions.
TACACS+ Import clients through CSV file
TACACS+ clients can be imported and assigned to TACACS+ policies through a CSV file.
Sync rule: Import RADIUS users from LDAP server
You can now configure a remote LDAP user synchronization rule that allows you to create, edit, or delete remote RADIUS users. When this synchronization rule runs, it creates remote RADIUS users available in User Management > Remote Users.
FortiToken Mobile push notification contains user IP and geolocation
FortiAuthenticator now shows the user IP and/or geolocation, when available, in FortiToken Mobile push notifications. The following new settings control this:
- A new Look up geo-location of user IP for Web Service toggle in Authentication > User Account Policies > General.
- A new Application name for FTM push notification field when creating or editing a SAML Service Provider in Authentication > SAML IdP > Service Providers.
- A new Application name for FTM push notification field and Resolve user geolocation from their IP address toggle when creating or editing a self-service portal policy in Authentication > Portals > Policies.
- A new Application name for FTM push notification field and Resolve user geolocation from their IP address toggle when creating or editing a captive portal policy in Authentication > Portals > Policies.
- A new Application name for FTM push notification field and Resolve user geolocation from their IP address toggle when creating or editing a RADIUS policy in Authentication > RADIUS Service > Policies. RADIUS policies also contain a new RADIUS attribute for user IP field that lets you specify the RADIUS attribute from which the user IP is obtained.
RADIUS Attributes and Certificate Bindings available to users with administrator or sponsor role
The RADIUS Attributes and Certificate Bindings tabs are available when you create, edit, or import a user with the Administrator or Sponsor role in the following locations:
- Authentication > User Management > Local Users.
- Authentication > User Management > Remote Users: RADIUS attributes and certificate bindings are available when you import an LDAP user.
Only the Certificate Bindings tab is available for RADIUS users; SAML users do not have these tabs.
When creating, editing, or importing a user with the Administrator or Sponsor role, this feature is available only if Sync in HA Load Balancing mode is enabled.
GUI: Improved LDAP group selection UX
The new Set Group Filter button in the Create New Remote LDAP User Synchronization window (Authentication > User Management > Remote User Sync Rules) allows you to build the LDAP filter string by selecting one or more groups.
The Set Group Filter button is also available for the LDAP user groups.
Captive portal: Support for Cisco WLC
FortiAuthenticator captive portal now supports Cisco WLC devices. It recognizes and handles redirects from a Cisco WLC device.
When configuring a captive portal policy in Authentication > Portals > Policies, FortiAuthenticator offers the following new built-in HTTP parameters when you select Add Condition in Portal selection criteria > Additional source criteria:
The switch_url HTTP parameter helps recognize a Cisco WLC captive portal redirect. After the user has successfully logged in to the FortiAuthenticator captive portal, FortiAuthenticator redirects the end user to the Cisco WLC API specified in the switch_url parameter.
Understanding the captive portal workflow help in the Portal selection criteria tab offers a new Cisco WLC topic in the Access point/NAS dropdown.
The Authentication factors tab has a new tooltip for MAC address parameter that lists which MAC parameter to use with a device type.
Symmetric encryption keys for debug logs and config files
When creating a configuration backup, the administrator has the option to enable or disable encryption, and specify the encryption password. By default, encryption is disabled.
When restoring a configuration backup, the administrator enters the decryption password if encryption is enabled. By default, decryption is disabled.
SAML IdP: IAM users
FortiAuthenticator now supports configuring IAM users and accounts in Authentication > User Management > IAM.
A new IAM login setting in Authentication > SAML IdP > General that allows IAM logins. When enabled, the SAML IdP login page shows a new Sign-In as IAM user link. This link takes you to the new customizable IAM login page.
Also, when you create an assertion attribute for a SAML service provider in Authentication > SAML IdP > Service Providers, it has the following new user attributes:
- IAM account name
- IAM account alias
A new IAM option when creating a local user that allows you to add this local user to an IAM account.
A new Sync users to IAM Account option when creating a remote LDAP user synchronization rule that allows you to synchronize the remote users with an IAM account.
A new IAM Account dropdown when importing SSO users in Fortinet SSO Methods > SSO > SSO Users that allows associating the imported users with an IAM account.
A new SAML IdP Password Change Page replacement message that allows customization of the password change page for a local user.
On successful IdP login of an IAM user associated with a local user for which Force password change on next logon is enabled, FortiAuthenticator presents a password change page same as the one for non-IAM local users.
iamusers endpoints available. A new change_password field is now available for the
For information about the new endpoints, see the REST API Solutions Guide.
SAML IdP: Support authentication from external IdP servers
FortiAuthenticator now supports IdP-initiated SAML from a remote SAML IdP using the existing SAML IdP proxy server type.
The following changes were implemented to support IdP-initiated SAML:
- A new customizable SAML IdP Proxy Login Success page replacement message for a successful IdP-initiated login from a proxy remote SAML server.
- A new Realm user attribute is available when you create an assertion attribute for a SAML service provider in Authentication > SAML IdP > Service Providers. This new SAML assertion returns the realm that the end user was authenticated against.
The end user accesses the FortiAuthenticator SP login portal URL before the FortiAuthenticator IdP login page. From the SP login portal URL, the FortiAuthenticator determines the remote SAML server and identifies its associated realm.
Logging: Improvements for SIEM security analysis
The SAML IdP logs now include a new userip field that contains the end user IP address. Also, the nas field in the logs contains the name of the service provider.
To view log messages, go to Logging > Log Access > Logs.
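As an added example (not part of the release notes or Fortinet's code), the parser below shows how a SIEM pipeline can consume the new userip and nas fields. The key=value line format, timestamps, user names and addresses are constructed assumptions; only the field names userip and nas come from the notes.

```python
import re
from collections import defaultdict

# Constructed sample SAML IdP log lines in an assumed key=value syslog style.
# Only the field names userip and nas follow the release notes; everything
# else (format, timestamps, users, addresses) is invented for this example.
SAMPLE_LOGS = """\
2024-01-10T09:00:01Z type=saml_idp status=success user=alice nas="Portal-A" userip=10.0.1.15
2024-01-10T09:00:09Z type=saml_idp status=success user=bob nas="Portal-A" userip=10.0.1.22
2024-01-10T09:02:40Z type=saml_idp status=success user=alice nas="Portal-B" userip=198.51.100.7
2024-01-10T09:03:12Z type=saml_idp status=failure user=alice nas="Portal-B" userip=203.0.113.9
2024-01-10T09:04:55Z type=saml_idp status=success user=carol nas="Portal-C" userip=10.0.2.3
"""

# Matches key=value pairs; values may be double-quoted (e.g. nas="Portal-A").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one log line into its timestamp plus a dict of key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def parse_logs(text):
    """Parse every non-empty line of a log export."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def ips_per_user(events):
    """Map each user to the set of source IPs (userip) seen on successful logins."""
    seen = defaultdict(set)
    for e in events:
        if e.get("type") == "saml_idp" and e.get("status") == "success":
            seen[e["user"]].add(e["userip"])
    return dict(seen)


def failures_per_nas(events):
    """Count failed SAML IdP logins per service provider (nas)."""
    counts = defaultdict(int)
    for e in events:
        if e.get("type") == "saml_idp" and e.get("status") == "failure":
            counts[e["nas"]] += 1
    return dict(counts)


def flag_multi_ip_users(events, threshold=2):
    """Users that logged in successfully from at least `threshold` distinct IPs."""
    return sorted(u for u, ips in ips_per_user(events).items() if len(ips) >= threshold)
```

The threshold and time window are placeholders; a real deployment would tune them to its own address space and session patterns.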
SAML IdP: RADIUS attributes for assertions
FortiAuthenticator can now include attributes returned by remote RADIUS servers in the assertions returned by the SAML IdP.
There is a new option in the GUI to configure a SAML assertion containing the value of a RADIUS attribute:
A new RADIUS attribute user attribute is available when you create an assertion attribute for a SAML service provider in Authentication > SAML IdP > Service Providers.
Captive portal: Support for WeChat social login
Captive portal in FortiAuthenticator now supports social login through WeChat.
Also, WeChat is now an option in the Guest Portal Social Network Page and Guest Portal Social Network Plus FAC accounts replacement messages in Authentication > Portals > Replacement Messages.
FortiAuthenticator now supports bypassing the OTP verification when the end user IP is on a trusted subnet for the following services:
- RADIUS authentication: A new Adaptive Authentication toggle is available when creating or editing a RADIUS policy in Authentication > RADIUS Service > Policies.
- Captive portals: A new Adaptive Authentication toggle is available when creating or editing a captive portal policy in Authentication > Portals > Policies.
- Self-service portals: A new Adaptive Authentication toggle is available when creating or editing a self-service portal policy in Authentication > Portals > Policies.
- TACACS+ policies: A new Adaptive Authentication toggle is available when creating or editing a TACACS+ policy in Authentication > TACACS+ Service > Policies.
- SAML IdP: In Authentication > SAML IdP > Service Providers, the Bypass FortiToken authentication when user is from a trusted subnet toggle is renamed to Adaptive Authentication.
TACACS+: Support for log files of size up to 500 MB
TACACS+ audit logs support a maximum file size of 500 MB. The following new size options are available:
Certificates: GUI improvements
FortiAuthenticator now offers an improved GUI for the Enrollment Requests tab in Certificate Management > SCEP.
A new Delete & Revoke Certificate button in the Enrollment Requests tab removes the selected SCEP enrollment request and revokes all corresponding active user certificates. This option is available only if the Automatic request type of the selected request is Regular.
New tooltips for the Subject and the Issuer columns display the full subject and the issuer names.
FortiAuthenticator Agent for Microsoft OWA: Supports SMS, Email, and FTM push methods for 2FA
FortiAuthenticator Agent for Microsoft OWA supports SMS, Email, and FTM push methods for 2FA.
See FortiAuthenticator Agent for Microsoft OWA 2.2 Release Notes on the Fortinet Docs Library.
Group memberships when importing local users from a CSV file
You can now set group memberships when importing local users from a CSV file.
To support this feature, a new group names field is available in the CSV format.
When exporting the local users CSV file, FortiAuthenticator includes the list of local groups each user is a member of. When importing the local users CSV file, FortiAuthenticator adds the users to the specified groups.
FortiAuthenticator 800F and 300F support user license upgrades
You can now load an add-on user license onto FortiAuthenticator 300F and 800F hardware models. This allows for better sizing flexibility without the need to maintain a larger number of different hardware models.
As with FortiAuthenticator-VM, the number of additional users in the license specifies how many users are allowed on top of the built-in user limit. For example, if a license file with a FortiAuthenticator-300F serial number specifies 1000 additional users, uploading that license onto the FortiAuthenticator-300F results in a maximum user limit of 2500 (1500 built-in + 1000 licensed).
FSSO: Retry failed DNS lookups
The Enable DNS lookup to get IP from workstation name option, available when the DC/TS Agent Clients setting is enabled in Fortinet SSO Methods > SSO > General, allows FortiAuthenticator to retry the DNS lookup used to obtain the workstation IP address when the logon request contains only the workstation name.
If the initial lookup fails, FortiAuthenticator retries every 10 seconds for the following 5 minutes.
VM: Support disk partition increase
FortiAuthenticator now supports increasing the disk partition size when more disk space is allocated to a FortiAuthenticator-VM.
To allocate more disk space to the VM, use the execute expand-partition command in the CLI console. FortiAuthenticator reboots with an increased disk partition size.
In FortiAuthenticator 6.3.0, the maximum allowed disk size is 2 TB when attempting to increase the disk partition size.
Logging: Ability to send FortiAuthenticator debug logs to remote logging servers
FortiAuthenticator now supports sending debug logs to remote logging servers.
There is a new Send debug logs to remote Syslog servers toggle in Logging > Log Config > Log Settings.