FortiAuthenticator version 6.4.1 includes the following enhancements:
When creating or editing a syslog server in Logging > Log Config > Syslog Servers, there is a new Secure Connection pane for sending syslog messages to remote servers using a TLS connection.
FortiAuthenticator Agent for Microsoft Windows now allows TOTP cache sizes up to 200 days. See Tokens and the FortiAuthenticator Agent for Microsoft Windows Install Guide on Fortinet Docs Library.
RADIUS clients can be imported and assigned to RADIUS policies through a CSV file.
New radiuspolicyclient REST API endpoints are available. See REST API Solutions Guide.
FortiAuthenticator now supports receiving messages from a syslog source over a TLS connection on TCP port 6514.
Network interfaces in System > Network > Interfaces have a new Syslog over TLS (TCP/6514) toggle in Services that allows receiving messages from a syslog source over TLS.
The syslog-based FSSO feature allows enabling or disabling encrypted syslogs:
New Allow TLS encryption and Require client authentication toggles under Enable Syslog SSO when editing the SSO configuration in Fortinet SSO Methods > SSO > General.
A new TLS encryption toggle when creating or editing a syslog source in Fortinet SSO Methods > SSO > Syslog Sources.
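A sender-side check for the TLS syslog listener described above, written as an added example for this page; it is not FortiAuthenticator code and is not taken from Fortinet documentation. It builds an RFC 5424 message, applies the octet-counting framing defined in RFC 5425 for syslog over TLS (if a receiver expects newline-delimited framing instead, swap the framing function), and opens a TLS 1.2+ connection that verifies the receiver against a CA file and, for a receiver with Require client authentication enabled, presents a client certificate. The receiver name fac.example.com, the certificate paths, and the sample log content are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

SYSLOG_TLS_PORT = 6514  # TCP/6514, the port the TLS syslog listener uses


def build_syslog_message(facility, severity, hostname, app_name, msg,
                         timestamp=None, procid="-", msgid="-"):
    """Build an RFC 5424 syslog line. PRI is facility*8 + severity; '-' is NILVALUE.
    timestamp may be a datetime, a pre-formatted RFC 3339 string, or None (now, UTC)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    pri = facility * 8 + severity
    if isinstance(timestamp, str):
        ts = timestamp
    else:
        ts = (timestamp or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return f"<{pri}>1 {ts} {hostname} {app_name} {procid} {msgid} - {msg}"


def frame_octet_counting(message):
    """RFC 5425 framing: MSG-LEN SP SYSLOG-MSG. The length counts bytes of the
    UTF-8 encoding, not characters, so non-ASCII content is framed correctly."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def make_tls_context(ca_file, client_cert=None, client_key=None):
    """Client-side context: trust only ca_file for the receiver's certificate,
    insist on TLS 1.2 or later, and load a client certificate when the receiver
    has 'Require client authentication' enabled (mutual TLS)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def send_syslog_tls(host, messages, ca_file, client_cert=None, client_key=None,
                    port=SYSLOG_TLS_PORT, timeout=5.0):
    """Send already-built syslog lines over one TLS connection; returns the count sent."""
    ctx = make_tls_context(ca_file, client_cert, client_key)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname drives SNI and host-name verification against the cert
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for line in messages:
                tls.sendall(frame_octet_counting(line))
    return len(messages)


if __name__ == "__main__":
    # Constructed sample event: facility 4 (auth), severity 6 (informational).
    line = build_syslog_message(4, 6, "dc01", "winlogon", "user=alice action=login")
    print(frame_octet_counting(line))
    # Assumed names: the receiver and certificate paths below do not exist here.
    # send_syslog_tls("fac.example.com", [line], ca_file="/etc/ssl/fac-ca.pem",
    #                 client_cert="/etc/ssl/sender.pem", client_key="/etc/ssl/sender.key")
```

A failed handshake at this point is the useful signal: a verification error means the CA loaded on the sender does not match the certificate the listener presents, and a handshake failure after the client hello usually means the receiver required a client certificate that was not supplied.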
You can now see the last used date and time for a FortiToken when editing a FortiToken in Authentication > User Management > FortiTokens.
A new last used column in Authentication > User Management > FortiTokens.
A last_used_at field is available in the fortitokens endpoint. See REST API Solutions Guide.
FortiAuthenticator now supports the SmartConnect Android application in the captive and self-service user portals.
Android 11 allows the SmartConnect app to install user credential certificates for EAP-TLS and PEAP to allow for user authentication.
Android 11 restricts the SmartConnect app from installing global CA certificates. As of Android 11, these certificates have to be installed manually. A warning message appears in the SmartConnect app prompting the user to install them manually.
FortiAuthenticator now supports EAP-MSCHAPv2 authentication mechanism against a remote AD server.
FortiAuthenticator also supports multi-factor authentication over EAP-MSCHAPv2.
When creating or editing a RADIUS policy in Authentication > RADIUS Service > Policies, a new EAP-MSCHAPv2 toggle is available in the Authentication type tab, provided that the Accept EAP toggle is enabled under Password/OTP authentication.
When editing an interface in System > Network > Interfaces, new SAML IdP and Kerberos SSO toggles are available in the Services pane.
FortiAuthenticator now supports a new temporary token option that allows the use of emergency codes for offline end-users who find themselves without access to FortiToken, email, or SMS.
A new Enable emergency codes toggle and Emergency codes valid for option when editing the token policy settings in Authentication > User Account Policies > Tokens.
A new Display emergency code button that displays the emergency code from within a user account if FortiToken is provisioned for the account.
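The emergency-code option above replaces the possession factor with a short-lived shared secret, so the code's lifecycle is what carries the security: it must be unguessable, stored only as a hash, accepted once, and refused after the valid-for window. The following is an added illustration of that lifecycle written for this page; it is not FortiAuthenticator's implementation, whose code format, storage, and validity handling are not described here. The 32-symbol alphabet, ten-symbol length, PBKDF2 cost, and seven-day validity are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters: an alphabet without 0/O/1/I (codes are often read aloud),
# 10 symbols per code (50 bits of entropy), and a PBKDF2 cost high enough that a
# stolen record store cannot be brute-forced cheaply.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 10
PBKDF2_ITERATIONS = 100_000
SECONDS_PER_DAY = 86_400


def _normalize(code):
    """Tolerate case and separators typed by a user who is reading the code back."""
    return code.strip().upper().replace("-", "").replace(" ", "")


def _hash_code(code, salt):
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def issue_emergency_codes(count, valid_for_days, now=None):
    """Return (plaintext codes to show the user once, records to persist).
    The plaintext is never stored; each record keeps only a per-code salt, the
    PBKDF2 hash, the expiry (epoch seconds) and a used flag."""
    now = int(time.time()) if now is None else now
    expires_at = now + valid_for_days * SECONDS_PER_DAY
    plaintext, records = [], []
    for _ in range(count):
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        plaintext.append(code)
        records.append({"salt": salt, "hash": _hash_code(code, salt),
                        "expires_at": expires_at, "used": False})
    return plaintext, records


def redeem_emergency_code(records, candidate, now=None):
    """Accept a code at most once and only inside its validity window.
    Every record is hashed and compared in constant time whether or not an
    earlier slot matched, so response time does not reveal which slot (if any)
    the candidate hit."""
    now = int(time.time()) if now is None else now
    candidate = _normalize(candidate)
    matched = None
    for rec in records:
        digest = _hash_code(candidate, rec["salt"])
        if hmac.compare_digest(digest, rec["hash"]) and matched is None:
            matched = rec
    if matched is None or matched["used"] or now > matched["expires_at"]:
        return False
    matched["used"] = True  # burn the code before reporting success
    return True


if __name__ == "__main__":
    codes, store = issue_emergency_codes(3, 7)   # constructed: three codes, valid 7 days
    print("show once to the user:", codes)
    print("first use:", redeem_emergency_code(store, codes[0]))
    print("replay:", redeem_emergency_code(store, codes[0]))
```

The order of checks in redeem_emergency_code is deliberate: the hash comparison runs over every record before any decision is made, and the used flag is set before the function returns, so a second submission of the same code, even one racing the first, cannot be accepted on the basis of stale state once the store is written.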
OpenID Connect (OIDC) provides an identity layer on top of the OAuth 2.0 protocol to verify end-user identity and obtain profile information. OIDC is a modern SSO protocol that is easier and more flexible to use than SAML.
OIDC authentication can be enabled for the OAuth client by configuring the relying party with an authorization code, policy, redirect URI, and OIDC claim(s).
OAuth Service in Authentication has been reorganized to include the following tabs:
General - Configure general settings for OAuth.
Policies - Create policies to use with OAuth authentication.
Relying Party - Configure OAuth clients and OIDC claims.
New OIDC endpoints are now available, and the token endpoint has been expanded with new fields that support the OIDC configuration. See REST API Solutions Guide.
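What the relying party must do with the ID token it receives after the authorization-code exchange described above, as an added example for this page rather than FortiAuthenticator's or any library's code. Signature checking uses HS256 keyed with the client secret, which OIDC permits for confidential clients; the page does not state which signing algorithm FortiAuthenticator uses, so treat that, the issuer URL https://fac.example.com, the client ID, and the claim values as assumptions, and substitute RS256 with the provider's JWKS where that is what the IdP advertises. mint_id_token exists only to produce test input; it stands in for the IdP.

```python
import base64
import hashlib
import hmac
import json
import time


class IDTokenError(Exception):
    """Raised when an ID token fails any verification step."""


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, client_secret):
    """Constructed helper standing in for the IdP: signs claims with HS256 using
    the relying party's client secret. Used here only to produce test input."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(client_secret.encode("utf-8"), signing_input.encode("ascii"),
                   hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token, client_secret, issuer, client_id, nonce, now=None, leeway=60):
    """Verify an ID token as an OIDC relying party must: signature first, then
    iss, aud/azp, exp, iat and the nonce bound to the login request. Returns the
    claims only if every check passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm before touching the signature: this is what defeats
    # alg=none and HS/RS key-confusion tokens.
    if header.get("alg") != "HS256":
        raise IDTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(client_secret.encode("utf-8"),
                        f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise IDTokenError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IDTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise IDTokenError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IDTokenError("azp missing or not this client")
    if int(claims.get("exp", 0)) + leeway < now:
        raise IDTokenError("token expired")
    if int(claims.get("iat", now)) - leeway > now:
        raise IDTokenError("token issued in the future")
    if claims.get("nonce") != nonce:
        raise IDTokenError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise IDTokenError("missing sub")
    return claims


if __name__ == "__main__":
    # Constructed claims; the issuer, client ID and nonce are assumptions.
    claims = {"iss": "https://fac.example.com", "sub": "alice", "aud": "portal-app",
              "iat": 1700000000, "exp": 1700000900, "nonce": "n-0S6_WzA2Mj"}
    token = mint_id_token(claims, "client-secret-assumed")
    print(verify_id_token(token, "client-secret-assumed", "https://fac.example.com",
                          "portal-app", "n-0S6_WzA2Mj", now=1700000100)["sub"])
```

The nonce is the one the relying party generated and stored in the session before redirecting the user to the authorization endpoint; comparing it here is what ties the returned token to that particular login and blocks replay of a token captured elsewhere.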
When creating or editing an LDAP Server in Authentication > Remote Auth. Servers > LDAP, a new Trusted CA toggle now allows you to specify multiple trusted CAs for secure connection to a remote LDAP server.
Using the new Learn Certificate button in Certificate Management > Certificate Authorities > Trusted CAs, you can now extract the certificate chain from a TLS server and view its CA certificates by entering the host name/IP address and port number. You can then import the CA certificates.
New Password Reset Email Subject and Password Reset Email Message replacement messages in Authentication > Portals > Replacement Messages.
You can now set stronger TACACS+ client secrets that include the special characters !@#$%^&()_+\<>?./ when adding, editing, or importing TACACS+ clients.
The tacplusclients endpoint now allows special characters in the secret field. See REST API Solutions Guide.
Upon a failed SMTP test, FortiAuthenticator displays a message in the GUI to help troubleshoot the source of the issue.
For SMTP servers, FortiAuthenticator logs the source of the issue to Logging > Log Access > Logs.
Also, upon a failed SMTP send attempt, i.e., when not using the Test Connection button, FortiAuthenticator logs the source of the issue to Logging > Log Access > Logs.
In the RADIUS response tab, when the AD Computer Authentication Result is successful and the user is not authenticated yet, you can now select between the following RADIUS attribute response options:
When Return User Group Attributes is enabled, RADIUS attributes configured in the user groups that the computer is a member of are returned.
Return Additional Attributes.
FortiAuthenticator adds SNMP monitoring and traps for TACACS+, equivalent to the existing SNMP support for RADIUS.
When configuring SNMP settings in System > Administration > SNMP, there is a new TACACS+ Authentication Client Table Nearly Full Trap Threshold (%) field to adjust the TACACS+ SNMP trap threshold.
You can enable or disable the TACACS+ NAS trap from within SNMP clients (SNMP v3 and SNMP v1/v2) using the new TACACS+ NAS threshold exceeded toggle.
FortiAuthenticator now returns the remaining validity time of an OAuth2 access token in the expires_in field of the verify_token endpoint. See REST API Solutions Guide.
A new built-in read-only admin profile in System > Administration > Admin Profiles.
The following new fields are available in the
For information about the new fields, see REST API Solutions Guide.
FortiAuthenticator now allows manually logging out of IdP sessions using the new Logoff All and Logoff Selected buttons in Monitor > Authentication > SAML IdP Session.
FortiAuthenticator now supports multiple values for a remote LDAP custom attribute in Authentication > SAML IdP > Service Providers.