Fortinet black logo

Administration Guide

FortiAuthenticator 6.4.1

FortiAuthenticator 6.4.1

The following list contains new and expanded features added in FortiAuthenticator 6.4.1.

Logging: Support for sending syslog messages through an encrypted tunnel

When creating or editing a syslog server in Logging > Log Config > Syslog Servers, there is a new Secure Connection pane for sending syslog messages to remote servers using a TLS connection. See Log configuration.

Windows Agent: TOTP offline cache size increased

FortiAuthenticator Agent for Microsoft Windows now allows TOTP cache sizes up to 200 days. See Tokens and the FortiAuthenticator Agent for Microsoft Windows Install Guide on Fortinet Docs Library.

RADIUS service: Import clients through CSV file or REST API

RADIUS clients can be imported and assigned to RADIUS policies through a CSV file. See Clients.

New radiusclients, radiuspolicies, and radiuspolicyclient endpoints available, see REST API Solutions Guide.

FSSO: Support for encrypted syslog sources

FortiAuthenticator now supports receiving messages from a syslog source over a TLS connection on the port 6514.

Network interfaces in System > Network > Interfaces have a new Syslog over TLS (TCP/6514) toggle in Services that allows receiving messages from a syslog source over TLS. See Interfaces.

The syslog-based FSSO feature allows enabling or disabling encrypted syslogs:

  • New Allow TLS encryption and Require client authentication toggle in Enable Syslog SSO when editing SSO configuration in Fortinet SSO Methods > SSO > General. See General settings.

A new TLS encryption toggle when creating or editing a syslog source in Fortinet SSO Methods > SSO > Syslog Sources. See Syslog sources.

FortiTokens: Ability to report inactive tokens

You can now see the last used date and time for a FortiToken when editing a FortiToken in Authentication > User Management > FortiTokens.

A new last used column in Authentication > User Management > FortiTokens. See FortiTokens.

New last_used_at field is available in the fortitokens endpoint. See REST API Solutions Guide.

User Portal: Support for the SmartConnect Android application

FortiAuthenticator now supports the SmartConnect Android application in the captive and self-service user portals. See Smart Connect profiles.

Android 11 allows the SmartConnect app to install user credential certs for EAP-TLS and PEAP to allow for user authentication.

Android 11 restricts the SmartConnect app from installing global CA certificates. As of Android 11, these certificates have to be installed manually. A warning message appears in the SmartConnect app, which prompts to install certificates manually.

Support for EAP-MSCHAPv2

FortiAuthenticator now supports EAP-MSCHAPv2 authentication mechanism against a remote AD server.

FortiAuthenticator also supports multi-factor authentication over EAP-MSCHAPv2.

When creating or editing a RADIUS policy in Authentication > RADIUS Service > Policies, a new EAP-MSCHAPv2 toggle is now available in the Authentication type tab, given that Accept EAP toggle is enabled in Password/OTP authentication. See Policies and Extensible Authentication Protocol.

New SAML IdP and Kerberos SSO toggles

When editing an interface in System > Network > Interfaces, new SAML IdP and Kerberos SSO toggles available in the Services pane. See Interfaces.

Windows Agent: Emergency Offline Access

FortiAuthenticator now supports a new temporary token option that allows the use of emergency codes for offline end-users who find themselves without access to FortiToken, email, or SMS.

A new Enable emergency codes toggle and Emergency codes valid for option when editing the token policy settings in Authentication > User Account Policies > Tokens. See Tokens.

A new Display emergency code button that displays the emergency code from within a user account if FortiToken is provisioned for the account. See Local users and Remote users.

OpenID Connect

OpenID Connect (OIDC) provides an identity layer on top of the OAuth 2.0 protocol to verify end-user identity and obtain profile information. OIDC is a modern SSO protocol that is easier and more flexible to use than SAML.

OIDC authentication can be enabled for the OAuth client by configuring the relying party with an authorization code, policy, redirect URI, and OIDC claim(s).

OAuth Service in Authentication has been reorganized to include the following tabs:

  • General- Configure general settings for OAuth.

  • Policies - Create policies to use with OAuth authentication.

  • Relying Party - Configure OAuth clients and OIDC claims.

New OIDC endpoints are now available. The token endpoint now expanded to include new fields that support the OIDC configuration. See REST API Solutions Guide.

Secure LDAP: Support multiple CAs

When creating or editing an LDAP Server in Authentication > Remote Auth. Servers > LDAP, a new Trusted CA toggle now allows you to specify multiple trusted CAs for secure connection to a remote LDAP server. See LDAP.

Import trusted CA certificates with certificate chain

Using the new Learn Certificate button in Certificate Management > Certificate Authorities > Trusted CAs, you can now extract a certificate chain from a TLS server and show its CA certificates by entering the host name/ IP address and the port number. You can then import CA certificates. See Trusted CAs.

Self-service portal: Email templates for resetting password

New Password Reset Email Subject and Password Reset Email Message replacement messages in Authentication > Portals > Replacement Messages. See Replacement messages.

TACACS+: Stronger client secret values

You can now set stronger TACACS+ client secrets to include special characters: !@#$%^&()_+\<>?./ when adding, editing, or importing TACACS+ clients.

tacplusclients endpoint now allows special characters for the secret field. See REST API Solutions Guide.

SMTP test window provides more accurate error information

Upon a failed SMTP test, FortiAuthenticator displays a message in the GUI to help troubleshoot the source of the issue. See Troubleshooting SMTP server tests.

For SMTP servers, FortiAuthenticator logs the source of the issue to Logging > Log Access > Logs.

Also, upon a failed SMTP send attempt, i.e., when not using the Test Connection button, FortiAuthenticator logs the source of the issue to Logging > Log Access > Logs.

RADIUS service: Return user group attributes on AD computer authentication

In the RADIUS response tab, when the AD Computer Authentication Result is successful and the user is not authenticated yet, you can now select between the following RADIUS attribute response options:

  • When Return User Group Attributes is enabled, RADIUS attributes configured in the user groups that the computer is a member of are returned.

  • Return Additional Attributes.

See Policies.

SNMP: TACACS+ OIDs

FortiAuthenticator adds support for TACACS+ over SNMP which is equivalent to RADIUS.

When configuring SNMP settings in System > Administration > SNMP, there is a new TACACS+ Authentication Client Table Nearly Full Trap Threshold (%) field to adjust the TACACS+ SNMP trap threshold.

You can enable or disable TACACS+ NAS trap from within SNMP clients (SNMP v3 and SNMP v1/v2) using the new TACAS+ NAS threshold exceeded toggle. See SNMP.

OAuth service: Access token expiry

FortiAuthenticator now returns the remaining validity time for the OAuth2 access token in the verify_token endpoint.

A new expires_in field is available in the verify_token endpoint. See REST API Solutions Guide.

Built-in read-only admin profile

A new built-in read-only admin profile in System > Administration > Admin Profiles. See Admin profiles.

Additional system information via REST API

The following new fields are available in the systeminfo endpoint:

  • cpu

  • disk

  • disk_usage_detail

  • firmware

  • memory

  • memory_usage_detail

For information about the new fields, see REST API Solutions Guide.

Log out a session from the monitor page

FortiAuthenticator now allows manually logging out of IdP sessions using the new Logoff All and Logoff Selected buttons in Monitor > Authentication > SAML IdP Session.

See SAML IdP sessions.

SAML IdP: Support for multiple remote LDAP custom attributes

FortiAuthenticator now supports multiple values for a remote LDAP custom attribute in Authentication > SAML IdP > Service Providers. See Service providers.

FortiAuthenticator 6.4.1

The following list contains new and expanded features added in FortiAuthenticator 6.4.1.

Logging: Support for sending syslog messages through an encrypted tunnel

When creating or editing a syslog server in Logging > Log Config > Syslog Servers, there is a new Secure Connection pane for sending syslog messages to remote servers using a TLS connection. See Log configuration.

Windows Agent: TOTP offline cache size increased

FortiAuthenticator Agent for Microsoft Windows now allows TOTP cache sizes up to 200 days. See Tokens and the FortiAuthenticator Agent for Microsoft Windows Install Guide on Fortinet Docs Library.

RADIUS service: Import clients through CSV file or REST API

RADIUS clients can be imported and assigned to RADIUS policies through a CSV file. See Clients.

New radiusclients, radiuspolicies, and radiuspolicyclient endpoints available, see REST API Solutions Guide.

FSSO: Support for encrypted syslog sources

FortiAuthenticator now supports receiving messages from a syslog source over a TLS connection on the port 6514.

Network interfaces in System > Network > Interfaces have a new Syslog over TLS (TCP/6514) toggle in Services that allows receiving messages from a syslog source over TLS. See Interfaces.

The syslog-based FSSO feature allows enabling or disabling encrypted syslogs:

  • New Allow TLS encryption and Require client authentication toggle in Enable Syslog SSO when editing SSO configuration in Fortinet SSO Methods > SSO > General. See General settings.

A new TLS encryption toggle when creating or editing a syslog source in Fortinet SSO Methods > SSO > Syslog Sources. See Syslog sources.

FortiTokens: Ability to report inactive tokens

You can now see the last used date and time for a FortiToken when editing a FortiToken in Authentication > User Management > FortiTokens.

A new last used column in Authentication > User Management > FortiTokens. See FortiTokens.

New last_used_at field is available in the fortitokens endpoint. See REST API Solutions Guide.

User Portal: Support for the SmartConnect Android application

FortiAuthenticator now supports the SmartConnect Android application in the captive and self-service user portals. See Smart Connect profiles.

Android 11 allows the SmartConnect app to install user credential certs for EAP-TLS and PEAP to allow for user authentication.

Android 11 restricts the SmartConnect app from installing global CA certificates. As of Android 11, these certificates have to be installed manually. A warning message appears in the SmartConnect app, which prompts to install certificates manually.

Support for EAP-MSCHAPv2

FortiAuthenticator now supports EAP-MSCHAPv2 authentication mechanism against a remote AD server.

FortiAuthenticator also supports multi-factor authentication over EAP-MSCHAPv2.

When creating or editing a RADIUS policy in Authentication > RADIUS Service > Policies, a new EAP-MSCHAPv2 toggle is now available in the Authentication type tab, given that Accept EAP toggle is enabled in Password/OTP authentication. See Policies and Extensible Authentication Protocol.

New SAML IdP and Kerberos SSO toggles

When editing an interface in System > Network > Interfaces, new SAML IdP and Kerberos SSO toggles available in the Services pane. See Interfaces.

Windows Agent: Emergency Offline Access

FortiAuthenticator now supports a new temporary token option that allows the use of emergency codes for offline end-users who find themselves without access to FortiToken, email, or SMS.

A new Enable emergency codes toggle and Emergency codes valid for option when editing the token policy settings in Authentication > User Account Policies > Tokens. See Tokens.

A new Display emergency code button that displays the emergency code from within a user account if FortiToken is provisioned for the account. See Local users and Remote users.

OpenID Connect

OpenID Connect (OIDC) provides an identity layer on top of the OAuth 2.0 protocol to verify end-user identity and obtain profile information. OIDC is a modern SSO protocol that is easier and more flexible to use than SAML.

OIDC authentication can be enabled for the OAuth client by configuring the relying party with an authorization code, policy, redirect URI, and OIDC claim(s).

OAuth Service in Authentication has been reorganized to include the following tabs:

  • General- Configure general settings for OAuth.

  • Policies - Create policies to use with OAuth authentication.

  • Relying Party - Configure OAuth clients and OIDC claims.

New OIDC endpoints are now available. The token endpoint now expanded to include new fields that support the OIDC configuration. See REST API Solutions Guide.

Secure LDAP: Support multiple CAs

When creating or editing an LDAP Server in Authentication > Remote Auth. Servers > LDAP, a new Trusted CA toggle now allows you to specify multiple trusted CAs for secure connection to a remote LDAP server. See LDAP.

Import trusted CA certificates with certificate chain

Using the new Learn Certificate button in Certificate Management > Certificate Authorities > Trusted CAs, you can now extract a certificate chain from a TLS server and show its CA certificates by entering the host name/ IP address and the port number. You can then import CA certificates. See Trusted CAs.

Self-service portal: Email templates for resetting password

New Password Reset Email Subject and Password Reset Email Message replacement messages in Authentication > Portals > Replacement Messages. See Replacement messages.

TACACS+: Stronger client secret values

You can now set stronger TACACS+ client secrets to include special characters: !@#$%^&()_+\<>?./ when adding, editing, or importing TACACS+ clients.

tacplusclients endpoint now allows special characters for the secret field. See REST API Solutions Guide.

SMTP test window provides more accurate error information

Upon a failed SMTP test, FortiAuthenticator displays a message in the GUI to help troubleshoot the source of the issue. See Troubleshooting SMTP server tests.

For SMTP servers, FortiAuthenticator logs the source of the issue to Logging > Log Access > Logs.

Also, upon a failed SMTP send attempt, i.e., when not using the Test Connection button, FortiAuthenticator logs the source of the issue to Logging > Log Access > Logs.

RADIUS service: Return user group attributes on AD computer authentication

In the RADIUS response tab, when the AD Computer Authentication Result is successful and the user is not authenticated yet, you can now select between the following RADIUS attribute response options:

  • When Return User Group Attributes is enabled, RADIUS attributes configured in the user groups that the computer is a member of are returned.

  • Return Additional Attributes.

See Policies.

SNMP: TACACS+ OIDs

FortiAuthenticator adds support for TACACS+ over SNMP which is equivalent to RADIUS.

When configuring SNMP settings in System > Administration > SNMP, there is a new TACACS+ Authentication Client Table Nearly Full Trap Threshold (%) field to adjust the TACACS+ SNMP trap threshold.

You can enable or disable TACACS+ NAS trap from within SNMP clients (SNMP v3 and SNMP v1/v2) using the new TACAS+ NAS threshold exceeded toggle. See SNMP.

OAuth service: Access token expiry

FortiAuthenticator now returns the remaining validity time for the OAuth2 access token in the verify_token endpoint.

A new expires_in field is available in the verify_token endpoint. See REST API Solutions Guide.

Built-in read-only admin profile

A new built-in read-only admin profile in System > Administration > Admin Profiles. See Admin profiles.

Additional system information via REST API

The following new fields are available in the systeminfo endpoint:

  • cpu

  • disk

  • disk_usage_detail

  • firmware

  • memory

  • memory_usage_detail

For information about the new fields, see REST API Solutions Guide.

Log out a session from the monitor page

FortiAuthenticator now allows manually logging out of IdP sessions using the new Logoff All and Logoff Selected buttons in Monitor > Authentication > SAML IdP Session.

See SAML IdP sessions.

SAML IdP: Support for multiple remote LDAP custom attributes

FortiAuthenticator now supports multiple values for a remote LDAP custom attribute in Authentication > SAML IdP > Service Providers. See Service providers.