Administration Guide

FortiAuthenticator 6.5.0

The following list contains new and expanded features added in FortiAuthenticator 6.5.0.

Password history increased to 24

FortiAuthenticator can now remember up to 24 previously used passwords. See Passwords.

Last successful login information in the SAML IdP login success page

Upon successful SAML authentication, the SAML IdP Login Success Page now displays Last successful login information that includes:

  • The date and time when the user credentials were last successfully validated if the IdP session was recently created.

  • The date and time of the start of the current IdP session if the IdP session already existed.

See Replacement messages.

Captive portal: New device registration replacement messages

In captive portal, the device registration page is now customizable.

In Authentication > Portals > Replacement Messages, the following new replacement messages are available:

  • Device Registration Page

  • Device Registration with Replacement Page

See Replacement messages.

Automated Certificate Management Environment (ACME) support

FortiAuthenticator now supports ACME certificate generation.

A new Automated option is available in Issuer when creating a new server certificate in Certificate Management > End Entities > Local Services. It automatically creates a certificate using the ACME protocol with the Let's Encrypt service. When the option is selected, you can enter the Acme service URL.

See End entities.

FSSO: Syslog with list of values

FortiAuthenticator can now detect login events from syslog messages that contain a list of values without keys, in addition to detecting login events from messages with key/value pairs.

When creating or editing a matching rule in Fortinet SSO Methods > SSO > Syslog Sources, a new Mode option is available with the following two options:

  • Key-value pairs (legacy option)

  • List of values (new option)

See Syslog sources.
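As an added illustration (not FortiAuthenticator's code), the following Python models the two matching-rule modes over constructed syslog lines: in key-value mode the user and source IP are located by key name, in list-of-values mode by position. The rule fields, the separator and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

@dataclass
class LoginEvent:
    username: str
    ip: str

@dataclass
class MatchingRule:
    """One syslog matching rule. mode is "kv" (legacy key/value pairs) or
    "list" (positional values without keys). In list mode user_field and
    ip_field are 0-based positions; in kv mode they are key names."""
    mode: str
    trigger: str                  # substring that identifies a login event
    user_field: Union[str, int]
    ip_field: Union[str, int]
    separator: str = ","          # list mode only

    def match(self, line: str) -> Optional[LoginEvent]:
        if self.trigger not in line:
            return None
        if self.mode == "kv":
            fields = dict(re.findall(r"(\w+)=(\S+)", line))
            user = fields.get(str(self.user_field))
            ip = fields.get(str(self.ip_field))
        elif self.mode == "list":
            # Everything after the "program: " prefix is the positional body.
            body = line.split(": ", 1)[-1]
            values = [v.strip() for v in body.split(self.separator)]
            try:
                user, ip = values[int(self.user_field)], values[int(self.ip_field)]
            except (IndexError, ValueError):
                return None
        else:
            raise ValueError(f"unknown mode {self.mode!r}")
        # Reject events whose IP field is not a dotted-quad address.
        if not user or not ip or not re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", ip):
            return None
        return LoginEvent(user, ip)

# Constructed sample syslog lines (not real FortiAuthenticator input).
SAMPLE_LINES = [
    "<86>Jan 10 09:12:01 dc01 sshd: event=login status=success user=alice src_ip=10.1.2.3",
    "<86>Jan 10 09:12:05 vpn01 vpnd: login,success,bob,10.1.2.4",
    "<86>Jan 10 09:12:07 vpn01 vpnd: login,failed,carol,10.1.2.5",
    "<86>Jan 10 09:12:09 dc01 sshd: event=logout user=alice src_ip=10.1.2.3",
]

RULES = [
    MatchingRule("kv", "status=success", "user", "src_ip"),
    MatchingRule("list", "login,success", 2, 3),
]

def detect_logins(lines: List[str], rules: List[MatchingRule]) -> List[LoginEvent]:
    """Apply every rule to every line; the first matching rule wins."""
    events = []
    for line in lines:
        for rule in rules:
            event = rule.match(line)
            if event:
                events.append(event)
                break
    return events
```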

IP address-based admin lock out

FortiAuthenticator now blocks a source IP address from gaining administrative access for a configurable period of time once it has exhausted the maximum number of allowed failed login attempts.

New Maximum failed administrator login attempts and Administrator login lockout period options are available in System access.

A new IP Lockout Policy Settings pane is available in Lockouts.

FortiAuthenticator also generates a log when a source IP address is blocked for too many failed login attempts with the following information:

  • Source IP address

  • Number of failed login attempts

  • Length of the lockout period

A new Locked-out IP Addresses page in Monitor > Authentication displays the list of locked-out IP addresses. See Locked-out IP addresses.
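The lockout behaviour described above, as an added Python example rather than FortiAuthenticator's own implementation: failures are counted per source IP, the IP is blocked once the maximum is reached, a log entry with the three listed fields is emitted, and the block expires after the lockout period. The default values, the attempt() interface and the use of a caller-supplied clock are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class LockoutLog:
    """The three fields the lockout log record carries."""
    source_ip: str
    failed_attempts: int
    lockout_seconds: int

@dataclass
class IpLockoutPolicy:
    # Assumed values for the two System access options named above.
    max_failed_attempts: int = 5
    lockout_seconds: int = 300
    logs: List[LockoutLog] = field(default_factory=list)
    _failures: Dict[str, int] = field(default_factory=dict, init=False, repr=False)
    _locked_until: Dict[str, float] = field(default_factory=dict, init=False, repr=False)

    def is_locked(self, ip: str, now: float) -> bool:
        """`now` is a clock reading in seconds (e.g. time.time())."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lockout period elapsed: clear the block and the failure counter.
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, credentials_ok: bool, now: float) -> bool:
        """Process one admin login attempt from `ip`; True means access granted."""
        if self.is_locked(ip, now):
            return False          # blocked regardless of the credentials offered
        if credentials_ok:
            self._failures.pop(ip, None)
            return True
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count >= self.max_failed_attempts:
            self._locked_until[ip] = now + self.lockout_seconds
            self.logs.append(LockoutLog(ip, count, self.lockout_seconds))
        return False

    def locked_out_ips(self, now: float) -> List[str]:
        """What the Locked-out IP Addresses monitor page would list."""
        return sorted(ip for ip in list(self._locked_until) if self.is_locked(ip, now))
```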

FSSO for cloud-native Azure AD users

When receiving an SSOMA update, FortiAuthenticator now accepts the Azure AD domain and Tenant ID, and can save them in the FSSO login session.

A new Azure AD tenant ID option is available when creating a remote OAuth server in Authentication > Remote Auth. Servers > OAUTH with the OAuth source set to Azure Directory. The option is available when Include for SSO is enabled.

See OAUTH.

For native Azure AD support with older versions of the SSOMA, Fortinet SSO Methods > SSO > General now has a new optional Tenant ID for legacy SSOMA field when Enable FortiClient SSO Mobility Agent Service is enabled. The option allows you to specify a default Azure AD Tenant ID for legacy SSOMA.

See General settings.

FortiAuthenticator now allows you to filter which native Azure AD FSSO sessions are sent to each FortiGate device.

FortiAuthenticator therefore offers a new Import from Azure AD option in Fortinet SSO Methods > SSO > FortiGate Filtering to include Azure AD groups in the FortiGate filter.

See FortiGate filtering.

SAML IdP resolution for IdP Proxy with multiple external IdPs

A new Legacy login sequence option is available when editing SAML IdP settings in Authentication > SAML IdP > General. When enabled, the legacy sequence requests the username and password on the same form. When disabled, only the username is requested on the first form.

The IAM login option is now only available when Legacy login sequence is enabled.

See General.

The following replacement messages have been renamed:

  • Login Page to Login Username and Password Page.

  • Login Fido Page to Login Username Page.

  • Login Fido Password Page to Login Password Page.

See Replacement messages.

When creating or editing an SP, a new Sends username in this parameter option is available in the Authentication pane in Authentication > SAML IdP > Service Providers. It lets you specify the parameter name that the SP uses to prefill the username login field, which helps with compatibility with third-party SPs. See Service providers.

The following two new options are available in the IdP Metadata pane when creating or editing a remote SAML server in Authentication > Remote Auth. Servers > SAML:

  • Sends username in this parameter: specify the parameter name in which the remote IdP receives the username so as to prefill the username login field.

  • Strip realm from username before sending.

The above options help with compatibility with third-party IdPs. See SAML.

RADIUS: eduroam support

To fully support eduroam, FortiAuthenticator includes the following new settings:

  • When creating or editing a RADIUS server in Authentication > Remote Auth. Servers > RADIUS, a new Proxy option is available in Preferred auth. method.

    This enables FortiAuthenticator to proxy RADIUS authentication sessions without changing the authentication method.

  • When creating or editing a RADIUS server in Authentication > Remote Auth. Servers > RADIUS, a new Include realm in username option allows FortiAuthenticator to keep the realm portion of the username before proxying. When enabled, the username string sent to the remote RADIUS server is the same as the username string received from the RADIUS client.

    This allows FortiAuthenticator to route the RADIUS authentication requests through a hierarchy of RADIUS authentication proxy servers.

    See RADIUS.

  • When FortiAuthenticator is terminating EAP authentication sessions, FortiAuthenticator now logs the following information:

    • EAP authentication start

      • Timestamp: Start time

      • Level: Information

      • Category: Event

      • Subcategory: Authentication

      • Log type ID: 20330 (Name: EAP authentication start)

      • Action: EAP login

      • Status: Start

      • User: Outer EAP identity (User-Name attribute)

      • IP: <empty>

      • Message: EAP session start from <MAC address from Calling-Station-Id or unknown>

    • EAP authentication result

      • Timestamp: End time

      • Level: Information

      • Category: Event

      • Subcategory: Authentication

      • Log type ID: 20331 (Name: EAP authentication result)

      • Action: EAP login

      • Status: Success/Failed

      • User: Inner EAP identity

      • IP: <empty>

      • Message:

        • If Status==Success: <EAP method> login successful by <Outer EAP identity> from <MAC address from Calling-Station-Id or unknown>

        • If Status==Failed: <EAP method> login failed by <Outer EAP identity> from <MAC address from Calling-Station-Id or unknown>

  • When creating or editing a rule set in Authentication > RADIUS Service > Accounting Proxy, a new Matching RADIUS Attributes pane is available to control which RADIUS accounting requests will be proxied.

    See Rule sets.

  • FortiAuthenticator now includes the following usability changes to help you configure FortiAuthenticator correctly in an eduroam environment:

    • A new tooltip about the new Include realm in username option when creating or editing a remote RADIUS server in Authentication > Remote Auth. Servers > RADIUS.

    • A new tooltip about EAP settings added to the Authentication type tab when creating or editing a RADIUS policy in Authentication > RADIUS Service > Policies.

    • A new Eduroam toggle added to the Identity source tab when creating or editing a RADIUS policy in Authentication > RADIUS Service > Policies.

      Enabling this option forces some settings in the Identity source tab to the values required in an eduroam environment.

      See Policies.

    • Fortinet SSO Methods > Accounting Proxy is now available in Authentication > RADIUS Service > Accounting Proxy.
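An added example (not Fortinet code) of how a SOC might consume the two EAP log types listed above: it pairs each 20330 start with the following 20331 result for the same MAC taken from the message text, keeps outer and inner identities separately, and flags MACs with repeated failures. The key=value line layout and the sample lines are constructed assumptions; only the field names follow the list above.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample lines using the field names listed above; the key=value
# layout is an assumption, not FortiAuthenticator's real log format.
SAMPLE_LOGS = """\
2024-01-10T09:00:00Z logid=20330 action="EAP login" status=Start user="alice@example.edu" ip="" msg="EAP session start from 00:11:22:33:44:55"
2024-01-10T09:00:02Z logid=20331 action="EAP login" status=Success user="alice" ip="" msg="PEAP login successful by alice@example.edu from 00:11:22:33:44:55"
2024-01-10T09:01:00Z logid=20330 action="EAP login" status=Start user="anonymous@example.edu" ip="" msg="EAP session start from 66:77:88:99:aa:bb"
2024-01-10T09:01:03Z logid=20331 action="EAP login" status=Failed user="bob" ip="" msg="EAP-TTLS login failed by anonymous@example.edu from 66:77:88:99:aa:bb"
2024-01-10T09:01:10Z logid=20330 action="EAP login" status=Start user="anonymous@example.edu" ip="" msg="EAP session start from 66:77:88:99:aa:bb"
2024-01-10T09:01:12Z logid=20331 action="EAP login" status=Failed user="bob" ip="" msg="EAP-TTLS login failed by anonymous@example.edu from 66:77:88:99:aa:bb"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
START_RE = re.compile(r"^EAP session start from (\S+)$")
RESULT_RE = re.compile(r"^(\S+) login (?:successful|failed) by (\S+) from (\S+)$")

@dataclass
class EapSession:
    mac: str                          # from Calling-Station-Id, or "unknown"
    outer_identity: str               # User-Name attribute (20330 record)
    started: datetime
    inner_identity: Optional[str] = None   # user field of the 20331 record
    method: Optional[str] = None
    status: str = "Start"             # stays "Start" if no result ever arrives
    ended: Optional[datetime] = None

def parse_line(line: str) -> dict:
    ts, rest = line.split(" ", 1)
    fields = {k: (v or q) for k, q, v in FIELD_RE.findall(rest)}
    fields["timestamp"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields

def correlate(log_text: str) -> List[EapSession]:
    """Pair each 20330 start with the next 20331 result for the same MAC."""
    open_by_mac: Dict[str, EapSession] = {}
    sessions: List[EapSession] = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f["logid"] == "20330":
            mac = START_RE.match(f["msg"]).group(1)
            s = EapSession(mac, f["user"], f["timestamp"])
            open_by_mac[mac] = s          # a new start supersedes an unanswered one
            sessions.append(s)
        elif f["logid"] == "20331":
            m = RESULT_RE.match(f["msg"])
            s = m and open_by_mac.pop(m.group(3), None)
            if not s:
                continue                  # unparsable message or result without a start
            s.method, s.inner_identity = m.group(1), f["user"]
            s.status, s.ended = f["status"], f["timestamp"]
    return sessions

def repeated_failures(sessions: List[EapSession], threshold: int = 2) -> Dict[str, int]:
    """MACs with at least `threshold` failed results: a hook for alerting."""
    counts: Dict[str, int] = {}
    for s in sessions:
        if s.status == "Failed":
            counts[s.mac] = counts.get(s.mac, 0) + 1
    return {mac: n for mac, n in counts.items() if n >= threshold}
```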

RADIUS authentication: Dynamically populates attributes in authentication responses

The RADIUS server is now able to set the values of RADIUS attributes specified in user groups to a static or dynamic value. Value Type when adding RADIUS attributes while creating or editing a user group in Authentication > User Management > User Groups now includes new Static and Dynamic options.

The dynamic value is either obtained from the user account settings on FortiAuthenticator or from a user account attribute on a remote LDAP server.

The following restrictions apply to the new Dynamic option:

  • When the user group is a local or remote RADIUS group, the Dynamic option is only available if the RADIUS attribute type is String.

  • When the user group is a remote LDAP group, the Dynamic option is only available if the RADIUS attribute type is String or IP.

  • When the user group is a remote SAML or MAC group, the Dynamic option is not available.

See User groups.

A new Enter detail debug mode option is available in debug logs when the selected service is RADIUS authentication. See Debug logs.

OAuth: Scopes support

A new Scopes tab in Authentication > OAuth Service lists the scopes. You can now add, edit, or delete scopes. See Scopes.

When editing a relying party, you can now specify a list of default and optional scopes. See Relying Party.

A new End-user must authorize scopes (authentication code grant type only) toggle is available in the Authentication factors tab when creating or editing an OAuth policy. See Policies.

A new scope field is available in the /oauth/authorize/ and /oauth/token/ endpoints. See REST API Solutions Guide.

Self-service portal: Smart Connect to deliver only certificates

When creating or editing Smart Connect profiles in Authentication > Portals > Smart Connect Profiles, FortiAuthenticator now includes an additional Certificate option in Connect type.

When the Connect type is Certificate, you can specify the local CA certificate in the Signing CA dropdown to use to sign the client certificates issued by the Smart Connect profile.

You can then specify which CA certificates to install on every endpoint.

See Smart Connect profiles.

WPA3 support

FortiAuthenticator now offers cipher suite support for WPA3.

Configurable SMTP timeout

When creating or editing an SMTP server in System > Messaging > SMTP Servers, you can now configure the SMTP timeout using the new SMTP connection timeout value in second field. See SMTP servers.