8.0.0

Getting started

The FortiAuthenticator device is an identity and access management solution that provides user identity services to Fortinet products and third-party devices.

It offers a range of features designed to secure your network infrastructure, including user authentication, MFA, IEEE 802.1X support, and certificate management.

FortiAuthenticator is a critical system and should be isolated on a network interface separate from other hosts to enhance server-related firewall protection and prevent unauthorized access.

FortiAuthenticator can also replace the Fortinet Single Sign-On (FSSO) Agent on a Windows AD network.

Planning

Before deploying your standalone FortiAuthenticator, review the following key areas:

Requirements

Ensure the following prerequisites are met for a successful FortiAuthenticator setup:

Supported Environments

FortiAuthenticator 8.0 supports virtualization environments such as:

  • VMware ESXi / ESX 6/7/8

  • Microsoft Hyper-V 2010, Hyper-V 2016, Hyper-V 2019, and Hyper-V 2022

  • Linux Kernel-based Virtual Machine (KVM) on Virtual Machine Manager and QEMU 2.5.0

  • Xen Virtual Machine (for Xen HVM)

  • Nutanix

  • AWS (Amazon Web Services)

  • Microsoft Azure

  • Oracle OCI

  • Alibaba Cloud

  • Saudi Cloud Computing Company (SCCC) and alibabacloud.sa domain (a standalone cloud backed by AliCloud)

  • Proxmox

Browser Support

  • Microsoft Edge

  • Mozilla Firefox

  • Google Chrome

For supported versions, see Web browser support in the latest FortiAuthenticator Release Notes.

VM Resources

Minimum 16 GB RAM required.

Administrative Access

You must have administrative access to the GUI and/or the CLI.

Initial System Configuration

Essential settings such as system time, DNS settings, administrator password, and network interfaces must be configured.

Network Time Protocol (NTP) is crucial for maintaining accurate and stable time, especially when using Time-based One-time Password (TOTP) for two-factor authentication.

Third-Party Components

Any third-party software or servers intended for use with FortiAuthenticator should be configured according to their respective documentation.

Open Ports

Ensure that the following ports are open in security policies between the FortiAuthenticator and authentication clients, in addition to the management protocols (HTTP, HTTPS, SSH, and ping):

  • UDP/161 (SNMP)

  • UDP/1812 (RADIUS Auth)

  • UDP/1813 (RADIUS Accounting)

  • UDP/8002 (DC/TS Agent FSSO)

  • TCP/389 (LDAP)

  • TCP/636 (LDAPS)

  • TCP/8000 (FortiGate FSSO)

  • TCP/8001 (FortiClient Single Sign-On Mobility Agent FSSO)

  • TCP/8002 (DC/TS Agent FSSO)

  • TCP/8003 (Hierarchical FSSO)

  • TCP/2560 (OCSP)
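As an added example (not Fortinet's own code), the script below checks an existing firewall allow-list against the port requirements above and renders matching iptables accept rules, so a missing LDAPS or RADIUS accounting rule is caught before clients start failing. The "proto/port" allow-list format, the address 10.0.0.5 and the default management ports (HTTP 80, HTTPS 443, SSH 22) are assumptions; the page names the protocols but not their port numbers.

```python
# Added example, not Fortinet code. Assumed: default management ports
# (HTTP 80, HTTPS 443, SSH 22) and a constructed "proto/port" allow-list format.
# Ports required between FortiAuthenticator and its clients, as listed above.
REQUIRED = {
    ("udp", 161): "SNMP",
    ("udp", 1812): "RADIUS Auth",
    ("udp", 1813): "RADIUS Accounting",
    ("udp", 8002): "DC/TS Agent FSSO",
    ("tcp", 389): "LDAP",
    ("tcp", 636): "LDAPS",
    ("tcp", 8000): "FortiGate FSSO",
    ("tcp", 8001): "FortiClient SSO Mobility Agent FSSO",
    ("tcp", 8002): "DC/TS Agent FSSO",
    ("tcp", 8003): "Hierarchical FSSO",
    ("tcp", 2560): "OCSP",
}
# Management protocols named on the page; the port numbers are assumed defaults.
MANAGEMENT = {("tcp", 80): "HTTP", ("tcp", 443): "HTTPS", ("tcp", 22): "SSH"}
ALL_PORTS = {**REQUIRED, **MANAGEMENT}


def parse_allow_list(text):
    """Parse lines like 'tcp/636' into a set of (proto, port); skip blanks and '#' comments."""
    allowed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            proto, port = line.lower().split("/")
            allowed.add((proto, int(port)))
    return allowed


def missing_ports(allowed, required=ALL_PORTS):
    """Return (proto, port, service) entries the allow-list lacks, sorted by proto and port."""
    return sorted((p, n, s) for (p, n), s in required.items() if (p, n) not in allowed)


def iptables_rules(fac_ip, required=ALL_PORTS):
    """Render INPUT accept rules for the FortiAuthenticator address, plus ICMP echo for ping."""
    rules = [f"iptables -A INPUT -d {fac_ip} -p {p} --dport {n} -j ACCEPT  # {s}"
             for (p, n), s in sorted(required.items())]
    rules.append(f"iptables -A INPUT -d {fac_ip} -p icmp --icmp-type echo-request -j ACCEPT  # ping")
    return rules


# Constructed allow-list that is missing LDAPS, RADIUS accounting and the FSSO ports.
SAMPLE_ALLOW_LIST = "tcp/22 # SSH\ntcp/443 # HTTPS\nudp/1812 # RADIUS Auth\ntcp/389\n"

if __name__ == "__main__":
    for proto, port, service in missing_ports(parse_allow_list(SAMPLE_ALLOW_LIST)):
        print(f"missing {proto}/{port} ({service})")
```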


Licensing

FortiAuthenticator-VM operates in evaluation mode until a license is applied, which limits the number of configurable users.

  • A stackable license can be applied to increase user count and other associated metrics.

  • For the license to be valid, one of the FortiAuthenticator interfaces must be set to the IP address specified in the license.

  • Licenses for FortiAuthenticator-VM apply to:

    • The total number of local and remote user accounts configured.

    • The number of concurrent FSSO sessions.

    • Maximum limits on all other configuration objects are derived as a ratio to the maximum user count.

  • SSO Mobility Agent (SSOMA) client limits are determined by the lowest of either "Maximum FortiClient SSO" or "Maximum users" from the onboard license.

  • SSOMA, FTM (FortiToken Mobile), and SMS licenses are purchased separately and do not scale with the FortiAuthenticator user limit.

For High Availability (HA) clusters:

  • Primary HA clusters require each FortiAuthenticator unit to have its own license of the same size (users and SSOMA clients).

  • An HA load-balancer needs a user license size sufficient to replicate the configuration from the primary, though the SSOMA license size can differ based on which node SSOMA clients connect to.

FortiAuthenticator-VM accepts a subscription-based license.

See Subscription VM license in the latest FortiAuthenticator Administration Guide.

Learning more
