Administration Guide

Configuring remote authentication

To authenticate users and administrators, FortiRecorder can connect with FortiAuthenticator or a remote authentication server such as Microsoft Active Directory, Red Hat Identity Management, or Ping Identity, via LDAP, RADIUS, or SAML SSO.

Configuring RADIUS authentication

If your users must log in to a RADIUS server, then configure a RADIUS profile that defines how FortiRecorder sends authentication queries to the RADIUS server.

To configure a RADIUS query

  1. Go to System > Authentication > RADIUS.
  2. Click New.
  3. Configure the following settings:

    Setting Name

    Description

    Profile name

    Enter a unique name (such as RADIUS-query1) that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

    Server name/IP

    Enter the fully qualified domain name (FQDN) or IP address of the RADIUS server that will be queried when an account referencing this profile attempts to authenticate.

    Server port

    Enter the port number on which the authentication server listens for queries.

    The IANA standard port number for RADIUS is 1812.

    Protocol

    Select which authentication method is used by the RADIUS server:

    • Password Authentication
    • Challenge Handshake Authentication (CHAP)
    • Microsoft Challenge Handshake Authentication (MS-CHAP)
    • Microsoft Challenge Handshake Authentication V2 (MS-CHAPv2)
    • Default Authentication Scheme

    NAS IP/Called station ID

    Type the NAS IP address or Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address of the FortiRecorder network interface used to communicate with the RADIUS server will be applied.

    Server secret

    Type the secret required by the RADIUS server. It must be the same as the secret that is configured on the RADIUS server.

    Server requires domain

    Enable if the authentication server requires that users authenticate using their full email address (such as user1@example.com) and not just the user name (such as user1).

  4. Click OK.

    To test the query, select this profile when configuring a user account, and then attempt to authenticate using that account's login credentials.
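    The following is an added example, not FortiRecorder's own code, showing what the profile's Server secret and Protocol choice mean on the wire according to RFC 2865: PAP hides the User-Password with an MD5 stream keyed by the shared secret, while CHAP sends only a hash of the password and a challenge. The secret, Request Authenticator, password and attribute values are constructed for the example; the attribute type numbers are the standard RFC 2865 ones.

```python
"""Added example (not FortiRecorder's own code): RFC 2865 Access-Request
building blocks behind the RADIUS profile settings. Secret, authenticator,
user name and password below are constructed sample values."""
import hashlib
import secrets

# Standard RFC 2865 attribute types used in an Access-Request.
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4
CALLED_STATION_ID, CHAP_CHALLENGE = 30, 60
ACCESS_REQUEST = 1


def pap_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes and XOR
    each block with MD5(secret || previous ciphertext block), seeded with the
    Request Authenticator. This is keyed obfuscation, not authenticated
    encryption: the strength of the shared secret and the transport protecting
    the UDP path are what keep the password confidential."""
    if len(request_authenticator) != 16:
        raise ValueError('Request Authenticator must be 16 bytes')
    if len(password) > 128:
        raise ValueError('RADIUS User-Password is at most 128 bytes')
    padded = password + b'\0' * (-len(password) % 16)
    if not padded:
        padded = b'\0' * 16
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return bytes(out)


def pap_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server-side inverse of pap_hide_password; strips the NUL padding."""
    if len(hidden) % 16:
        raise ValueError('hidden password length must be a multiple of 16')
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(cipher, block))
        prev = cipher
    return bytes(out).rstrip(b'\0')


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3 CHAP-Password value: ident || MD5(ident || password || challenge).
    The cleartext password is never sent, but the server must hold it (or a
    reversible form) to verify the hash, which is the trade-off versus PAP."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password: bytes, password: bytes, challenge: bytes) -> bool:
    """Constant-time check of a received CHAP-Password against the stored password."""
    expected = chap_response(chap_password[0], password, challenge)
    return secrets.compare_digest(expected, chap_password)


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type (1 byte), length including header (1 byte), value."""
    if len(value) > 253:
        raise ValueError('attribute value too long')
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, request_authenticator: bytes, attributes) -> bytes:
    """Access-Request packet: code, identifier, length, authenticator, attributes."""
    body = b''.join(encode_attribute(t, v) for t, v in attributes)
    length = 20 + len(body)
    return bytes([ACCESS_REQUEST, identifier]) + length.to_bytes(2, 'big') + request_authenticator + body


if __name__ == '__main__':
    secret = b'constructed-shared-secret'
    authenticator = secrets.token_bytes(16)   # fresh random Request Authenticator per request
    hidden = pap_hide_password(b'correct horse battery staple', secret, authenticator)
    packet = build_access_request(1, authenticator, [
        (USER_NAME, b'user1@example.com'),   # full address when "Server requires domain" is enabled
        (USER_PASSWORD, hidden),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    ])
    print(len(packet), 'byte Access-Request; PAP password round-trips:',
          pap_reveal_password(hidden, secret, authenticator))
```

    Run with MS-CHAP or MS-CHAPv2 selected, the request carries the vendor-specific attributes from RFC 2548 instead of User-Password or CHAP-Password; those are not shown here.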

Configuring LDAP authentication

If your users must log in to an LDAP server, then configure an LDAP profile that defines how FortiRecorder sends authentication queries to the LDAP server.

To configure an LDAP query

  1. Go to System > Authentication > LDAP.
  2. Click New.
  3. Configure the following settings:

    Setting Name

    Description

    Profile name

    Type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

    Server name/IP

    Type the fully qualified domain name (FQDN) or IP address of the LDAP server (for example, Microsoft Active Directory) that will be queried when an account referencing this profile attempts to authenticate.

    Fallback server name/IP

    Type the fully qualified domain name (FQDN) or IP address of a secondary LDAP or Active Directory server, if any, that can be queried if the primary server fails to respond according to the threshold configured in Timeout.

    Port

    Type the port number on which the authentication server listens for queries.

    The IANA standard port number for LDAP is 389. LDAPS (SSL/TLS-secured LDAP) is 636.

    Use secure connection

    If your directory server uses SSL/TLS to encrypt query connections, select this option, then upload the certificate of the CA that signed the LDAP server's certificate (see Uploading trusted CAs' certificates).

    Base DN

    Enter the distinguished name (DN) of the part of the LDAP directory tree within which FortiRecorder will search for user objects, such as:

    ou=People,dc=example,dc=com

    User objects should be child nodes of this location.

    Bind DN

    Enter the bind DN, such as:

    cn=FortiRecorderA,dc=example,dc=com

    of an LDAP user account with permissions to query the Base DN.

    Leave this field blank if you have enabled Allow unauthenticated bind.

    Bind password

    Enter the password of the Bind DN.

    Click Browse to locate the LDAP directory from the location that you specified in Base DN, or, if you have not yet entered a Base DN, beginning from the root of the LDAP directory tree.

    Browsing the LDAP tree can be useful if you need to find your Base DN, or can't remember the attribute names.

    Before using, first configure Server name/IP, Use secure connection, Bind DN, Bind password, and then click Create or OK. These fields provide minimum information required to establish the directory browsing connection.

    LDAP user query

    Enter an LDAP query filter that selects a set of user objects from the LDAP directory.

    The query string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects.

    For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:

    (& (objectClass=inetOrgPerson) (mail=$m))

    where $m is the FortiRecorder variable for a user's email address.

    This option is pre-configured and read-only if Schema is not User Defined.

    For details on query syntax, refer to any standard LDAP query filter reference manual.

    Scope

    Select which level of depth to query, starting from Base DN.

    • One level — Query only the one level directly below the Base DN in the LDAP directory tree.
    • Subtree — Query recursively all levels below the Base DN in the LDAP directory tree.

    Derefer

    Select when, if ever, to dereference attributes whose values are references.

    • Never — Do not dereference.
    • Always — Always dereference.
    • Search — Dereference only when searching.
    • Find — Dereference only when finding the base search object.

    User Authentication Options

    Select how, if the query requires authentication, the FortiRecorder appliance will form the bind DN. The default setting is the third option: Search user and try bind DN.

    • Try UPN or email address as bind DN — Select to form the user's bind DN by prepending the user name portion of the email address ($u) to the User Principal Name (UPN, such as example.com).

      By default, the FortiRecorder appliance will use the mail domain as the UPN. If you want to use a UPN other than the mail domain, enter that UPN in the field named Alternative UPN suffix. This can be useful if users authenticate with a domain other than the mail server's principal domain name.

    • Try common name with base DN as bind DN — Select to form the user's bind DN by combining the user's common name with the base DN. Also enter the name of the user objects' common name attribute, such as cn or uid, in the field.
    • Search user and try bind DN — Select to form the user's bind DN by using the DN retrieved for that user by User Query Options.

    Allow Access Control Attribute

    Select this option to define the access control.

    Allow Admin Profile Attribute

    Select this option to define the administrator profile.

    Notification Options

    Select the Allow notification attributes option to enable notifications.

    FortiRecorder supports the following notifications:

    • Email attribute: This attribute specifies the user's email address for notifications.
    • SMS profile attribute: This attribute specifies which SMS profile the user will use. The SMS profile attribute must match the name of the profile configured in FortiRecorder.
    • SMS number attribute: This attribute specifies the user SMS number for notification. The number format must be the same as the number in the user entry settings.
    • Method attribute: This attribute specifies the method used to notify a user. The two valid entries are email and sms.
    • Embedded email images attribute: This attribute specifies whether images are included in email messages to the user. The two valid entries are yes and no.

    Timeout

    Type the number of seconds that the FortiRecorder appliance will wait for a reply to the query before assuming that the primary LDAP server has failed, and will therefore query the secondary LDAP server.

    The default value is 20.

    Protocol version

    Select the LDAP protocol version (either 2 or 3) used by the LDAP server.

    Allow unauthenticated bind

    Enable to allow unauthenticated bind.

    Enable cache

    Enable to cache LDAP query results.

    Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiRecorder appliance begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently.

    If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of 0 effectively disables caching.

    TTL

    Enter the amount of time, in minutes, that the FortiRecorder unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiRecorder appliance to query the LDAP server, refreshing the cache.

    The default TTL value is 1440 minutes (one day). The maximum value is 10080 minutes (one week). Entering a value of 0 effectively disables caching.

    This option is applicable only if Enable cache is enabled.

  4. Click Create.

    To test the query, configure an account where this profile is used, then attempt to authenticate using that account's credentials.

    Alternatively, click the row to select the query, click Edit, then click Test LDAP Query. From the Select query type drop-down list, select Authentication, then complete the Password and Mail address fields that appear. Click Test. After a few seconds, a dialog should appear to indicate that either the query succeeded, or the reason for its failure, such as a network connectivity error.
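    The following is an added example, not FortiRecorder's own code, that walks through how the LDAP user query, Scope, and the three User Authentication Options above turn a login into a search filter and a bind DN. The only names taken from the guide are the example filter, the example Base DN, and the $m and $u variables; the directory is a constructed in-memory stand-in (it evaluates only AND-combined equality filters) so the example runs offline, and the escaping helpers are assumptions about what a careful implementation does rather than a description of FortiRecorder's internals.

```python
"""Added example (not FortiRecorder's own code): search filter and bind DN
formation for an LDAP authentication profile, against a constructed directory."""
import re

FILTER_TEMPLATE = '(& (objectClass=inetOrgPerson) (mail=$m))'   # the guide's example filter
BASE_DN = 'ou=People,dc=example,dc=com'                          # the guide's example Base DN


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter. Without
    it, a login such as 'a)(uid=*' would rewrite the filter instead of being
    matched as a literal string."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\0' else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value placed inside a DN (used when the bind DN
    is assembled from the user name instead of retrieved by a search)."""
    escaped = ''.join('\\' + ch if ch in ',+"\\<>;' else ch for ch in value)
    if escaped.startswith((' ', '#')):
        escaped = '\\' + escaped
    if escaped.endswith(' '):
        escaped = escaped[:-1] + '\\ '
    return escaped


def build_user_query(template: str, email: str) -> str:
    """Substitute the guide's $m (email) and $u (user name part) variables,
    escaping both user-supplied values."""
    local_part = email.split('@', 1)[0]
    return (template.replace('$m', escape_filter_value(email))
                    .replace('$u', escape_filter_value(local_part)))


_EQUALITY = re.compile(r'\(([A-Za-z][\w-]*)=([^()]*)\)')


def _unescape_filter_value(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


class ToyDirectory:
    """Constructed stand-in for the LDAP server: DN -> attribute dict. Honours
    the profile's Scope ('one' or 'subtree'); assumes no escaped commas in RDNs."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, base_dn: str, filt: str, scope: str = 'subtree'):
        wanted = [(a.lower(), _unescape_filter_value(v)) for a, v in _EQUALITY.findall(filt)]
        hits = []
        for dn, attrs in self.entries.items():
            if not dn.lower().endswith(',' + base_dn.lower()):
                continue                                   # outside the Base DN
            rdns_below_base = dn[:-len(base_dn)].count(',')
            if scope == 'one' and rdns_below_base != 1:
                continue                                   # One level: direct children only
            lowered = {k.lower(): v for k, v in attrs.items()}
            if all(lowered.get(a) == v for a, v in wanted):
                hits.append(dn)
        return hits


def form_bind_dn(option: str, email: str, *, base_dn: str = BASE_DN, cn_attr: str = 'cn',
                 alt_upn_suffix: str = None, directory: ToyDirectory = None,
                 template: str = FILTER_TEMPLATE, scope: str = 'subtree'):
    """The three User Authentication Options from the guide:
      'upn'    - Try UPN or email address as bind DN
      'cn'     - Try common name with base DN as bind DN
      'search' - Search user and try bind DN (the default)
    Returns the DN (or UPN) to bind with, or None if a search did not find
    exactly one user object."""
    local_part, _, mail_domain = email.partition('@')
    if option == 'upn':
        return f'{local_part}@{alt_upn_suffix or mail_domain}'
    if option == 'cn':
        return f'{cn_attr}={escape_dn_value(local_part)},{base_dn}'
    if option == 'search':
        matches = directory.search(base_dn, build_user_query(template, email), scope)
        return matches[0] if len(matches) == 1 else None
    raise ValueError(f'unknown option {option!r}')


# Constructed sample directory: a service account above the Base DN, two users
# at different depths, and a non-user object that the filter must exclude.
DIRECTORY = ToyDirectory({
    'cn=FortiRecorderA,dc=example,dc=com': {'objectClass': 'inetOrgPerson', 'cn': 'FortiRecorderA'},
    'uid=alice,ou=People,dc=example,dc=com': {'objectClass': 'inetOrgPerson', 'mail': 'alice@example.com'},
    'uid=bob,ou=Staff,ou=People,dc=example,dc=com': {'objectClass': 'inetOrgPerson', 'mail': 'bob@example.com'},
    'cn=room-cam1,ou=People,dc=example,dc=com': {'objectClass': 'device', 'mail': 'cam1@example.com'},
})

if __name__ == '__main__':
    for option in ('upn', 'cn', 'search'):
        print(option, '->', form_bind_dn(option, 'alice@example.com', cn_attr='uid', directory=DIRECTORY))
```

    Two things to check with your own directory: a filter that matches zero or several objects makes the search option fail closed (it returns None rather than guessing), and a One level scope will not find users nested in sub-OUs such as ou=Staff, which is the usual reason an otherwise correct profile authenticates some users and not others.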

Configuring single sign-on (SSO) authentication

Single sign-on (SSO) can save time for users by reducing the number of times that they must log in when using many network services. Once they log in, they can access all other authorized services that use SSO until their session expires.

In Security Assertion Markup Language (SAML) SSO, you must configure both of these to connect and authenticate with each other:

  • FortiRecorder, which is the service provider (SP)
  • FortiAuthenticator or other remote authentication server, which is the identity provider (IdP)

In addition to SSO, FortiRecorder also supports single log off (SLO). When someone logs out of FortiRecorder, they will also be logged out of all services that use the same federated SSO authentication.

To configure FortiRecorder SSO with Ping Identity, see the FortiRecorder Cookbook.

To configure SAML SSO

  1. On the IdP server, download its IdP metadata XML.

    Alternatively, copy the URL where FortiRecorder can download it.

  2. If you are integrating with FortiAuthenticator or Ping Identity, then on FortiRecorder, use the CLI to enable Security Fabric and the default administrator account named admin_sso:

    config system csf
      set status enable
    end

    config system admin
      edit admin_sso
        set status enable
    end

    The admin_sso account acts like a wildcard, so that you do not need to configure all FortiRecorder accounts on the IdP too. The Security Fabric provides communication for this feature. See also Connecting to the Security Fabric.

  3. Go to System > Customization > Single Sign On.
  4. Configure the following:

    GUI Item

    Description

    Enabled

    Enable or disable SSO.

    Identity Provider (IDP) Metadata

    Enter the IdP metadata. To do this, either:

    • Paste the metadata XML into the text area.
    • Click Upload and select a file that contains the XML.
    • Click Retrieve from URL, and then enter the URL where FortiRecorder can download the XML.
  5. Click Apply.

    Now FortiRecorder automatically generates its SP metadata, entity ID, and ACS URL. (You might need to navigate away from the tab and return in order for it to display.)

  6. Copy the following:

    GUI Item

    Description

    Entity ID

    A globally unique identifier for FortiRecorder when it connects to the IdP, such as:

    https://FortiRecorder.example.com/sp

    ACS URL

    The URL where FortiRecorder will receive authentication responses from the IdP (the assertion consumer service (ACS)), such as:

    https://FortiRecorder.example.com/sso/SAML2/POST

    Metadata URL

    The URL where the IdP can download SP metadata XML from FortiRecorder, such as:

    https://FortiRecorder.example.com/sso/Metadata

  7. On the IdP server:

    1. Paste the entity ID, SP metadata URL, and ACS URL from FortiRecorder.
    2. Select to identify users by their email address attribute, and then enter the attribute object identifier (OID) that authentication requests from FortiRecorder use:

      urn:oid:0.9.2342.19200300.100.1.3

    3. Optionally, enable and configure multi-factor authentication (MFA).
    4. If required, add the FortiRecorder unit's certificate to the list of trusted CAs ("trust store").

      (Skip this step if your IdP already trusts the certificate, directly or indirectly, via a CA certificate signing chain.)

  8. On FortiRecorder, go to System > Administrator > Administrator. For each administrator or user account that will use SAML SSO, set Authentication to Single Sign On.

    To test SSO, attempt to authenticate on FortiRecorder using one of those accounts, and then access another service that also uses SSO. If successful, the other service should not prompt you to log in.
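    The following is an added example, not FortiRecorder's own code, showing what the SP side of the exchange in steps 1 to 7 extracts from the IdP metadata XML and what it publishes in its own SP metadata. The IdP metadata string is a constructed sample (the certificate value is a placeholder, not a real certificate); the entity ID, ACS URL and email attribute OID are the guide's example values. The SP metadata layout, including the WantAssertionsSigned flag, is an assumption about a reasonable SP rather than a description of what FortiRecorder generates.

```python
"""Added example (not FortiRecorder's own code): reading IdP metadata and
producing SP metadata for a SAML 2.0 SSO integration."""
import xml.etree.ElementTree as ET   # for metadata from an untrusted source, parse with defusedxml

MD = 'urn:oasis:names:tc:SAML:2.0:metadata'
DS = 'http://www.w3.org/2000/09/xmldsig#'
NS = {'md': MD, 'ds': DS}
MAIL_OID = 'urn:oid:0.9.2342.19200300.100.1.3'                    # email attribute OID from step 7
HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

# Constructed sample of what an IdP publishes (step 1); not output from a real IdP.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull out what the SP must trust from the IdP: its entityID, the SSO and
    SLO endpoints per binding, and the signing certificate(s) used to verify
    assertions. Metadata with no signing key is rejected rather than letting the
    SP end up accepting unsigned assertions."""
    root = ET.fromstring(xml_text)
    if root.tag != f'{{{MD}}}EntityDescriptor':
        raise ValueError('not a SAML EntityDescriptor')
    idp = root.find('md:IDPSSODescriptor', NS)
    if idp is None:
        raise ValueError('metadata has no IDPSSODescriptor')
    certs = []
    for kd in idp.findall('md:KeyDescriptor', NS):
        if kd.get('use') in (None, 'signing'):        # no 'use' means signing and encryption
            for cert in kd.findall('ds:KeyInfo/ds:X509Data/ds:X509Certificate', NS):
                certs.append(''.join(cert.text.split()))
    if not certs:
        raise ValueError('IdP metadata has no signing certificate')
    return {
        'entity_id': root.get('entityID'),
        'sso': {e.get('Binding'): e.get('Location') for e in idp.findall('md:SingleSignOnService', NS)},
        'slo': {e.get('Binding'): e.get('Location') for e in idp.findall('md:SingleLogoutService', NS)},
        'signing_certs': certs,
    }


def build_sp_metadata(entity_id: str, acs_url: str) -> str:
    """SP metadata for the entity ID and ACS URL of step 6: one HTTP-POST
    assertion consumer service, signed assertions required, and the email
    attribute requested by OID."""
    ET.register_namespace('md', MD)
    root = ET.Element(f'{{{MD}}}EntityDescriptor', entityID=entity_id)
    sp = ET.SubElement(root, f'{{{MD}}}SPSSODescriptor',
                       AuthnRequestsSigned='true', WantAssertionsSigned='true',
                       protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol')
    ET.SubElement(sp, f'{{{MD}}}AssertionConsumerService',
                  Binding=HTTP_POST, Location=acs_url, index='0', isDefault='true')
    acs = ET.SubElement(sp, f'{{{MD}}}AttributeConsumingService', index='0')
    name = ET.SubElement(acs, f'{{{MD}}}ServiceName')
    name.set('{http://www.w3.org/XML/1998/namespace}lang', 'en')
    name.text = 'FortiRecorder'
    ET.SubElement(acs, f'{{{MD}}}RequestedAttribute', Name=MAIL_OID,
                  NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri', isRequired='true')
    return ET.tostring(root, encoding='unicode')


def summarize_sp_metadata(xml_text: str) -> dict:
    """Read back an SP metadata document, as the IdP does in step 7.1."""
    root = ET.fromstring(xml_text)
    sp = root.find('md:SPSSODescriptor', NS)
    acs = sp.find('md:AssertionConsumerService', NS)
    attrs = [a.get('Name') for a in sp.findall('md:AttributeConsumingService/md:RequestedAttribute', NS)]
    return {'entity_id': root.get('entityID'), 'acs_url': acs.get('Location'),
            'acs_binding': acs.get('Binding'), 'requested_attributes': attrs,
            'wants_signed_assertions': sp.get('WantAssertionsSigned') == 'true'}


if __name__ == '__main__':
    print(parse_idp_metadata(IDP_METADATA))
    print(build_sp_metadata('https://FortiRecorder.example.com/sp',
                            'https://FortiRecorder.example.com/sso/SAML2/POST'))
```

    When you paste or retrieve IdP metadata in step 4, the signing certificate inside it is what the SP will trust for every assertion afterwards, so confirm it matches the certificate your IdP administrator expects before clicking Apply, and repeat the exchange when the IdP rotates its signing key.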
