Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
VERSION 5.3.0
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
FORTICAST
http://forticast.fortinet.com
FEEDBACK
Email: techdocs@fortinet.com
05/04/2018
Revision 1
TABLE OF CONTENTS
Introduction 4
Special Notices 5
TFTP boot process 5
Monitor settings for web-based manager access 5
Before any upgrade 5
After any upgrade 5
What's new in FortiAuthenticator 5.3 6
DNS statistics 8
Upgrade Instructions 9
Hardware & VM support 9
Image checksums 9
Upgrading from FortiAuthenticator 4.x/5.0/5.1/5.2 10
Product Integration and Support 12
Web browser support 12
FortiOS support 12
Fortinet agent support 12
Virtualization software support 13
Third party RADIUS authentication 13
Resolved Issues 14
Known Issues 17
Appendix A: FortiAuthenticator VM 19
FortiAuthenticator VM system requirements 19
FortiAuthenticator VM firmware 19
Appendix B: Maximum values 20
Hardware appliances 20
VM appliances 22
Introduction
This document provides a summary of new features, enhancements, support information, installation
instructions, caveats, and resolved and known issues for FortiAuthenticator™ 5.3.0, build 0232.
FortiAuthenticator is a User and Identity Management solution that provides Strong Authentication, Wireless
802.1X Authentication, Certificate Management, and Fortinet Single Sign-On.
http://docs.fortinet.com/fortiauthenticator/
The TFTP boot process erases all current FortiAuthenticator configuration and replaces it with the factory default
settings.
Fortinet recommends setting your monitor to a screen resolution of 1600x1200. This allows for all the objects in
the Web-based Manager to be viewed properly without need for scrolling.
Save a copy of your FortiAuthenticator unit configuration prior to upgrading. Go to System > Dashboard > Status
and select Backup/Restore > Download backup file to backup the configuration.
If you are using the Web-based Manager, clear your browser cache prior to login on the FortiAuthenticator to
ensure the Web-based Manager screens are displayed properly.
Note that this is a patch release. See Resolved Issues and Known Issues for more information.
For more detailed information, see the FortiAuthenticator 5.3 Administration Guide.
Device tracking
Note: This feature requires FortiOS v6.0 or newer to function correctly.
When enabled, this feature allows end users to self-register their devices, and to have those devices tracked,
based on the device MAC.
Self-service URL
When using the device tracking feature, users are no longer redirected by the FortiGate after initial device
registration. Instead, the FortiAuthenticator provides a specific URL for each guest portal, as derived from the
guest portal name (under Authentication > Guest Portals > Portals).
Firmware upgrade
When upgrading to this release, as a result of the device tracking feature, the following occurs:
l MAB Unauthorized devices are set to Deny access by default for existing RADIUS clients.
l MAB Blocked groups are set to empty by default for existing RADIUS clients.
l Device tracking and device management are disabled by default for existing guest portals.
l Existing replacement messages are left unchanged for existing guest portals.
l New (default) replacement messages are added to existing guest portals.
The new option to Enable token transfer feature is available under Authentication > User Account Policies >
Tokens.
Load-balancing HA configurations
Customers with a load-balancing HA configuration can now configure the FortiAuthenticator Agent to try to reach
the secondary FortiAuthenticator if the primary is unreachable, with retries occurring in the same order (in round-
robin fashion).
DNS statistics
DNS query statistics are now available in the FortiAuthenticator GUI, which can help to improve FSSO
troubleshooting and avoid confusion about potentially slow response times from the DNS server.
Back up your configuration before beginning this procedure. While no data loss should
occur if the procedures below are correctly followed, it is recommended a full backup is
made before proceeding and the user will be prompted to do so as part of the upgrade
process.
l FortiAuthenticator 200D
l FortiAuthenticator 200E
l FortiAuthenticator 400C
l FortiAuthenticator 400E
l FortiAuthenticator 1000C
l FortiAuthenticator 1000D
l FortiAuthenticator 2000E
l FortiAuthenticator 3000B
l FortiAuthenticator 3000D
l FortiAuthenticator 3000E
l FortiAuthenticator VM (VMWare, Hyper-V, KVM, and Xen)
Image checksums
To verify the integrity of the firmware file, use a checksum tool to compute the firmware file’s MD5 checksum.
Compare it with the checksum indicated by Fortinet. If the checksums match, the file is intact.
MD5 checksums for software releases are available from the Fortinet Support website.
After logging in to the web site, in the menus at the top of the page, click Download, then click Firmware Image
Checksums.
Alternatively, near the bottom of the page, click the Firmware Image Checksums button. (The button appears
only if one or more of your devices has a current support contract.) In the File Name field, enter the firmware
image file name including its extension, then click Get Checksum Code.
FortiAuthenticator™ 5.3.0 build 0232 officially supports upgrade from all versions of FortiAuthenticator™ 4.x.x.,
5.0.x, 5.1.x, and 5.2.x.
Upgrading the FortiAuthenticator 3000D from 4.0.x to 4.1.x is not supported. The
workaround for this model is to upgrade from any 4.0.x version directly to 4.2.0 or
higher (skipping all 4.1.x versions).
Before you can install FortiAuthenticator™ firmware, you must download the firmware package from the
Customer Service & Support web site, then upload it from your computer to the FortiAuthenticator™ unit.
1. Log in to the Fortinet Support website. In the Download section of the page, select the Firmware Images link to
download the firmware.
2. To verify the integrity of the download, go back to the Download section of the login page, then click the Firmware
Image Checksums link.
3. Log in to the FortiAuthenticator unit’s Web-based Manager using the admin administrator account.
4. Go to System > Dashboard > Status.
5. In the System Information widget, in the Firmware Version row, select Upgrade. The Firmware Upgrade or
Downgrade dialog box opens.
6. In the Firmware section, select Choose File, and locate the upgrade package that you downloaded.
7. Select OK to upload the file to the FortiAuthenticator.
Your browser uploads the firmware file. The time required varies by the size of the file and the speed of your
network connection. When the file transfer is complete, the following message is shown:
It is recommended that a system backup is taken at this point. Once complete, click Start Upgrade.
Wait until the unpacking, upgrade and reboot process completes (usually 3-5 minutes), then refresh the page.
There is a known bug which exists in Google Chrome versions 44 and 45 where initially
the GUI loads correctly, however after some time, pages will stop loading with the
error on the chrome debug console "Failed to load resource: net::ERR_INSECURE_
RESPONSE".
This is a known issue and affects all sites using self-signed certificates and is fixed in
Google Chrome version 46. Chrome bug reference:
https://code.google.com/p/chromium/issues/detail?id=516808
To work around this issue in the meantime, use a different browser or Upgrade to the
Chrome Beta Channel.
Other web browsers may function correctly, but are not supported by Fortinet.
FortiOS support
l FortiOS v5.4.8
l FortiOS v5.6.3
l FortiOS v6.0.0
The above versions have been verified by QA. Other FortiOS versions may function correctly, but may not be
supported by Fortinet. Refer to the What's new in FortiAuthenticator 5.3 section and Known Issues for version
compatibility information.
For details of which Operating Systems are supported by each Agent, please see the Install Guides provided with
the software.
l VMware ESXi / ESX 4.0, 4.1, 5.0, 5.1, 5.5 and 6.0
l Microsoft Hyper-V 2010 and Microsoft Hyper-V 2012 R2
l Linux Kernel-based Virtual Machine (KVM) on Virtual Machine Manager and QEMU 2.5.0
l Xen Virtual Machine (for Xen HVM and AWS)
Support for HA in Active-Passive and Active-Active modes has not been confirmed on
the FortiAuthenticator for Xen VM at the time of the release.
FortiAuthenticator uses standards based RADIUS for authentication and can deliver two-factor authentication via
multiple methods for the greatest compatibility:
The resolved issues listed below may not list every bug that has been corrected with this release. For inquiries
about a particular bug, please visit the Fortinet Support website.
Bug ID Description
480450 Unable to re-request certificate whose enrollment status has been reset and old certificate
revoked.
481459 When remote user and local user have the same name, push notification doesn't work for either.
460319 Push notifications aren't being sent out to remote admin users.
471146 Automatically add FortiToken Mobile push reply destination as allowed host/domain name.
477398 FSSO polling inconsistent behavior, Missing/dropping Logon FSSO user sessions.
461156 The FortiClient/SSOMA and DC agent overwrite each other FSSO IP information.
478955 End-user with multiple IPs gets logged-off if another end-user overlaps one of those IPs.
452042 Using IE11 to display/export the Guest user info doesn't work properly.
476697 Import local users from FortiGate config file - password incorrect, email, telephone number not
imported.
481880 Recommend including Push Daemon log in the FortiAuthenticator debug logs section.
480646 After creating a Smart Connect profile when configuring guest portal, the dialog box doesn't
close.
Bug ID Description
Web Server crashes when we try to reset user password via email and more than one user has the
475276
same email address.
471945 Can't display on the browser more than 300 CN LDAP groups from the remote LDAP server.
481623 Unable to open when there are more than 300+ user group in the SSO groups import option.
464123 GUI is not clear enough about user account expiry dates.
481268 XSS against CSRF failure page due referer not been XSS escaped.
452839 FortiToken Mobile license activation error on the slave unit in a HA load-balance cluster.
467611 Remote LDAP user sync rules do not associate users to group after synchronization.
264680 Hyper-V fails to detect importable FortiAuthenticator-VM in archive on most Windows versions.
474255 LDAP sync rule problem leads to RADIUS daemon restart if sAMAccountName is used.
FortiAuthenticator event logs ending with space character causing log search issues on
473716
FortiAnalyzer.
461439 OWA Agent Exchange Admin Center logon redirects to /owa instead of /ecp.
Bug ID Description
460544 RADIUS accounting packets are not received when multiple RADIUS clients with RADIUS
accounting enabled are present.
User can login with no password when using CHAP, "Password Only authentication", and "Use
474496
Windows AD domain authentication".
480667 Push notification response accepted by FortiAuthenticator, but fails to authorize local user who
provided realm.
479986 Wireless RADIUS MAC authentication failing between FortiAuthenticator and FortiGate.
470355 FortiAuthenticator 400E incorrectly displays redundant PSU status on the dashboard widget.
480582 Social login user fails to be added to the group after successful authentication.
480075 Social login doesn't work for FortiAuthenticator ebook, works for other three.
482799 OpenSSL Security Advisory [27 Mar 2018] (1.1.0h and 1.0.2o).
482256 SSL and TLS 1.0 No Longer Acceptable for PCI Compliance.
464240 User Type value in RADIUS Sessions page should not be set to "local" if the user isn't present
locally on the FortiAuthenticator.
479517 CVE-2018-1065 Linux kernel netfilter rule insertion may panic system.
481122 Windows Agent not detecting all AD "User password has expired" codes.
404902 FortiAuthenticator Agent for MSWindows: Domain Name containing hyphens don't work correctly.
451841 FortiAuthenticator Agent service fails to start and/or disconnects after windows update.
463436 FortiAuthenticator Windows and OWA Agents need to use TLS 1.2 to communicate with
FortiAuthenticator.
456560 Offline Tokens - No visibility for how much longer user can be offline.
This section lists the known issues of this release, but is not a complete list. For inquires about a particular bug,
please visit the Fortinet Support website.
Bug ID Description
Single Sign-On Mobility Agent fails if remote LDAP server is configured with Hostname instead of
483582
IP address.
409763 SLS (logout) url doesn't work. Returns error page instead.
410566 Group list does not include selected implicit group when LDAP lookup option is selected.
485621 After resetting password when logging in via Guest Portal, the success page links the user to the
Self-service Portal instead.
Sponsor selection dropdown doesn't get added to Guest Portal self-registration replacement
488991
messages after upgrading to build 232.
488992 Restoring the default replacement messages for a modified Guest Portal self-registration page
doesn't add Sponsor field (after upgrading).
Should not allow FortiToken self-revocation actions to proceed if password is invalid (in PCI
485559
mode).
468827 When a basic user is promoted to Admin role, their account's expiration date should be removed.
481203 Click OK button right after Save button can have some bad consequences.
462772 Demoting a remote admin account who has an FortiToken assigned to a user account causes
system error.
Incorrect passwords and emails, and telephone numbers not being imported when local users
476697
from FortiGate are imported using a config file.
488149 PCI - Do not allow AD users with expired passwords to change them without token entry.
Bug ID Description
399417 Failover to seconday LDAP server does not occur immediately, and then is not effective.
482913 Information from authorityKeyIdentifier is not used to check the correct CRL for revocation status
of user cert.
486198 Token Self-Provisioning doesn't work for remote users who belong to a group that uses an LDAP
filter.
Time-based user expiry configured in usage profile isn't applied to users when they already have
464556
an expiry date configured.
FortiAuthenticator Agent For Microsoft Windows does not display the user credentials when
449443
access the server through RDP.
The following table provides a detailed summary on FortiAuthenticator VM system requirements. Installing
FortiAuthenticator VM requires that you have already installed a supported virtual machine (VM) environment.
For details, see the Install Guide for FortiAuthenticator VM available at http://docs.fortinet.com.
VM Requirements
FortiAuthenticator VM firmware
l .out
Use this image for new and upgrades to physical appliance installations. Upgrades to existing virtual machine
installations are also distributed in this format.
l ovf.zip
Use this image for new VM installations. It contains a deployable Open Virtualization Format (OVF) virtual machine
package for initial VMware ESXi installations.
For more information see the FortiAuthenticator product datasheet available on the Fortinet web site,
http://www.fortinet.com/products/fortiauthenticator/index.html.
This section lists the maximum number of configuration objects per FortiAuthenticator appliance that can be
added to the configuration database for different FortiAuthenticator hardware and VM configurations.
The maximum values in this document are the maximum configurable values and are
not a commitment of performance.
Hardware appliances
The following table describes the maximum values set for the various hardware models.
System
SMS Gateways 20 20 20 20 20
SNMP Hosts 20 20 20 20 20
Language Files 50 50 50 50 50
Authentication
Users
500 2000 10000 20000 40000
(Local + Remote)1
Certificates
Certificate CA Certificates 10 10 50 50 50
Authorities
Trusted CA Certificates 200 200 200 200 200
1 Note that there is one metric used for the number of allowed users which is Users . Local Users and Remote
Users share the same limit value. This enables Local Users or Remote Users to be equal to Users or for there to
be a mixture of user types, however, the total number of Local and Remote Users cannot exceed the Users
metric.
2 FortiToken Mobile Licenses refers to the licenses that can be applied to a FortiAuthenticator, not the number
of FortiToken Mobile instances that can be managed. The total number is limited by the FortiToken metric.
3 For the 3000E, the total number of concurrent SSO Users is set to a higher level to cater for large
deployments.
VM appliances
The FortiAuthenticator-VM Appliance is licensed based on the total number of users and licensed on a stacking
basis. All installations must start with a FortiAuthenticator VM-Base license and users can be stacked with
upgrade licenses in blocks of 100, 1,000, 10,000 and 100,000 users. Due to the dynamic nature of this licensing
model, most other metrics are set relative to the number of licensed users. The Calculating Metric column below
shows how the feature size is calculated relative to the number of licensed users for example, on a 100 user
FortiAuthenticator-VM Base License, the number of Auth Clients (NAS Devices) that can authenticate to the
system is:
100 / 10 = 10
Where this relative system is not used e.g. for static routes, the calculating metric is denoted by a ‘-’. The
supported figures are shown for both the base VM and a 5000 user licensed VM system by way of example.
Maximum Values - Virtual Machines
Feature Model
System
SMS Gateways 2 20 20 20
SNMP Hosts 2 20 20 20
Language Files 5 50 50 50
Authentication
Group RADIUS
9 Users x 3 300 15000
Attributes
FortiToken Mobile
3 200 200 200
Licenses (Stacked) 2
Device (MAC-based
1 Users / 10 10 500
Auth.)
Feature Model
Users / 100
Domain Controllers 3 10 50
(min=10)
Users /100
FSSO Tier Nodes 3 5 50
(min=5)
Certificates
Feature Model
Certificate Revocation
5 200 200 200
Lists
1 Note that there is one metric used for the number of allowed users which is Users . Local Users and Remote
Users share the same limit value. This enables Local Users or Remote Users to be equal to Users or for there to
be a mixture of user types, however, the total number of Local and Remote Users cannot exceed the Users
metric.
2 FortiToken Mobile Licenses refers to the licenses that can be applied to a FortiAuthenticator, not the number
of FortiToken Mobile instances that can be managed. The total number is limited by the FortiToken metric.