
Administration Guide

FortiAuthenticator 1.0

FortiAuthenticator: Administration Guide
17 June 2011
23-100-144822-20110617
for FortiAuthenticator 1.0

Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
The symbols ® and ™ denote respectively federally registered trademarks and unregistered trademarks of Fortinet, Inc., its subsidiaries and affiliates including, but not limited to, the following names: Fortinet, FortiGate, FortiOS, FortiASIC, FortiAnalyser, FortiSwitch, FortiBIOS, FortiLog, FortiVoIP, FortiResponse, FortiManager, FortiWiFi, FortiGuard, FortiReporter, FortiClient, FortiLog, APSecure, ABACAS. Other trademarks belong to their respective owners.

Contents

FortiAuthenticator . . . 5
  Initial setup . . . 6
    Registering your Fortinet product . . . 6
    FortiAuthenticator initial setup . . . 6
  Users and user groups . . . 7
    Administrators . . . 8
    FortiAuthenticator and FortiOS users . . . 8
    Monitoring users . . . 8
      Dashboard . . . 8
      Users monitor . . . 8
    Password Recovery Options . . . 9
      User password recovery . . . 9
  FortiTokens . . . 10
    FortiAuthenticator and FortiTokens . . . 10
    FortiToken maintenance . . . 11
  NAS and RADIUS . . . 11
  LDAP . . . 11
    Remote LDAP . . . 12
  FSSO . . . 12
    Communicating with FortiGate units . . . 13
    Communicating with Domain Controllers . . . 15
  System maintenance . . . 15
    Upgrading the firmware . . . 15
    Backing up and restoring . . . 16
    Logging . . . 16
      Search button . . . 16
      Log entry order . . . 16
      Log Type Reference . . . 16
    CLI commands . . . 17
  Troubleshooting . . . 17
    FortiGate authentication . . . 17
      FortiAuthenticator settings . . . 17
      FortiGate settings . . . 18
Index . . . 19

Administration Guide 23-100-144822 -20110617 http://docs.fortinet.com/ Feedback


FortiAuthenticator
FortiAuthenticator is an Authentication, Authorization, and Accounting (AAA) server that includes a RADIUS server and an LDAP server. It is not a firewall, and it requires a FortiGate unit to provide firewall-related services. AAA servers make up an important part of an enterprise network by providing access to protected network assets and tracking users' activities to comply with security policies. FortiAuthenticator provides an easy-to-configure remote authentication option for FortiGate users. It centralizes authentication and FortiToken maintenance. Additionally, it replaces the FSSO Agent on a Windows AD network. Multiple FortiGate units can use a single FortiAuthenticator for FSSO, remote authentication, and FortiToken management. FortiAuthenticator is a server and can be isolated on a separate network interface, such as the DMZ interface, to enable server-related firewall protection.
Figure 1: FortiAuthenticator on a multiple FortiGate unit network
[Diagram: two client networks, each behind its own FortiGate unit, with both FortiGate units using a single FortiAuthenticator.]

The following topics are included in this section:
- Initial setup
- Users and user groups
- FortiTokens
- NAS and RADIUS
- LDAP
- FSSO
- System maintenance
- Troubleshooting


Initial setup
The following procedures assume your local subnet is 192.168.1.0/255.255.255.0, and the FortiAuthenticator will be set to 192.168.1.99. The default gateway on the subnet is 192.168.1.2. In Figure 2, this is the dmz interface on the FortiGate unit. Substitute your own addresses for these as required.
Figure 2: Basic FortiAuthenticator initial setup
[Diagram: a client network behind a FortiGate unit; the FortiGate dmz interface (192.168.1.2/24) connects to the FortiAuthenticator port1 interface (192.168.1.99/24).]

Registering your Fortinet product


Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.

FortiAuthenticator initial setup


Before the initial setup of FortiAuthenticator, there are some requirements for your network:
- One or more configured FortiGate units
- Security policies that allow traffic between the client network and the subnet of the FortiAuthenticator
- Ensure the following ports are open through all security policies: port 8000 (FSSO), ports 389 and 636 (LDAP), and 1812 (RADIUS), in addition to the usual HTTP, HTTPS, telnet, SSH, Ping, and other ports you may choose to allow.

To initially set up FortiAuthenticator hardware
1 Connect the port1 interface on the FortiAuthenticator to your local subnet. Its default IP address is 192.168.1.99/24.
2 Power on the FortiAuthenticator.
3 Using your internet browser, go to http://192.168.1.99.
4 Log on using admin for the username. There is no password.
5 Go to Network > Default Gateway.
6 Select the gateway entry for the port1 interface.
7 Set the gateway IP address to the correct value for your subnet. Generally the gateway IP address will be your FortiGate unit.
8 Go to Network > DNS.
9 Enter your primary and secondary name servers.
10 Go to Dashboard > Status.
11 Go to System Information > System Time, and select Change.
12 Select the Time zone from the list that applies to your location.
13 Either enable NTP or set the date/time manually. Enter the new time and date by typing it manually, selecting Today or Now, or selecting the calendar or clock icons for a more visual method of setting the date and time.
Note: If you will be using FortiTokens, Fortinet strongly recommends using NTP. FortiTokens require an accurate system clock.
14 Select OK.
15 If the FortiAuthenticator is connected to additional subnets, configure port2 through port4 as required by:
- going to Network > Interface to set the IP address and subnet mask for each interface.
- going to Network > Default Gateway to set the gateway for each interface as required.

Users and user groups


In FortiOS the two types of users are local and remote. Local users are authenticated on the FortiGate unit without requiring access to an external server. Remote user authentication requires the use of an LDAP, RADIUS, or TACACS+ server. FSSO users use LDAP and RADIUS to authenticate as well. FortiAuthenticator can replace all those remote servers, except TACACS+. FortiAuthenticator has the added benefit of being able to associate additional information with each user, as you would expect of RADIUS and LDAP servers. This information includes: whether the user is an administrator, uses RADIUS authentication, or uses FortiToken two-factor authentication; personal information such as first and last name and address; password recovery options; and of course which groups the user belongs to. The RADIUS server on FortiAuthenticator is configured using default settings. For a user to authenticate using RADIUS, the option Uses RADIUS Authentication must be selected for that user's entry, and the authenticating client must be added to the NAS list. See NAS and RADIUS on page 11.


Administrators
Administrator accounts on FortiAuthenticator are standard user accounts that are flagged as administrators. Once a user account is flagged as an administrator, its administrator privileges can be set to either full access or customized to select its administrator rights for different parts of FortiAuthenticator. There are log events for administrator configuration activities.

FortiAuthenticator and FortiOS users


The following are the steps to use FortiAuthenticator to authenticate users on a FortiGate unit. The FortiAuthenticator can authenticate users for multiple FortiGate units.
1 The FortiAuthenticator is configured as an LDAP server on the FortiGate unit. See LDAP on page 11.
2 A user account called test is created on the FortiGate unit, and is associated with the FortiAuthenticator LDAP server.
3 User test is added to a group called test_group of other users who authenticate using the same LDAP server.
4 An identity-based security policy is created for test_group. When a member of this group wants to access the Internet, they must first authenticate.
5 When this authentication challenge occurs, the FortiGate unit verifies the user's information on the FortiAuthenticator LDAP server.
6 If the user cannot remember their password, they have the option of password recovery through the FortiAuthenticator. See Password Recovery Options on page 9.
7 Once authenticated, the user can access the Internet.

Monitoring users
There are two methods for monitoring or tracking users that are logged on: on the dashboard, and with the Users monitor.

Dashboard
On the dashboard there are two user related widgets. The Authentication Activity widget is a graph that tracks the number of logons over time. It can display all logons, failed only, successful logons only, or a combination of all three. Multiple occurrences of this widget can be displayed on the dashboard, and configured individually. The User Inventory widget displays the total number of configured users, groups, and FortiTokens. It also tracks the number of disabled users and FortiTokens.

Users monitor
To see the users monitor, go to Authentication > Monitor > Users. The users monitor displays a list of currently logged on FSSO users and their information.


Password Recovery Options


FortiAuthenticator allows password recovery for all users that configure a security question and email address. This option is not available in FortiOS.
To configure multiple password recovery email addresses
1 Go to Authentication > Users > Users.
2 Select and edit the chosen user.
3 Expand User Information, and enter the user's email address.
4 Expand Password Recovery Options.
5 Select Email, and select Manage alternative emails.
6 Enter up to three additional email addresses for this user. These email addresses will be used to contact this user for password recovery operations if needed. In the event of password recovery, the email message is sent to all configured email addresses, both the user information email address and the alternative email addresses.
7 Select OK.
To configure a password recovery security question
1 Go to Authentication > Users > Users.
2 Select and edit the chosen user.
3 Expand Password Recovery Options.
4 Select Security Question, and select Edit.
5 Choose one of the questions in the list. If you choose to write your own question, a custom question field will be displayed where you can enter your question.
6 Enter the answer for your question.
7 Select OK.

User password recovery


When a user is authenticating, if they cannot remember their password they have the option to recover their password. Once configured, user password recovery involves the following steps.
To recover a user password
1 The user browses to the IP address of the FortiAuthenticator. Security policies must be in place on the FortiGate unit to allow these sessions to be established.
2 Select Forgot my password.
3 Choose to recover by either Username or Email.
4 Enter either your username or email as selected in the previous step. This information is used to select the user account. If your information does not match a user account, a message will be displayed stating that the password recovery cannot be completed and to contact your site administrator.
5 If the user account has password recovery preferences selected, you will be taken directly to the option selected.
6 If the user account has no password recovery preferences selected, the following message will be displayed. The user does not have the option to set it up.
We are unable to complete your request for the following reasons: We don't have enough information to reset your password. Please contact your site administrator.
7 If send a secure link was selected, the new password is sent to the email address associated with that user account.
8 If answer the question was selected, answer the question displayed correctly.
9 Once the question is answered correctly, you will be prompted to enter your new password twice and select OK.
Once the password has been reset, the user can return to typical authentication.

FortiTokens
The standard logon requires only a username and password. This is one-factor authentication. Two-factor authentication adds the requirement for another piece of information for your logon. Generally the two factors are something you know (password) and something you have (certificate, token). This makes it harder for a hacker to steal your logon information. For example if you have a FortiToken device, the hacker would need to both use it and know your password to gain entry to your account.

Note: Two-factor authentication does not work with FortiOS explicit proxies.

FortiToken is a disconnected one-time password (OTP) generator. It is a small physical device with a button that, when pressed, displays a six digit authentication code. This code is entered with a user's username and password as two-factor authentication. The code displayed changes every 60 seconds. When not in use the LCD screen is blanked to extend the battery life. FortiTokens have a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around the neck, or easily stored with other electronic devices. Do not put the FortiToken on a key ring, as the metal ring and other metal objects can damage it. The FortiToken is an electronic device like a cell phone and should be treated with similar care. For more information about FortiTokens and FortiOS, see the User and User Groups chapter of the User Authentication guide.

FortiAuthenticator and FortiTokens


With FortiOS, FortiToken serial numbers must be entered into the FortiGate unit, which then contacts FortiGuard servers to verify the information before activating them. If you want to add the same FortiToken to multiple FortiGate units, this process must be repeated for each. FortiAuthenticator acts as a repository for all FortiTokens used on your network; it is a single point of registration and synchronization for easier installation and maintenance. When entering FortiToken serial numbers on the Create New screen, if there are multiple numbers to enter, select the + icon to switch to a multiple line entry box. Drag the lower right corner of the box to change the size to suit your needs.


FortiToken maintenance
Once entered, the FortiToken can be disabled, re-enabled, or synchronized from the edit screen. Disable a FortiToken when it is reported lost or stolen. Re-enable it when it is recovered, or delete it otherwise. Synchronize is used to synchronize the FortiAuthenticator and FortiToken clocks so they are providing and expecting the same token code. Fortinet recommends synchronizing all new FortiTokens.
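The two clock-related behaviours above, a code that changes every 60 seconds and a synchronization step that brings the server's idea of the token clock back in line, can be seen in the generic time-based OTP scheme of RFC 4226 and RFC 6238. The following Python is an added example written for this guide; it is not Fortinet code, and the algorithm inside a FortiToken is not described on this page, so the 60-second step, six digits, the drift window and the two-code resynchronization are assumptions that show the principle rather than the product's internals. The seed is the RFC 4226 test-vector key, a constructed demo value and not a token seed.

```python
import hashlib
import hmac
import struct

DIGITS = 6           # the token displays a six digit code
STEP_SECONDS = 60    # the displayed code changes every 60 seconds

# Constructed demo seed (the RFC 4226 test-vector key, not a real token seed).
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password with dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based variant: the counter is the number of whole steps since the epoch."""
    return hotp(seed, unix_time // step)


def verify_code(seed: bytes, code: str, unix_time: int,
                drift_steps: int = 1, step: int = STEP_SECONDS):
    """Accept a code generated up to drift_steps either side of the server's
    current step; this is how a small clock difference between token and
    server is tolerated.  Returns the offset that matched, or None."""
    base = unix_time // step
    for delta in range(-drift_steps, drift_steps + 1):
        counter = base + delta
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(seed, counter), code):
            return delta
    return None


def resynchronize(seed: bytes, first: str, second: str, unix_time: int,
                  max_drift_steps: int = 100, step: int = STEP_SECONDS):
    """Locate a token whose clock has drifted beyond the normal window by
    requiring two consecutive codes: a single six digit code could match by
    chance somewhere inside a wide search window, two in sequence will not.
    Returns the offset (in steps) the server should store for this token,
    or None if the token is not found within the window."""
    base = unix_time // step
    for delta in range(-max_drift_steps, max_drift_steps + 1):
        counter = base + delta
        if counter < 0:
            continue
        if (hmac.compare_digest(hotp(seed, counter), first)
                and hmac.compare_digest(hotp(seed, counter + 1), second)):
            return delta
    return None


if __name__ == "__main__":
    now = 119   # 1 minute 59 seconds after the epoch, i.e. step 1
    code = totp(DEMO_SEED, now)
    print("current code:", code, "accepted at offset", verify_code(DEMO_SEED, code, now))
```

Because the server only ever tolerates a narrow window during normal verification, an unsynchronized token with a clock several minutes out is rejected until the wider two-code search has been run once; that is the "Synchronize" operation the guide recommends for every new token.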

NAS and RADIUS


A network access server (NAS) is a device that can authenticate users against the FortiAuthenticator. A FortiGate unit is an example of a NAS. A NAS is a gateway that protects parts of the network, and requires authentication to gain access to what it protects. NAS devices are commonly used with Authentication, Authorization, and Accounting (AAA) servers. Every device that will use FortiAuthenticator for authentication must have a NAS entry. Every time there is a change to the list of NAS entries, two log messages are generated: one for the NAS change, and one to state that the RADIUS server was restarted to apply the NAS change.
When a user is configured on FortiAuthenticator, there is an option to authenticate the user using the RADIUS database. A RADIUS server is already configured and running on the FortiAuthenticator, set up using default values. For a computer or other external device to access the RADIUS server on the FortiAuthenticator, that device must have a NAS entry. FortiAuthenticator allows both RADIUS and remote LDAP authentication for NAS entries.
To configure a NAS
1 Go to Authentication > NAS > NAS.
2 Select Create New.
3 Enter the Name, Server name/IP, and description for the NAS unit.
4 Enter the shared secret to be used with the RADIUS server.
5 If remote LDAP authentication is to be used, enable it and select the configured remote LDAP server from the list. If the server is not listed, create it. See Remote LDAP on page 12.
6 Select OK.
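The shared secret entered in step 4 is what ties a NAS entry to the RADIUS exchange on port 1812: the NAS uses it to hide the User-Password attribute, and the server uses it to sign its reply so the NAS can tell a genuine Access-Accept from a forged one. The following Python is an added example for this guide, not Fortinet code; it builds an RFC 2865 Access-Request the way any NAS would, produces the server's Access-Accept, and performs the NAS-side check of the Response Authenticator. The secret "demo-shared-secret", the username and password are constructed values; the NAS address 192.168.1.2 is the FortiGate dmz interface from Figure 2.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20      # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block keyed by the Request
    Authenticator.  This is obfuscation keyed by the shared secret, not
    modern encryption, which is one reason the secret must be strong."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # a password ending in NUL is not representable


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length covers the two header octets."""
    return struct.pack(">BB", atype, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """What the NAS (here a FortiGate unit) sends to the RADIUS server."""
    request_auth = request_auth or os.urandom(16)   # fresh random value per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, request, secret, attrs=b""):
    """What the server sends back for the given request."""
    ident, request_auth = request[1], request[4:HEADER_LEN]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack(">BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(response, request, secret) -> bool:
    """NAS-side check: the reply must carry the request's identifier and an
    authenticator computed with the same shared secret the NAS entry holds."""
    if len(response) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack(">BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[HEADER_LEN:],
                                      request[4:HEADER_LEN], secret)
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


if __name__ == "__main__":
    secret = b"demo-shared-secret"        # constructed; configure your own on both sides
    req = build_access_request(7, secret, "test", "correct horse battery staple", "192.168.1.2")
    accept = build_response(ACCESS_ACCEPT, req, secret)
    print("reply accepted with matching secret:", verify_response(accept, req, secret))
    print("reply accepted with wrong secret:   ", verify_response(accept, req, b"other"))
```

A mismatched secret shows up exactly as the last line prints: the NAS discards the reply, which is why a FortiGate whose secret does not match its NAS entry on the FortiAuthenticator fails authentication even though the request reaches the server.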

LDAP
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network protocol. To configure LDAP, go to Authentication > LDAP > Directory Tree. Configure the LDAP tree for your organization, or just the branches that will be used for this FortiAuthenticator. Keep in mind that multiple FortiGate units can use a single FortiAuthenticator for LDAP authentication. While each FortiGate may use only one branch of the LDAP tree, the FortiAuthenticator may benefit from being configured with the whole tree.


An example hierarchy is the top level organization (o) common name such as cn=fortinet, cn=com. This would be followed by country (c), organizational unit (ou), group (cn), and user (uid). For more information on LDAP, see the Servers chapter of the User Authentication guide.

Remote LDAP
If you already have an LDAP server or servers configured on your network, FortiAuthenticator can connect with them for remote authentication, much like FortiOS remote authentication.
To create a new remote LDAP server entry
1 Go to Authentication > Remote > LDAP.
2 Select Create New.
3 Enter the following information.
Name: Enter the name for the remote LDAP server on FortiAuthenticator.
Server name/IP: Enter the IP address or FQDN for this remote server.
Common name identifier: The identifier used for the top of the LDAP directory tree as it applies to FortiAuthenticator users. This may be the top of the tree, or only a smaller branch of it. cn is the default, and is used by most LDAP servers.
Distinguished name: Enter the DN for the top of the LDAP tree or branch that applies to FortiAuthenticator users. Can be a maximum of 512 characters.
Bind Type: The Bind Type determines how the authentication information is sent to the server. Select either Simple or Regular. Simple: bind using the user's password, which is sent to the server in plaintext, without a search. Regular: bind using the user's DN and password, and then search. If the user records fall under one directory, you can use the Simple bind type, but Regular is required to allow a search for a user across multiple domains.
4 Enter the username and security token (FortiToken) for all remote LDAP users of this server. Select Add another Remote Ldap User to add more users.
5 Select OK.
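The difference between the Simple and Regular bind types comes down to how the user's DN is obtained: Simple builds it directly from the Common name identifier, the username and the configured Distinguished name, so the user must sit immediately under that base; Regular first searches the subtree for the user and then binds as whatever DN the search returned. The following Python is an added example for this guide, not Fortinet code: it builds the DN and the search filter with RFC 4514 and RFC 4515 escaping (so characters such as commas, parentheses and asterisks in a username cannot alter the DN or filter), and runs both bind styles against a small in-memory dictionary that stands in for the remote LDAP server. The directory contents, DNs and passwords are constructed; a real Regular bind would also need the search credentials, which are left out here.

```python
import hmac

DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping of one attribute value inside a DN: leading space
    or '#', trailing space, the characters , + " \\ < > ; and NUL."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def simple_bind_dn(cn_identifier: str, base_dn: str, username: str) -> str:
    """Simple bind: the DN is assembled from identifier, username and base."""
    return f"{cn_identifier}={escape_dn_value(username)},{base_dn}"


def regular_bind_filter(cn_identifier: str, username: str) -> str:
    """Regular bind: the filter used to search the subtree for the user first."""
    return f"({cn_identifier}={escape_filter_value(username)})"


# Constructed in-memory directory standing in for a remote LDAP server.
# Keys are DNs; values are the entry's attributes (passwords kept only for the demo).
DEMO_DIRECTORY = {
    "cn=alice,cn=example,cn=com": {"cn": "alice", "userPassword": "alice-pw"},
    "cn=test,ou=sales,cn=example,cn=com": {"cn": "test", "userPassword": "test-pw"},
}


def ldap_bind(directory, dn: str, password: str) -> bool:
    """A bind succeeds only if the DN exists and the password matches."""
    entry = directory.get(dn)
    return entry is not None and hmac.compare_digest(
        entry["userPassword"].encode(), password.encode())


def simple_bind(directory, cn_identifier, base_dn, username, password) -> bool:
    return ldap_bind(directory, simple_bind_dn(cn_identifier, base_dn, username), password)


def regular_bind(directory, cn_identifier, base_dn, username, password):
    """Search the subtree under base_dn for an entry whose cn_identifier
    attribute equals the username, then bind as the DN found.  Returns the
    DN that was bound, or None when the user is absent or the password is wrong."""
    for dn, attrs in directory.items():
        in_subtree = dn == base_dn or dn.endswith("," + base_dn)
        if in_subtree and attrs.get(cn_identifier) == username:
            return dn if ldap_bind(directory, dn, password) else None
    return None


if __name__ == "__main__":
    base = "cn=example,cn=com"
    print("simple bind, user directly under base:", simple_bind(DEMO_DIRECTORY, "cn", base, "alice", "alice-pw"))
    print("simple bind, user in a sub-branch:    ", simple_bind(DEMO_DIRECTORY, "cn", base, "test", "test-pw"))
    print("regular bind, user in a sub-branch:   ", regular_bind(DEMO_DIRECTORY, "cn", base, "test", "test-pw"))
```

The second and third lines of output are the practical difference the guide describes: the same user with the same password fails a Simple bind from the top of the tree and succeeds with Regular, because only the search step discovers the ou=sales branch.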

FSSO
The Fortinet Single Sign On (FSSO) agent connects Fortinet FortiGate security appliances to the corporate authentication servers, such as Microsoft Active Directory and Novell E-Directory, allowing security policies to be defined on the FortiGate unit based on the user information residing on the corporate authentication servers. FSSO, a component installed on the authentication server or a standalone server, provides user authentication information to the FortiGate unit so users can automatically gain access to the permitted resources with a single sign on. Older versions were called Fortinet Server Authentication Extension (FSAE). FortiAuthenticator acts as the FSSO Agent, or Controller Agent. It can only be configured in polling mode, not DCAgent mode. For more information on FSSO, see the FSSO integration with Windows AD chapter of the User Authentication guide.


Figure 3: FSSO topology with FortiAuthenticator
[Diagram: client networks behind two FortiGate units; the FortiAuthenticator polls logon events from the Windows AD Domain Controllers, which record client logons, and passes the logon information to the FortiGate units.]

Communicating with FortiGate units


In an FSSO topology, the FortiGate units provide the firewall, which acts as the authentication trigger. The FortiAuthenticator communicates logon information from the domain controllers to the FortiGate units by polling the controllers. Compared to the FSSO Collector agent, the FortiAuthenticator is easier to configure, contains both an LDAP and a RADIUS server, and performs additional functions. The following procedure assumes the FortiGate already has a NAS entry on the FortiAuthenticator. See NAS and RADIUS on page 11.


To configure FortiAuthenticator to communicate with FortiGate units
1 Go to Authentication > Directory Service > General.
2 Select and edit the following fields.
Enable Authentication: Set to 1.
FortiGate listening port: Leave at 8000 unless your network requires you to change this. Ensure this port is allowed through the firewall.
Log file path: Leave at the default. If you need to test or troubleshoot a configuration, change the log file path to generate a new, smaller log file.
Secret key: Set to fortinet. This is the password that will be used when configuring the FSSO Agent on the FortiGate unit.
User Login Expiry (in minutes): 300. This will allow FSSO users to remain logged in for up to five hours before the system logs them off automatically.

3 On the FortiGate units, go to User > Remote > LDAP.
4 Enter the following information, and select OK.
Name: FortiAuthentLDAP. Enter a unique name to describe the FortiAuthenticator.
Server Name/IP: 192.168.1.99. As configured for your network. See Initial setup on page 6.
Server port: 389. Leave this at the default. FortiAuthenticator uses default values for LDAP and RADIUS servers. Ensure this port is open on the firewall.
Common Name Identifier: cn. Change this to match your LDAP directory tree.
Distinguished Name: cn=example,cn=com. Generally this is the top level of your tree, or the branch of your tree that will be authenticated using this FortiGate unit. Use the browse button to ensure you have a connection to the FortiAuthenticator. If not, check your information.
Bind Type: Simple.
Secure Connection: Leave unchecked.
5 Go to User > Single Sign-On > FSSO Agent.
6 Enter the following information, and select OK.
Name: FortiAuthentFSSO. Once you select OK, this entry must be deleted to change the Name.
FSSO Agent IP/Name: 192.168.1.99. As configured for your network. See Initial setup on page 6.
Port: 8000. Use the value set on the FortiAuthenticator. Ensure this port is open on the firewall.
Password: fortinet. This is the secret key entered on the FortiAuthenticator.
LDAP Server: enable, FortiAuthenticator. Enable LDAP server, and select FortiAuthenticator from the list.


Communicating with Domain Controllers


As the FSSO Controller agent, FortiAuthenticator polls the Windows AD Domain Controllers for logon event information. Each Domain Controller that will be polled must be configured on the FortiAuthenticator. You can disable a Domain Controller entry without removing its configuration. This is useful when testing, troubleshooting, or moving controllers within your network.
To add a domain controller to FortiAuthenticator
1 Go to Authentication > Directory Service > Domain Controllers.
2 Enter the following information, and select OK.
NetBIOS Name: Enter the name of the Domain Controller as it appears in NetBIOS.
Display Name: This is a unique name to easily identify this Domain Controller.
Network Address: Enter the network IPv4 address of this controller.
Account: Enter the account name used to access logon events. This account should have administrator rights. To use a non-administrator account, see the FSSO chapter of the User Authentication guide.
Password: Enter the password for the Account selected above.
3 Repeat step 2 for each Domain Controller FortiAuthenticator will be polling.
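The polling model that the General settings (User Login Expiry of 300 minutes) and the Domain Controller entries (including the ability to disable one) describe can be reduced to a small session table: each poll collects the logon events a controller has recorded since the previous poll, the table maps a client IP address to the most recent domain user seen on it, and entries older than the expiry are dropped so the FortiGate units stop attributing that address to the user. The following Python is an added example for this guide, not Fortinet code; the in-memory DomainController objects stand in for controllers polled over the network, the per-controller high-water mark is an assumption about how repeated polls avoid reprocessing the same events, and all logon events, names and addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The guide's "User Login Expiry" value: sessions time out after 300 minutes.
LOGIN_EXPIRY_MINUTES = 300


@dataclass
class LogonEvent:
    user: str
    domain: str
    client_ip: str
    when: datetime


@dataclass
class DomainController:
    """Stands in for a configured Domain Controller entry; 'enabled' mirrors the
    guide's option to disable an entry without removing its configuration."""
    netbios_name: str
    events: list = field(default_factory=list)   # constructed security-log logon events
    enabled: bool = True

    def logon_events_since(self, watermark):
        """What one poll returns: events newer than the last one already collected."""
        return [e for e in self.events if watermark is None or e.when > watermark]


class FssoSessionTable:
    """client IP -> (DOMAIN\\user, time of last logon).  A FortiGate unit
    attributes traffic to a user by its source IP, so the IP is the key."""

    def __init__(self, expiry_minutes=LOGIN_EXPIRY_MINUTES):
        self.expiry = timedelta(minutes=expiry_minutes)
        self.sessions = {}
        self.watermarks = {}   # per-controller high-water mark of collected events

    def poll(self, controllers, now):
        for dc in controllers:
            if not dc.enabled:          # disabled entries keep their config but are not polled
                continue
            for ev in dc.logon_events_since(self.watermarks.get(dc.netbios_name)):
                # A newer logon on the same IP replaces whoever was recorded there.
                self.sessions[ev.client_ip] = (f"{ev.domain}\\{ev.user}", ev.when)
                wm = self.watermarks.get(dc.netbios_name)
                if wm is None or ev.when > wm:
                    self.watermarks[dc.netbios_name] = ev.when
        self.expire(now)

    def expire(self, now):
        for ip, (_, seen) in list(self.sessions.items()):
            if now - seen >= self.expiry:
                del self.sessions[ip]

    def user_for(self, client_ip, now):
        """The answer a FortiGate unit gets when it asks who is behind an IP."""
        entry = self.sessions.get(client_ip)
        if entry is None or now - entry[1] >= self.expiry:
            return None
        return entry[0]

    def logged_on(self):
        """The Users monitor view: currently logged on FSSO users."""
        return sorted((ip, user, seen.isoformat()) for ip, (user, seen) in self.sessions.items())


def demo_controllers(start=datetime(2011, 6, 17, 9, 0)):
    """Constructed sample data: two controllers, the second one disabled."""
    dc1 = DomainController("DC1", [
        LogonEvent("alice", "EXAMPLE", "192.168.10.5", start),
        LogonEvent("bob", "EXAMPLE", "192.168.10.6", start + timedelta(minutes=30)),
    ])
    dc2 = DomainController("DC2", [
        LogonEvent("carol", "EXAMPLE", "192.168.10.7", start + timedelta(minutes=5)),
    ], enabled=False)
    return [dc1, dc2]


if __name__ == "__main__":
    t0 = datetime(2011, 6, 17, 9, 0)
    table = FssoSessionTable()
    table.poll(demo_controllers(t0), t0 + timedelta(minutes=31))
    for row in table.logged_on():
        print(*row)
```

Two details worth noting for troubleshooting: a user behind a disabled controller never appears in the monitor, and a user who stays at their desk past the expiry without a fresh logon event silently drops out of the table, which looks to the FortiGate like a user who needs to authenticate again.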

System maintenance
System maintenance tasks are limited to changing the firmware, and backing up or restoring the configuration file. This section includes:
- Upgrading the firmware
- Backing up and restoring
- Logging
- CLI commands

Upgrading the firmware


To upgrade the firmware, you must first register your FortiAuthenticator with Fortinet. See Registering your Fortinet product on page 6.
To upgrade FortiAuthenticator firmware
1 Download the latest firmware to your local computer from the Fortinet Technical Support web site, https://support.fortinet.com.
2 On FortiAuthenticator, go to System > Maintenance > Firmware.
3 Select Browse, and locate the new firmware image on your local computer.
4 Select OK.
When you select OK, the new firmware image will upload from your local computer to the FortiAuthenticator, which will then reboot. You will experience a short period of time during this reboot when the FortiAuthenticator is offline and unavailable for authentication.


Backing up and restoring


You can back up the configuration of the FortiAuthenticator to your local computer. The backup file is encrypted to prevent tampering. This configuration file backup includes both the CLI and web-based manager configuration.

Logging
Accounting is a large part of any AAA server, and the same is true with FortiAuthenticator. Logging provides a record of the events that have taken place on the FortiAuthenticator. The Logs page has controls to help you find the information you are looking for in your logs.

Search button
You can enter a string to search for in the log entries. The string must appear in the Message portion of the log entry to result in a match for the search. To prevent each term being matched separately, multiple keywords must be in quotes and be an exact match. After the search is complete, the number of positive matches will be displayed next to the Search button, with the total number of log entries in brackets following. Select the total number of log entries to return to the full list. Subsequent searches will search all log entries and not just the previous search's matches.

Log entry order


You can change the order used to display the log entries. To sort the log entries by a particular column, such as Timestamp, select the title for that column. The log entries will now be displayed based on the data in that column in ascending order. Ascending or descending is indicated by an arrow next to the column title: an up arrow for ascending, and a down arrow for descending.

Log Type Reference


There are Admin Configuration, Authentication, System, and User Portal events. Each of these has multiple log message types for each major event. To see the various types of log messages, go to Logging > Log Access > Logs and select Log Type Reference. On this page, you can search for the exact text of a specific log message. The search will return any matches in any columns.
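The three log controls described in this section (the Message-only search with its quoted-phrase rule, sorting by column, and the counts the dashboard's Authentication Activity widget derives from authentication events) are easy to reason about once written down as code. The following Python is an added example for this guide, not Fortinet code. The guide does not show the appliance's log format, only its columns and the four log types, so the key=value line layout, the log lines themselves and the NAS name "fortigate-dmz" are constructed; the reading that an unquoted multi-word query matches its terms separately, meaning every term must occur somewhere in the message in any order, is an assumption about the appliance's behaviour.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines in a made-up key=value layout.
SAMPLE_LOG = """\
2011-06-17 10:00:05 type=Authentication msg="Login successful for user test"
2011-06-17 10:00:41 type=Authentication msg="Login failed for user test"
2011-06-17 10:01:12 type=Admin Configuration msg="NAS entry fortigate-dmz added"
2011-06-17 10:01:12 type=System msg="RADIUS server restarted to apply NAS change"
2011-06-17 10:07:30 type=Authentication msg="Login successful for user alice"
2011-06-17 10:12:03 type=User Portal msg="Password recovery requested for user test"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) type=(?P<type>[^=]+?) msg="(?P<msg>[^"]*)"$')


def parse_log(text):
    """Turn the raw lines into entries with the columns the Logs page shows."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({"timestamp": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            "type": m["type"], "message": m["msg"]})
    return entries


def search(entries, query):
    """Mimic the Search button: only the Message column is matched.  A quoted
    query must occur exactly as one phrase; an unquoted query is split into
    terms matched separately (each term must occur somewhere in the message).
    Returns (matching entries, total entry count), the two numbers shown
    next to the button."""
    q = query.strip()
    if len(q) >= 2 and q[0] == q[-1] == '"':
        phrase = q[1:-1].lower()
        hits = [e for e in entries if phrase in e["message"].lower()]
    else:
        terms = q.lower().split()
        hits = [e for e in entries if all(t in e["message"].lower() for t in terms)]
    return hits, len(entries)


def sort_entries(entries, column="timestamp", ascending=True):
    """Sorting by a column title; the arrow direction is the 'ascending' flag."""
    return sorted(entries, key=lambda e: e[column], reverse=not ascending)


def authentication_activity(entries, bucket_minutes=5):
    """The Authentication Activity widget: successful and failed logons per
    interval.  Only Authentication events count; the outcome is read from the
    message text of the constructed format."""
    counts = {}
    for e in entries:
        if e["type"] != "Authentication":
            continue
        t = e["timestamp"]
        bucket = t.replace(second=0, microsecond=0, minute=t.minute - t.minute % bucket_minutes)
        outcome = "failed" if "failed" in e["message"].lower() else "successful"
        counts.setdefault(bucket, Counter())[outcome] += 1
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    hits, total = search(entries, '"user test"')
    print(f"matches: {len(hits)} ({total})")
    for bucket, c in sorted(authentication_activity(entries).items()):
        print(bucket.time(), "successful:", c["successful"], "failed:", c["failed"])
```

Comparing the unquoted query "test successful" with the quoted query "\"test successful\"" shows the rule the section states: the first matches the line "Login successful for user test" because both terms occur in it, the second matches nothing because that exact phrase never appears.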


CLI commands
The FortiAuthenticator has a limited set of CLI commands that are accessed using a Telnet session. Their purpose is to initially configure the unit, perform a factory reset, or reset the values using a Telnet session if the web-based manager is inaccessible for some reason.
set port1-ip <addr_ipv4mask>: Enter the IPv4 address and netmask for the port1 interface. Once this port is configured, you can use the web-based manager to configure the remaining ports.
set default-gw <addr_ipv4>: Enter the IPv4 address of the default gateway for this interface. This is the default route for this interface.
show: Display the port1 IP, netmask, and default gateway.
help: Display the list of valid CLI commands.
exit: Terminate the Telnet session.
reboot: Perform a hard restart of the FortiAuthenticator unit. All sessions will be terminated. The unit will go offline and experience a delay while it is restarting.
factory-reset: Enter this command to reset the FortiAuthenticator settings to factory default settings. This includes clearing the user database. Note: This procedure deletes all changes that you have made to the FortiAuthenticator configuration and reverts the system to its original configuration, including resetting interface addresses.

Troubleshooting
Troubleshooting includes useful tips and commands to help deal with issues that may occur. For additional help, always contact customer support.

FortiGate authentication
If you have issues when attempting authentication on FortiGate using the FortiAuthenticator, there are some FortiAuthenticator settings and FortiGate settings to check. In addition to these settings you can use log entries, monitors, and debugging information to determine more information about your authentication problems. For help with FortiAuthenticator logging, see Logging on page 16. For help with FortiGate troubleshooting, see the Troubleshooting and User Authentication chapters of the FortiOS handbook.

FortiAuthenticator settings
When checking FortiAuthenticator settings, you should ensure:
- there is a NAS entry for the FortiGate unit. See NAS and RADIUS on page 11.
- the user trying to authenticate has an account that is not disabled, and that the username and password are spelled as expected.
- the user account allows RADIUS authentication if RADIUS is enabled on the FortiGate unit.
- the user account can be found on the LDAP directory tree.
- the user has membership in the expected groups.


FortiGate settings
When checking FortiGate settings, you should ensure:
- the user trying to authenticate has an account that is not disabled, and that the username and password are spelled as expected.
- the user has membership in the expected groups.
- there is a valid entry for the FortiAuthenticator as a remote RADIUS or LDAP server.
- there is a valid security policy to authenticate the user's traffic.


Index

A
Authentication Activity widget, 8
Authentication, Authorization, and Accounting (AAA), 5, 11
  Monitoring, 8

C
Controller Agent, 12

D
dashboard
  Authentication Activity widget, 8
  User Inventory widget, 8
Domain Controllers, 15

E
explicit proxy, 10

F
firewall
  open ports, 6
  ports, 6
firmware updates, 6
FortiGuard Antivirus, 6
Fortinet Server Authentication Extension (FSAE), 12
Fortinet Single Sign On (FSSO), 12
  Agent, 12
  Domain Controllers, 15
  ports, 6
FortiToken, 10
  NTP, 7
  synchronization, 11

L
Lightweight Directory Access Protocol (LDAP), 11
  directory tree, 11
  ports, 6
  remote server, 11
Logging, 16
  NAS, 11

M
monitor
  users, 8

N
network access server (NAS), 11
NTP, 7

O
one-time password (OTP), 10

P
ports, 6
product registration, 6
proxy, 10

R
RADIUS
  NAS, 11
  ports, 6
  server, 7
remote LDAP, 11, 12

T
TACACS+, 7
technical support, 6
troubleshooting, 17
two-factor authentication
  FortiToken, 10

U
User Inventory widget, 8
users, 7
  FortiOS, 8
  monitor, 8
  monitor, dashboard, 8
  NAS, 7
  RADIUS authentication, 7

W
Windows AD Domain Controllers, 15
