FortiAuthenticator 1.2
Trademarks
The names of actual companies and products mentioned herein may be the trademarks
of their respective owners.
Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com
You can report errors or omissions in this or any Fortinet technical document to
techdoc@fortinet.com.
Contents
Introduction
Initial setup
  FortiAuthenticator VM setup
    System requirements
    FortiAuthenticator-VM image installation and initial setup
  Administrative access - VM and hardware
    Web-based manager access
    Telnet
    SSH
System maintenance
Troubleshooting
  FortiAuthenticator settings
  FortiGate settings
What to configure
Adding Users
  Administrators
  User self-registration
  Adding a user account
  Configuring two-factor authentication for a user
  Configuring the user's password recovery options
  Setting a password policy
  User groups
Monitoring users
  Dashboard
  Users monitor
Certificate Management
  Certificates
  Certificate Revocation List (CRL)
    Locally created CRL
    Configuring Online Certificate Status Protocol
  Users
Index
Introduction
Welcome and thank you for selecting Fortinet products for your network protection.
This chapter contains the following topics:
Before you begin
How this guide is organized
[Figure: network diagram showing the FortiGate unit, the FortiAuthenticator unit, the client, and the network]
Initial setup
For information about installing the FortiAuthenticator unit and accessing the CLI or web-based manager, refer to the Quick Start Guide provided with your unit. The following
section provides information about setting up the Virtual Machine (VM) version of the
product.
FortiAuthenticator VM setup
Before using FortiAuthenticator-VM, you need to install the VMware application to host
the FortiAuthenticator-VM device. The installation instructions for FortiAuthenticator-VM
assume you are familiar with VMware products and terminology.
System requirements
The minimum system requirements for a computer running the FortiAuthenticator VM
image are:
• the latest version of VMware Player, Fusion, or Workstation installed
• 512 MB of RAM minimum
• one virtual NIC minimum, to a maximum of four virtual NICs
• a minimum of 3 GB of free disk space
Telnet
CLI access is available using telnet to the port1 interface IP address, default
192.168.1.99. Use the telnet -K option so that telnet does not attempt to log on using
your user ID. For example:
$ telnet -K 192.168.1.99
At the FortiAuthenticator login prompt, enter admin. When prompted for the password, just
press Enter. By default there is no password. When you are finished, use the exit
command to end the telnet session.
SSH
SSH provides secure access to the CLI. Connect to the port1 interface IP address,
default 192.168.1.99. Specify the user name admin or SSH will attempt to log on with
your user name. For example:
$ ssh admin@192.168.1.99
At the password prompt, just press Enter. By default there is no password. When you are
finished, use the exit command to end the session.
System maintenance
System maintenance tasks are limited to changing the firmware, and backing up or
restoring the configuration file.
This section includes:
• Upgrading the firmware
• Backing up the configuration
• Logging
• CLI commands
Logging
Accounting is an important part of FortiAuthenticator as with any authentication server.
Logging provides a record of the events that have taken place on the FortiAuthenticator.
To access logs, go to Logging > Log Access > Logs. The Logs page has controls to help
you search your logs for the information you need. This includes:
• Search button
• Log entry order
• Log Type Reference
Search button
You can enter a string to search for in the log entries. The string must appear in the
Message portion of the log entry to result in a match for the search. To prevent each term
in a phrase from being matched separately, multiple keywords must be in quotes and be
an exact match.
After the search is complete, the number of positive matches is displayed next to the
Search button, with the total number of log entries in brackets following. Select the
total number of log entries to return to the full list. Subsequent searches search all log
entries and not just the previous search's matches.
CLI commands
The FortiAuthenticator has CLI commands that are accessed using the console, SSH, or
Telnet. Their purpose is to initially configure the unit, perform a factory reset, or reset the
values if the web-based manager is not accessible for some reason.
• help
• set port1-ip <addr_ipv4mask>
• set tz <timezone_index>
• unset <setting>
• show
• exit
• reboot
• factory-reset
• shutdown
• status
• Enable
• Interface
• Cluster member
• IP address
• Admin access
• Priority: Set to Low on one unit and High on the other. Normally, the unit with High priority is the master unit.
• Password
2 When one unit has become the master, connect to the web-based manager again and
complete your configuration. You are configuring the Master unit. The configuration
will automatically be copied to the slave unit.
Refer to the other chapters of this manual for more information. Configuring the
cluster is the same as configuring a single FortiAuthenticator unit.
Name
Server Name/IP
Secure connection
Enable authentication
3 Optionally, select Test Connection to send a test email message. Specify a recipient
and select Send. Confirm that the recipient received the message.
The recipient's email system might treat the test email message as spam.
4 Select OK.
To set the default email server
1 Go to System > E-mails > SMTP Servers.
2 Select the check box of the server that you want to make the default.
3 Select Set as Default.
Troubleshooting
Troubleshooting includes useful tips and commands to help deal with issues that may
occur. For additional help, always contact customer support.
If you have issues when attempting authentication on FortiGate using the
FortiAuthenticator, there are some FortiAuthenticator settings and FortiGate settings to
check.
In addition to these settings you can use log entries, monitors, and debugging
information to learn more about your authentication problems. For help
with FortiAuthenticator logging, see Logging on page 13. For help with FortiGate
troubleshooting, see the FortiOS Handbook Troubleshooting and User Authentication
guides.
FortiAuthenticator settings
When checking FortiAuthenticator settings, you should ensure that:
• there is a NAS entry for the FortiGate unit. See Adding FortiGate units as NAS on page 25,
• the user trying to authenticate has a valid active account that is not disabled, and that the username and password are spelled as expected,
• the user account allows RADIUS authentication if RADIUS is enabled on the FortiGate unit,
• the FortiGate unit can communicate with the FortiAuthenticator unit,
• the user account exists
  • as a local user on the FortiAuthenticator (if using RADIUS authentication),
  • in the local LDAP directory (if using local LDAP authentication),
  • in the remote LDAP directory (if using RADIUS authentication with remote LDAP password validation),
• the user is a member of the expected user groups and these user groups are allowed to communicate on the NAS (FortiGate unit, for example).
If authentication fails with the log error bad password, try resetting the password. If
this fails, verify that the pre-shared secret is identical on both FortiAuthenticator and
the NAS.
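Added example (not code from this guide or from Fortinet) modelling the RADIUS exchange behind the last check above. The NAS hides the user's PAP password with the shared secret as RFC 2865 specifies, the server recovers it with its own copy of the secret and signs its reply with that secret. When the two secrets differ the server recovers garbage and rejects the logon, which is why a secret mismatch shows up on the server as a bad password, and the NAS in turn discards the reply because the Response Authenticator does not verify. The NAS address, user name, password and secrets are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length byte covers the two header bytes too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password; yields garbage if the server's secret differs from the NAS's."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth, nas_ip=(192, 168, 1, 1)):
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(nas_ip)))   # constructed NAS address
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_auth, secret) -> bool:
    """The NAS recomputes the Response Authenticator with its own secret; on mismatch the reply is dropped."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def simulate_exchange(nas_secret, server_secret, username=b"alice", password=b"correct horse", request_auth=None):
    """NAS (e.g. a FortiGate) and RADIUS server (e.g. FortiAuthenticator) with possibly different secrets."""
    request_auth = request_auth or os.urandom(16)
    request = build_access_request(7, username, password, nas_secret, request_auth)
    # Server side: recover the password with the server's secret and decide.
    recovered = unhide_password(parse_attributes(request)[ATTR_USER_PASSWORD], server_secret, request_auth)
    password_ok = hmac.compare_digest(recovered, password)
    response = build_response(ACCESS_ACCEPT if password_ok else ACCESS_REJECT, request, b"", server_secret)
    # NAS side: accept the reply only if the Response Authenticator checks out with the NAS secret.
    return {
        "server_saw_correct_password": password_ok,
        "code": response[0],
        "nas_verified_response": verify_response(response, request_auth, nas_secret),
    }
```

Running `simulate_exchange(b"s3cret", b"s3cret")` returns an Access-Accept that the NAS verifies; `simulate_exchange(b"s3cret", b"other")` returns an Access-Reject whose authenticator the NAS cannot verify, so from the FortiGate side the request simply times out while the server logs a failed password.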
FortiGate settings
When checking FortiGate authentication settings, you should ensure that:
• the user has membership in the required user groups, and identity-based security policies,
• there is a valid entry for the FortiAuthenticator as a remote RADIUS or LDAP server,
• the user is configured explicitly or as a wildcard user.
[Figure: network diagram showing the FortiGate unit, the FortiAuthenticator unit, the client, and the network]
What to configure
You need to decide which elements of FortiAuthenticator configuration you need.
• Determine whether you want two-factor authentication and what form that will take.
• Determine the type of authentication you will use: RADIUS, built-in LDAP, or Remote LDAP. You will need to use at least one of these types.
• Determine which FortiGate units will use the FortiAuthenticator unit. The FortiAuthenticator unit must be configured on each FortiGate unit as an authentication server, either RADIUS or LDAP. For RADIUS authentication, each FortiGate unit must be configured on the FortiAuthenticator unit as a NAS.
The FortiAuthenticator unit has multiple ways of providing the second factor
something you know to the user. Digital certificates are covered in a later chapter. The
other methods rely on a six-digit PIN which changes regularly and is known only to the
FortiAuthenticator unit and the user. This PIN can be delivered to the user in multiple
ways:
• a FortiToken device registered with the FortiAuthenticator and the user's account
• an email account specified in the user account
• a cell phone number with SMS service specified in the user account
Authentication type
The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the
use of external LDAP, which can include Windows AD servers.
The built-in servers are best used where there is no existing authentication infrastructure.
You build a user account database on the FortiAuthenticator unit. The database can
include additional user information such as street address and phone numbers that
cannot be stored in a FortiGate unit's user authentication database. You can use either
LDAP or RADIUS protocol.
The external server options are intended to integrate FortiGate authentication into
networks that already have an authentication infrastructure. The Fortinet Single Sign-On
(FSSO) option works on Microsoft Windows networks, enabling users already
authenticated by a Windows AD server to access network resources. The Remote LDAP
option adds your FortiGate units to an existing LDAP structure. Optionally, you can add
two-factor authentication to Remote LDAP.
RADIUS
If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must
be registered as NAS in Authentication > NAS. See Adding FortiGate units as NAS on
page 25. On each FortiGate unit that will use RADIUS protocol, the FortiAuthenticator
unit must be configured as a RADIUS server in User > Remote > RADIUS.
Built-in LDAP
If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users
from the user database to the appropriate nodes in the LDAP hierarchy. See Creating the
LDAP directory tree on page 28. On each FortiGate unit that will use LDAP protocol, the
FortiAuthenticator unit must be configured as an LDAP server in User > Remote > LDAP.
Remote LDAP
Remote LDAP must be enabled in each user account. FortiGate units must be registered
as NAS in Authentication > NAS. See Adding FortiGate units as NAS on page 25.
FortiGate units must communicate with the FortiAuthenticator unit using RADIUS
protocol, with the FortiAuthenticator unit entered as a RADIUS server in User > Remote >
RADIUS.
User accounts that use two-factor authentication must be imported into the
FortiAuthenticator database. You can do this in the server configuration in Authentication
Users > Remote.
Adding Users
FortiAuthenticator's user database is similar to the local users database on FortiGate
units, but it has the added benefit of being able to associate additional information with
each user, as you would expect of RADIUS and LDAP servers. This information includes:
whether the user is an administrator, uses RADIUS authentication, uses two-factor
authentication, and personal information such as full name, address, password recovery
options, and of course which groups the user belongs to.
The RADIUS server on FortiAuthenticator is configured using default settings. For a user
to authenticate using RADIUS, the option Allow RADIUS Authentication must be selected
for that user's entry, and the authenticating client must be added to the NAS list. See
Adding FortiGate units as NAS on page 25.
Administrators
Administrator accounts on FortiAuthenticator are standard user accounts that are flagged
as administrators.
Once flagged as an administrator, a user account's administrator privileges can be set to
either full access or customized to select their administrator rights for different parts of
FortiAuthenticator. There are log events for administrator configuration activities.
Administrators can also be configured to authenticate to the local system using two-factor authentication.
User self-registration
Optionally, you can enable users to request registration through the FortiAuthenticator
web page. The administrator will receive the request as an email message.
To enable self-registration
1 Go to Authentication > General > Settings.
2 Under User Self-registration, select Enable and enter the Admin's e-mail address.
3 Select OK.
How the user requests registration
1 Browse to the IP address of the FortiAuthenticator unit.
Security policies must be in place on the FortiGate unit to allow these sessions to be
established.
2 Select Register.
The User Registration page opens.
3 Fill in the required fields. Optionally, fill in the Additional Information fields. Select OK.
6 On the Reset Password page, enter and confirm a new password and then select
Next.
The user can now authenticate using the new password.
User groups
You can assign users to user groups in Authentication > User Groups > Local. This is very
similar to the firewall user group feature on FortiGate units.
FortiAuthenticator acts as a repository for all FortiToken devices used on your network:
it is a single point of registration and synchronization for easier installation and
maintenance.
To add FortiToken devices
1 Go to Authentication > FortiTokens > FortiTokens.
2 Do one of the following:
• Select Create New and enter the FortiToken device serial number. If there are multiple numbers to enter, select the + icon to switch to a resizable multiple-line entry box.
• Select Import to load a file containing the list of serial numbers for the tokens. (FortiToken devices have a barcode on them that can help you read serial numbers to create the import file.)
3 Select OK.
To register FortiToken devices, you must have a valid FortiGuard connection. Otherwise
any FortiToken devices you enter will remain at Inactive status.
• NAS name/IP
• Description
3 If RADIUS or Remote LDAP authentication will be used, select NAS is a RADIUS client
and enter the following information:
• Secret
• Two-factor Authentication: No limit.
• Users using a remote LDAP server: Authenticate only users of the selected Remote LDAP server.
• Use Radius accounting records received from this NAS as a source of FSSO user activity
When requesting authentication, an LDAP client, such as a FortiGate unit, must specify
the part of the hierarchy where the user account record can be found. This is called the
Distinguished Name (DN). In the example above, DN is
ou=People,dc=example,dc=com.
The authentication request must also specify the particular user account entry. Although
this is often called the Common Name (CN), the identifier you use is not necessarily CN.
On a computer network, it is appropriate to use UID, the person's user ID, as that is the
information that they will provide at logon.
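Added example (not code from this guide or from Fortinet) of building the DN and search filter an LDAP client sends for a user, using the guide's base DN ou=People,dc=example,dc=com and either uid or cn as the identifier. Because the identifier value is whatever the person typed at logon, it is escaped under RFC 4514 (DN) and RFC 4515 (filter) rules before being placed in the request, and a small DN splitter shows that the escaped form round-trips. The login IDs are constructed values.

```python
import string

BASE_DN = "ou=People,dc=example,dc=com"   # the base DN from the guide's example
DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value used inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value used inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_dn(base_dn: str, login_id: str, identifier: str = "uid") -> str:
    """DN of the user's entry: <identifier>=<login id>,<base DN>."""
    return "%s=%s,%s" % (identifier, escape_dn_value(login_id), base_dn)


def user_filter(login_id: str, identifier: str = "uid") -> str:
    """Search filter that selects exactly the entry whose identifier equals the login id."""
    return "(%s=%s)" % (identifier, escape_filter_value(login_id))


def split_dn(dn: str):
    """Split a DN into (attribute, value) pairs, honouring RFC 4514 backslash escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                cur.append(chr(int(pair, 16)))   # \XX hex escape
                i += 3
            else:
                cur.append(dn[i + 1])             # \<special char> escape
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        pairs.append((attr.strip().lower(), val))
    return pairs


if __name__ == "__main__":
    print(user_dn(BASE_DN, "jsmith"))
    print(user_dn(BASE_DN, "smith, john", "cn"))
    print(user_filter("jsmith"))
```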
Name
Server Name / IP
Server Port
Distinguished Name
Bind Type
Secure Connection
3 Add the LDAP server to a user group. Specify that user group in identity-based
security policies where you require authentication.
• Server name/IP
• Common name identifier: cn is the default, and is used by most LDAP servers.
• Base distinguished name: The identifier used for the top of the LDAP directory tree as it applies to FortiAuthenticator users. This may be the top of the tree, or only a smaller branch of it. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The maximum length of the DN is 512 characters. You can also select the Browse button to view and select the DN on the LDAP server.
• Bind Type: The Bind Type determines how the authentication information is sent to the server. Select the bind type required by the remote LDAP server.
4 If you want to have a secure connection between the FortiAuthenticator unit and the
remote LDAP server, select Enable under Secure Connection and enter the following:
• Protocol
• CA Certificate
5 Select OK.
You can now add remote LDAP users.
Monitoring users
There are two methods for monitoring or tracking users that are logged on: on the
dashboard, and with the Users monitor.
Dashboard
On the dashboard there are two user related widgets.
The Authentication Activity widget is a graph that tracks the number of logons over time.
It can display all logons, failed only, successful logons only, or a combination of all three.
Multiple occurrences of this widget can be displayed on the dashboard, and configured
individually.
The User Inventory widget displays the total number of configured users, groups, and
FortiTokens. It also tracks the number of disabled users and FortiTokens.
Users monitor
To see the users monitor, go to Authentication > SSO Monitor > SSO Users.
The users monitor displays a list of currently logged on FSSO users and their information.
[Figure: FSSO deployment showing the client, the network, the FortiGate unit, the FortiAuthenticator unit and the Windows AD Domain Controllers; the client logs on to the domain and the FortiAuthenticator polls logon events]
• Log Level
• Server Name/IP
• Server port
• Distinguished Name
• Bind Type
• Secure Connection: Leave unchecked.
• Name
• Port
• Password
• LDAP Server
• Display Name
• Network Address
• Account
• Password
Certificate Management
This section describes how FortiAuthenticator allows you to manage certificates
including acting as a Certificate Authority.
FortiAuthenticator can act as a Certificate Authority (CA) for the creation and signing of
X.509 certificates such as server certificates for HTTPS and SSH, and client certificates
for HTTPS, SSL, and IPSEC VPN.
Any changes made to certificates generate log entries that can be viewed at Logging >
Log Access > Logs. See Logging on page 13.
This chapter includes:
• Certificate Authorities (CA)
• Users
• Certificates
Do not press Enter while entering the information until you have completed entering the
information, otherwise you will create the certificate with incomplete information.
Subject Alternative Names (SAN) allow you to protect multiple host names with a single
SSL certificate. SAN is part of the X.509 certificate standard. An example of where SANs
are used is to protect multiple domain names such as www.example.com and
www.example.net. This contrasts a wildcard certificate that can only protect all first-level
subdomains on one domain, such as *.example.com.
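Added example (not code from this guide or from Fortinet): a hostname-matching routine that shows what a SAN list and a wildcard name each protect, following the wildcard rules of RFC 6125 as browsers apply them. The two certificates are represented only by constructed lists of their dNSName entries, using the names from the paragraph above; no certificate parsing is involved.

```python
# Constructed SAN lists standing in for the dNSName entries of two certificates.
SAN_CERT = ["www.example.com", "www.example.net"]
WILDCARD_CERT = ["*.example.com"]


def _labels(name: str):
    return name.rstrip(".").lower().split(".")


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """Decide whether a presented dNSName list covers `hostname`.

    Exact names are compared label by label, case-insensitively. A wildcard is honoured
    only when it is the entire left-most label, everything after it is literal, and at
    least two literal labels follow (so "*.com" never matches anything). A wildcard
    stands for exactly one label: "*.example.com" covers www.example.com but neither
    a.b.example.com nor example.com itself.
    """
    host = _labels(hostname)
    if any(label == "" for label in host):
        return False
    for san in san_dns_names:
        pattern = _labels(san)
        if "*" not in san:
            if pattern == host:
                return True
            continue
        if pattern[0] != "*" or len(pattern) < 3 or any("*" in p for p in pattern[1:]):
            continue  # malformed or over-broad wildcard: ignore it rather than match
        if len(host) == len(pattern) and host[1:] == pattern[1:]:
            return True
    return False


def coverage_report(hostnames, san_dns_names) -> dict:
    """Map each hostname to whether the given SAN list would protect it."""
    return {h: hostname_matches(h, san_dns_names) for h in hostnames}


if __name__ == "__main__":
    hosts = ["www.example.com", "www.example.net", "mail.example.com", "a.b.example.com", "example.com"]
    print("SAN certificate:     ", coverage_report(hosts, SAN_CERT))
    print("wildcard certificate:", coverage_report(hosts, WILDCARD_CERT))
```

The report makes the trade-off concrete: the SAN certificate covers two unrelated domains but nothing else, while the wildcard covers every first-level subdomain of example.com, including hosts that did not exist when it was issued, but not the bare domain or deeper names.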
The certificate information, including subject, issuer, status, and CA type, is displayed on
the Certificate Management > Certificate Authorities > Certificates page.
If you have many certificates, you can use the search feature to find one or more specific
certificates. The search will return certificates that match either subject or issuer.
To create a CA certificate
1 Go to Certificate Management > Certificate Authorities > Certificates.
2 Select Create New.
• Certificate Authority
• Subject information
  • Subject DN
  • Name (CN)
  • Company (O)
  • Department (OU)
  • City (L)
  • State/Province (ST)
  • Country (C)
• Additional Options
  • Validity Period: Select how long before this certificate expires. Select either a set number of days and enter the total number of days before this certificate expires (such as 3650 days for a life of 10 years), or set an expiry date by entering the expiry date in YYYY-MM-DD format, selecting Today, or use the Calendar icon to help you select a date.
  • Key Size
  • Hash Algorithm
To import a CA certificate
1 Go to Certificate Management > Certificate Authorities > Certificates.
2 Select Import.
3 Enter the following information and select OK.
• Type
• Passphrase
• Serial number radix
• Initial serial number
Users
User certificates are required for mutual authentication on many HTTPS, SSL, and IPSec
VPN network resources. You can create a user certificate on FortiAuthenticator or import
and sign a Certificate Signing Request (CSR). User certificates, client certificates, or local
computer certificates are the same type of certificate.
To create a user certificate
1 Go to Certificate Management > Users > Certificates.
2 Select Create New.
3 Enter the following information and select OK.
The Certificate Authority used must be valid and current. If it is not you will have to
create or import a CA certificate before continuing. See Certificate Authorities (CA) on
page 39.
• Certificate Signing Options
  • Certificate Authority
• Subject information
  • Subject input method: Select to enter either a Fully distinguished name (DN) or Field-by-Field. Default value is Field-by-Field.
  • Subject DN
  • Name (CN)
  • Company (O)
  • Department (OU)
  • City (L)
  • State/Province (ST)
  • Country (C)
  • User Principal Name (UPN): Enter the user principal name used to find the user's account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
• Additional Options
  • Validity Period: Select how long before this certificate expires. Select either a set number of days and enter the total number of days before this certificate expires (such as 3650 days for a life of 10 years), or set an expiry date by entering the expiry date in YYYY-MM-DD format, selecting Today, or use the Calendar icon to help you select a date.
  • Key Type
  • Key Size: Select the key size as one of 1024, 2048, or 4096 Bits long.
  • Hash Algorithm
Index
A
LDAP servers
common name, 27
distinguished names, 28
domain component, 27
hierarchy, 27
Lightweight Directory Access Protocol (LDAP), 27
ports, 11
remote server, 26
Logging, 13
NAS, 26
C
certificate authority (CA), 39
Certificate Revocation List (CRL), 41
Certificate Signing Request (CSR), 43
common name, LDAP servers, 27
Controller Agent, 35
CRL Distribution Point (CDP), 42
D
dashboard
Authentication Activity widget, 33
User Inventory widget, 33
default password, 7
distinguished names
LDAP servers, 28
domain component, LDAP servers, 27
Domain Controllers, 37
E
explicit proxy, 20
F
firewall
open ports, 11
ports, 11
firmware updates, 7
FortiGuard, 25
FortiGuard Antivirus, 7
Fortinet Server Authentication Extension (FSAE), 35
Fortinet Single Sign On (FSSO), 35
Agent, 35
Domain Controllers, 37
ports, 11
FortiToken, 24
clock drift, 25
monitoring, 25
NTP, 12
registering, 25
synchronization, 25
M
Microsoft Active Directory, 40, 44
mode, operation, 7
monitor
users, 33
Monitoring, 33
N
network access server (NAS), 25
NTP, 12
O
one-time password (OTP), 24
Online Certificate Status Protocol (OCSP), 42
operation mode, 7
P
password
administrator, 7
ports, 11
product registration, 7
proxy, 20
R
RADIUS
NAS, 25
ports, 11
server, 21
remote LDAP, 26
hierarchy
LDAP servers, 27
T
technical support, 7
troubleshooting, 17
two-factor authentication
FortiToken, 24