Producent oprogramowania Fortinet udostępnił aktualizację dla produktu FortiAuthenticator o numerze wersji 6.3.2. W najnowszej wersji rozwiązano problem braku możliwości zalogowania się do GUI. Rozwiązano także problem z automatyczną synchronizacją użytkowników LDAP w GUI z skonfigurowanym FortiTokenem która zwracała błąd. Po więcej ciekawych informacji o najnowszej wersji oprogramowania zapraszamy do dalszej części artykułu.

Co nowego w FortiAuthenticator 6.3.2:

Failure of FortiAuthenticator FSSO poller after installing Microsoft patches KB5003646 / KB5003638 / KB5003696 resolved
After installing Microsoft patches KB5003646/KB5003638/KB5003696 NT_STATUS_CONNECTION_DISCONNECTED, FortiAuthenticator event log poller fails. Applications accessing event logs on remote devices may be unable to connect. This issue may occur if the local or remote devices are yet to install updates released on June 8, 2021, or later. You may receive an error when attempting to connect, e.g., error 5: access is denied, error 1764: The requested operation is not supported, System.InvalidOperationException, and Microsoft.PowerShell.Commands.GetEventLogCommand.

Rozwiązane problemy:

Bug ID	Description
727110	Only show FortiToken mobile public IP/FQDN „FAC only listens on 443” warning when the value is set to FortiAuthenticator’s IPs/FQDN.
726585	Unable to access login page of FortiAuthenticator GUI.
725129	FortiAuthenticator FSSO poller fails after installing Microsoft patches KB5003646 / KB5003638 / KB5003696.
680776	AP HA secondary cannot change mgmt interface access configuration, and the option does not sync from primary either.
724739	FortiAuthenticator– [pillow] precaution update.
724319	Error in the GUI logs when importing LDAP users with FortiToken mobile tokens via remote LDAP sync rule.
677433	API output „HTTP 200 OK” when the SMS gateway is down.
725880	Sync rule with FortiToken mobile assignment as well as certificate binding fails to perform certificate binding when importing remote users.
724094	Temporary backup SMS is not turning off when using MSCHAPV2.
593089	Log filter limitation.
724328	SAML adaptive authentication field not hidden when we select „password or token only auth”.
719652	DNS lookup is resolved from the cache instead directly from the DNS server.
716014	PUSH communication does not use proxy.

Znane problemy:

Bug ID	Description
666880	Hide the SNMP trap option for PSU monitoring for unsupported devices.
601603	CLI only supports configuring interfaces port1 – port4.
666636	Wrong group attributes indicator in RADIUS policy response table for EAP-TLS.
637199	Default usage profiles.
615442	No Kerberos ticket requests (negotiate) on encrypted HTTPS traffic from FortiAuthenticator.
485396	Sponsor/Admin can place created guest users into any group.
588310	FortiAuthenticator dropping FSSO login events from DC Agent on failed DNS resolution.
673303	Fine-grained menu content has misaligned pointer in SSO/General.
630041	FortiAuthenticator FSSO – TS Agent sessions are stuck at zero after server reboots until FSSOTA service is restarted.
673319	Admin cannot login to approve the self-registration when group filters are set without admin user in guest portal policy.
652072	LDAP user password expired, user not prompted for RSA Token code (chained Token Authentication).
631600	SCEP request by certmonger cannot be recognized by the automatic enrollment request.
632629	Smart Connect WPA2-Personal profile fails when WPA2-Enterprise settings are left in place.
588346	An expired certificate is delivered to WiFi authenticated users.
632637	Smart Connect missing the ability to forget an SSID.
595012	Ability to resize the column width manually by using mouse.
628815	Remote SAML user import from Azure AD fails authorization issue.
602707	Unable to add multiple alternate DNS names to certificate for user certificates.
577877	Allow bulk unlock for FortiToken mobile tokens.
670811	Issues related to remote SAML user import from Azure AD.
606562	FortiAuthenticator rejects certificate signing request from a FortiGate client with invalid password error.
637028	SSL connection fails in case when the certificate expired issue is not explicit enough.
637290	No FortiToken mobile push notification with Windows agent 3.0.
670827	FortiGate filtering stops any users sent to FortiGate even though users are member of a group/container.
671345	FortiAuthenticator Windows Agent prompts for token despite incorrect password and then does not prompt for user credentials again.
657522	SAML authentication fails when AD display name contains a coma (,) and the user has admin role.
526202	FortiAuthenticator does not check if the signature of CSR is valid.
669054	Unable to install FortiAuthenticator-VM-HV 6.2.0 on server 2012 R2.
673151	Domain controller query status shows failed even with successful queries.
566145	Usage Profile „TIME USAGE=Time used” is not triggering COA or disconnect request to FortiGate.
660357	FSSO FortiGate IP filter ignored when the global group pre-filter is enabled.
669079	HTTPS certificate chain is inconsistent/incorrect.
646299	Nutanix AHV KVM based Hypervisor FortiAuthenticator upgrade from 6.0.4 to 6.1.x hangs on „Waiting for Database”.
666782	If local CA is selected for EAP and no EAP server certificate is present on FortiAuthenticator, radiusd keeps crashing after upgrading to 6.2.0.
589219	Multiple DC’s kerberos traffic after FortiAuthenticator joining the domain with local DC.
638374	SCEP – Encryption/hash compatibility with clients.
601520	Recurrent log message: Portal was not found in the session, redirecting back to the entry point.
668337	Allowed hosts configuration through CLI not reflected in the GUI before reboot.
544691	Remote LDAP admins have no certificate bindings.
645043	GUI does not show cert UPN.
592837	Sponsor accounts can add guest user accounts to non-guest groups.
666571	„Portal was not found in the session” when registering guest with non-ASCII characters „Umlauts”.
672987	After upgrading FortiAuthenticator from 5.4 to 6.x Apple devices cannot load the FortiAuthenticator captive portal via the system pop-up only.
634084	Unable to export third party signed certificate with private key when CSR is generated locally on FortiAuthenticator.
650215	FortiAuthenticator Windows Agent 3.0 – New RDP connection by the same user unable to finish due to blank login screen.
672750	FortiAuthenticator randomly sends „Please enter correct credentials. Note password is case-sensitive” error when accessing the self-service portal.
543729	RADIUS client service not working after upgrade.
668916	Subdomain users can authenticate over FortiAuthenticator Agent installed on a workstation in the main domain without the token code.
635893	Change password not working with Checkpoint VPN when 2FA is enabled.
655350	The lockout policy does not appear to apply to username/token submissions to the /auth API endpoint.
604156	Packet captures on OCI often seem to be corrupt.
604924	SAML SSO/Proxy metadata download fails with „invalid_xml”.

 

Notatki producenta: FortiAuthenticator 6.3.2

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

FortiAuthenticator FortiAuthenticator 6.3.2