Fortinet udostępnił aktualizację dla produktu FortiAuthenticator o numerze wersji 6.4.6. Dzięki aktualizacji, zostały poprawione błędy dotyczące obsługi 2FA dla oprogramowania FortiClient, ponadto skorygowano błędne działanie uwierzytelniania SAML, problem dotyczył błędu ,,500 Internal Server Error” po pomyślnym uwierzytelnieniu SAML. Od wersji 6.4.6, nie będzie już problemu z konfiguracją klastra active-active na hoście Hyper-V. Po więcej ciekawych informacji zapraszamy do dalszej części posta.

Rozwiązane problemy:

Bug ID	Description
838043	FSSO Enable encryption option should not be enabled by default.
846732	2FA support for FortiClient IKEv2 VPN is broken.
837679	Upgrade to FortiAuthenticator 6.4.5 causes SSOMA connection failure.
787156	FortiAuthenticator 6.4.1 GA OIDC HTTP Error 500.
806544	HA halts at „Forming Cluster” due to remote RADIUS user database format issue.
837428	FortiAuthenticator remote syslog did not include the correct hostname information.
837219	FortiAuthenticator VM on same Hyper-V host cannot form HA A/A cluster after July 2022 Windows Updates.
840637	500 Internal Server Error after successful SAML authentication.
837246	Unable to access Captive Portals directly on 6.4.5 GA.
838837	[FACCloud] Readd SSO section to the Monitor tab.
837691	SAML IdP fails to process the request containing more than one RequestedAuthnContext.
834377	Accessing GUI event logs gives 500 Error on FortiAuthenticator devices upgraded all the way from <= FAC 2.0.

Znane problemy:

Bug ID	Description
809353	Country code selection for guest portal user registration on iOS selects incorrect country prefix.
831114	Ukrainian language pack is added but the legacy self-service portal shows some parts in English and some in Ukraine.
653638	Locked out user account should have status as disbled in user lookup page.
793838	Password not defined after importing users from LDAP as a local user via sync rule.
799641	FIDO key user should have information in User Lookup.
817915	Hide RADIUS attribute substring match option for non-string types.
821315	Unable to set Group Filter for remote user group.
836463	After configuring initial IP settings in CLI, https GUI access does not work.
680776	AP HA secondary cannot change mgmt interface access configuration, and the option does not sync from the primary either.
637028	SSL connection fails if the certificate expired issue is not explicit enough.
676532	When FortiAuthenticator has RADIUS client set as subnet, RADIUS accounting disconnect messages are not sent.
689329	Unable to resolve the username if the primary LDAP connection is down.
751108	FortiAuthenticator does not support admin OIDs from FORTINET-CORE-MIB properly.
767745	SNMP facSysCpuUsage returns wrong type.
767935	A-P cluster, it forms when configured from the GUI, it does not when configured from CLI without a restart.
773083	Enable/disable FortiToken Cloud push notification button shuts down all the authentication methods.
775542	When an admin with 2FA tries to authentcate to the CLI, before being prompted for the token code, an „Access denied” message is shown. Once the token is typed in, the auth goes through.
781168	RADIUS client cannot connect to the RADIUS server caused by an unknown client.
808748	Self-service portal password change fails for remote LDAP users if UPN format is used.
830386	„Users Audit Report” does not update timestamps in the „Last Used” Column for EAP-TLS authentication used for Wireless.
830884	Username is not populated in Logs, when changes are done via API in FortiAuthenticator.
836086	Revoked intermediate CA are shown in the GUI as used per license.
837728	Local services: Unable to use certificates when the subject length is more than 97 characters.
838918	Despite DH modulus regeneration and device reboot, DH modulus is still equal to 2048 bits (256 bytes) instead of 4096 bits (512 bytes).
842389	Captive portal automatic log in after successful user verification is failing.
844295	Unable to import Guest users using CSV format in FortiAuthenticator.
845700	Chained token authentication fails with self service portal.
845851	Push on FortiAuthenticator portal does not work when the username exceeds 20 characters.
566145	Usage Profile 'TIME USAGE=Time used' is not triggering COA or disconnect request to FortiGate.
761482	FIDO2 authentication not compatible with Apple’s WiFi popup.
806837	FortiAuthenticator license file is too large for AWS.
815896	FortiAuthenticator does not log an error when it cannot communicate to an external SMS provider due to invalid or expired certificate.
816070	DB issue if power down during a short window when booting from factory reset.
743775	SCEP Get CA requests intermittently fails under high SCEP load.
750134	FortiAuthenticator as LDAP server cannot export admin users from the local user base.
757460	Enable Django auto-translation for any end user pages.
787013	Changing the username attribute will cause the remote sync rule to remove existing remote users and eventually reimport them.
791127	Sometimes(randomly) FortiAuthenticator fails to send email notification.
795271	E-mail address does not appear in the logs after social login authentication.
796834	Captive portal loops between /portal/server?, 200 OK to /portal/login/server? 302 OK back to /portal/server? on Chrome browsers.
799768	Automatic CRL download error with two Identical DN.
801009	Remote SAML user sync rule creates one log entry for every SAML user assgined FortiToken Mobile every time the SAML sync occurs.
804238	FortiAuthenticator 6.4.1 GA SAML Logout fails.
815000	TACACS consuming CPU resources 100% with zero connections.
815897	Unable to import LDAP user from GUI by using IBM Lotus Domino LDAP.
826424	Registering an already existing username on Legacy Self-serve Portal triggers 500 error.
829318	„Users and Devices” permission set does not allow to import remote LDAP users.
773020	Revoking of certificate is not seen with OCSP until FortiAuthenticator reboots.

Notatki producenta: FortiAuthenticator 6.4.6

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

6.4.6 FortiAuthenticator FortiAuthenticator 6.4.6