B&B Bezpieczeństwo w biznesie
Fortinet, a software vendor, has released FortiAuthenticator 6.6.0, which introduces significant new functionality in the FSSO area and improves interoperability with RADIUS. The update resolves issues such as errors when importing users from FortiGate into FortiAuthenticator and the risk of losing HA heartbeats because of heavy FSSO-related DNS traffic. These are steps forward in the platform's functionality and stability; more details can be found in the article below.

What's new:

FSSO: Include LDAP user groups defined on FortiAuthenticator

FortiAuthenticator can now mark some of the remote LDAP groups to be included in FSSO.

When creating or editing a remote LDAP user group in Authentication > User Management > User Groups, a new Include for FSSO option is available. The option is available only when User retrieval is set to Set a list of imported remote LDAP users. The option is disabled by default.

Also, FortiGate filters now include FortiAuthenticator LDAP groups (remote LDAP user groups with User retrieval set to Set a list of imported remote LDAP users). When creating or editing a FortiGate filter in Fortinet SSO Methods > SSO > FortiGate Filtering, selecting the Select from SSO users/groups option in the SSO Filtering Objects pane offers a new Remote LDAP Groups option to select the FortiAuthenticator LDAP groups.

The feature can be enabled/disabled using the new Include locally-defined remote LDAP groups option (disabled by default) in the User Group Membership pane in Fortinet SSO Methods > SSO > General.

RADIUS: Option to send FortiToken push without an Access-Challenge

A new Trigger push without RADIUS challenge option (warning: NOT recommended when used with FortiGate RADIUS clients) is available when creating a RADIUS policy in Authentication > RADIUS Service > Policies. The option is disabled by default.

When the option is enabled, FortiAuthenticator triggers the FortiToken Mobile push notification as soon as the password is verified, without requiring the end user to respond "push" to a RADIUS challenge.

OAuth: Add PKCE to authorization code flow

When creating or editing a relying party in Authentication > OAuth Service > Relying Party, a new Authorization code with PKCE authorization grant type is available when the Client type is Public.

When this grant type is selected, FortiAuthenticator applies the following modifications to the standard Authorization code grant type:

  • The client_secret field is ignored in requests to the /oauth/authorize/ endpoint.
  • New code_challenge_method and code_challenge fields are required in requests to the /oauth/authorize/ endpoint.
  • A new code_verifier field is required in requests to the /oauth/token/ endpoint.
  • FortiAuthenticator rejects requests to the /oauth/token/ endpoint if the SHA256 digest of code_verifier does not match the code_challenge provided when the code was issued by the /oauth/authorize/ endpoint.

The following new fields have been introduced to the /oauth/authorize/ endpoint:

  • code_challenge_method
  • code_challenge

The following new fields have been introduced to the /oauth/token/ endpoint:

  • code_verifier
Captive portal: New "No authentication" authentication type

FortiAuthenticator now offers a new No authentication authentication type when creating or editing a captive portal policy. With the No authentication type, users are not required to provide login credentials.

RADIUS: Limit the number of concurrent MAC devices per user

When creating or editing a usage profile in Authentication > User Management > Usage Profile, a new Max. devices per user option is available in the Devices pane.

The option allows you to set the maximum number of different MAC device addresses allowed concurrently for every user in the active RADIUS accounting sessions.

By default, the Max. devices per user is set to 0. When set to 0, MAC devices control is disabled, i.e., there is no limit on the number of concurrent MAC devices per user.

Also, RADIUS attribute for user IP and the RADIUS attribute options previously available in Authentication > RADIUS Service > Policies are now available in Authentication > RADIUS Service > Clients.

SAML IdP: Extend login sessions

Login session timeout in Authentication > SAML IdP > General can now be configured with a value between 5 minutes to 120 days.

Support custom user account attributes in SAML SP assertions

Custom fields configured in Authentication > User Account Policies > Custom User Fields are now available in the User attribute dropdown in the Assertion Attributes pane in Authentication > SAML IdP > Service Providers.

Captive portal: Expiry for tracked devices

The portal configuration settings in Authentication > Portals > Portals now includes a new Remove MAC devices after option to control the MAC device expiry.

By default, the option is set to 7 days (allowed range: 1 to 365 days).

LB HA: Wider and customizable configuration subsets

The HA configuration page in System > Administration > High Availability now offers new Synced settings (load-balancing) to select which subsets of the configuration to include in the LB HA sync. Synced settings (load-balancing) is available only when the Role is Standalone Primary.

Exporting the admin user list for audit reports

FortiAuthenticator user audit reports generated from Logging > Audit Reports > Users Audit now include a new Only include administrator & sponsor accounts option. Enabling the option restricts the user audit report to administrator and sponsor accounts only.

The following new columns are included in the CSV file generated as part of the audit report:

  • lb synced
  • trusted subnets
  • password auth

FortiToken Cloud: Migrating FortiToken Mobile to FortiToken Cloud

FortiAuthenticator now allows you to migrate FortiToken Mobile tokens from a FortiToken Mobile license to FortiToken Cloud using the following CLI command:

execute fortitoken-cloud ftm-migrate <FTM license number>

Certificate enrollment via CMPv2

FortiAuthenticator now provides CMPv2 server functionality.

CMPv2 is a Certificate Management Protocol designed by Safenet for the secure signing of digital certificates and complete certificate life cycle management.

A new CMP menu is available in Certificate Management. CMP contains the following two tabs:

  • General
  • Enrollment Requests

Support for SCIM client

FortiAuthenticator now supports SCIM client service.

You can now configure a SCIM service provider in Authentication > SCIM > Service Provider.

OAuth: Support for IAM

A new IAM login option is available in the Identity sources tab to enable IAM logins when configuring an OAuth policy in Authentication > OAuth Service > Policies.

When creating or editing an OAuth relying party, you can now include OIDC claims that return IAM account name, IAM account alias, and/or IAM username when the grant type is Authorization code (with/without PKCE).

The OAuth login page (Login Page replacement message) now offers a Sign-in as IAM user link when IAM login is enabled.

The OAuth service now offers a new OAuth IAM Login Page replacement message used as the login form when the Sign-in as IAM user link is clicked on the OAuth login page.

The following new fields have been introduced to the /oauth/token endpoint:

  • iam_account
  • iam_user

FSSO: New field for FortiGate expected LDAP username attribute

When editing the SSO configuration in Fortinet SSO Methods > SSO > General, a new Username attribute field is available. When the Username attribute field is configured, the attribute value is obtained from the user LDAP lookup and is used as the username instead of the user login username.

Support custom user account attributes in OAuth relying parties

Custom fields configured in Authentication > User Account Policies > Custom User Fields are now available in the User Attribute dropdown in the Claims pane in Authentication > OAuth Service > Relying Party.

New fields for local, LDAP, and RADIUS users endpoints

The following new fields have been introduced to the /localusers/, /ldapusers/, and /radiususers/ endpoints:

  • company
  • department

Resolved issues:

Bug ID Description
505547 SSOMA configuration: Misleading error message.
558390 Support TLS 1.3 in RADIUS EAP-TLS.
599496 Support TLS 1.3 in curl / libcurl.
741495 Error when trying to import users from FortiGate configuration to FortiAuthenticator v6.4.
755752 Power supplies show voltage input fault on both CLI and GUI.
756414 Incorrect Italian translation of the Next button displayed on the reset password page.
766453 [FortiAuthenticator 400E] help check the reason of FortiAuthenticator 400E auto rebooting.
781832 Token bypass not working for FIDO enabled self-service portal.
825665 Wrong client IPv4 attribute for Fortinet SSO Methods > SSO > RADIUS Accounting Sources.
842886 Upgrading FortiAuthenticator in HA-LB removed the MAC-address records from the LB node.
853068 In the session expired token page entering wrong token does not redirect to Login page.
868810 Heavy FSSO-linked DNS traffic could result in the loss of HA heartbeats.
869867 FortiAuthenticator SSO database is not updating on time when domain users switch from wireless to wired or vice-versa.
874450 Realm authentication performance regression with KVM FortiAuthenticator.
876009 FortiAuthenticator ignores the group filtering rules and sends all SSO groups to FortiGate if FortiGate is configured with an FQDN.
877432 Selecting the cloud option for group membership on SAML SP displays 500 error if we do not select an OAuth server.
887081 SAML: Launching SP-initiated SAML session for a user with FIDO AUTH produces server errors.
887135 Admin password recheck popup should have a cancel button.
887487 Request FortiAuthenticator with CA only to support future new FortiGate with CA2 only.
890725 SAML token-only login displays password page instead of the token page.
894888 User lookup does not display token information with view-only admin profiles.
897852 Add warnings, logs, and SNMP traps on LB HA failures.
900664 Certificate only smart connect in iOS does not work.
903714 TACACS+ remote users are not being displayed in User Lookup.
903747 Instruction link for installing FortiToken Mobile application is blocked on the self-service portal.
904647 HA status table header giving JavaScript errors when we clicked on.
905423 CRL download URL over http is not available.
906150 Improve performance in SAML login GET request.
906634 We can access SAML IdP initiated URL on a FortiAuthenticator using a server address that is not the FQDN or IP.
908091 When timezone = GMT, London, user audit report download fails with internal server error 500.
908291 FortiAuthenticator does not properly revoke a user certificate.
908753 Number of Users for the MAC device group is always zero.
908759 HA LB anomaly for the MAC device group membership upon connection.
909099 Refresh button for widgets gets grayed out for a while after clicking on it.
909342 Import hard token through the serial number file, status Missing seed.
910331 Next button to trigger FIDO authentication should be disabled when FIDO authentication is in progress.
911300 The self-service portal password change error is displayed in two places.
911347 Proper fix strong crypto configuration in WAD.
911389 Remove Certificate authority type and CA certificate that issued the server certificate from Web/LDAP server configuration page.
913354 Self-device enrollment is broken for FortiToken 300.
913981 Non-admin SAML FIDO authentication ends with error 500.
914755 FortiAuthenticator is not sending the userip to the Syslog server when using RADIUS authentication.
917189 Add more built-in tiles for SAML IdP-initiated portal.
920262 Some of the users logged in MAC devices are unable to get user sessions listed on FortiAuthenticator.
920702 Requiring a password recheck should be necessary when adding a FIDO key to the Admin user.
921147 Oauth relying parties should have unique name constraints.
921851 Unable to scroll User Registration Replacement Messages page.
921949 We should not be able to save Smart connect profiles if EAP type has not been selected.
922974 406 error when prompted for the Admin password.
923697 RADIUS policies matching attributes configuration should not be limited to two.
924446 500 error for a remote user on the SAML portal with both FIDO and FortiToken Mobile/FortiToken Cloud token.
924632 FortiAuthenticator unable to return more than 100 groups from the Azure AD when using SSOMA.
924867 GUI crashes when creating a usage profile.
925402 FortiAuthenticator base distinguished name- Click on the browser displayed error code if OU has special characters in the name, e.g., ( ? ) , +.
926385 FortiToken sync issue after upgrading from a previous GA build.
927104 The User Lookup feature displays only the most recent session for active RADIUS sessions.
927117 When attempting to revoke a server certificate, the Certificates field is empty.
928034 Issue authenticating IPsecVPN IKEv2 EAP (MSCHAPv2) to FortiAuthenticator + remote RADIUS server.
928334 Incorrect message on landing page for No-Access-Admin login.
928643 radiusd cannot handle two parallel authentication sessions and removes partially authenticated user when second attempt comes.
928803 Syslog over TLS enabled offers TLS 1.0 and TLS 1.1 on port 6514.
929004 Unable to add longer mobile phone numbers for certain country codes.
929090 FortiAuthenticator issues with UserPrincipalName (UPN) and tokens.
929279 Self-service portal password change fails for remote LDAP users.
929380 Typo: Fix typo when deleting FortiToken mobile.
929726 HA cluster fails to provision FortiToken Mobile tokens on the primary after a failover.
929943 Push authentication does not work on the Windows Agent when using FortiTrust Identity.
931034 Coordinated upgrade from build 0073 (6.0.8) GA to 1349 results in errors in the HA cluster mode.
931246 CRL automatic download failed using https.
931960 radiusd appears to be stale with unfinished request in component authenticate module facauth that matches no Access-request ID.
932783 FAC2KE PSU monitor widget does not accurately reflect the actual statuses of the PSUs on the device.
933747 REST API – RuntimeError on localgroup-memberships post.
934078 FortiAuthenticator allows and forwards TS-Agent and DC-Agent login for the same IP address.
934489 SmartConnect profile user certificate not containing the correct UPN.
934535 500 error when re-enabling a disabled local user with Account Expiration enabled.
934567 Internal Server Error (Disk full) on the users certificate GUI with 50K+ certificates.
934573 Language changes in LEGACY self-service portal when an admin is connected affect admin GUI language.
934872 Auto-redirect to the trusted endpoint SSO URL.
935590 REST API does not return company and department fields for local users.
937201 Sync rule with no OTP method generates excessive logs.
937917 Custom user fields in user portal settings gives 403 error when editing it.
939073 Subject NameID under Assertion Attribute not defaulting to username.
939829 If a user logs in to FortiAuthenticator first, then logs in to the OAuth application, the user will be logged in with the FortiAuthenticator login session.
939909 /api throws 500 internal server error after login, it should not be an unhandled exception.
940443 FortiAuthenticator – FortiOS/FortiProxy – Proxy mode with deep inspection – Stack buffer overflow.
941685 Create new log events for RADIUS accounting start/stop messages.
941695 Adding TACACS+ clients from a csv file allows to enter an incorrect IP address format string instead of the address type.
942419 Syslog FSSO – Parse for multiple IPv4 and IPv6 addresses.
943843 FortiAuthenticator HSTS settings are not applied to the facwad webserver.
944392 Post request will cause CSRF validation error if the URL contains port number other than 80 or 443.
946677 Eliminate telnetd from FortiAuthenticator.
947031 SAML SP FIDO OTP fallback using Azure IdP proxy with an imported remote SAML Azure with token fails.
948072 Improper requests to /admin/customviews/guestportaltemplate/editor/generates server errors.
948184 Upgrade to 6.5.3 fails and leaves FortiAuthenticator unusable.
948606 LDAP group filter query fails when 3 CN is chosen.
949269 Remote LDAP user should be denied in RADIUS if user has not been imported.
950252 CSV Mac device import fails due to MAC address wildcard formatting. Previously, resolved in 0665381.
950260 Change in FortiToken Cloud 'balance' API broke inventory widget.
950326 FortiAuthenticator keeps sending non-stop traffic to ftc.fortinet.com.
950696 OAuth portal is optional.
950709 Creating users using the localuser endpoint fails.
951049 FortiToken hardware token is not assigned to the imported users if None is not selected in the sync rule.
951966 GUI not showing groups when trying to import user by group membership attribute from the OpenLDAP server.
952537 Certificate renewal failure after revocation.
953096 Close all of the FortiAuthenticator service ports by default.
953106 Unable to change Fortinet logo on one of the replacement messages.
954178 Avoid sharing the database session across different HTTP requests.
954681 Test token with email/SMS not working due to CSP error.
955548 Internal error 500 when trying to visualize the remote TACAC+ users.
957153 Dynamic RADIUS attribute feature should work for an AD user.
957281 ftcd/pushd should close http_request explicitly.
958112 Using special character in the Service Provider settings breaks SAML with 403 error.
958660 Windows AD SSO domains randomly disconnected from FortiAuthenticator(when polling dozens).
960241 Unable to redirect to a page after successful kerberos authentication – unsafe-eval error.
960694 Trusted CA deletion does not generate a log message.
961100 Restoring encrypted configuration with wrong password gives not a gzip file error.
962037 Issues when moving users from column Available Users to Chosen Users.
962222 wad pg_client crashes due to use-after-free error.
962359 Allow changing access rights in the FortiAuthenticator Cloud mode.
963519 Translation error in OAuth Service > General > JWT private key.
964676 It takes around 10 seconds to create or migrate IAM user on any account.
964839 Do not display firmware certificates as options for CA certificate when FortiAuthenticator is in HA LB mode.
965871 SAML stops working with error 500 due to captcha errors.
966223 Internal server error 500 when viewing RADIUS Accounting Sessions in Monitor section.
966225 Unable to create multiple realms with the same remote SAML server.
967020 500 Internal server error on SAML when authenticating with SAML with captcha enabled.
967065 Admin login with FortiToken Mobile/Cloud push failure with an empty field.
967789 Windows agent authentication using FortiToken Cloud with Email and SMS delivery option fails.
968656 Unable to configure the fourth and the last realm in Authentication > SAML IdP > General.
970809 SAML trusted endpoint FSSO return internal error 500.
971069 wad/pg_client initiated query is active on the postgres side despite already being finished.
973586 Fido OAuth authentication flow is broken.
973754 Incorrect password with PCI mode enabled results in 500 error.
977602 Enable HSTS by default.

Vendor release notes: FortiAuthenticator 6.6.0

Best regards,

The B&B Team
Bezpieczeństwo w biznesie
