FAC-Use_Cases

The document discusses FortiAuthenticator, a centralized management system for identity and access management, emphasizing its role in multi-factor authentication and secure access in hybrid environments. It highlights the risks associated with credential mismanagement and the prevalence of stolen credentials leading to security breaches. Additionally, it outlines various products and services offered by Fortinet, including FortiToken for two-factor authentication and the integration capabilities with different identity providers and authentication methods.


FORTIAUTHENTICATOR

IT Trends

• Hybrid environment: cloud identity providers and on-premises identity providers coexist
• Siloed identity systems and work from anywhere cause security gaps and increase IT workload
• Increased risk as users work outside their business network

© Fortinet Inc. All Rights Reserved. 2


Credential mis-management has led to …

• 44 million accounts using breached passwords*
• 617 million user accounts up for sale on the dark web (ZDNet, SC Media)
• 81% of breaches result from the use of stolen credentials

Source: Verizon 2020 Data Breach Investigations Report
* https://www.pcmag.com/news/microsoft-found-44m-accounts-using-breached-passwords

Fast Track Workshops © Fortinet Inc. All Rights Reserved. 3


FortiAuthenticator Use-cases

Multi-Factor Authentication
• OTP token, physical and mobile
• SMS and email
• FortiToken Cloud
• FIDO2
• Adaptive authentication
• Certificates

Authentication & Authorization
• SSL VPN, IPsec VPN
• LDAP, 802.1X, RADIUS, RadSec, TACACS+
• OAuth, SAML, web portal, REST API
• Self-service, guest service

Certificate Authority
• X.509 certificate sign, issue, revoke
• OCSP, SCEP

Fortinet SSO (FSSO)
• AD/LDAP, Kerberos
• SSO Mobile Agent, agentless
• Third-party system integration via SAML (IdP, SP, IdP proxy), RADIUS, Syslog and API integration

Covers SaaS, on-premises apps and services, Internet, wired, wireless, VPN and web access.



Secure Access for All Users

Figure: FortiAuthenticator as the authentication system of record, integrating Kerberos, web authentication* for SaaS, RSSO and generic RADIUS accounting, Syslog sources, FSSO (network), FortiToken Cloud (MFA as a service), 2FA for employees and guests, certificate authentication, and a certificate server (CRL, OCSP, SCEP).

• Authentication: establish identity through user log-in, adaptive, certificate and/or multi-factor input
• Role-based Access: provide information from the authentication source for use in privileged access
• Single Sign-On: improve security with improved user experience, i.e. reduce user login fatigue

*(Web) Authentication: SAML2, OAuth2, OIDC, REST API



Products and Services – FortiAuthenticator (FAC)
Centralized Management System

Appliance
• Perpetual license based on user count
• 4 available models: 300F, 800F, 2000E, 3000E
• Support from 100 to 40,000 users
• Licenses fully stackable to most models

Virtual Machine
• Software option supports 100 to 1M+ users
• License does not limit RAM or CPU
• Licenses fully stackable

User count by model:

Model       Base users   Max users
FAC-300F    1,500        3,500
FAC-800F    8,000        18,000
FAC-2000E   n/a          20,000
FAC-3000E   n/a          40,000
FAC-VM      100          1,000,000+

• Upgrade licenses in packs of 100, 1,000 and 10,000 users (availability varies by model)
• Hosted (bring your own license)



Products and Services – FortiToken (FTK)
Two-Factor Authentication – Multiple form factors, easy to use

• FortiToken Mobile (FTM): multi-platform OATH OTP application with push notification of login attempts and one-tap approval
• FortiToken 300 (FTK-300): driverless USB device token, FIPS 140 compliant, economical PKI authentication
• FortiToken 220 (FTK-220): mini credit-card form factor OATH OTP token; a companion tool for Android devices on Google Play allows users to reprogram the token seed
• FortiToken 200/200CD (FTK-200/200CD): durable, large display, with FortiGuard activation or an optional encrypted activation file

Available token pack sizes (✓ = available, ✗ = not available):

Token Pack   FTM   FTK-300   FTK-220   FTK-200   FTK-200CD
5            ✓     ✓         ✓         ✓         ✗
10           ✓     ✓         ✓         ✓         ✓
20           ✗     ✓         ✓         ✓         ✓
25           ✓     ✗         ✗         ✗         ✗
50           ✓     ✓         ✓         ✓         ✓
100          ✓     ✗         ✓         ✓         ✓
200          ✓     ✓         ✗         ✓         ✗
500          ✓     ✗         ✗         ✓         ✗
1,000        ✓     ✗         ✗         ✓         ✗
2,000        ✓     ✗         ✗         ✓         ✗
5,000        ✓     ✗         ✗         ✗         ✗
10,000       ✓     ✗         ✗         ✗         ✗



TOKEN



TOKEN
FTC, FTM, FTK

• FortiToken Mobile
• Perpetual license, no renewal
• No batteries, no physical damage
• Supports push
• Android, iOS and Windows Phone
• Contract can be moved from one device to another
• Full contract only, not partial

• FortiToken Hardware
• Physical device
• No renewal, but the battery has an estimated lifetime of 2 years
• Not dependent on the user's hardware



TOKEN
FTC, FTM, FTK

• FortiToken Cloud
• Same app as FTM
• Annual subscription
• Changed from points to users/year in Q3/2021
• SMS SKU will be added soon to the price list
• Distinct way to activate (cloud vs. locally applied contract)
• Supports SMS or email token, or FTK
• Can be shared between multiple FGTs without requiring a FAC
• Can be used with FAC
• Supports realms
• Distinct admins per realm
• FAC/FGT need outbound TCP access to ftc.fortinet.com on port 8686



TOKEN
Email and SMS

• Email tokens also available
• No extra cost, no renewal, not dependent on the user's hardware
• Token may take too long to reach the user…

• SMS tokens also available
• Requires an external gateway server, OR
• Fortinet SKU SMS-ELIC-100 (only 100 SMS)
• Note: FAC includes 2 SMS per FTM registered to it



TOKEN
Windows and OWA Agents

• Free agents for Windows and OWA
• Windows Agent supports offline tokens
• Allows exempting users and groups



RADIUS



RADIUS
Authenticate in External Database

• Users can be local, in a remote RADIUS server, or in a remote LDAP/LDAPS server
• Realms define where users will be authenticated
• Sources: Active Directory or any LDAP or LDAPS server; any RADIUS server; 2FA applied by FortiAuthenticator on top of the remote source

Caveats:
• LDAPS: PAP only, does not work with EAP-PEAP
• FortiToken: issues with LDAPS since their certificate changes (Mantis 723825)
• Azure AD: only LDAPS, and requires Azure AD Domain Services



RADIUS
Fortinet devices admin access authentication

• Authenticate admin access to Fortinet devices, including a token
• Same admin account and token used for all devices

Guide: https://docs.fortinet.com/document/fortiauthenticator/6.2.0/interoperability-guide-for-2fa



RADIUS
Network devices administrative access

• Centralized authentication for admin access to any network device
• Firewalls, routers, switches, servers

• Possibility to include a token
• Presents a token prompt if the device supports RADIUS Access-Challenge messages
• If not, the user must concatenate password + token in the password field

Guide: https://kb.fortinet.com/kb/viewAttachment.do?attachID=FortiAuthenticator%20Interoperability%20Guide%20for%20%20v1.3.pdf&documentID=FD33718



RADIUS
IPsec and SSL VPNs

• IPsec + SSL VPN tunnel or web mode
• Authentication can be local or remote (RADIUS or LDAP)
• SAML available for SSL VPN only

• Can force MFA
• Token push only for SSL VPN

• Not only for FortiGate
• If the device does not support RADIUS Access-Challenge, the user must concatenate password + token

Guide: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/207191/ssl-vpn-with-radius-and-fortitoken-mobile-push-on-fortiauthenticator
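The two token flows mentioned on this slide and on the network-device slide (Access-Challenge prompt vs. password+token concatenation) are shown below as an added example. This is not Fortinet code: it is a toy RADIUS server that hides and unhides the User-Password attribute per RFC 2865, verifies an RFC 6238 TOTP, and answers the way a FAC-style server does. The shared secret, user record, OTP seed and fixed clock are constructed for the illustration.

```python
"""Added example: RADIUS PAP two-factor flow for a NAS that supports Access-Challenge
and for one that does not (password immediately followed by the OTP).
Not Fortinet code; secret, users, seed and clock are constructed."""
import hashlib
import hmac
import os
import struct


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return out


def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; the previous *cipher* block feeds the next digest."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, digest))
        prev = block
    return out.rstrip(b"\x00")


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the OATH algorithm used by OTP apps such as FortiToken Mobile."""
    mac = hmac.new(seed, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class TwoFactorRadiusServer:
    """Toy model of the server side. users: name -> (password, OTP seed). now: clock, injected for tests."""

    def __init__(self, secret: bytes, users: dict, now, digits: int = 6):
        self.secret, self.users, self.now, self.digits = secret, users, now, digits
        self.pending = {}  # State attribute value -> username awaiting its OTP

    def _otp_ok(self, seed: bytes, code: str) -> bool:
        # Accept the current step plus one either side to absorb clock drift on the phone.
        t = self.now()
        return any(hmac.compare_digest(totp(seed, t + d, digits=self.digits), code) for d in (-30, 0, 30))

    def handle(self, username: str, hidden_pw: bytes, authenticator: bytes, state: bytes = None):
        """Returns (code, state); code is Access-Accept, Access-Reject or Access-Challenge."""
        if username not in self.users:
            return "Access-Reject", None
        password, seed = self.users[username]
        cleartext = pap_decrypt(hidden_pw, self.secret, authenticator).decode(errors="replace")
        if state is not None:
            # Second leg: the NAS echoed our State and User-Password now carries only the OTP.
            if self.pending.pop(state, None) != username:  # State is single-use
                return "Access-Reject", None
            return ("Access-Accept" if self._otp_ok(seed, cleartext) else "Access-Reject"), None
        if hmac.compare_digest(cleartext.encode(), password.encode()):
            # Password alone is right: ask for the token with Access-Challenge + State.
            new_state = os.urandom(8)
            self.pending[new_state] = username
            return "Access-Challenge", new_state
        # NAS cannot render a challenge: the user typed password immediately followed by the OTP.
        head, tail = cleartext[:-self.digits], cleartext[-self.digits:]
        if (len(cleartext) > self.digits
                and hmac.compare_digest(head.encode(), password.encode())
                and self._otp_ok(seed, tail)):
            return "Access-Accept", None
        return "Access-Reject", None


def nas_request(username: str, user_password: str, secret: bytes):
    """What the NAS puts on the wire: a fresh 16-byte Request Authenticator and the hidden password."""
    authenticator = os.urandom(16)
    return username, pap_encrypt(user_password.encode(), secret, authenticator), authenticator


if __name__ == "__main__":
    SECRET = b"testing123"                # constructed shared secret
    SEED = b"12345678901234567890"        # RFC 6238 test seed
    server = TwoFactorRadiusServer(SECRET, {"alice": ("S3cret!", SEED)}, now=lambda: 59)
    code, state = server.handle(*nas_request("alice", "S3cret!", SECRET))
    print(code)  # Access-Challenge
    print(server.handle(*nas_request("alice", totp(SEED, 59), SECRET), state=state)[0])
    print(server.handle(*nas_request("alice", "S3cret!" + totp(SEED, 59), SECRET))[0])
```

Two details matter operationally: the State value is single-use and bound to the user, so a replayed second leg is rejected; and because PAP hiding is only MD5-based obfuscation with the shared secret, the concatenation fallback sends the OTP in that weak wrapper, which is one more reason to prefer challenge-capable clients or RadSec.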



RADIUS
Authenticate ZTNA Users with MFA

Figure: (1) user with FortiClient reaches the ZTNA access proxy (FortiGate NGFW) in front of cloud applications and the data center; (2) EMS supplies device identity and posture; (3) FortiAuthenticator authenticates the user; (4) MFA check with FortiToken and Active Directory; (5) access granted.

What's happening? The FOS proxy point:
• validates the user
• verifies the device identity
• verifies the device posture
• confirms app rights

Guides: [pending]

RADIUS
802.1X

• Applied at switches or access points
• User or certificate authentication
• Not only Fortinet products!

Guides: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/385697/mac-based-802-1x-authentication
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/38580/port-based-802-1x-authentication
https://docs.fortinet.com/document/fortiauthenticator/6.3.0/cookbook/587192/wifi-using-fortiauthenticator-radius-with-certificates



RADIUS
Dynamic attributes assignment

• Single SSID presented to users
• Once the user authenticates, FAC returns the VLAN to be assigned in the Access-Accept
• Each user or group can have its own VLAN
• Not Fortinet proprietary!

Guide: https://docs.fortinet.com/document/fortiauthenticator/6.3.0/cookbook/324669/assigning-wifi-users-to-vlans-dynamically
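The "not proprietary" part is the RFC 2868 tunnel attributes, which is why any switch or AP can consume them. The following added example (not Fortinet code) builds the three attributes a server returns for a group-to-VLAN policy and shows the check a NAS makes before moving the port; the group-to-VLAN table is constructed.

```python
"""Added example (not Fortinet code): RFC 2868 tunnel attributes in an Access-Accept that
place a user in a VLAN, and the NAS-side check before honouring them. Policy is constructed."""
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed group -> VLAN policy; first matching group wins, like ordered RADIUS policies.
GROUP_VLANS = [("staff", 10), ("contractors", 20), ("guests", 30)]


def encode_attr(code: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([code, len(value) + 2]) + value


def tagged(tag: int, payload: bytes) -> bytes:
    """RFC 2868 tag octet (0x01..0x1F) in front of the value, so related tunnel attributes group together."""
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    return bytes([tag]) + payload


def vlan_reply_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID=<vlan as text>."""
    return (encode_attr(TUNNEL_TYPE, tagged(tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big")))
            + encode_attr(TUNNEL_MEDIUM_TYPE, tagged(tag, MEDIUM_IEEE_802.to_bytes(3, "big")))
            + encode_attr(TUNNEL_PRIVATE_GROUP_ID, tagged(tag, str(vlan_id).encode())))


def reply_for(user_groups):
    """Server side: pick the VLAN for the first matching group; no match means reject, not a default VLAN."""
    for group, vlan in GROUP_VLANS:
        if group in user_groups:
            return "Access-Accept", vlan_reply_attributes(vlan)
    return "Access-Reject", b""


def parse_attrs(payload: bytes):
    attrs, i = [], 0
    while i < len(payload):
        code, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((code, payload[i + 2:i + length]))
        i += length
    return attrs


def nas_vlan_from_accept(payload: bytes):
    """Switch/AP side: only honour a Tunnel-Private-Group-ID whose tag-mates say VLAN over IEEE-802."""
    by_tag = {}
    for code, value in parse_attrs(payload):
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            first = value[0]
            # A first octet above 0x1F is data, not a tag (RFC 2868 3.x); treat as untagged group 0.
            tag, data = (first, value[1:]) if first <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[code] = data
    for group in by_tag.values():
        if (int.from_bytes(group.get(TUNNEL_TYPE, b"\0"), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(group.get(TUNNEL_MEDIUM_TYPE, b"\0"), "big") == MEDIUM_IEEE_802
                and group.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            return int(group[TUNNEL_PRIVATE_GROUP_ID])
    return None


if __name__ == "__main__":
    code, attrs = reply_for(["contractors"])
    print(code, attrs.hex())
    print(nas_vlan_from_accept(attrs))  # 20
```

The NAS-side grouping by tag is the practical caveat: a reply carrying only Tunnel-Private-Group-ID, or with mismatched tags, is ignored by most switches, which shows up as "authenticated but on the wrong VLAN" rather than as an error.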



RADIUS
Computer authentication

• Authenticates the computer itself
• Usually together with dynamic VLAN assignment
• After authentication the computer is moved to a new VLAN
• Groups are sent by FAC after authentication
• Can request user authentication on that VLAN later
• Wireless or wired

Guide: https://docs.fortinet.com/document/fortiauthenticator/6.3.0/cookbook/773402/computer-authentication



RADIUS
RADIUS CoA

• RADIUS Change of Authorization
• Allows blocking a user after some time or after a volume of consumed bytes
• FAC does not see the traffic: it depends on the device sending RADIUS accounting information
• Profile applied per user or group

• FGT supports CoA for Wi-Fi, captive portal and SSL VPN
• FortiSwitch supports CoA
• Not exclusive to Fortinet devices

Guide: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46546
https://docs.fortinet.com/document/fortiswitch/7.0.0/administration-guide/110309/radius-change-of-authorization-coa
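Because the server only knows usage from accounting, the quota logic and the Disconnect-Request that enforces it both hang off Acct packets. The added example below (not Fortinet code) models that: it consumes constructed Start / Interim-Update / Stop records, and when a user's byte quota is crossed it emits an RFC 5176 Disconnect-Request whose Request Authenticator the NAS verifies before tearing the session down. The secret, quota table and attribute values are constructed.

```python
"""Added example (not Fortinet code): accounting-driven byte quota and the RFC 5176
Disconnect-Request sent when it is exceeded. Secret, quotas and packets are constructed."""
import hashlib
import hmac
import struct

USER_NAME, ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 1, 40, 42, 43, 44
START, STOP, INTERIM_UPDATE = 1, 2, 3
DISCONNECT_REQUEST, COA_REQUEST = 40, 43


def encode_attr(code: int, value: bytes) -> bytes:
    return bytes([code, len(value) + 2]) + value


def parse_attrs(payload: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(payload):
        code, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute")
        attrs[code] = payload[i + 2:i + length]
        i += length
    return attrs


def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 4.1: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAS side: recompute the authenticator and check the length before acting on a disconnect."""
    if len(packet) < 20:
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return struct.unpack(">H", header[2:4])[0] == len(packet) and hmac.compare_digest(auth, expected)


class QuotaEnforcer:
    """Server side. Usage is learned only from the Acct packets the NAS sends (cumulative octet counters)."""

    def __init__(self, secret: bytes, quota_bytes: dict):
        self.secret, self.quota = secret, quota_bytes  # user -> byte quota (constructed policy)
        self.sessions = {}  # Acct-Session-Id -> (user, bytes seen so far)
        self.ident = 0

    def account(self, attrs_payload: bytes):
        """Returns a Disconnect-Request packet when the user's quota is reached, else None."""
        a = parse_attrs(attrs_payload)
        user, sid = a[USER_NAME].decode(), a[ACCT_SESSION_ID]
        status = int.from_bytes(a[ACCT_STATUS_TYPE], "big")
        if status == STOP:
            self.sessions.pop(sid, None)
            return None
        used = (int.from_bytes(a.get(ACCT_INPUT_OCTETS, b"\0"), "big")
                + int.from_bytes(a.get(ACCT_OUTPUT_OCTETS, b"\0"), "big"))
        self.sessions[sid] = (user, used)
        if used >= self.quota.get(user, float("inf")):
            self.ident = (self.ident + 1) % 256
            attrs = encode_attr(USER_NAME, user.encode()) + encode_attr(ACCT_SESSION_ID, sid)
            return build_request(DISCONNECT_REQUEST, self.ident, attrs, self.secret)
        return None


def acct_packet_attrs(user: str, sid: bytes, status: int, in_octets: int, out_octets: int) -> bytes:
    """Constructed accounting attributes as a NAS would send them."""
    return (encode_attr(USER_NAME, user.encode()) + encode_attr(ACCT_SESSION_ID, sid)
            + encode_attr(ACCT_STATUS_TYPE, struct.pack(">I", status))
            + encode_attr(ACCT_INPUT_OCTETS, struct.pack(">I", in_octets))
            + encode_attr(ACCT_OUTPUT_OCTETS, struct.pack(">I", out_octets)))


if __name__ == "__main__":
    SECRET = b"coa-secret"  # constructed
    q = QuotaEnforcer(SECRET, {"guest1": 1_000_000})
    q.account(acct_packet_attrs("guest1", b"s1", START, 0, 0))
    pkt = q.account(acct_packet_attrs("guest1", b"s1", INTERIM_UPDATE, 500_000, 600_000))
    print(pkt is not None and verify_request(pkt, SECRET))  # True
```

Two practitioner points follow from this model: the interim-update interval on the NAS bounds how far past the quota a user can get, and the Disconnect-Request is authenticated only by the shared secret, so CoA/disconnect should be accepted by the NAS from the configured server address alone.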



TACACS+



TACACS+
Authorization

• Permissions applied per user or group
• Configured per service plus attribute-value pairs
• Allows defining which commands and attributes are allowed or denied



PORTALS



PORTALS
Guest Portal

• Guest users have an expiry date
• Can be created by admins or sponsors
• Random password generation, sent by email, SMS or printed
• Possibility to pre-create random guest logins
• A sponsor can add or delete their own guest users
• Guest users can edit their own profiles



PORTALS
Self Registration Portal

• Portal for self registration
• Full account registration
• Require approval from an admin or a user group
• Define expiration in hours/days/months/years
• Assign a group
• Password creation user-defined or random
• Define custom fields for the account
• Multiple portals at distinct URLs

• More than a guest
• Password reset (including remote LDAP)
• Recovery questions
• Report lost token, token self-assignment
• Device tracking and management
• Define Smart Connect profile



PORTALS
Captive Portals

• Multiple portals, selected by policies
• Per IP, AP, SSID, MAC, etc.
• Local, remote, social login
• Possibility to force a token
• Multiple realms per portal
• Group filtering



PORTALS
Social Login

• FB, Google, Twitter, LinkedIn, WeChat, phone or email
• Through OAuth2
• Assign accounts to a group
• Define account expiration
• Exempt the social-login provider destinations at the FGT using ISDB (Internet Service Database), so the not-yet-authenticated user can reach the provider

• Licensing
• Same as locally or remotely licensed users
• Counts active, disabled and expired users
• You can automatically purge disabled accounts
• Take care when setting small purge periods to save licenses!

Guides: [pending an updated version]



PORTALS
SAML SSO

• When users must authenticate against an external base through SAML
• Examples: Azure AD, Google Suite, Okta, etc.

• The captive portal login page presented is the SAML IdP's own, not FAC's
• Any MFA or other requirement of the IdP is applied

• FAC generates FSSO to FGT

• Caveat: the user is not automatically redirected to the originally requested URL
• Need to access the URL again
• Will be solved with Mantis 0694637 (planned for FAC 6.4.1)

Guides: https://fuse.fortinet.com/viewdocument/fortiauthenticator-saml-with-azure
https://docs.fortinet.com/document/fortiauthenticator/6.3.0/cookbook/535422/saml-fsso-with-fortiauthenticator-and-okta



SAML



SAML
Identity Provider

• For internal apps single sign-on
• Central authentication for cloud portals
• AWS, Azure, Office 365, Google, etc.
• Advantage: avoids exposing LDAPS

• Remember: SAML is for web authentication only



SAML
Working as IdP for external portals

• Working with Apache or IIS
• Authenticate AWS or Azure portal SaaS
• FortiGate GUI
• Office 365
• Google Suite
• Etc…

Figure: (1) user attempts to access the SaaS application; (2) primary authentication at FortiAuthenticator; (3) second authentication with FortiToken or FortiToken Cloud; (4) access granted.



SAML
Working as IdP Proxy

• Any SP (web app, SSL VPN, etc.) can point to FAC as its IdP
• FAC proxies as an SP to an external IdP (G Suite, Azure AD, etc.)
• Only FAC communicates with the external IdP
• FAC can process the IdP response to modify or add assertions
• Can force MFA at FAC and/or work with the external IdP's MFA

Figure: SaaS → FortiAuthenticator (2FA with FortiToken) → Azure AD

Guides: https://fuse.fortinet.com/viewdocument/fortiauthenticator-saml-with-azure
https://docs.fortinet.com/document/fortiauthenticator/6.3.0/cookbook/374954/saml-idp-proxy-for-azure
https://docs.fortinet.com/document/fortiauthenticator/6.3.0/cookbook/333771/saml-idp-proxy-for-g-suite

SAML
Working together with FWB and FAD

• FortiWeb and FortiADC can provide authentication for published web applications
• For the entire application or just for some parts
• Can work as a SAML SP

• Once authenticated at FWB or FAD, the user can take advantage of SAML SSO
• No need to configure SAML in the web application
• Can force MFA on users
• FortiWeb can pass user information to the real server through an HTTP header
• Important: the web app must be adjusted to use this information

• FortiADC can send information so the real server can retrieve the assertion
• Important: the web app must be adjusted to use this information



SAML
SSL VPN and FortiClient

• FortiGate can authenticate SSL VPN users using SAML
• Tunnel mode using FortiClient
• Web mode through any web browser

• Any SAML IdP, including FAC

• FAC can provide some useful features
• Realms to define where to authenticate
• Centralized MFA
• IdP proxy to other IdPs
• Add SAML attributes
• Provide single logout
• SAML debugging

Guides: https://docs.fortinet.com/document/fortiauthenticator/6.3.0/cookbook/608970/fortigate-ssl-vpn-with-fortiauthenticator-as-the-idp-proxy-for-azure
https://docs.fortinet.com/document/forticlient/6.4.0/new-features/402514/saml-support-for-ssl-vpn

FSSO



Fortinet Single Sign-On
Learning User Identities

• Story behind each method

AD & Windows sources:
• Active Directory polling
• Kerberos with NTLM fallback
• TS and AD collector agents
• FortiClient SSO Mobility Agent

Generic sources:
• RADIUS accounting records
• Login portal & widgets
• REST API
• Syslog
• SAML

All sources feed FortiAuthenticator, which forwards the identity-to-IP mappings to FortiGate.



FSSO
Multiple sources

• DC agent and polling
• Similar to FortiGate, but centralizing FSSO
• FSSO peering is a key point

• Syslog
• Parsing syslog messages to get user/IP and optionally group
• Also available at the DC agent

• RSSO
• Get user and IP from received RADIUS accounting messages
• Similar to FGT RSSO

• WSSO
• Get user and IP after a logon to a wireless SSID


FSSO
Multiple sources

• SSOMA
• FortiClient sends login information directly to FAC
• Requires an activation key on FAC
• Free FortiClient SSOMA available (does not work together with the free FCL VPN version)

• Kerberos
• Similar to FGT

• SAML
• Through a web portal where users need to authenticate first
• Can work like a captive portal

• FortiNAC
• FAC can obtain users and IPs from FortiNAC



FSSO
Peering

Figure: two datacenters, each with its own FortiAuthenticator collecting identities from Syslog / SAML, SSOMA agent / polling, RADIUS and WSSO sources, linked by FSSO peering.



CERTIFICATION AUTHORITY



Certification Authority
Where to use it

• SSL inspection at the firewall
• FAC as root CA, firewalls as intermediate CAs
• Only the FAC root CA needs to be installed on endpoint devices to avoid warnings

• IPsec and SSL VPN
• Generate, sign, revoke and renew certificates at FAC

• Internal web services
• Device GUI, internal web applications

• mTLS requirement
• Web apps or reverse proxies (FortiWeb and FortiADC included) that require user certificate validation
• SSL VPN and IPsec using certificates

• EAP-TLS / EAP-TTLS



Certification Authority
SCEP

• The SCEP protocol supports the following general operations:
• CA public key distribution
• Certificate enrolment and issuance
• Certificate renewal
• CRL query

Guides: https://fuse.fortinet.com/viewdocument/fortiauthenticator-fwb-fad-saml



Macro List of Features

TOKEN
• FTM, FTC, FTK
• SMS and Email

RADIUS
• VPN authentication
• Admin authentication
• 802.1X
• Dynamic VLAN
• CoA

TACACS+
• Admin authentication
• Command authorization

Portals
• Captive portal
• Self-registration and guest
• Social login

SAML
• IdP, IdP proxy
• SSL VPN
• Google, AWS, Azure and O365 integration

FSSO
• Agent, polling
• Syslog, RSSO, WSSO, etc.

Certification Authority
• Server certificates
• User certificates
• VPNs, SCEP, ZTNA, etc.
