FortiAuthenticator 6.6.0 Examples

The document provides examples and guidelines for using FortiAuthenticator 6.6.0, covering various functionalities such as certificate management, guest portals, VPN configurations, and authentication methods. It includes detailed steps for setting up and managing different authentication scenarios, including SSL VPN, WiFi onboarding, and SAML authentication. Additionally, it offers links to Fortinet resources such as documentation, training, and support services.

Examples

FortiAuthenticator 6.6.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE
https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com

February 18, 2025

FortiAuthenticator 6.6.0 Examples
23-660-935255-20250218
TABLE OF CONTENTS

Change Log 10
Certificate management 12
FortiAuthenticator as a Certificate Authority 12
Creating a new CA on the FortiAuthenticator 12
Installing the CA on the network 13
Internet Explorer and Chrome 13
Firefox 16
Creating a CSR on the FortiGate 18
Importing and signing the CSR on the FortiAuthenticator 19
Importing the local certificate to the FortiGate 20
Configuring the certificate for the GUI 20
Results 21
FortiAuthenticator certificate with SSL inspection 21
Creating a CSR on the FortiGate 22
Creating an Intermediate CA on the FortiAuthenticator 24
Importing the signed certificate on the FortiGate 24
Configuring full SSL inspection 25
Results 27
FortiAuthenticator certificate with SSL inspection using an HSM 28
Configuring the NetHSM profile on FortiAuthenticator 29
Creating a local CA certificate using an HSM server 30
Creating a CSR on the FortiGate 31
Creating an Intermediate CA on the FortiAuthenticator 32
Importing the signed certificate on the FortiGate 33
Configuring full SSL inspection 33
Results 36
FortiToken and FortiToken Mobile 38
FortiToken Mobile Push for SSL VPN 38
Adding a FortiToken to the FortiAuthenticator 39
Adding the user to the FortiAuthenticator 39
Creating the RADIUS client and policy on the FortiAuthenticator 42
Connecting the FortiGate to the RADIUS server 43
Configuring the SSL-VPN 45
Results 48
Guest Portals 52
FortiAuthenticator as Guest Portal for FortiWLC 52
Creating the FortiAuthenticator as RADIUS server on the FortiWLC 52
Creating the Captive Portal profile on the FortiWLC 53
Creating the security profile on the FortiWLC 54
Creating the QoS rule on the FortiWLC 55
Creating the ESS Profile on the FortiWLC 57
Creating FortiWLC as RADIUS client on the FortiAuthenticator 58
Creating the portal and access point on FortiAuthenticator 59
Creating the portal policy on FortiAuthenticator 60
Results 61

FortiAuthenticator 6.6.0 Examples 3


Fortinet Inc.
FortiAuthenticator as a Wireless Guest Portal for FortiGate 61
Configuring FortiGate as a RADIUS client 61
Creating a user group on FortiAuthenticator for guest users 62
Creating a guest portal on FortiAuthenticator 62
Configuring an access point on FortiAuthenticator 63
Configuring a captive portal policy on FortiAuthenticator 63
Configuring FortiAuthenticator as a RADIUS server on FortiGate 65
Creating a guest group on FortiGate 65
Creating a wireless guest SSID on FortiGate 66
Creating firewall policies for guest access to DNS, FortiAuthenticator, and internet 68
Configuring firewall authentication portal settings on FortiGate 68
FortiAuthenticator as a Wired Guest Portal for FortiGate 69
Configuring FortiGate as a RADIUS client 70
Creating a user group on FortiAuthenticator for guest users 70
Creating a guest portal on FortiAuthenticator 71
Configuring an access point on FortiAuthenticator 71
Configuring a captive portal policy on FortiAuthenticator 72
Configuring FortiAuthenticator as a RADIUS server on FortiGate 73
Creating a guest group on FortiGate 74
Creating a wired guest interface on FortiSwitch 74
Creating firewall policies for guest access to DNS, FortiAuthenticator, and internet 76
Configuring firewall authentication portal settings on FortiGate 77
MAC authentication bypass 78
MAC authentication bypass with dynamic VLAN assignment 78
Configuring MAC authentication bypass on the FortiAuthenticator 78
Configuring the user group 79
Configuring RADIUS settings on FortiAuthenticator 79
Configuring the 3rd-party switch 81
Results 82
Self-service Portal 84
FortiAuthenticator user self-registration 84
Creating a self-registration user group 84
Enabling self-registration 85
Creating a new SMTP server 88
Results - Self-registration 89
Results - Administrator approval 91
VPNs 94
LDAP authentication for SSL VPN with FortiAuthenticator 94
Creating the user and user group on the FortiAuthenticator 94
Creating the LDAP directory tree on the FortiAuthenticator 96
Connecting the FortiGate to the LDAP server 96
Creating the LDAP user group on the FortiGate 98
Configuring the SSL-VPN 99
Results 102
SMS two-factor authentication for SSL VPN 103
Creating an SMS user and user group on the FortiAuthenticator 103
Configuring the FortiAuthenticator RADIUS client 105
Configuring the FortiGate authentication settings 106

Configuring the SSL-VPN 108
Creating the security policy for VPN access to the Internet 110
Results 110
WiFi authentication 114
Assigning WiFi users to VLANs dynamically 114
Configuring the FortiAuthenticator 114
Adding the RADIUS server to the FortiGate 116
Creating an SSID with dynamic VLAN assignment 117
Creating the VLAN interfaces 118
Creating security policies 122
Creating the FortiAP profile 123
Connecting and authorizing the FortiAP 125
Results 125
WiFi using FortiAuthenticator RADIUS with certificates 127
Creating a local CA on FortiAuthenticator 127
Creating a local service certificate on FortiAuthenticator 128
Configuring RADIUS EAP on FortiAuthenticator 128
Configuring RADIUS client on FortiAuthenticator 129
Configuring local user on FortiAuthenticator 129
Configuring local user certificate on FortiAuthenticator 130
Creating RADIUS server on FortiGate 131
Creating WiFi SSID on FortiGate 132
Exporting user certificate from FortiAuthenticator 136
Importing user certificate into Windows 10 136
Configuring Windows 10 wireless profile to use certificate 140
Results 145
WiFi RADIUS authentication with FortiAuthenticator 148
Creating users and user groups on the FortiAuthenticator 148
Registering the FortiGate as a RADIUS client on the FortiAuthenticator 149
Configuring FortiGate to use the RADIUS server 150
Creating SSID and set up authentication 151
Connecting and authorizing the FortiAP 152
Creating the security policy 155
Results 156
WiFi with WSSO using FortiAuthenticator RADIUS and Attributes 156
Registering the FortiGate as a RADIUS client on the FortiAuthenticator 156
Creating users on the FortiAuthenticator 157
Creating user groups on the FortiAuthenticator 158
Configuring the FortiGate to use the FortiAuthenticator as the RADIUS server 159
Configuring user groups on the FortiGate 160
Creating security policies 161
Configuring the SSID to RADIUS authentication 163
Results 164
802.1X authentication using FortiAuthenticator with Google Workspace User Database 164
Configuring FortiGate as a RADIUS client 165
Creating a realm and RADIUS policy with EAP-TTLS authentication 166
Configuring FortiAuthenticator as a RADIUS server in FortiGate 167
Configuring a WPA2-Enterprise with FortiAuthenticator as the RADIUS server 167

Configuring Windows or macOS to use EAP-TTLS and PAP 168
LDAP Authentication 170
Google Workspace integration using LDAP 170
Generating the Google Workspace certificate 170
Importing the certificate to FortiAuthenticator 172
Configuring LDAP on the FortiAuthenticator 173
Troubleshooting 173
SAML Authentication 175
SAML IdP proxy for Azure 175
Configuring OAuth settings 175
Configuring the remote SAML server 176
Creating a remote SAML user synchronization rule 177
Configuring an Azure realm 178
Configuring SAML IdP settings 178
Configuring SP settings on FortiAuthenticator 178
Configuring the login page replacement message 179
Results 180
SAML IdP proxy for Google Workspace 180
Configuring OAuth settings 181
Configuring the remote SAML server 181
Creating a remote SAML user synchronization rule 182
Configuring a Google Workspace Realm 183
Configuring IdP settings 183
Configuring SP settings on FortiAuthenticator 184
Configuring the login page replacement message 185
Results 185
SAML FSSO with FortiAuthenticator and Okta 185
Configuring DNS and FortiAuthenticator's FQDN 186
Enabling FSSO and SAML on FortiAuthenticator 187
Configuring the Okta developer account IdP application 189
Importing the IdP certificate and metadata on FortiAuthenticator 193
Configuring FSSO on FortiGate 194
Office 365 SAML authentication using FortiAuthenticator with 2FA 201
Configure the remote LDAP server on FortiAuthenticator 202
Configure SAML settings on FortiAuthenticator 203
Configure two-factor authentication on FortiAuthenticator 204
Configure the domain and SAML SP in Microsoft Entra ID (formerly Microsoft Azure AD) PowerShell 205
Configure Microsoft Entra ID Connect 208
Results 214
FortiGate SSL VPN with FortiAuthenticator as the IdP proxy for Azure 216
Configuring Azure 217
Configuring FortiAuthenticator 220
Configuring FortiGate 225
Results 227
SAML FSSO with FortiAuthenticator and Microsoft Entra ID (formerly Microsoft Azure AD) 227
Creating a tenant in Azure Portal 228

Creating an enterprise application in Azure Portal 230
Setting up single sign-on for an enterprise application 231
Adding the enterprise application as an assignment 233
Registering the enterprise application with Microsoft identity platform and generating authentication key 234
Creating a remote OAuth server with Azure application ID and authentication key 234
Creating a remote SAML server 234
Setting up SAML SSO in FortiAuthenticator 236
Adding an FSSO agent 236
Configuring an interface to use an external captive portal 237
Configuring a policy to allow a local network to access Microsoft Azure services 237
Creating an exempt policy to allow users to access the captive portal 238
Results 239
Office 365 SAML authentication using FortiAuthenticator with 2FA in Azure/ADFS hybrid environment 239
Configure FortiAuthenticator as an SP in ADFS 239
Configure the remote SAML server on FortiAuthenticator 240
Configure SAML settings on FortiAuthenticator 241
Configure two-factor authentication on FortiAuthenticator 242
Configure FortiAuthenticator replacement messages 243
Results 243
SSL VPN SAML authentication using FortiAuthenticator with OneLogin as SAML IdP 244
Prerequisites and scope of the example 245
Creating an OneLogin application 246
Configuring an application on OneLogin 246
Granting user access to the application 250
Configuring a remote SAML server 251
Configuring an OneLogin realm 253
Creating remote SAML users 253
Configuring SAML IdP settings 254
Configuring FortiAuthenticator replacement message 255
Configuring FortiGate SP settings on FortiAuthenticator 255
Uploading SAML IdP certificate to the FortiGate SP 257
Creating SAML user and server 258
Mapping SSL VPN authentication portal 260
Increasing remote authentication timeout using FortiGate CLI 261
Configuring a policy to allow users access to allowed network resources 261
FortiGate SSL VPN with FortiAuthenticator as SAML IdP 262
Certificate management 263
FortiAuthenticator user management 267
SAML IdP and SP configurations 268
FortiGate user management 270
FortiGate SSL VPN configurations 272
FortiClient configurations 277
Testing and verification 279
Logging in to FortiGate as an administrator using FIDO2 authentication 283
Configuring SAML on FortiGate 283
Configuring SAML on FortiAuthenticator 285
Editing users to set up FIDO authentication 287

Results 288
Configuring FIDO2 authentication for SSLVPN 289
Configuring SAML SP on FortiGate 290
Configuring SAML IdP general settings on FortiAuthenticator 291
Configuring SP settings on FortiAuthenticator 291
Editing users to set up FIDO authentication 292
Creating a user group with the SAML SSO server 293
Configuring SSLVPN on FortiGate 293
Creating a firewall policy for SSLVPN traffic 295
Configuring SSLVPN on FortiClient 295
Results 296
Computer Authentication 298
Computer authentication using FortiAuthenticator with MS AD Root CA 298
Configure the certificates and Root CA 298
Configure LDAP users on FortiAuthenticator 300
Configure RADIUS authentication 303
Configure the SSID and interface objects 308
Creating the SSID 309
Creating interfaces 310
Results 310
WiFi onboarding using FortiAuthenticator Smart Connect 312
Initial settings on FortiAuthenticator 312
Install certificates 312
Configure the RADIUS client settings 314
Configure the local root CA 314
Configure the EAP server certificate and CA for EAP-TLS 315
Option A - WiFi onboarding with Smart Connect and Google Workspace 316
Configure Google Workspace LDAPS Integration 316
Configure Smart Connect and the captive portal 322
Configure RADIUS settings on FortiAuthenticator 325
Option B - WiFi onboarding with Smart Connect and Azure 326
Configure Microsoft Entra ID (formerly Microsoft Azure AD) DS LDAPS integration 326
Provision the remote LDAP server on FortiAuthenticator 328
Configure Smart Connect and the captive portal 331
Configure RADIUS settings on FortiAuthenticator 334
FortiGate configuration 334
Configure the RADIUS server on FortiGate 335
Create the user group for cloud-based directory user accounts 335
Provision the Onboarding and Secure WiFi networks 336
Results 345
Smart Connect Windows device onboarding process 345
Smart Connect iOS device onboarding process 347
Zero Trust Tunnel 349
Accessing an AD server with a zero trust tunnel on FortiAuthenticator 349
Configuring certificate authentication for FortiAuthenticator 350
Configuring a zero trust tunnel on FortiAuthenticator 352
Configuring an LDAP server with zero trust tunnel enabled on FortiAuthenticator 353

Configuring a ZTNA server 353
Configuring a ZTNA rule 355
Debugging: Zero trust tunnel related issues 356
SCIM 358
FortiAuthenticator SCIM integration with AWS 358
Enabling IAM Identity Center in AWS 358
Changing the identity source from IAM Identity Center to FortiAuthenticator 360
Manage provisioning 365
Creating a local user 366
Creating a user group 367
Creating a new SCIM SP 368
SSOMA 369
Log in to a Windows host using SSOMA 369
Configuring a remote LDAP server 369
Enabling FSSO service 370
Configuring SSO settings 371
Installing SSOMA 372
Result 373
FortiAuthenticator SSOMA for native Microsoft Entra ID joined workstation 373
Enabling SSOMA on FortiClient EMS 374
Configuring prefer_azure on the EMS 375
Installing SSOMA with FortiClient 375
Creating a user and associating with groups 377
Joining the Windows 10 endpoint to Microsoft Entra ID 377
Verifying that the endpoint is domain joined 379
Creating FortiAuthenticator enterprise application 380
Getting application ID and the authentication key 382
Adding the application to directory readers role 382
Provisioning OAuth API on FortiAuthenticator 383
Results 384
FSSO sessions and debug logs 385

Change Log

Date          Change description

2023-12-11    Initial release.

2024-01-10    Updated Creating a remote OAuth server with Azure application ID and authentication key on page 234.

2024-01-25    Updated the topology diagram in SAML FSSO with FortiAuthenticator and Microsoft Entra ID (formerly Microsoft Azure AD) on page 227.

2024-01-29    Updated SAML FSSO with FortiAuthenticator and Microsoft Entra ID (formerly Microsoft Azure AD) on page 227.

2024-02-01    Updated the topology diagrams in FortiAuthenticator as a Certificate Authority on page 12, FortiAuthenticator certificate with SSL inspection on page 21, and FortiAuthenticator certificate with SSL inspection using an HSM on page 28.

2024-02-07    Updated:
              • Accessing an AD server with a zero trust tunnel on FortiAuthenticator on page 349
              • Configuring certificate authentication for FortiAuthenticator on page 350
              • Configuring a zero trust tunnel on FortiAuthenticator on page 352
              • Configuring an LDAP server with zero trust tunnel enabled on FortiAuthenticator on page 353
              • Configuring a ZTNA server on page 353
              • Configuring a ZTNA rule on page 355
              • Debugging: Zero trust tunnel related issues on page 356

2024-02-09    Updated Accessing an AD server with a zero trust tunnel on FortiAuthenticator on page 349 and Configuring a ZTNA server on page 353.

2024-02-14    Updated the topology diagrams in FortiAuthenticator as a Wireless Guest Portal for FortiGate on page 61 and FortiAuthenticator as a Wired Guest Portal for FortiGate on page 69.

2024-02-15    Updated the topology diagram in FortiToken Mobile Push for SSL VPN on page 38.

2024-02-16    Updated the topology diagrams in FortiAuthenticator user self-registration on page 84, LDAP authentication for SSL VPN with FortiAuthenticator on page 94, and SMS two-factor authentication for SSL VPN on page 103.

2024-02-21    Updated the topology diagrams in:
              • Assigning WiFi users to VLANs dynamically on page 114
              • WiFi RADIUS authentication with FortiAuthenticator on page 148
              • WiFi with WSSO using FortiAuthenticator RADIUS and Attributes on page 156
              • 802.1X authentication using FortiAuthenticator with Google Workspace User Database on page 164


2024-02-22    Updated the topology diagrams in FortiAuthenticator as Guest Portal for FortiWLC on page 52 and MAC authentication bypass with dynamic VLAN assignment on page 78.

2024-02-23    Updated the topology diagram in SAML FSSO with FortiAuthenticator and Okta on page 185.

2024-04-08    Updated the topology diagrams in Office 365 SAML authentication using FortiAuthenticator with 2FA on page 201 and FortiGate SSL VPN with FortiAuthenticator as SAML IdP on page 262.

2024-04-11    Updated the topology diagram in Computer authentication using FortiAuthenticator with MS AD Root CA on page 298.

2024-04-17    Updated the topology diagram in Google Workspace integration using LDAP on page 170.

2024-04-24    Updated the topology diagram in FortiGate SSL VPN with FortiAuthenticator as the IdP proxy for Azure on page 216.

2024-06-18    Added Log in to a Windows host using SSOMA on page 369.
              Updated Zero Trust Tunnel on page 349.

2024-06-21    Added Configuring FIDO2 authentication for SSLVPN on page 289.

2024-08-09    Added Logging in to FortiGate as an administrator using FIDO2 authentication on page 283.

2024-08-12    Added FortiAuthenticator SCIM integration with AWS on page 358.

2024-08-28    Added FortiAuthenticator SSOMA for native Microsoft Entra ID joined workstation on page 373.

2024-09-05    Updated Installing SSOMA with FortiClient on page 375.

2025-01-21    Updated Creating a RADIUS policy on page 305.

2025-01-18    Added Configuring prefer_azure on the EMS on page 375.

Certificate management

This section describes managing certificates with the FortiAuthenticator device.


FortiAuthenticator can act as a certificate authority (CA) for the creation and signing of X.509 certificates, such as server
certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPsec VPN.

FortiAuthenticator as a Certificate Authority

For this example, you will configure the FortiAuthenticator as a Certificate Authority (CA). This will allow the
FortiAuthenticator to sign certificates that the FortiGate will use to secure administrator GUI access.

1. Create CA certificate on FortiAuthenticator.
2. Download the CA certificate to browser.
3. Create CSR on the FortiGate device.
4. Import and sign CSR on FortiAuthenticator.
5. Download the signed certificate.
6. Import the signed certificate and apply to admin GUI access.
7. The management connection is now trusted.

This scenario includes creating a certificate request on the FortiGate, downloading the certificate to the network's computers, and then importing it to the FortiAuthenticator. You will sign the certificate with the FortiAuthenticator's own certificate, then download and import the signed certificate back to the FortiGate.

The process of downloading the certificate to the network's computers will depend on which web browser you use. Internet Explorer and Chrome use one certificate store, while Firefox uses another. This configuration includes both methods.

Creating a new CA on the FortiAuthenticator

To create a new CA:

1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a new CA.
Enter a Certificate ID, select Root CA certificate, and configure the key options as shown in the example.


2. Once created, highlight the certificate and select Export Certificate.

This will save a .crt file to your local drive.

Installing the CA on the network

The certificate must now be installed on the computers in your network as a trusted root CA. The steps below show
different methods of installing the certificate, depending on your browser.

Internet Explorer and Chrome

1. In Windows Explorer, right-click on the certificate and select Install Certificate. Open the certificate and follow the
Certificate Import Wizard.


2. Make sure to place the certificate in the Trusted Root Certification Authorities store.


3. Finish the Wizard and select Yes to confirm and install the certificate.


Firefox

1. In the web browser, go to Options > Privacy & Security > Certificates, and select View Certificates.

2. In the Authorities tab, select Import.


3. Find and open the root certificate.
   You will be asked what purposes the certificate will be trusted to identify. Select all options and select OK.


Creating a CSR on the FortiGate

To create a CSR:

1. On the FortiGate, go to System > Certificates and select Generate to create a new certificate signing request (CSR).
Enter a Certificate Name, the Internet facing IP address of the FortiGate, and a valid email address, then configure
the key options as shown in the example.
The Subject Alternative Name field must be configured with the internet facing IP address or FQDN in the following
format: IP:x.x.x.x or DNS:hostname.example.com.

2. Once created, the certificate will show a Status of Pending. Highlight the certificate and select Download.


This will save a .csr file to your local drive.

Importing and signing the CSR on the FortiAuthenticator

To import and sign the CSR:

1. Back on the FortiAuthenticator, go to Certificate Management > End Entities > Users and import the .csr certificate
created earlier.
Make sure to select the Certificate authority from the dropdown menu, and set the Hash algorithm to SHA-256, as
configured earlier.

2. Once imported, you should see that the certificate has been signed by the FortiAuthenticator, with a Status of
Active. Highlight the certificate and select Export Certificate.


This will save a .cer file to your local drive.

Importing the local certificate to the FortiGate

To import the local certificate:

1. Back on the FortiGate, go to System > Certificates, and select Local Certificate from the Import dropdown menu.
Browse to the .cer certificate, and select OK.

You should now see that the certificate's Status has changed from Pending to OK. You may have to refresh your
page to see the status change.

Configuring the certificate for the GUI

To configure the certificate:

1. On the FortiGate, go to System > Settings.
   Under Administration Settings, set HTTPS server certificate to the certificate created/signed earlier, then select Apply.

Results

Close and reopen your browser, and go to the FortiGate admin login page. If you click on the lock icon next to the
address bar, you should see that the certificate has been signed and verified by the FortiAuthenticator. As a result, no
certificate errors will appear.

FortiAuthenticator certificate with SSL inspection

For this example, you will create a certificate on the FortiGate, have it signed on the FortiAuthenticator, and configure the
FortiGate so that the certificate can be used for SSL deep inspection of HTTPS traffic.


1. Create CSR on the FortiGate device.
2. Import and sign CSR on FortiAuthenticator.
3. Download the signed intermediate CA.
4. Import signed certificate and apply deep inspection of cloud applications.

Note that, for this configuration to work correctly, the FortiAuthenticator must be configured as a certificate authority (CA), otherwise the certificate created in this example will not be trusted. For more information on how to do this, see FortiAuthenticator as a Certificate Authority.

This scenario includes creating a certificate signing request (CSR), signing the certificate on the FortiAuthenticator, and downloading the signed certificate back to the FortiGate. You will then create an SSL/SSH Inspection profile for full SSL inspection, add the certificate created to the profile, and apply the profile to the policy allowing Internet access.

As an example, you will also have Application Control with Deep Inspection of Cloud Applications enabled. This will apply inspection to HTTPS traffic. Note that you may use another security profile instead of Application Control.

Creating a CSR on the FortiGate

To create a CSR:

1. On the FortiGate, go to System > Certificates and select Generate to create a new certificate signing request (CSR).
Enter a Certificate Name, the Internet facing IP address of the FortiGate, and a valid email address, then configure
the key options as shown in the example.
The Subject Alternative Name field must be configured with the internet facing IP address or FQDN in the following
format: IP:x.x.x.x or DNS:hostname.example.com.


2. Once created, the certificate will show a Status of Pending. Highlight the certificate and select Download.

This will save a .csr file to your local drive.


Creating an Intermediate CA on the FortiAuthenticator

To create an Intermediate CA:

1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import.
Set Type to CSR to sign, enter a Certificate ID, and import the CSR file. Make sure to select the Certificate authority
from the dropdown menu, and set the Hash algorithm to SHA-256.

2. Once imported, you should see that the certificate has been signed by the FortiAuthenticator, showing a Status of
Active, and with the CA Type of Intermediate (non-signing) CA. Highlight the certificate and select Export
Certificate.

This will save a .crt file to your local drive.
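The GUI workflow above (root CA on the FortiAuthenticator, a FortiGate CSR with the IP:/DNS: SAN, signing it as an end-entity GUI certificate or as an intermediate CA for SSL inspection, and the resulting trust) reproduced with the openssl CLI, as an added example that is not part of the Fortinet guide. The CA name, the FortiGate FQDN fortigate.example.com and the address 192.0.2.10 are constructed; the check functions at the top are what a practitioner would run on the exported .cer/.crt files before installing them.

```shell
#!/bin/sh
# Added example (not from the Fortinet guide): the CA -> CSR -> sign -> verify
# steps done with openssl so the issued certificates can be checked offline.
# Constructed names: root CA "FAC-Root-CA", FortiGate fortigate.example.com / 192.0.2.10.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# ---- checks (what the browser does once ca.crt is in its trusted root store) ----
verify_chain() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }
# Same check with no trust anchor: what a client without the root installed sees.
untrusted_without_root() { ! openssl verify "$1" >/dev/null 2>&1; }
# Does the SAN carry the expected entry (the guide's IP:x.x.x.x / DNS:host field)?
has_san() { openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "$2"; }
# CA:TRUE is required for the SSL-inspection intermediate and wrong for the GUI cert.
is_ca() { openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; }
# Does a site cert re-signed by the intermediate ($2) chain up to the root?
verify_resigned() { openssl verify -CAfile ca.crt -untrusted "$2" "$1" >/dev/null 2>&1; }

# 1. "Creating a new CA on the FortiAuthenticator": self-signed root, RSA-2048, SHA-256.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj '/O=Example/CN=FAC-Root-CA' -keyout ca.key -out ca.crt 2>/dev/null

# 2. "Creating a CSR on the FortiGate" for the admin GUI, SAN in IP:/DNS: form.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=fortigate.example.com/emailAddress=admin@example.com' \
  -addext 'subjectAltName=IP:192.0.2.10,DNS:fortigate.example.com' \
  -keyout fgt-gui.key -out fgt-gui.csr 2>/dev/null

# 3. "Importing and signing the CSR": end-entity server certificate, CA:FALSE.
cat > gui.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:192.0.2.10,DNS:fortigate.example.com
EOF
openssl x509 -req -in fgt-gui.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -sha256 -days 825 -extfile gui.ext -out fgt-gui.cer 2>/dev/null

# 4. "Creating an Intermediate CA" for SSL inspection: same kind of CSR, but
#    signed with CA:TRUE. pathlen:0 limits it to issuing end-entity certs only.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=FortiGate SSL Inspection CA' -keyout fgt-ssl.key -out fgt-ssl.csr 2>/dev/null
cat > inter.ext <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign,digitalSignature
EOF
openssl x509 -req -in fgt-ssl.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -sha256 -days 825 -extfile inter.ext -out fgt-ssl.crt 2>/dev/null

# 5. What full SSL inspection does per site: the FortiGate re-signs the server
#    certificate with the intermediate (www.example.com stands in for the site).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=www.example.com' \
  -keyout site.key -out site.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > site.ext
openssl x509 -req -in site.csr -CA fgt-ssl.crt -CAkey fgt-ssl.key -CAcreateserial \
  -sha256 -days 30 -extfile site.ext -out site.crt 2>/dev/null

# Report, mirroring the guide's "Results" sections.
for c in fgt-gui.cer fgt-ssl.crt; do
  if verify_chain "$c"; then echo "$c: chains to FAC-Root-CA"; else echo "$c: NOT trusted"; fi
done
has_san fgt-gui.cer 'IP Address:192.0.2.10' && echo 'GUI cert SAN carries IP 192.0.2.10'
is_ca fgt-ssl.crt && echo 'inspection cert is a CA (pathlen 0)'
verify_resigned site.crt fgt-ssl.crt && echo 're-signed site cert validates via the intermediate'
untrusted_without_root fgt-gui.cer && echo 'without the root installed, the GUI cert is rejected'
```

The last check is the reason for the "Installing the CA on the network" step: nothing the FortiAuthenticator signs is trusted by a client until the root is in that client's store.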

Importing the signed certificate on the FortiGate

To import the signed certificate:

1. Back on the FortiGate, go to System > Certificates, and select Import > Local Certificate.
Browse to the CRT file and select OK.


2. You should now see that the certificate has a Status of OK.

Configuring full SSL inspection

To configure full SSL inspection:

1. Go to Security Profiles > SSL/SSH Inspection, and create a new profile.
   Enter a Name, select the certificate from the CA Certificate dropdown menu, and make sure Inspection Method is set to Full SSL Inspection.

2. Add the certificate to your web browser's list of trusted certificates. End users will likely see certificate warnings
unless the certificate is installed in their browser.


3. Next go to Policy & Objects > IPv4 Policy and edit the policy that allows Internet access.
Under Security Profiles, enable SSL/SSH Inspection and select the custom profile created earlier.
Enable Application Control and set it to default.


Results

1. To test the certificate, open your web browser and attempt to navigate to an HTTPS website (in the example,
https://www.dropbox.com).
Click on the lock icon next to the address bar and click Show connection details.

2. You should now see that the certificate from the FortiGate (172.25.176.127) has signed and verified access to
the site. As a result, no certificate errors will appear.


Optionally select More Information.

FortiAuthenticator certificate with SSL inspection using an HSM

For this example, you will create a certificate on the FortiGate, have it signed on a FortiAuthenticator with a configured
HSM server, and configure the FortiGate so that the certificate can be used for SSL deep inspection of HTTPS traffic.
This example uses the Safenet Luna V7 HSM.

1. Configure FortiAuthenticator with NetHSM.
2. Create CSR on the FortiGate device.
3. Import and sign the CSR using NetHSM.
4. Download the signed intermediate CA.
5. Import signed certificate and apply to deep inspection of cloud applications.


To set up the certificate with SSL inspection using an HSM:

1. Configuring the NetHSM profile on FortiAuthenticator on page 29
2. Creating a local CA certificate using an HSM server on page 30
3. Creating a CSR on the FortiGate on page 31
4. Creating an Intermediate CA on the FortiAuthenticator on page 32
5. Importing the signed certificate on the FortiGate on page 33
6. Configuring full SSL inspection on page 33
7. Results on page 36

In order for this configuration to work correctly, the FortiAuthenticator must be configured as a certificate authority (CA),
otherwise the certificate created in this example will not be trusted. For more information on how to do this, see Creating
a local CA certificate using an HSM server on page 30 and FortiAuthenticator as a Certificate Authority.
As an example, you will also have Application Control with Deep Inspection of Cloud Applications enabled. This will
apply inspection to HTTPS traffic. Note that you may use another security profile instead of Application Control.

Configuring the NetHSM profile on FortiAuthenticator

To configure a new Safenet Luna HSM server:

1. In FortiAuthenticator, go to System > Administration > NetHSMs, and click Create New.
2. In the Create New HSM Server window, configure the following:

Name: Enter a name for the HSM server.
Server IP/FQDN: Enter the IP address or FQDN of the HSM server to which the FortiAuthenticator will connect.
Partition Password: Enter the key partition password from the HSM server.
Client IP: Enter the address of the FortiAuthenticator interface that the HSM will see.
Upload server certificate: Click Upload server certificate to select the certificate from your HSM.

3. Click OK to complete the setup.

To authorize FortiAuthenticator as a Safenet Luna HSM client:

1. Make sure the FortiAuthenticator client certificate uses the <FAC IP>.pem naming convention. For example:
172.16.68.47.pem
2. Upload the FortiAuthenticator client certificate to the Safenet Luna HSM using SCP:
    scp [certificate filename] admin@[HSM address]:
3. Use SSH to connect to the HSM as the admin user, then register your FortiAuthenticator and associate it with a partition:
    ssh -l admin [HSM address]
    client register -c [client name] -ip [client address]
    client assignpartition -c [client name] -p [partition name]
4. Confirm the status of the NetHSM client. For example:
    client show -c my_fac
    ClientID: my_fac
    IPAddress: 172.16.68.47
    Partitions: my_partition

Creating a local CA certificate using an HSM server

Once you have configured the HSM server on FortiAuthenticator, you can create a local CA certificate using the HSM
server to sign requests. For more information on setting up a certificate authority, see FortiAuthenticator as a Certificate
Authority on page 12.

To create a new local CA certificate using HSM:

1. On FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs, and click Create New.
2. Enter a name for the CA certificate, for example My_CA.
3. Select Root CA as the Certificate type.
4. Enable Use NetHSM, and choose an HSM server from the dropdown menu.
5. Configure the remaining settings as desired, and click OK to save your changes.
Once your CA certificate has been created, it can be exported and installed on your network. For more information
on setting up a certificate authority, see FortiAuthenticator as a Certificate Authority on page 12.

Creating a CSR on the FortiGate

To create a CSR:

1. On the FortiGate, go to System > Certificates and select Generate to create a new certificate signing request (CSR).
Enter a Certificate Name, the Internet facing IP address of the FortiGate, and a valid email address, then configure
the key options as shown in the example.
The Subject Alternative Name field must be configured with the internet facing IP address or FQDN in the following
format: IP:x.x.x.x or DNS:hostname.example.com.

2. Once created, the certificate will show a Status of Pending. Highlight the certificate and select Download.

This will save a .csr file to your local drive.

Creating an Intermediate CA on the FortiAuthenticator

To create an Intermediate CA:

1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import.
Set Type to CSR to sign, enter a Certificate ID, and import the CSR file.
2. Select the Certificate authority configured with the HSM from the dropdown menu, and set the Hash algorithm to
SHA-256. Click OK.

3. Once imported, you should see that the certificate has been signed by the FortiAuthenticator, showing a Status of
Active, and with the CA Type of Intermediate (non-signing) CA.
4. Highlight the certificate and select Export Certificate.

This will save a .crt file to your local drive.

Importing the signed certificate on the FortiGate

To import the signed certificate:

1. Back on the FortiGate, go to System > Certificates and select Import > Local Certificate.
Browse to the .crt file, and select OK.

2. You should now see that the certificate has a Status of OK.

Configuring full SSL inspection

To configure full SSL inspection:

1. On the FortiGate, go to Security Profiles > SSL/SSH Inspection, and create a new profile.
Enter a Name, select the certificate from the CA Certificate dropdown menu, and make sure Inspection Method is
set to Full SSL Inspection.

2. Add the certificate to your web browser's list of trusted certificates. End users will likely see certificate warnings
unless the certificate is installed in their browser.

3. Next go to Policy & Objects > IPv4 Policy and edit the policy that allows Internet access.
4. Under Security Profiles, enable SSL/SSH Inspection and select the custom profile created earlier.
5. Enable Application Control and set it to default.

Results

1. To test the certificate, open your web browser and attempt to navigate to an HTTPS website (in the example,
https://www.dropbox.com).
Click on the lock icon next to the address bar, and click Show connection details.

2. You should now see that the certificate from the FortiGate has signed and verified access to the site. As a result, no
certificate errors will appear.

Optionally select More Information.
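
The certificate chain this example builds, reproduced as an added example (not code from FortiAuthenticator or FortiOS) in Python driving the openssl command line: a root CA stands in for the local CA (its key on disk here instead of in the NetHSM partition), a CSR carrying the Subject Alternative Name in IP:x.x.x.x form is signed as an intermediate CA with SHA-256, the intermediate then re-signs a site certificate the way full SSL inspection does, and the verification step shows why the result is trusted only where the CA certificate has been installed. The address 192.0.2.1, the site name and the file names are constructed placeholders, and openssl 1.1.1 or later is assumed to be on the PATH.

```python
import subprocess
import tempfile
from pathlib import Path

# Constructed placeholders for this illustration, not values from a real deployment.
FORTIGATE_IP = "192.0.2.1"     # the Internet-facing IP that goes into the CSR's Subject Alternative Name
SITE_NAME = "www.example.com"  # a site the FortiGate re-signs during full SSL inspection

# One OpenSSL config carrying the extensions for each link of the chain.
OPENSSL_CNF = f"""
[req]
distinguished_name = dn
[dn]
[csr_ext]
subjectAltName = IP:{FORTIGATE_IP}
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[intermediate_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
subjectAltName = IP:{FORTIGATE_IP}
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:{SITE_NAME}
"""


def openssl(workdir, *args):
    """Run one openssl command in workdir and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["openssl", *args], cwd=workdir, check=True,
                          capture_output=True, text=True).stdout


def build_inspection_chain(workdir):
    """The signing steps of the example, with on-disk keys standing in for the HSM partition."""
    Path(workdir, "chain.cnf").write_text(OPENSSL_CNF)
    # Root CA: the local CA created on FortiAuthenticator (its key would live in the NetHSM).
    openssl(workdir, "req", "-config", "chain.cnf", "-x509", "-extensions", "root_ext",
            "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "365",
            "-subj", "/CN=My_CA", "-keyout", "root.key", "-out", "root.crt")
    # CSR generated on the FortiGate, with the SAN in IP:x.x.x.x form.
    openssl(workdir, "req", "-config", "chain.cnf", "-new", "-reqexts", "csr_ext",
            "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-subj", f"/CN={FORTIGATE_IP}", "-keyout", "fgt.key", "-out", "fgt.csr")
    # FortiAuthenticator signs the CSR as an intermediate CA with SHA-256.
    openssl(workdir, "x509", "-req", "-in", "fgt.csr", "-CA", "root.crt", "-CAkey", "root.key",
            "-CAcreateserial", "-days", "365", "-sha256",
            "-extfile", "chain.cnf", "-extensions", "intermediate_ext", "-out", "fgt.crt")
    # During full SSL inspection the FortiGate issues a fresh server certificate for the site.
    openssl(workdir, "req", "-config", "chain.cnf", "-new", "-newkey", "rsa:2048", "-nodes",
            "-sha256", "-subj", f"/CN={SITE_NAME}", "-keyout", "site.key", "-out", "site.csr")
    openssl(workdir, "x509", "-req", "-in", "site.csr", "-CA", "fgt.crt", "-CAkey", "fgt.key",
            "-CAcreateserial", "-days", "30", "-sha256",
            "-extfile", "chain.cnf", "-extensions", "leaf_ext", "-out", "site.crt")


def chain_verifies(workdir, root_trusted):
    """What a browser decides: the re-signed site certificate validates only if the root is installed."""
    args = ["verify", "-no-CAfile", "-no-CApath", "-untrusted", "fgt.crt"]
    if root_trusted:
        args += ["-CAfile", "root.crt"]
    result = subprocess.run(["openssl", *args, "site.crt"], cwd=workdir,
                            capture_output=True, text=True)
    return result.returncode == 0


def intermediate_san(workdir):
    """Return the Subject Alternative Name of the signed intermediate, as the FortiGate imports it."""
    lines = openssl(workdir, "x509", "-in", "fgt.crt", "-noout", "-text").splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line:
            return lines[i + 1].strip()
    return ""


def run_demo():
    """Build the chain in a scratch directory and report what a client would conclude."""
    with tempfile.TemporaryDirectory() as workdir:
        build_inspection_chain(workdir)
        return {
            "san": intermediate_san(workdir),
            "trusted_root": chain_verifies(workdir, root_trusted=True),
            "untrusted_root": chain_verifies(workdir, root_trusted=False),
        }


if __name__ == "__main__":
    print(run_demo())
```

The untrusted_root result is the warning end users see when the CA certificate has not been added to their browser, as noted in the SSL inspection steps.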

FortiToken and FortiToken Mobile

This section describes various authentication scenarios involving FortiToken, a disconnected one-time password (OTP)
generator that's either a physical device or a mobile token. Time-based token passcodes require that the
FortiAuthenticator clock is accurate. If possible, configure the system time to be synchronized with a network time
protocol (NTP) server.
To perform token-based authentication, the user must enter the token passcode. If the user’s username and password
are also required, this is called two-factor authentication.

FortiToken Mobile Push for SSL VPN

In this example, you set up FortiAuthenticator to function as a RADIUS server to authenticate SSL VPN users using
FortiToken Mobile Push two-factor authentication. With Push notifications enabled, the user can easily accept or deny
the authentication request.
For this configuration, you:
• Create a user on the FortiAuthenticator.
• Assign a FortiToken Mobile license to the user.
• Create the RADIUS client (FortiGate) on the FortiAuthenticator, and enable FortiToken Mobile Push notifications.
• Connect the FortiGate to the RADIUS server (FortiAuthenticator).
• Create an SSL VPN on the FortiGate, allowing internal access for remote users.
The following names and IP addresses are used:
• Username: gthreepwood
• User group: RemoteFTMGroup
• RADIUS server: OfficeRADIUS
• RADIUS client: OfficeServer
• SSL VPN user group: SSLVPNGroup
• FortiAuthenticator: 172.25.176.141
• FortiGate: 172.25.176.92
For the purposes of this example, a FortiToken Mobile free trial token is used. This example also assumes that the user
has already installed the FortiToken Mobile application on their smartphone. You can install the application for Android
and iOS. For details, see:

• FortiToken Mobile for Android
• FortiToken Mobile for iOS

Adding a FortiToken to the FortiAuthenticator

Before push notifications can be enabled, a Public IP/FQDN for FortiToken Mobile must be configured in System >
Administration > System Access.
If the FortiAuthenticator is behind a firewall, the public IP/FQDN will be an IP/port forwarding rule directed to one of the
FortiAuthenticator interfaces.
The interface that receives the approve/deny FTM push responses must have the FortiToken Mobile API service
enabled.

If FortiAuthenticator is not accessible to the Internet, you must create a VIP and policy on
FortiGate in order for mobile push to work. The VIP must point from an external port to
FortiAuthenticator at port 443.

Once configured, you can add your FortiToken.

To add a FortiToken:

1. On the FortiAuthenticator, go to Authentication > User Management > FortiTokens, and select Create New.
2. Set Token type to FortiToken Mobile, and enter the FortiToken Activation codes in the field provided.

Adding the user to the FortiAuthenticator

To add a user to FortiAuthenticator:

1. On the FortiAuthenticator, go to Authentication > User Management > Local Users, and select Create New.
Enter a Username (gthreepwood) and enter and confirm the user password.
Enable Allow RADIUS authentication, and select OK to access additional settings.

2. Enable Token-based authentication and select to deliver the token code by FortiToken. Select the FortiToken
added earlier from the FortiToken Mobile drop-down menu.
Set Delivery method to Email. This will automatically open the User Information section where you can enter the
user email address in the field provided.

3. Next, go to Authentication > User Management > User Groups, and select Create New.
Enter a Name (RemoteFTMUsers) and add gthreepwood to the group by moving the user from Available users to
Selected users.

4. The FortiAuthenticator sends the FortiToken Mobile activation to the user’s email address. If the email does not
appear in the inbox, check the spam folder.
The user activates their FortiToken Mobile through the FortiToken Mobile application by either entering the
activation code provided or by scanning the QR code attached.

For more information, see the FortiToken Mobile user instructions.

Creating the RADIUS client and policy on the FortiAuthenticator

To create the RADIUS client:

1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New to add the
FortiGate as a RADIUS client.
2. Enter a Name (OfficeServer), the IP address of the FortiGate, and set a Secret.
The secret is a pre-shared secure password that the FortiGate will use to authenticate to the FortiAuthenticator.
3. Click OK.

To create the RADIUS policy:

1. Go to Authentication > RADIUS Service > Policies, and select Create New.
2. Enter the RADIUS policy name, description, and select the FortiGate RADIUS client.
3. Optionally, configure RADIUS attribute criteria.
4. Choose Password/OTP authentication as the authentication type.
5. Choose a username format (in this example: username@realm), and select the Local realm.
6. Set the authentication method to Mandatory two-factor authentication, and enable the Allow FortiToken Mobile push
notifications option.
7. Click Save and Exit.

Note the Username input format. This is the format that the user must use to enter their
username in the web portal, made up of their username and realm. In this example, the full
username for gthreepwood is gthreepwood@local.

Connecting the FortiGate to the RADIUS server

To connect the FortiGate to the RADIUS server:

1. On the FortiGate, go to User & Device > RADIUS Servers, and select Create New to connect to the RADIUS server
(FortiAuthenticator).
Enter a Name (OfficeRADIUS), the IP address of the FortiAuthenticator, and enter the Secret created before.
Select Test Connectivity to be sure you can connect to the RADIUS server. Then select Test User Credentials and
enter the credentials for gthreepwood.

Because the user has been assigned a FortiToken, the test should return stating that More validation is required.

The FortiGate can now connect to the FortiAuthenticator as the RADIUS client configured earlier.
2. Then go to User & Device > User Groups, and select Create New to map authenticated remote users to a user
group on the FortiGate.
Enter a Name (SSLVPNGroup) and select Add under Remote Groups.
Select OfficeRADIUS under the Remote Server drop-down menu, and leave the Groups field blank.

3. In the FortiGate CLI, increase the remote authentication timeout to 60 seconds:
    config system global
        set remoteauthtimeout 60
    end
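
The RADIUS exchange that the steps above set up, as an added example (not code from FortiAuthenticator or the FortiGate): the client hides the password with the shared Secret as RFC 2865 specifies, the server answers with an Access-Challenge once the first factor passes and the push is pending (the state behind the "More validation is required" test result), and the client accepts a reply only if its Response Authenticator was computed with the same secret, which is what makes the Secret mutual authentication rather than a password sent one way. The secret, password, State value and Reply-Message text are constructed, and the server side is a minimal stand-in for the policy, not FortiAuthenticator's own logic.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample values for this illustration; none come from a live deployment.
SHARED_SECRET = b"example-radius-secret"  # the Secret set on both the RADIUS client and server
USERNAME = b"gthreepwood@local"           # username@realm, the input format chosen in the policy
PASSWORD = b"example-password"

ACCESS_REQUEST, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = request_authenticator, b""
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password: the previous hidden block seeds the next pad."""
    prev, out = request_authenticator, b""
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, pad))
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Type-Length-Value


def parse_attributes(data):
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(identifier, secret, authenticator):
    """What the RADIUS client (the FortiGate) sends: a random authenticator and the hidden password."""
    attrs = attribute(USER_NAME, USERNAME)
    attrs += attribute(USER_PASSWORD, hide_password(PASSWORD, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code, identifier, attrs, secret, request_authenticator):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    digest = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + digest + attrs


def response_is_authentic(packet, request_authenticator, secret):
    """The client trusts a reply only if its authenticator was computed with the shared secret."""
    header, digest, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, digest)


def server_handle(packet, server_secret):
    """Minimal stand-in for the server side of the policy (not FortiAuthenticator's own logic)."""
    _, identifier, _ = struct.unpack("!BBH", packet[:4])
    request_authenticator, attrs = packet[4:20], parse_attributes(packet[20:])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), server_secret, request_authenticator)
    if attrs.get(USER_NAME) != USERNAME or password != PASSWORD:
        return build_response(ACCESS_REJECT, identifier, b"", server_secret, request_authenticator)
    # First factor passed; the push is pending, so the answer is a challenge (State ties the
    # follow-up request to this pending push), not an accept.
    reply_attrs = attribute(STATE, b"push-pending-001")
    reply_attrs += attribute(REPLY_MESSAGE, b"Waiting for FortiToken Mobile push approval")
    return build_response(ACCESS_CHALLENGE, identifier, reply_attrs, server_secret, request_authenticator)


def simulate_exchange(client_secret, server_secret, authenticator=None):
    """One Access-Request and its reply, as seen from the client side."""
    authenticator = authenticator or secrets.token_bytes(16)
    reply = server_handle(build_access_request(7, client_secret, authenticator), server_secret)
    return {
        "code": reply[0],
        "authentic": response_is_authentic(reply, authenticator, client_secret),
        "state": parse_attributes(reply[20:]).get(STATE),
    }


if __name__ == "__main__":
    print("matching secrets:  ", simulate_exchange(SHARED_SECRET, SHARED_SECRET))
    print("mismatched secrets:", simulate_exchange(SHARED_SECRET, b"wrong-secret"))
```

With mismatched secrets the server cannot recover the password and rejects, and the client cannot validate the reply either; both failures look the same as a bad password, which is why Test Connectivity on the FortiGate is worth running before Test User Credentials.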

Configuring the SSL-VPN

To configure the SSL-VPN:

1. On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.
Toggle Enable Split Tunneling so that it is disabled.

2. Go to VPN > SSL-VPN Settings.
Under Connection Settings, set Listen on Interface(s) to wan1 and Listen on Port to 10443.
Under Tunnel Mode Client Settings, select Specify custom IP ranges. The IP Ranges should be set to SSLVPN_TUNNEL_ADDR1
and the IPv6 version by default.
Under Authentication/Portal Mapping, select Create New.
Set the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access; this will
grant all other users access to the web portal only.

3. Then go to Policy & Objects > IPv4 Policy and create a new SSL VPN policy.
Set Incoming Interface to the SSL-VPN tunnel interface and set Outgoing Interface to the Internet-facing interface
(in this case, wan1).
Set Source to the SSLVPNGroup user group and the all address.
Set Destination to all, Schedule to always, Service to ALL, and enable NAT.

Results

1. From a remote device, open a web browser and navigate to the SSL VPN web portal (https://<fortigate-ip>:10443).
2. Enter gthreepwood's credentials and select Login. Use the correct format (in this case, username@realm), as per
the client configuration on the FortiAuthenticator.

3. The FortiAuthenticator will then push a login request notification through the FortiToken Mobile application. Select
Approve.

Upon approving the authentication, gthreepwood is successfully logged into the SSL VPN portal.

4. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user’s connection.

Guest Portals

This section contains information about creating and using guest portals.

FortiAuthenticator as Guest Portal for FortiWLC

In this example, FortiAuthenticator is used as a guest portal for users connecting to a wireless network provided by
FortiWLC.

Creating the FortiAuthenticator as RADIUS server on the FortiWLC

1. On the FortiWLC, go to Configuration > Security > RADIUS, select ADD, and create two profiles: one to be used
for Authentication and one to be used for Accounting.
• RADIUS Profile name: Enter a name for the profile. Use a name that indicates whether the profile is used for
Authentication or Accounting.
• RADIUS IP: IP address of the FortiAuthenticator.
• RADIUS Secret: Shared secret between the WLC and the FortiAuthenticator.
• RADIUS Port: Use 1812 for the Authentication profile and 1813 for the Accounting profile.

Creating the Captive Portal profile on the FortiWLC

1. On the FortiWLC, go to Configuration > Security > Captive Portal, select the Captive Portal Profiles tab, and ADD a
new profile.
• CP Name: Enter a name for the profile.
• Authentication Type: RADIUS
• Primary Authentication: Your Authentication profile.
• Primary Accounting: Your Accounting profile.
• External Server: Fortinet-Connect
• External Portal: https://<fortiauthenticator-ip>/guests
• Public IP of Controller: IP address that the FortiAuthenticator can use to communicate with the FortiWLC.

Creating the security profile on the FortiWLC

1. On the FortiWLC, go to Configuration > Security > Profile and ADD a new profile.
• Profile Name: Enter a name for the profile.
• Security Mode: Open
• Captive Portal: WebAuth
• Captive Portal Profile: Select the profile created earlier.
• Captive Portal Authentication Method: external
• Passthrough Firewall Filter ID: An ID used to allow access to the portal before authentication using QoS rules.

Creating the QoS rule on the FortiWLC

1. On the FortiWLC, go to Configuration > Policies > QoS and select the QoS and Firewall Rules tab. Select ADD to
create two rules.
For the first rule, allow the wireless client to access the FortiAuthenticator guest portal.
• ID: Rule number (in the example, 20).
• Destination IP: IP address of the FortiAuthenticator, and enable Match.
• Destination Netmask: 255.255.255.255
• Destination Port: 443, and enable Match.
• Network Protocol: 6, and enable Match.
• Firewall Filter ID: String from the security profile, and enable Match.
• QoS Protocol: Other.
2. For the second rule, allow the FortiAuthenticator to reach the clients.
• ID: Rule number (in the example, 21).
• Source IP: IP address of the FortiAuthenticator, and enable Match.
• Source Netmask: 255.255.255.255
• Source Port: 443, and enable Match.
• Network Protocol: 6, and enable Match.
• Firewall Filter ID: Use the Passthrough Firewall Filter ID string from the security profile, and enable Match.
• QoS Protocol: Other.

Creating the ESS Profile on the FortiWLC

1. On the FortiWLC, go to Configuration > Wireless > ESS and ADD an ESS profile.
Configure the profile with an appropriate ESS Profile name and SSID. Then select the Security Profile that contains the
Captive Portal settings.

Creating FortiWLC as RADIUS client on the FortiAuthenticator

To create a RADIUS client:

1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create a new client.
Set Client address to IP/Hostname and enter the IP address the FortiWLC will send its RADIUS requests from.
Set the same Secret that was entered during the RADIUS configuration on the FortiWLC.

To create the RADIUS policy:

1. Go to Authentication > RADIUS Service > Policies, and create a new policy.
2. In RADIUS clients, select the FortiWLC client previously created.
3. In RADIUS attribute criteria, click Next. No RADIUS attribute criteria need to be specified in this configuration.
4. In Authentication type, select Password/OTP authentication. If EAP is being used for wireless authentication,
enable Accept EAP, along with the desired EAP types.
5. In Identity source, select the realm for which user authentication is needed.
6. In Authentication factors, select Verify all configured authentication factors.
7. Review the RADIUS response, and save the policy.

Creating the portal and access point on FortiAuthenticator

To create a portal:

1. On the FortiAuthenticator, go to Authentication > Portals > Portals, and create a new portal.
2. Enter a name for the portal, and click OK.

To create an access point:

1. On FortiAuthenticator, go to Authentication > Portals > Access Points, and create a new access point.
2. Enter a name for the access point, and provide the client IP/Hostname from the FortiAP, and click OK.

Creating the portal policy on FortiAuthenticator

1. On the FortiAuthenticator, go to Authentication > Portals > Policies, and create a new policy.
Enter a name for the policy, select Allow captive portal access, and choose the previously configured
FortiWLC Portal.
2. In Portal selection criteria, configure the following:
a. Access points: Select the previously configured FortiAP access point.
b. RADIUS clients: Select the previously configured FortiWLC RADIUS client.
3. In Authentication type, select Password/OTP authentication and Local/remote user.
4. In Identity sources, select the realm for which the user authentication is needed.
5. In Authentication factors, select Verify all configured authentication factors.
6. Review the RADIUS response and save your changes.

Results

1. Connect a client to the SSID created on the FortiWLC, then log in to the portal with the correct username and
password.
On the FortiAuthenticator, you can go to Authentication > User Management > Local Users to create local user
accounts.
2. To confirm the successful login on FortiAuthenticator, go to Logging > Log Access > Logs.
3. To confirm the successful login on FortiWLC, go to Monitor > Devices > All Stations and find the device showing
the authenticated user.

FortiAuthenticator as a Wireless Guest Portal for FortiGate

This example walks you through setting up FortiAuthenticator as a guest portal for users receiving a wireless connection
from a FortiGate.

To set up FortiAuthenticator as a wireless guest portal:

1. Configuring FortiGate as a RADIUS client on page 61.
2. Creating a user group on FortiAuthenticator for guest users on page 62.
3. Creating a guest portal on FortiAuthenticator on page 62.
4. Configuring an access point on FortiAuthenticator on page 63.
5. Configuring a captive portal policy on FortiAuthenticator on page 63.
6. Configuring FortiAuthenticator as a RADIUS server on FortiGate on page 65.
7. Creating a guest group on FortiGate on page 65.
8. Creating a wireless guest SSID on FortiGate on page 66.
9. Creating firewall policies for guest access to DNS, FortiAuthenticator, and internet on page 68.
10. Configuring firewall authentication portal settings on FortiGate on page 68.

Configuring FortiGate as a RADIUS client

To configure FortiGate as a RADIUS client:

1. In Authentication > RADIUS Service > Clients, click Create New.
2. Enter a unique name for the RADIUS client and the IP address from which it will be connecting.
This is the IP address of the RADIUS client itself, here, FortiGate, not the IP address of the end-user's device.
You may enter a subnet or a range if this configuration applies to multiple FortiGates.

3. Enter a password for Secret.
The secret is a pre-shared secure password that the device, here, FortiGate, uses to authenticate to
FortiAuthenticator.
4. Click OK to save changes to the RADIUS client.

Creating a user group on FortiAuthenticator for guest users

To create a user group:

1. Go to Authentication > User Management > User Groups and select Create New.
2. Enter a name for the group.
3. Select Local as the Type.
4. In RADIUS Attributes pane, select Add RADIUS Attribute:
a. In Vendor, select Fortinet.
b. In Attribute ID, select Fortinet-Group-Name.
c. In Value, enter the group name that you will match on the FortiGate.
FortiAuthenticator sends the RADIUS attribute to the FortiGate on successful authentication.
5. Click OK.

Creating a guest portal on FortiAuthenticator

To create a guest portal:

1. Go to Authentication > Portals > Portals and select Create New.
2. Enter a name for the portal.
3. Enable Account Registration to allow guest users to create an account.
4. In the Account Registration toggle, enable Place registered users into a group, and select the user group created in
Creating a user group.
Users are made members of the group when they create an account.

You can configure additional settings as required. For instance, you may want to enable account expiry and
enforce contact verification using Email or SMS.
5. Click OK.

Configuring an access point on FortiAuthenticator

To configure an access point:

1. Go to Authentication > Portals > Access Points and select Create New.
2. Enter a name for the access point.
3. In Client address, select Range, and enter 0.0.0.0-255.255.255.255.
4. Click OK.

Configuring a captive portal policy on FortiAuthenticator

To configure an allow access captive portal policy:

1. Go to Authentication > Portals > Policies, click Captive Portal and Create New.
2. In the Policy type tab:
a. Enter a name for the policy. Optionally, enter a description for the policy.
b. In Type, select Allow captive portal access. Copy the URL and keep it in Notepad; the URL needs to be
entered in the FortiGate configuration later.
c. Choose a portal created in Creating a guest portal on FortiAuthenticator on page 62.

d. Click Next.

3. In the Portal selection criteria tab:
a. In the HTTP parameter dropdown, select ssid to match.
b. In the Operator dropdown, select [string]exact_match.
c. In Value, enter the name of the SSID configured on the FortiGate. Here, Guest.
d. Click Next.
4. In the Authorized clients tab:
a. From Access points, select the access point defined in Access points.
b. From RADIUS clients, select the FortiGate RADIUS client defined in RADIUS clients.
c. Click Next.
5. In the Authentication type tab, select Password/OTP authentication, then enable Local/remote user to verify
credentials against one of the local or remote user accounts, and click Next.
6. In the Identity sources tab:
a. For Username format, select username@realm.
b. For Realms, select local realm. Optionally, enable Filter, click the pen icon, and from Available User Groups,
move the group created in User Group to Chosen User Groups.

c. Click Next.

7. In the Authentication Factors tab, click Next.
8. In the RADIUS response tab, review the policy, and click Save and exit.

Configuring FortiAuthenticator as a RADIUS server on FortiGate

To configure FortiGate authentication settings:

1. Go to User & Authentication > RADIUS Servers and click Create New.
2. Enter a name for the RADIUS server.
3. For Authentication method, select Default.
4. In IP/Name, enter the IP address or DNS name of the RADIUS server.
5. In Secret, enter the shared secret key.
The secret is the same as the one used when setting up the RADIUS client, here, FortiGate.
6. Click Test Connectivity to test the connection to the server, and ensure that the connection status is Successful.
7. Click OK to save changes.

Creating a guest group on FortiGate

To create a guest group:

1. Go to User & Authentication > User Groups and click Create New.
2. Enter a name for the group.
3. In Type, select Firewall.

4. In Remote Groups, select Add, and then select the remote server created in Remote Server. Click OK.
Optionally, you may specify the group to be matched on the remote server. The group name must be configured as
a RADIUS attribute on the group configured on FortiAuthenticator. See Groups.
The RADIUS attribute will be sent to the FortiGate by the FortiAuthenticator on successful authentication.
5. Click OK.

Creating a wireless guest SSID on FortiGate

To create a wireless guest SSID:

1. Go to WiFi & Switch Controller > SSIDs.
2. From the Create New dropdown, select SSID.
3. Enter a Name for the interface. Optionally, you can enter an alias.
4. In Traffic mode, select Tunnel. Alternatively, you can select Bridge.
5. In the Address pane, enter an IP address/netmask for IP/Netmask.
6. Enable DHCP Server, and keep the default settings in the DHCP Server pane.
7. In the WiFi Settings pane:
a. Enter the SSID name that is broadcast to the WiFi clients.
b. In the Security mode dropdown, select Captive Portal.
c. In the Portal type dropdown, ensure Authentication is selected.
d. In Authentication portal, select External, and enter the portal URL for the captive portal policy configured on
FortiAuthenticator. See Captive portal policy.
e. In User groups, select Guest. See Guest group on FortiGate.
f. In Exempt destinations/services, select the address objects for the FortiAuthenticator and DNS servers. For the
selected addresses and services, FortiGate does not present the captive portal page when the policy for the
selected traffic is matched.
In the Select Entries window, go to Create > Create New to create new addresses and services.
g. Optionally, in Redirect after Captive Portal, select Specific URL, and enter a URL to redirect users to a specific
URL once authenticated.

8. Click OK.

Creating firewall policies for guest access to DNS, FortiAuthenticator, and internet

To create a firewall policy for guest access to DNS and FortiAuthenticator:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Enter a name for the policy.
3. In Incoming Interface, select the guest SSID created in Wireless Guest SSID.
4. In Outgoing Interface, select interfaces for FortiAuthenticator and DNS access.
5. In Source, select an Address object.
6. In Destination, select address objects for the FortiAuthenticator and DNS servers.
7. Enable or disable NAT as required.
8. Optionally, enable other options including Security Profiles for performing inspection using the security features of
FortiGate.
9. Click OK.

To create firewall policy for guest user internet access:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Enter a name for the policy.
3. In Incoming Interface, select the guest SSID created in Wireless Guest SSID.
4. In Outgoing Interface, select the interface for internet access.
5. In Source, select the All address object and the guest group configured in Guest group on FortiGate.
6. In Destination, select the All address object.
7. Enable NAT.
8. Optionally, enable other options including Security Profiles for performing inspection using the security features of
FortiGate.
9. Click OK.

Configuring firewall authentication portal settings on FortiGate

The following settings are required to avoid certificate and security errors on the client. After the user is authenticated
using the external captive portal, the browser redirects briefly to the firewall authentication portal over HTTPS. The
browser then redirects the user to the original URL or a specific URL.
The specific URL needs to be configured in the Redirect after Captive Portal option in Create New SSID dialog.

To configure firewall authentication portal address from the CLI:

1. Enter the following commands to set the firewall authentication portal address:
config firewall auth-portal
    set portal-addr <addr>
end
The portal-addr setting must be an FQDN that resolves to the interface IP address of the guest SSID. The client must be able to resolve this FQDN using the DNS server configured in the DHCP scope.

To configure the firewall user settings from the CLI:

1. Enter the following commands to set the firewall user settings:
config user setting
    set auth-type https
    set auth-cert "STAR-Aug21"
    set auth-secure-http enable
end
The auth-cert setting must be a valid certificate that has been imported to the FortiGate and that matches the FQDN used for the interface IP of the SSID. A wildcard certificate may be used.

FortiAuthenticator as a Wired Guest Portal for FortiGate

In the topology above:

• FortiSwitch is connected to FortiGate via FortiLink.
• VLAN 61 is the FortiSwitch VLAN.
• A FortiAP or a 3rd-party AP is connected to FortiSwitch on VLAN 61, thereby assigning IPs in that range to clients in bridge mode.
• Other wired users are directly connected to the FortiSwitch ports on VLAN 61, receiving IPs in that range and hitting the captive portal.

This example walks you through setting up FortiAuthenticator as a wired guest portal.

The example may be used where a 3rd-party access point is using a bridged SSID to place client traffic into a specific VLAN (here, VLAN 61).

A 3rd-party switch can also be used instead of FortiSwitch. When a 3rd-party switch is used, FortiGate will connect to the switch's trunk port.

To set up FortiAuthenticator as a wired guest portal:

1. Configuring FortiGate as a RADIUS client on page 70.
2. Creating a user group on FortiAuthenticator for guest users on page 70.
3. Creating a guest portal on FortiAuthenticator on page 71.
4. Configuring an access point on FortiAuthenticator on page 71.
5. Configuring a captive portal policy on FortiAuthenticator on page 72.
6. Configuring FortiAuthenticator as a RADIUS server on FortiGate on page 73.
7. Creating a guest group on FortiGate on page 74.
8. Creating a wired guest interface on FortiSwitch on page 74.
9. Creating firewall policies for guest access to DNS, FortiAuthenticator, and internet on page 76.
10. Configuring firewall authentication portal settings on FortiGate on page 77.

Configuring FortiGate as a RADIUS client

To configure FortiGate as a RADIUS client:

1. In Authentication > RADIUS Service > Clients, click Create New.
2. Enter a unique name for the RADIUS client and the IP address from which it will be connecting.
This is the IP address of the RADIUS client itself, here, FortiGate, not the IP address of the end-user's device.
You may enter a subnet or a range if this configuration applies to multiple FortiGates.
3. Enter a password for Secret.
The secret is a pre-shared secure password that the device, here, FortiGate, uses to authenticate to
FortiAuthenticator.
4. Click OK to save changes to the RADIUS client.

If FortiGate provides RADIUS services to other users and for other tasks, you should configure a loopback interface. You can specify the RADIUS source IP address in the FortiGate CLI for the loopback interface.

To configure a loopback interface using the FortiGate CLI:
config user radius
    edit FAC
        set source-ip <ip address>
    next
end
Use the IP address configured in the RADIUS client on FortiAuthenticator as the source IP.

Creating a user group on FortiAuthenticator for guest users

To create a user group:

1. Go to Authentication > User Management > User Groups and select Create New.
2. Enter a name for the group.
3. Select Local as the Type.
4. In RADIUS Attributes pane, select Add RADIUS Attribute:
a. In Vendor, select Fortinet.
b. In Attribute ID, select Fortinet-Group-Name.
c. In Value, enter the group name that you will match on the FortiGate.
FortiAuthenticator sends the RADIUS attribute to the FortiGate on successful authentication.


5. Click OK.

Creating a guest portal on FortiAuthenticator

To create a guest portal:

1. Go to Authentication > Portals > Portals and select Create New.
2. Enter a name for the portal.
3. Enable Account Registration to allow guest users to create an account.
4. In the Account Registration toggle, enable Place registered users into a group, and select the user group created in
Creating a user group.
Users are made members of the group when they create an account.
You can configure additional settings as required. For instance, you may want to enable account expiry and enforce contact verification using Email or SMS.
5. Click OK.

Configuring an access point on FortiAuthenticator

To configure an access point:

1. Go to Authentication > Portals > Access Points and select Create New.
2. Enter a name for the access point.


3. In Client address, select Range, and enter 0.0.0.0-255.255.255.255.
4. Click OK.

Configuring a captive portal policy on FortiAuthenticator

To configure an allow access captive portal policy:

1. Go to Authentication > Portals > Policies, click Captive Portal and Create New.
2. In the Policy type tab:
a. Enter a name for the policy. Optionally, enter a description for the policy.
b. In Type, select Allow captive portal access. Copy the URL and save it in Notepad. The URL needs to be entered in the FortiGate configuration later.
c. Choose a portal created in Creating a guest portal on FortiAuthenticator on page 71.
d. Click Next.

3. In the Portal selection criteria tab:
a. In the HTTP parameter dropdown, select ssid to match.
b. In the Operator dropdown, select [string]exact_match.
c. In Value, enter the name of the interface configured on the FortiGate with captive portal authentication
required. Here, Guest-Wired.
d. Click Next.

4. In the Authorized clients tab:
a. From Access points, select the access point defined in Access points.
b. From RADIUS clients, select the FortiGate RADIUS client defined in RADIUS clients.
c. Click Next.

5. In the Authentication type tab, select Password/OTP authentication, then enable Local/remote user to verify
credentials against one of the local or remote user accounts, and click Next.

6. In the Identity sources tab:
a. For Username format, select username@realm.
b. For Realms, select local realm. Optionally, enable Filter, click the pen icon, and from Available User Groups,
move the group created in User Group to Chosen User Groups.
c. Click Next.

7. In the Authentication Factors tab, click Next.
8. In the RADIUS response tab, review the policy, and click Save and exit.

Configuring FortiAuthenticator as a RADIUS server on FortiGate

To configure FortiGate authentication settings:

1. Go to User & Authentication > RADIUS Servers and click Create New.
2. Enter a name for the RADIUS server.
3. For Authentication method, select Default.
4. In IP/Name, enter the IP address or DNS name of the RADIUS server.
5. In Secret, enter the shared secret key.
The secret is the same as the one used when setting up the RADIUS client, here, FortiGate.
6. Click Test Connectivity to test the connection to the server, and ensure that the connection status is Successful.


7. Click OK to save changes.

Creating a guest group on FortiGate

To create a guest group:

1. Go to User & Authentication > User Groups and click Create New.
2. Enter a name for the group.
3. In Type, select Firewall.
4. In Remote Groups, select Add, and then select the remote server created in Remote Server. Click OK.
Optionally, you may specify the group to be matched on the remote server. The group name must be configured as
a RADIUS attribute on the group configured on FortiAuthenticator. See Groups.
The RADIUS attribute will be sent to the FortiGate by the FortiAuthenticator on successful authentication.
5. Click OK.

Creating a wired guest interface on FortiSwitch

This solution demonstrates the configuration when a FortiSwitch is used.

When a 3rd-party switch is used instead, create a VLAN sub-interface instead of a FortiSwitch VLAN. Connect the FortiGate interface to the trunk port of the switch.


To create a wired guest interface:

1. Go to WiFi & Switch Controller > FortiSwitch VLANs.
2. Select Create New.
3. In the New Interface window, enter a name for the interface. Optionally, enter an alias.
4. Select 802.1Q as the VLAN protocol.
5. Ensure that a FortiLink interface member is selected in Interface.
6. In VLAN ID, enter a VLAN ID, here 61.
7. Ensure that the Role is set as LAN.
8. In the Address pane:
8.In the Address pane:
a. In Addressing mode, select Manual.
b. In IP/Netmask, enter an IP address/netmask.
c. In IPv6 addressing mode, select Manual.
d. Ensure that the Create address object matching subnet is enabled.
9. Enable DHCP Server, and in the DHCP server pane:
a. Enter an address range.
b. For DNS server, select Specify, click the Add icon, and enter the IP address of the FortiSwitch.
10. In the Network pane:
a. Ensure that Device detection is enabled.
b. Enable Security mode, and from the dropdown, ensure that Captive Portal is selected.
c. In Authentication portal, select External, and enter the portal URL for the captive portal policy configured on
FortiAuthenticator.
See Captive portal policy.
d. In User access, select Restricted to Groups.
e. In User groups, select Guest.
See Guest group on FortiGate.
f. In Exempt destinations/services, select the address objects for the FortiAuthenticator and DNS servers.

For the selected addresses and services, FortiGate does not present the captive portal
page when the policy for the selected traffic is matched.

In the Select Entries window, go to Create > Create New to create new addresses and services.
g. Optionally, in Redirect after Captive Portal, select Specific Request, and enter a URL to redirect users to a
specific URL once authenticated.


11. Click OK.

Creating firewall policies for guest access to DNS, FortiAuthenticator, and internet

To create a firewall policy for guest access to DNS and FortiAuthenticator:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Enter a name for the policy.
3. In Incoming Interface, select the wired guest interface created in Wired Guest Interface.
4. In Outgoing Interface, select the interface for FortiAuthenticator and DNS access.


5. In Source, select an Address object.
6. In Destination, select address objects for the FortiAuthenticator and DNS servers.
7. Enable or disable NAT as required.
8. Optionally, enable other options including Security Profiles for performing inspection using the security features of
FortiGate.
9. Click OK.

To create firewall policy for guest user internet access:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Enter a name for the policy.
3. In Incoming Interface, select the wired guest interface created in Wired Guest Interface.
4. In Outgoing Interface, select the interface for internet access.
5. In Source, select an address object and the guest group configured in Guest group on FortiGate.
6. In Destination, select the All address object.
7. Enable NAT.
8. Optionally, enable other options including Security Profiles for performing inspection using the security features of
FortiGate.
9. Click OK.

Configuring firewall authentication portal settings on FortiGate

The following settings are required to avoid certificate and security errors on the client. After the user is authenticated
using the external captive portal, the browser redirects briefly to the firewall authentication portal over HTTPS. The
browser then redirects the user to the original URL or a specific URL.
The specific URL needs to be configured in the Redirect after Captive Portal option in the New Interface dialog.

To configure firewall authentication portal address from the CLI:

1. Enter the following commands to set the firewall authentication portal address:
config firewall auth-portal
    set portal-addr <addr>
end
The portal-addr setting must be an FQDN that resolves to the interface IP address of the guest SSID. The client must be able to resolve this FQDN using the DNS server configured in the DHCP scope.

To configure firewall user settings from the CLI:

1. Enter the following commands to set the firewall user settings:
config user setting
    set auth-type https
    set auth-cert "STAR-Aug21"
    set auth-secure-http enable
end
The auth-cert setting must be a valid certificate that has been imported to the FortiGate and that matches the FQDN used for the interface IP of the SSID. A wildcard certificate may be used.
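A preflight check for the two requirements just stated (portal-addr must be an FQDN that resolves to the guest interface IP, and auth-cert must carry a name matching that FQDN, wildcard allowed), which applies equally to the wireless guest portal example earlier in this chapter. This is an added example, not Fortinet code; the interface IP, FQDN, SAN list and the table-backed resolver are constructed values so that it runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample values (not from the Fortinet document): the guest interface IP,
# the FQDN set as portal-addr, and the SAN entries of the certificate set as auth-cert.
GUEST_IF_IP = "10.61.0.1"
PORTAL_FQDN = "guest.example.net"
CERT_SANS = ["*.example.net", "example.net"]


def hostname_matches(fqdn: str, cert_name: str) -> bool:
    """Match the portal FQDN against one SAN entry. A wildcard is honoured only as the
    whole left-most label: "*.example.net" covers "guest.example.net" but neither
    "example.net" itself nor "a.b.example.net"."""
    fqdn, cert_name = fqdn.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name == fqdn:
        return True
    if not cert_name.startswith("*.") or "*" in cert_name[1:]:
        return False
    head, sep, rest = fqdn.partition(".")
    return bool(head) and sep == "." and rest == cert_name[2:]


def dns_resolve(fqdn: str) -> List[str]:
    """Default resolver: the addresses the local resolver returns for the FQDN."""
    return socket.gethostbyname_ex(fqdn)[2]


def table_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Offline stand-in for the DNS server of the DHCP scope, backed by a constructed table."""
    def resolve(fqdn: str) -> List[str]:
        if fqdn not in table:
            raise OSError(f"NXDOMAIN for {fqdn}")
        return table[fqdn]
    return resolve


def check_auth_portal(portal_addr: str, interface_ip: str, cert_sans: Iterable[str],
                      resolve: Callable[[str], List[str]] = dns_resolve) -> List[str]:
    """Return the problems found with the portal-addr/auth-cert pair (empty list = OK)."""
    sans = list(cert_sans)
    problems: List[str] = []
    try:
        ipaddress.ip_address(portal_addr)
        return [f"portal-addr {portal_addr!r} is an IP address; it must be an FQDN so the "
                "HTTPS redirect can present a certificate whose name matches"]
    except ValueError:
        pass  # not an IP literal, as required
    try:
        answers = resolve(portal_addr)
    except OSError as exc:
        answers = []
        problems.append(f"{portal_addr} does not resolve with the DHCP-scope DNS server: {exc}")
    if answers and interface_ip not in answers:
        problems.append(f"{portal_addr} resolves to {answers}, not to the guest interface IP {interface_ip}")
    if not any(hostname_matches(portal_addr, san) for san in sans):
        problems.append(f"auth-cert has no SAN matching {portal_addr} (SANs: {sans})")
    return problems


if __name__ == "__main__":
    resolver = table_resolver({PORTAL_FQDN: [GUEST_IF_IP]})
    print(check_auth_portal(PORTAL_FQDN, GUEST_IF_IP, CERT_SANS, resolver) or "settings OK")
```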

MAC authentication bypass

This section describes configuring MAC address bypass with FortiAuthenticator.

MAC authentication bypass with dynamic VLAN assignment

In this example, you will configure MAC authentication bypass (MAB) in a wired network with dynamic VLAN
assignment.
The purpose of this example is to configure and demonstrate MAB with FortiAuthenticator, using a 3rd-party switch
(EX2200) to confirm cross-vendor interoperability. The example also demonstrates dynamic VLAN allocation without a
supplicant.

Configuring MAC authentication bypass on the FortiAuthenticator

1. Go to Authentication > User Management > MAC Devices and create a new MAC-based device.
Enter a name for the device along with the device's MAC address.
Alternatively, you can use the Import option to import this information from a CSV file.


Configuring the user group

1. Go to Authentication > User Management > User Groups and create a new user group.
Select MAC as the type, and add the newly created MAC device. Click OK.
2. Enter the RADIUS Attributes for the VLAN assignment: in this example, Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID, as returned in the Access-Accept shown under Results.

RADIUS attributes can only be added after the group has been created.

Configuring RADIUS settings on FortiAuthenticator

To create the RADIUS client:

1. Go to Authentication > RADIUS Service > Clients and create a new RADIUS client.
Configure the IP and shared secret from your switch, and click OK.


To create the RADIUS policy:

1. Go to Authentication > RADIUS Service > Policies and create a new RADIUS policy.
In RADIUS clients, enter a policy name, and add the previously configured RADIUS client.

RADIUS attribute criteria can be left blank.

2. In Authentication type, select MAC authentication bypass (MAB).

3. In Identity source, add the previously configured MAC group to Authorized groups.


4. Configure the RADIUS response to reject unauthorized requests, and click Save and exit.

Configuring the 3rd-party switch

The switch configuration provided below is intended for demonstration only. Your switch configuration is likely to differ significantly.

set system services dhcp pool 10.1.2.0/24 address-range low 10.1.2.220
set system services dhcp pool 10.1.2.0/24 address-range high 10.1.2.230
set system services dhcp pool 10.1.2.0/24 domain-name fortiad.net
set system services dhcp pool 10.1.2.0/24 name-server 10.1.2.122
set system services dhcp pool 10.1.2.0/24 router 10.1.2.1
set system services dhcp pool 10.1.2.0/24 server-identifier 10.1.2.27
# no VLAN is assigned to the printer port; it is allocated based on the group attributes
set interfaces ge-0/0/0 unit 0 family ethernet-switching
# interface used to communicate with FortiAuthenticator
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering
set interfaces vlan unit 10 family inet address 10.1.2.27/24
set protocols dot1x authenticator authentication-profile-name profile1
# forces the MAC address to be sent as the username over RADIUS
set protocols dot1x authenticator interface ge-0/0/0.0 mac-radius restrict
set access radius-server 10.1.2.29 secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.1.2.29
set vlans engineering vlan-id 10
set vlans engineering l3-interface vlan.10

No configuration is required on the endpoint.


Results

1. Connect the wired device (in this case, the printer).

2. Using tcpdump, FortiAuthenticator shows receipt of an incoming authentication request (execute tcpdump host 10.1.2.27 -nnvvXS):
tcpdump: listening on port1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:36:19.110399 IP (tos 0x0, ttl 64, id 18417, offset 0, flags [none], proto UDP (17), length 185)
    10.1.2.27.60114 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 157
      Access-Request (1), id: 0x08, Authenticator: b77fe0657747891fc8d53ae0ad2b0e7a
        User-Name Attribute (1), length: 14, Value: 0022681af1a0
          0x0000:  3030 3232 3638 3161 6631 6130
        NAS-Port Attribute (5), length: 6, Value: 70
          0x0000:  0000 0046
        EAP-Message Attribute (79), length: 19, Value: .
          0x0000:  0200 0011 0130 3032 3236 3831 6166 3161
          0x0010:  30
        Message-Authenticator Attribute (80), length: 18, Value: .y{.cD%..9|es.'x
          0x0000:  a679 7b82 6344 2593 f639 7c65 73eb 2778
        Acct-Session-Id Attribute (44), length: 24, Value: 802.1x81fa002500078442
          0x0000:  3830 322e 3178 3831 6661 3030 3235 3030
          0x0010:  3037 3834 3432
        NAS-Port-Id Attribute (87), length: 12, Value: ge-0/0/0.0
          0x0000:  6765 2d30 2f30 2f30 2e30
        Calling-Station-Id Attribute (31), length: 19, Value: 00-22-68-1a-f1-a0
          0x0000:  3030 2d32 322d 3638 2d31 612d 6631 2d61
          0x0010:  30
        Called-Station-Id Attribute (30), length: 19, Value: a8-40-e5-b0-21-80
          0x0000:  6138 2d34 302d 6535 2d62 302d 3231 2d38
          0x0010:  30
        NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
          0x0000:  0000 000f
The switch forces the User-Name to be the endpoint MAC address; no configuration is needed on the endpoint.
3. On the FortiAuthenticator, go to Logging > Log Access > Logs to verify the device authentication.
The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.
4. Continuing with the tcpdump, authentication is accepted by FortiAuthenticator and the authorization attributes are returned to the switch:
17:36:19.115264 IP (tos 0x0, ttl 64, id 49111, offset 0, flags [none], proto UDP (17), length 73)
    10.1.2.29.1812 > 10.1.2.27.60114: [bad udp cksum 0x1880 -> 0x5cce!] RADIUS, length: 45
      Access-Accept (2), id: 0x08, Authenticator: b5c7b1bb5a316fb483a622eaae58ccc2
        Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13
          0x0000:  0000 000d
        Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
          0x0000:  0000 0006
        Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering
          0x0000:  656e 6769 6e65 6572 696e 67
        0x0000:  4500 0049 bfd7 0000 4011 a293 0a01 021d  E..I....@.......
        0x0010:  0a01 021b 0714 ead2 0035 1880 0208 002d  .........5.....-
        0x0020:  b5c7 b1bb 5a31 6fb4 83a6 22ea ae58 ccc2  ....Z1o..."..X..
        0x0030:  4006 0000 0000 4106 0000 0006 510d 656e  @.....A.....Q.en
        0x0040:  6769 6e65 6572 696e 67                   gineering
5. The post-authentication DHCP transaction is picked up by FortiAuthenticator.
The switch CLI shows a successful dot1x session:
root# run show dot1x interface ge-0/0/0.0
802.1X Information:
Interface    Role           State           MAC address         User
ge-0/0/0.0   Authenticator  Authenticated   00:22:68:1A:F1:A0   0022681af1a0
The interface of the MAC address has been dynamically placed into the correct VLAN:
root# run show vlans engineering
Name          Tag   Interfaces
engineering   10    ge-0/0/0.0*, ge-0/0/11.0*
Additionally, the printer shows as available on the network:
root# run show arp interface vlan.10
MAC Address         Address      Name         Interface   Flags
00:0c:29:5b:90:68   10.1.2.29    10.1.2.29    vlan.10     none
6c:70:9f:d6:ae:a1   10.1.2.220   10.1.2.220   vlan.10     none
b8:53:ac:4a:d5:f5   10.1.2.221   10.1.2.221   vlan.10     none
00:22:68:1a:f1:a0   10.1.2.224   10.1.2.224   vlan.10     none
a4:c3:61:24:b9:07   10.1.2.228   10.1.2.228   vlan.10     none
Total entries: 5

{master:0}[edit]
root# run ping 10.1.2.224
PING 10.1.2.224 (10.1.2.224): 56 data bytes
64 bytes from 10.1.2.224: icmp_seq=0 ttl=128 time=2.068 ms
64 bytes from 10.1.2.224: icmp_seq=1 ttl=128 time=2.236 ms
64 bytes from 10.1.2.224: icmp_seq=2 ttl=128 time=2.699 ms

--- 10.1.2.224 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.068/2.334/2.699/0.267 ms
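The Access-Accept from step 4, decoded and verified the way the switch must verify it before moving the port into the VLAN. This is an added example, not Fortinet or Juniper code: the RADIUS payload is copied from the hex dump above, while the shared secret used for the Response Authenticator check is a constructed value, since the switch's real secret is stored encrypted in its configuration.

```python
import hashlib
import hmac
import struct

# RADIUS payload of the Access-Accept captured above (UDP payload, starting at
# code 0x02), copied from the 0x0020/0x0030/0x0040 lines of the raw dump.
ACCESS_ACCEPT_HEX = (
    "0208002d"                          # code 2 = Access-Accept, id 0x08, length 45
    "b5c7b1bb5a316fb483a622eaae58ccc2"  # Response Authenticator
    "40060000000d"                      # Tunnel-Type (64): tag 0, value 13 = VLAN
    "410600000006"                      # Tunnel-Medium-Type (65): tag 0, value 6 = IEEE-802
    "510d656e67696e656572696e67"        # Tunnel-Private-Group-ID (81): "engineering"
)
# Request Authenticator of the Access-Request (id 0x08) that this reply answers.
REQUEST_AUTH_HEX = "b77fe0657747891fc8d53ae0ad2b0e7a"

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def parse_radius(pkt: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...]);
    raise ValueError on a truncated packet or an attribute running past the length field."""
    if len(pkt) < 20:
        raise ValueError("RADIUS header needs 20 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"length field {length} does not match {len(pkt)} bytes received")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def tagged_int(value: bytes) -> int:
    """RFC 2868 tagged integer: one tag byte, then a 3-byte big-endian value."""
    return int.from_bytes(value[1:4], "big")


def tagged_string(value: bytes) -> str:
    """RFC 2868 tagged string: a first byte of 0x00..0x1f is a tag, otherwise data starts at 0."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii")


def vlan_assignment(pkt: bytes):
    """VLAN name the switch should apply, or None unless the packet is an Access-Accept
    carrying Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802 with a group ID."""
    code, _, _, attrs = parse_radius(pkt)
    if code != ACCESS_ACCEPT:
        return None
    got = {}
    for atype, value in attrs:
        if atype == TUNNEL_TYPE:
            got["type"] = tagged_int(value)
        elif atype == TUNNEL_MEDIUM_TYPE:
            got["medium"] = tagged_int(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            got["group"] = tagged_string(value)
    if got.get("type") == VLAN and got.get("medium") == IEEE_802:
        return got.get("group")
    return None


def response_authenticator(reply: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()


def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The switch-side check: only a server holding the shared secret can produce the
    Response Authenticator, and any change to the attributes (e.g. the VLAN name) breaks it."""
    expected = response_authenticator(reply, request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, vlan_name: str) -> bytes:
    """Compose a dynamic-VLAN Access-Accept with the same three attributes as the capture."""
    group = vlan_name.encode("ascii")
    attrs = (bytes([TUNNEL_TYPE, 6, 0]) + VLAN.to_bytes(3, "big")
             + bytes([TUNNEL_MEDIUM_TYPE, 6, 0]) + IEEE_802.to_bytes(3, "big")
             + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    unsigned = header + bytes(16) + attrs
    return header + response_authenticator(unsigned, request_auth, secret) + attrs


if __name__ == "__main__":
    print("captured Access-Accept assigns VLAN:", vlan_assignment(bytes.fromhex(ACCESS_ACCEPT_HEX)))
    # Constructed secret: the real one is stored encrypted ($9$...) on the switch.
    secret, req_auth = b"constructed-shared-secret", bytes.fromhex(REQUEST_AUTH_HEX)
    reply = build_access_accept(0x08, req_auth, secret, "engineering")
    print("genuine reply verifies:", reply_is_authentic(reply, req_auth, secret))
    altered = reply.replace(b"engineering", b"guest-vlan1")
    print("altered VLAN verifies:", reply_is_authentic(altered, req_auth, secret))
```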

Self-service Portal

Configure general self-service portal options, including access control settings, self-registration options, replacement
messages, and device self-enrollment settings.

FortiAuthenticator user self-registration

For this example, you will configure the FortiAuthenticator self-service portal to allow users to add their own account and
create their own passwords.

1. User requests a new account.
2. Administrator approves the request by email.
Note that administrator approval requires an email (SMTP) server. Since administrators will approve requests by email, this example describes how to add an email server to your FortiAuthenticator. You will create and use a new server instead of the unit’s default server.

Creating a self-registration user group

To create a self-registration user group:

1. Go to Authentication > User Management > User Groups and create a new user group for self-registering users.
Enter a Name and select OK. Users will be added to this group once they register through the self-registration portal.

Enabling self-registration

To enable self-registration:

1. Go to Authentication > Self-service Portal > General.
Enter a Site name, add an Email signature that you would like appended to the end of outgoing emails, and select OK.

2. Then go to Authentication > Self-service Portal > Self-registration and select Enable.
Enable Require administrator approval and Enable email to freeform addresses, and enter the administrator’s email
address in the field provided.


Enable Place registered users into a group, select the user group created earlier, and configure basic account
information to be sent to the user by Email.
Open the Required Field Configuration dropdown and enable First name, Last name, and Email address.


Creating a new SMTP server

To create a new SMTP server:

1. Go to System > Messaging > SMTP Servers and create a new email server for your users.
Enter a Name, the IP address of the FortiAuthenticator, and leave the default port value (25).
Enter the administrator’s email address, Account username, and Password.
Note that, for the purpose of this example, Secure connection will not be set to STARTTLS as a signed CA
certificate would be required.

2. Once created, highlight the new server and select Set as Default.
The new SMTP server will now be used for future user registration.


Results - Self-registration

1. When the user visits the login page, https://<FortiAuthenticator-IP>/auth/register/, they can click the Register
button, where they will be prompted to enter their information.
They will need to enter and confirm a Username, Password, First name, Last name, and Email address. These are
the only required fields, as configured in the FortiAuthenticator earlier.
Select Submit.

2. The user's registration is successful, and their information has been sent to the administrator for approval.

3. When the administrator has enabled the user’s account, the user will receive an activation welcome email.
The user's login information will be listed.


4. Select the link and log in to the user's portal.

5. The user is now logged into their account where they can review their information.
As recommended in the user’s welcome email, the user may change their password. However, this is optional.


Results - Administrator approval

1. After receiving the user’s registration request, in the FortiAuthenticator as the administrator, go to Authentication
> User Management > Local Users. The user has been added, but their Status is listed as Not Activated.

2. In the administrator’s email account, open the user’s Approval Required email. The user’s full name will appear in
the email’s subject, along with their username in the email’s body.
Select the link to approve or deny the user.


3. The link will take you to the New User Approval page, where you can review the user’s information and either
approve or deny the user’s full registration.
Select Approve.

4. The user has now been approved and activated by the administrator.

This can be confirmed by going back to Authentication > User Management > Local Users. The user’s Status has
changed to Enabled.


5. You can also go to Logging > Log Access > Logs to view the successful login of the user and more information.

VPNs

This section contains information about creating and using a virtual private network (VPN).

LDAP authentication for SSL VPN with FortiAuthenticator

This example describes how to set up FortiAuthenticator to function as an LDAP server for FortiGate SSL VPN
authentication. It involves adding users to FortiAuthenticator, setting up the LDAP server on the FortiAuthenticator, and
then configuring the FortiGate to use the FortiAuthenticator as an LDAP server.

Creating the user and user group on the FortiAuthenticator

To create the user and user group:

1. On the FortiAuthenticator, go to Authentication > User Management > Local Users and select Create New.
Enter a name for the user, enter and confirm a password, and be sure to disable Allow RADIUS authentication —
RADIUS authentication is not required for this example.
Set Role as User, and select OK. New options will appear.
Make sure to enable Allow LDAP browsing — the user will not be able to connect to the FortiGate otherwise.


2. Create another user with the same settings. Later, you will use jgarrick on the FortiGate to query the LDAP
directory tree on FortiAuthenticator, and you will use bwayne credentials to connect to the VPN tunnel.
3. Next go to Authentication > User Management > User Groups, and create a user group for the FortiGate users. Add
the desired users to the group.


Creating the LDAP directory tree on the FortiAuthenticator

To create the LDAP directory tree:

1. Go to Authentication > LDAP Service > Directory Tree, and create a Distinguished Name (DN). A DN is made up of Domain Components (DC).
The users and user group created earlier become the User ID (UID) and Common Name (CN) entries in the LDAP directory tree.
Create an Organizational Unit (OU), and a Common Name (CN). Under the cn=HeadOffice entry, add UIDs for the users.
If you mouse over a user, you will see the user's full DN on the LDAP server.

Later, you will use jgarrick on the FortiGate to query the LDAP directory tree on FortiAuthenticator, and you will
use bwayne credentials to connect to the VPN tunnel.

Connecting the FortiGate to the LDAP server

To connect the FortiGate to the LDAP server:

1. On the FortiGate, go to User & Device > LDAP Servers, and select Create New.
Enter a name for the LDAP server connection.
Set Server IP/Name to the IP of the FortiAuthenticator, and set the Common Name Identifier to uid.
Set Distinguished Name to dc=fortinet,dc=com, and set the Bind Type to Regular.
Enter the user DN for jgarrick of the LDAP server, and enter the user's Password.
The DN is an account that the FortiGate uses to query the LDAP server.


2. Select Test Connectivity to determine a successful connection.
Then select Test User Credentials to query the LDAP directory using jgarrick's credentials. The query is successful.


Creating the LDAP user group on the FortiGate

To create the LDAP user group:

1. Go to User & Device > User Groups, and select Create New.
Enter a name for the user group. Under Remote Groups select Add.

2. Select LDAPserver under the Remote Server dropdown.
In the new Add Group Match window, right-click HeadOffice under the Groups tab, and select Add Selected. The group will be added to the Selected tab. Select OK.


3. LDAPserver has been added to the LDAP group. Select OK.

Configuring the SSL-VPN

To configure the SSL-VPN:

1. On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.
Disable Split Tunneling.

2. Go to VPN > SSL-VPN Settings.


Under Connection Settings, set Listen on Port to 10443.
Under Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1.
Under Authentication/Portal Mapping, select Create New.


3. Assign the LDAPgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal.
Select Apply.

4. Select the prompt at the top of the screen to create a new SSL-VPN policy, including the LDAPgroup, as shown.


Results

1. From a remote device, access the SSL VPN Web Portal.
Enter valid LDAP credentials (in the example, bwayne).

2. The user is now successfully logged into the SSL VPN Portal.

3. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the connection.


4. On the FortiAuthenticator, go to Logging > Log Access > Logs and confirm the connection.

SMS two-factor authentication for SSL VPN

In this example, you will create an SSL VPN with two-factor authentication consisting of a username, password, and an
SMS token.
When a user attempts to connect to this SSL VPN, they are prompted to enter their username and password. After
successfully entering their credentials, they receive an SMS message on their mobile phone containing a 6-digit number
(called the FortiToken code). They must also enter this number to get access to the internal network and the Internet.
Although this example uses the FortiGuard Messaging Service, it will also work with any compatible SMS service you
configure as an SMS Gateway.

Creating an SMS user and user group on the FortiAuthenticator

To create an SMS user and user group:

1. On the FortiAuthenticator, go to Authentication > User Management > Local Users and add/modify a user to include
SMS Token-based authentication and a Mobile number using the preferred SMS gateway as shown.
The Mobile number must be in the following format:
+[international-number]
Enable Allow RADIUS authentication.


2. Go to Authentication > User Management > User Groups and add the above user to a new SMS user group (in the
example, SMSgroup).
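The password-then-SMS-code exchange that this section configures, modelled in Python as an added example; it is not FortiAuthenticator code and not Fortinet's implementation. The user record, the salted PBKDF2 password storage, the send_sms callback standing in for the SMS gateway, the 60-second code lifetime and the three-guess limit are all constructed assumptions. What the model shows is the set of checks a second factor of this kind needs: the mobile number in +[international-number] form, a 6-digit code bound to an opaque challenge state, single use, expiry, and a cap on guesses before the user must start again with the password.

```python
import hashlib
import hmac
import re
import secrets
import time

# E.164 form required in the FortiAuthenticator Mobile number field: "+" then 7 to 15 digits,
# with a country code that does not start with 0.
E164 = re.compile(r"\+[1-9]\d{6,14}")


def valid_mobile(number):
    """True when the number is in the +[international-number] format."""
    return E164.fullmatch(number) is not None


def hash_password(password, salt):
    """Salted PBKDF2 so the model never stores a plaintext password (constructed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SmsOtpServer:
    """Model of the two-step exchange: password first, then a 6-digit code sent by SMS."""

    def __init__(self, users, send_sms, ttl_seconds=60, max_attempts=3):
        self.users = users            # username -> {"pw_salt", "pw_hash", "mobile"}
        self.send_sms = send_sms      # callable(mobile, text); stands in for the SMS gateway
        self.ttl = ttl_seconds        # how long a sent code stays valid (assumption)
        self.max_attempts = max_attempts
        self.pending = {}             # state -> [username, code, expires_at, attempts_left]

    def first_factor(self, username, password, now=None):
        """Check the password; on success send a code and return an opaque challenge state."""
        user = self.users.get(username)
        if user is None or not valid_mobile(user["mobile"]):
            return None
        if not hmac.compare_digest(hash_password(password, user["pw_salt"]), user["pw_hash"]):
            return None
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"   # always 6 digits, leading zeros kept
        state = secrets.token_hex(16)                 # plays the role of the RADIUS State attribute
        self.pending[state] = [username, code, now + self.ttl, self.max_attempts]
        self.send_sms(user["mobile"], f"Your FortiToken code is {code}")
        return state

    def second_factor(self, state, code, now=None):
        """Verify the code for this state: single use, time-limited, bounded number of guesses."""
        entry = self.pending.get(state)
        if entry is None:
            return False                              # unknown, already used, or exhausted
        _username, expected, expires_at, attempts_left = entry
        now = time.time() if now is None else now
        if now > expires_at:
            del self.pending[state]
            return False
        if hmac.compare_digest(expected.encode(), code.encode()):
            del self.pending[state]                   # consume the code
            return True
        entry[3] = attempts_left - 1
        if entry[3] <= 0:
            del self.pending[state]                   # force a fresh password and a new SMS code
        return False
```

The state value returned by first_factor is what a RADIUS server carries in the State attribute of its Access-Challenge, and what the client echoes back with the code; keying the pending table on it, rather than on the username, is what stops a code sent for one login attempt from being accepted for another.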

Configuring the FortiAuthenticator RADIUS client

To create the RADIUS client:

1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New.
2. Enter a Name, the IP address of the FortiGate, and set a Secret.
The secret is a pre-shared secure password that the FortiGate will use to authenticate to the FortiAuthenticator.
3. Click OK.

To create the RADIUS policy:

1. Go to Authentication > RADIUS Service > Policies, and select Create New.
2. Enter the RADIUS policy name, description, and select the FortiGate RADIUS client.
3. Optionally, configure RADIUS attribute criteria.
4. Choose Password/OTP authentication as the authentication type.

5. Choose a username format (in this example: username@realm), select the Local realm, and add the SMSgroup as
a filter.

6. Set the authentication method to Mandatory two-factor authentication.


7. Click Save and Exit.

Configuring the FortiGate authentication settings

To configure the FortiGate authentication settings:

1. On the FortiGate, go to User & Device > RADIUS Servers and create the connection to the FortiAuthenticator
RADIUS server, using its IP address and pre-shared secret.
Use Test Connectivity to make sure that the FortiGate can communicate with the FortiAuthenticator.

2. Next, go to User & Device > User Groups and create a RADIUS user group called RADIUSgroup.
Set the Type to Firewall and add the RADIUS server to the Remote groups table.

Configuring the SSL-VPN

Configure the SSL-VPN settings:

1. Go to VPN > SSL-VPN Settings.


Under Connection Settings, set Listen on Port to 10443. Under Tunnel Mode Client Settings, select Specify custom
IP ranges and set IP Ranges to the SSL VPN tunnel address range.
Under Authentication/Portal Mapping, select Create New.
Assign the RADIUSgroup user group to the full-access portal, and assign All Other Users/Groups to the desired
portal.

Creating the security policy for VPN access to the Internet

To create the security profile:

1. Go to Policy & Objects > IPv4 Policy and create a new SSL-VPN policy, including the RADIUSgroup, as shown.

Results

In this example, we will use the web portal to access the SSL VPN and test the two-factor authentication.

To test two-factor authentication:

1. Open a browser and navigate to the SSL VPN web portal, in this case https://172.25.176.127:10443.
Enter a valid username and password and select Login. You should be prompted to enter a FortiToken Code.

2. The FortiToken Code should have been sent to your mobile phone as a text message containing a 6-digit number.
Enter the number into the SSL VPN login portal and select Login.

3. You should now have access to the SSL VPN tunnel.

4. To verify that the user has connected to the tunnel, on the FortiGate, go to Monitor > SSL-VPN Monitor.

5. On the FortiAuthenticator, go to Logging > Log Access > Logs to confirm the user's connection.

WiFi authentication

This section describes configuring WiFi authentication with FortiAuthenticator.

Assigning WiFi users to VLANs dynamically

Virtual LANs (VLANs) are used to assign wireless users to different networks without requiring the use of multiple SSIDs.
Each user’s VLAN assignment is stored in the user database of the RADIUS server that authenticates the users.
This example creates dynamic VLANs for the Techdoc and Marketing departments. The RADIUS server is a
FortiAuthenticator. It is assumed a user group on the FortiAuthenticator has already been created (in this example,
employees).

config certificate ca
    edit {name}
        # CA certificate.
        set name {string}                       Name. size[79]
        set ca {string}                         CA certificate as a PEM file.
        set range {global | vdom}               Either global or VDOM IP address range for the CA certificate.
            global                              Global range.
            vdom                                VDOM IP address range.
        set source {factory | user | bundle}    CA certificate source type.
            factory                             Factory installed certificate.
            user                                User generated certificate.
            bundle                              Bundle file certificate.
        set trusted {enable | disable}          Enable/disable as a trusted CA.
        set scep-url {string}                   URL of the SCEP server. size[255]
        set auto-update-days {integer}          Number of days to wait before requesting an updated CA certificate (0 - 4294967295, 0 = disabled). range[0-4294967295]

Configuring the FortiAuthenticator

To create the RADIUS client:

1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New.
2. Enter a Name, the IP address of the FortiGate, and set a Secret.

The secret is a pre-shared secure password that the FortiGate will use to authenticate to the FortiAuthenticator.

To create the RADIUS policy:

1. Go to Authentication > RADIUS Service > Policies, and select Create New.
2. Enter the RADIUS policy name, description, and select the FortiGate RADIUS client.
3. Do not configure RADIUS attribute criteria.
4. Choose Password/OTP authentication as the authentication type and enable all EAP types.

5. Choose a username format (in this example: username@realm), select the Local realm.
Add the employees user group as a filter.
6. Set the authentication method to Password only authentication.
7. Review the RADIUS response, and click Save and Exit.

To create the local user accounts:

1. Next go to Authentication > User Management > Local Users and create local user accounts as needed.

2. For each user, add the following RADIUS attributes which specify the VLAN information to be sent to the FortiGate.
The Tunnel-Private-Group-Id attribute specifies the VLAN ID.

In this example, jsmith is assigned VLAN 100 and twhite is assigned VLAN 200.

Adding the RADIUS server to the FortiGate

To add the RADIUS server to the FortiGate:

1. On the FortiGate, go to User & Device > RADIUS Servers and select Create New.
Enter the FortiAuthenticator IP address and the server Secret entered on the FortiAuthenticator earlier.
Select Test Connectivity to confirm the successful connection.

Creating an SSID with dynamic VLAN assignment

To create an SSID with dynamic VLAN assignment:

1. On the FortiGate, go to WiFi & Switch Controller > SSID and create a new SSID.
Set up DHCP service.

2. Select WPA2 Enterprise security and select your RADIUS server for authentication.
Enable Dynamic VLAN Assignment.

3. Then open the CLI Console and enter the following commands to set the SSID's default VLAN ID to 10. This VLAN
is used when RADIUS does not assign a VLAN:
    config wireless-controller vap
        edit example-wifi
            set vlanid 10
        next
    end

Creating the VLAN interfaces

To create the VLAN interfaces:

1. Go to Network > Interfaces.


Create the VLAN interface for default VLAN-10 and set up DHCP service.

2. Then create two more VLAN interfaces: one for marketing-100 and another for techdoc-200, both with
DHCP service.

Creating security policies

To create the security policies:

1. Go to Policy & Objects > IPv4 Policy.


Create a policy that allows outbound traffic from marketing-100 to the Internet.

2. Under Logging Options, enable logging for All Sessions.

3. Create another policy that allows outbound traffic from techdoc-200 to the Internet.

For this policy too, under Logging Options, enable logging for All Sessions.

Creating the FortiAP profile

To create the FortiAP profile:

1. Go to WiFi & Switch Controller > FortiAP Profiles.


Create a new profile for your FortiAP model and select the new SSID for both Radio 1 and Radio 2.

Connecting and authorizing the FortiAP

To connect and authorize the FortiAP:

1. Go to Network > Interfaces and edit an unused interface.


Set an IP/Network Mask and enable CAPWAP under Administrative Access > IPv4.
Enable DHCP Server.
Now connect the FortiAP unit to this interface and apply power.
2. Go to WiFi & Switch Controller > Managed FortiAPs.
Right-click on the FortiAP unit and select Authorize.
Once authorized, right-click on the FortiAP unit again and select Assign Profile and select the FortiAP profile
created earlier.

Results

The SSID will appear in the list of available wireless networks on the users’ devices.
Both twhite and jsmith can connect to the SSID with their credentials and access the Internet.
If a certificate warning message appears, accept the certificate.
1. Go to FortiView > Policies.
Note that traffic for jsmith and twhite will pass through different policies. In this example, the marketing-100-internet
policy is displayed, indicating that jsmith has connected to the WiFi.

2. Double-click to drill-down, where the user's identity (including username, source IP, and device address) is
confirmed.

3. When twhite has connected to the WiFi network, go to FortiView > Policies and drill-down. The user, and the
techdoc-200-internet policy, is confirmed.

WiFi using FortiAuthenticator RADIUS with certificates

This example will walk you through the configuration of FortiAuthenticator as the RADIUS server for a FortiGate wireless
controller. WPA2-Enterprise with 802.1X authentication can be used to authenticate wireless users with
FortiAuthenticator. 802.1X utilizes the Extensible Authentication Protocol (EAP) to establish a secure tunnel between
participants involved in an authentication exchange.
EAP-TLS is the most secure form of wireless authentication because it replaces the client username/password with a
client certificate. Every participant in EAP-TLS, the authentication server included, must possess at least
two certificates:
1. A client certificate signed by the certificate authority (CA)
2. A copy of the CA root certificate.
This example specifically focuses on the configuration of the FortiAuthenticator, FortiGate, and Windows 10 computer.

Creating a local CA on FortiAuthenticator

The FortiAuthenticator will act as the certificate authority for all certificates authenticated for client access. To enable this
functionality, a self-signed root CA certificate must be generated.

To create the local CA:

1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Create
New.
Configure the fields as required.

Creating a local service certificate on FortiAuthenticator

In order for the FortiAuthenticator to use a certificate in mutual authentication (supported by EAP-TLS), a local services
certificate has to be created on behalf of the FortiAuthenticator.

To create the local service certificate:

1. Go to Certificate Management > End Entities > Local Services and select Create New. Complete the information in
the fields pertaining to your organization.

Configuring RADIUS EAP on FortiAuthenticator

In order for the FortiAuthenticator to present the newly created Local Services certificate as its server certificate to the
WiFi client, RADIUS EAP must be configured to use this certificate.

To configure RADIUS EAP on FortiAuthenticator:

1. Go to Authentication > RADIUS Service > Certificates.


2. Select the corresponding Local Services certificate in EAP Server Certificate.
3. Choose the Local CA certificate previously configured in Local CAs.
4. Click OK.

Configuring RADIUS client on FortiAuthenticator

The FortiAuthenticator has to be configured to allow RADIUS clients to make authorization requests to it.

To create the RADIUS client:

1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New.
2. Enter a Name, the IP address of the FortiGate, and set a Secret.
The secret is a pre-shared secure password that the FortiGate will use to authenticate to the FortiAuthenticator.

To create the RADIUS policy:

1. Go to Authentication > RADIUS Service > Policies, and select Create New.
2. Enter the RADIUS policy name, description, and select the FortiGate RADIUS client.
3. Do not configure RADIUS attribute criteria.
4. Set the authentication type as Client Certificates (EAP-TLS).

5. Choose a username format (in this example: username@realm), select the Local realm.
6. Set the authentication method to Password only authentication.
7. Review the RADIUS response, and click Save and Exit.

Configuring local user on FortiAuthenticator

The authentication of the WiFi client will be tied to a user account on the FortiAuthenticator. In this scenario, a local user
will be configured but remote users associated with LDAP can be configured as well.

To configure a local user:

1. Go to Authentication > User Management > Local Users and select Create New.
Fill out applicable user information.

Configuring local user certificate on FortiAuthenticator

The certificate created locally on the FortiAuthenticator will be associated with the local user. It is important to note that
the Name (CN) must exactly match the username of the user registered on the FortiAuthenticator (in the example,
eap-user).

To configure the local user certificate:

1. Go to Certificate Management > End Entities > Users and select Create New.
Fill out applicable user information to map the certificate to the correct user.

Creating RADIUS server on FortiGate

In order to proxy the authentication request from the wireless client, the FortiGate will need to have a RADIUS server to
submit the authentication request to.

To create the RADIUS server on FortiGate:

1. On the FortiGate, go to User & Device > RADIUS Servers and select Create New. Enter a Name, the
FortiAuthenticator’s IP address, and the same Secret set on the FortiAuthenticator.

Select Test Connectivity to confirm the successful connection.

Creating WiFi SSID on FortiGate

In order for the WiFi client to connect using its certificate, an SSID has to be configured on the FortiGate to accept this
type of authentication.

To create the WiFi SSID:

1. Go to WiFi & Switch Controller > SSID and create an SSID with DHCP for clients.

2. Set the following WiFi Settings, assigning the RADIUS Server configured earlier.

3. Then go to WiFi & Switch Controller > FortiAP Profiles and edit your FortiAP default profile.
Select the new SSID for both Radio 1 and Radio 2.

4. Then go to Policy & Objects > IPv4 Policy and create a policy that allows outbound traffic from the EAP-TLS
wireless interface to the Internet.

Exporting user certificate from FortiAuthenticator

In order for the WiFi client to authenticate with the RADIUS server, the user certificate created in the FortiAuthenticator
must first be exported.

To export the FortiAuthenticator user certificate:

1. On the FortiAuthenticator, go to Certificate Management > End Entities > Users. Select the certificate and select
Export Key and Cert.

2. In the Export User Certificate and Key File dialog, enter and confirm a Passphrase. This password will be used
when importing the certificate into a Windows 10 computer. Select OK.

3. Select Download PKCS#12 file to pull this certificate to the Windows 10 computer. Select Finish.

Importing user certificate into Windows 10

To import the user certificate:

1. On the Windows 10 computer, double-click the downloaded certificate file from the FortiAuthenticator.
This will launch the Certificate Import Wizard. Select Next.

2. Make sure the correct certificate is shown in the File name section in the File to Import window. Select Next.

3. Enter the Password created on the FortiAuthenticator during the export of the certificate.
Select Mark this key as exportable and leave the remaining options to default. Select Next.

4. In the Certificate Store, choose the Place all certificates in the following store.
Select Browse and choose Personal. Select Next, and then Finish.
A dialog box will show up confirming the certificate was imported successfully.

Configuring Windows 10 wireless profile to use certificate

Create a new wireless SSID for this secure connection, in this case EAP-TLS.

To create a wireless SSID:

1. On Windows 10, go to Control Panel > Network and Sharing Center > Set up a new connection or network >
Manually connect to a wireless network. Enter a Network name and set Security type to WPA2-Enterprise. The
Encryption type is set to AES.

2. Once created, you have the option to modify the wireless connection. Select Change connection settings.

3. In the Security tab, set Choose a network authentication method to Microsoft: Smart card or other certificates, and
select Settings.

4. Enable both Use a certificate on this computer and Use simple certificate selection.
Note that, for simplification purposes, Verify the server's identity by validating the certificate has been disabled.
However, EAP-TLS allows the client to validate the server as well as the server to validate the client. To enable this,
you will need to import the CA from the FortiAuthenticator to the Windows 10 computer and make sure that it is
enabled as a Trusted Root Certification Authority. Without server validation the client cannot distinguish the
legitimate RADIUS server from a rogue access point presenting its own certificate, so enable it outside of a lab.
Select OK for all dialog windows to confirm all settings. The configuration for the Windows 10 computer has been
completed and the user should be able to authenticate to WiFi via the certificate without using their username and
password.

Results

1. On the user's device, attempt to connect to the WiFi. Select the user's certificate and select OK.

2. On the FortiAuthenticator, go to Logging > Log Access > Logs to confirm the successful authentication.

3. On the FortiGate, go to Monitor > WiFi Client Monitor to view various information about the client.

You can also go to Log & Report > Forward Traffic to view more log details.

WiFi RADIUS authentication with FortiAuthenticator

In this example, you use a RADIUS server to authenticate your WiFi clients.
The RADIUS server is a FortiAuthenticator that is used to authenticate users who belong to the employees user group.

Creating users and user groups on the FortiAuthenticator

To create users and user groups:

1. Go to Authentication > User Management > Local Users and create a user account.

2. Then go to Authentication > User Management > User Groups and create a local user group (employees), adding
the newly created user.

Registering the FortiGate as a RADIUS client on the FortiAuthenticator

To create the RADIUS client:

1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New.
2. Enter a Name, the IP address of the FortiGate, and set a Secret.
The secret is a pre-shared secure password that the FortiGate will use to authenticate to the FortiAuthenticator.

To create the RADIUS policy:

1. Go to Authentication > RADIUS Service > Policies, and select Create New.
2. Enter the RADIUS policy name, description, and select the FortiGate RADIUS client.
3. Do not configure RADIUS attribute criteria.
4. Set the authentication type as Password/OTP authentication, and enable all EAP types.
5. Choose a username format (in this example: username@realm), select the Local realm.
Add the user group employees as a filter.
6. Review the remaining configurations, and click Save and Exit.

Configuring FortiGate to use the RADIUS server

To configure FortiGate to use the RADIUS server:

1. Go to User & Device > RADIUS Servers and add the FortiAuthenticator as a RADIUS server.
Select Test Connectivity to confirm the successful connection.

Creating an SSID and setting up authentication

To create an SSID and set up authentication:

1. Go to WiFi & Switch Controller > SSID and define your wireless network.

2. Set up DHCP for your clients.

3. Configure WPA2 Enterprise security that uses the RADIUS server.

Connecting and authorizing the FortiAP

To connect and authorize the FortiAP:

1. Go to Network > Interfaces and configure a dedicated interface for the FortiAP.
Under Administrative Access, enable PING and CAPWAP, and enable DHCP Server.
Under Networked Devices, enable Device Detection.

2. Connect the FortiAP unit to the interface. Then go to WiFi & Switch Controller > Managed FortiAPs. Notice the
Status is showing Waiting for Authorization.
When the FortiAP is listed, select and Authorize it.

3. The FortiAP is now Online. The Status may take a few minutes to update.

4. Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile.
This example uses a FortiAP-S 221E, so the FAPS221E-default profile applies.
For each radio, make sure to select your SSID.

Creating the security policy

To create the security policy:

1. Go to Policy & Objects > IPv4 Policy and add a policy that allows WiFi users to access the Internet.

2. Under Logging Options, enable Log Allowed Traffic and All Sessions.

Results

1. Connect to the example-staff network and browse Internet sites.


On the FortiGate, go to Monitor > WiFi Client Monitor to see that clients connect and authenticate.

WiFi with WSSO using FortiAuthenticator RADIUS and Attributes

This is an example of wireless single sign-on (WSSO) with a FortiGate and FortiAuthenticator. The WiFi users are
teachers and students at a school. These users each belong to a user group, either teachers (smaguire) or students
(whunting). The FortiAuthenticator performs user authentication and passes the user group name to the FortiGate so
that the appropriate security policy is applied.
This example assumes that an SSID and a FortiAP are configured on the FortiGate unit. In this configuration, you will be
changing the existing SSID’s WiFi settings so authentication is provided by the RADIUS server.
For this example, the student security policy applies a more restrictive web filter.

Registering the FortiGate as a RADIUS client on the FortiAuthenticator

To create the RADIUS client:

1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New.
2. Enter a Name, the IP address of the FortiGate, and set a Secret.
The secret is a pre-shared secure password that the FortiGate will use to authenticate to the FortiAuthenticator.

To create the RADIUS policy:

1. Go to Authentication > RADIUS Service > Policies, and select Create New.
2. Enter the RADIUS policy name, description, and select the FortiGate RADIUS client.

3. Do not configure RADIUS attribute criteria.


4. Set the authentication type as Password/OTP authentication, and enable all EAP types.

5. Choose a username format (in this example: username@realm), select the Local realm.
6. Review the remaining configurations, and click Save and Exit.

Creating users on the FortiAuthenticator

To create users:

1. Go to Authentication > User Management > Local Users and select Create New.
Create one teacher user (smaguire) and another student user (whunting).

2. Note that, after you create the users, RADIUS Attributes appears as an option.
If your configuration involves multiple users, it is more efficient to add RADIUS attributes in their respective user
groups, in the next step.

Creating user groups on the FortiAuthenticator

To create user groups:

1. Go to Authentication > User Management > User Groups and create two user groups: teachers and students.
Add the users to their respective groups.

2. Once created, edit both user groups and select Add Attribute.
3. Add the Fortinet-Group-Name RADIUS attribute to each group, which specifies the user group name to be sent to
the FortiGate.
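The dynamic VLAN attributes from the earlier example (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id, with the SSID's vlanid 10 as the fallback when none is assigned) and the Fortinet-Group-Name attribute used here both travel in the same RADIUS Access-Accept from the FortiAuthenticator to the FortiGate. The following Python block is an added example and not FortiAuthenticator or FortiGate code: it encodes both kinds of attribute as they appear on the wire (RFC 2865 and RFC 2868 attribute formats, and Fortinet's vendor ID 12356 with Fortinet-Group-Name as vendor type 1), checks the Response Authenticator against the shared secret before trusting anything in the reply, and then decodes the VLAN ID and group names the way a client such as the FortiGate would consume them. The shared secret and Request Authenticator in the test are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute numbers (RFC 2865, RFC 2868) and Fortinet's vendor dictionary
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_SPECIFIC = 26
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1          # Fortinet-Group-Name vendor type
DEFAULT_VLAN = 10                # matches "set vlanid 10" on the SSID


def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (including these two octets), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id, tag=0):
    """The three tunnel attributes FortiAuthenticator sends for dynamic VLAN assignment.
    Tunnel attributes carry a leading tag octet (0x00-0x1F) in front of the value."""
    tagged = bytes([tag])
    return (avp(TUNNEL_TYPE, tagged + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, tagged + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, tagged + str(vlan_id).encode()))


def fortinet_group_name(group):
    """Fortinet-Group-Name as a Vendor-Specific attribute: Vendor-Id, then type/length/value."""
    inner = struct.pack("!BB", FORTINET_GROUP_NAME, len(group) + 2) + group.encode()
    return avp(VENDOR_SPECIFIC, FORTINET_VENDOR_ID.to_bytes(4, "big") + inner)


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Access-Accept whose Response Authenticator binds it to the request and the shared secret."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def response_authenticator_ok(packet, request_authenticator, secret):
    """What the RADIUS client checks before acting on any attribute in the reply."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(payload):
    """Walk a sequence of type/length/value attributes, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs


def split_tag(value):
    """Tunnel attributes: a first octet of 0x00-0x1F is a tag, anything else is data."""
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)


def decode_access_accept(packet, request_authenticator, secret):
    """Return (vlan_id, [group names]); the VLAN falls back to DEFAULT_VLAN when not assigned."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    if not response_authenticator_ok(packet, request_authenticator, secret):
        raise ValueError("bad Response Authenticator: wrong shared secret or tampered reply")
    tunnels, groups = {}, []
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, data = split_tag(value)
            tunnels.setdefault(tag, {})[attr_type] = data      # group the triple by its tag
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            if int.from_bytes(value[:4], "big") == FORTINET_VENDOR_ID:
                for sub_type, sub_value in parse_attributes(value[4:]):
                    if sub_type == FORTINET_GROUP_NAME:
                        groups.append(sub_value.decode("utf-8", "replace"))
    vlan = DEFAULT_VLAN
    for avps in tunnels.values():
        ttype = int.from_bytes(avps.get(TUNNEL_TYPE, b""), "big")
        medium = int.from_bytes(avps.get(TUNNEL_MEDIUM_TYPE, b""), "big")
        gid = avps.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
        # Only a complete, consistent triple with a valid 802.1Q ID is honoured.
        if (ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802
                and gid.isdigit() and 1 <= int(gid) <= 4094):
            vlan = int(gid)
            break
    return vlan, groups
```

Two points the decoder makes visible: a reply whose Response Authenticator does not verify is discarded rather than applied, which is the only protection RADIUS itself gives against a spoofed Access-Accept, and an incomplete or out-of-range VLAN assignment lands the client on the SSID's default VLAN rather than on an arbitrary one.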

Configuring the FortiGate to use the FortiAuthenticator as the RADIUS server

To configure the FortiGate to use the FortiAuthenticator RADIUS server:

1. On the FortiGate, go to User & Device > RADIUS Servers and select Create New.
Enter a Name, the Internet-facing IP address of the FortiAuthenticator, and enter the same Primary Server Secret
entered on the FortiAuthenticator.

Select Test Connectivity to confirm the successful connection.

Configuring user groups on the FortiGate

To configure user groups on the FortiGate:

1. Go to User & Device > User Groups and create two groups named the same as the ones created on the
FortiAuthenticator.

Do not add any members to either group.

Creating security policies

To create a security policy:

1. Go to Policy & Objects > IPv4 Policy and select Create New.
Create two policies (student-wifi and teacher-wifi) with WiFi-to-Internet access: one policy with Source set to the
students user group, and the other set to teachers. Make sure to add the SSID address (example-wifi) to both
policies also.

The student policy has a more restrictive Web Filter profile enabled.

Configuring the SSID to RADIUS authentication

To configure the SSID to RADIUS authentication:

1. Go to WiFi & Switch Controller > SSID and edit your pre-existing SSID interface.
Under WiFi Settings, set Security Mode to WPA2 Enterprise, set Authentication to RADIUS Server, and add the
RADIUS server configured on the FortiGate earlier from the dropdown menu.

Results

1. Connect to the WiFi network as a student.

2. Then on the FortiGate go to Monitor > Firewall User Monitor. From here you can verify the user, the user group, and
that the WSSO authentication method was used.

802.1X authentication using FortiAuthenticator with Google Workspace User Database

This example walks you through integrating FortiAP using a WPA2-Enterprise WLAN encryption with 802.1X
authentication using FortiAuthenticator against Google Workspace as the user database with Secure LDAP.
The customer uses the Google Workspace user database to validate that a corporate user has a valid username and
password and can therefore authenticate to join the corporate network. FortiAuthenticator also provides dynamic VLAN
assignment in this example.

Topology

In this example, the user attempts to join the corporate WLAN, a WPA2-Enterprise WLAN, using FortiAuthenticator as a
RADIUS server. FortiGate acts as the authenticator, forwarding the request to FortiAuthenticator.
FortiAuthenticator is the authentication server and forwards the user request to a remote LDAP server; here, that is
Google Workspace, accessed using Secure LDAP.
If authentication succeeds, the user joins the corporate WLAN and receives attributes from FortiAuthenticator, such as a
dynamic VLAN.

To configure 802.1X authentication using FortiAuthenticator with Google Workspace User Database:

1. Configuring FortiGate as a RADIUS client on page 165.


2. Configuring Google Workspace as an LDAP server. See Google Workspace integration using LDAP on page 170.
3. Creating a realm and RADIUS policy with EAP-TTLS authentication on page 166.
4. Configuring FortiAuthenticator as a RADIUS server in FortiGate on page 167.
5. Configuring a WPA2-Enterprise with FortiAuthenticator as the RADIUS server on page 167.
6. Configuring Windows or macOS to use EAP-TTLS and PAP on page 168.

Configuring FortiGate as a RADIUS client

To configure FortiGate as a RADIUS client:

1. In Authentication > RADIUS Service > Clients, click Create New.


2. Enter a unique name for the RADIUS client and the IP address from which it will be connecting.
This is the IP address of the RADIUS client itself, here, FortiGate, not the IP address of the end-user's device.
3. Enter a password for Secret.
The secret is a pre-shared secure password that the device, here, FortiGate, uses to authenticate to
FortiAuthenticator.
4. Click OK to save changes to the RADIUS client.

Creating a realm and RADIUS policy with EAP-TTLS authentication

To create a realm for the Google Workspace LDAP server:

1. Go to Authentication > User Management > Realms, click Create New.


2. Enter a Name for the realm.

The realm name may only contain letters, numbers, periods, hyphens, and underscores. It
cannot start or end with a special character.

3. Select the previously set Google Workspace LDAP server for the realm from the User source dropdown.
4. Click OK to create the new realm.

To create a RADIUS policy:

1. In Authentication > RADIUS Service > Policies, click Create New.


2. For RADIUS clients, enter an identifiable policy name and description, and add the newly created RADIUS client to
the policy. Click Next.

3. For RADIUS attribute criteria, no settings are required. Click Next.
4. For Authentication type, select Password/OTP authentication, enable Accept EAP, then enable EAP-TTLS.
Click Next.
This allows using EAP-TTLS and PAP in the user's device Wireless settings.
5. For Identity source, choose a username format, and select the realm related to Google Workspace Secure LDAP.
Click Next.
6. For Authentication factors, select Every configured password and OTP factors, and click Next.
In this menu you can also enable the option to Allow FortiToken Mobile push notifications.
7. For RADIUS response, review the policy, and click Save and exit.


Configuring FortiAuthenticator as a RADIUS server in FortiGate

To configure the FortiGate authentication settings:

1. Go to User & Authentication > RADIUS Servers, and click Create New.
2. Enter a Name for the RADIUS server.
3. For Authentication method, select Specify, then select PAP from the dropdown.
4. Enter the IP address of the RADIUS server.
5. Enter the shared Secret key, and click OK.
The secret is the same as the one used when setting up the RADIUS client, here, FortiGate.
6. Click Test Connectivity to test the connection to the server, and ensure that the connection status is Successful.
7. Click OK to save changes.

Configuring a WPA2-Enterprise with FortiAuthenticator as the RADIUS server

To configure a WPA2-Enterprise WLAN:

1. Go to WiFi & Switch Controller > SSIDs.


2. From the Create New dropdown, select SSID.
3. Enter a Name for the interface. Optionally, you can enter an alias.
4. In Traffic mode, select Bridge.
5. In the WiFi settings pane:
a. Enter a name in the SSID field.
b. Enable Broadcast SSID.
c. In Security mode dropdown, select WPA2 Enterprise.
d. In Authentication, select RADIUS Server, and from the dropdown select the FortiAuthenticator RADIUS server
you created.
e. Optionally, enable Dynamic VLAN assignment.


f. For Schedule, select always.


g. Optionally, enable Block intra-SSID traffic.
h. Optionally, enable Broadcast suppression, and select ARPs for known clients, DHCP unicast, DHCP uplink,
IPv6, ALL other broadcast, and All other multicast.
6. Click OK to save changes.
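The RADIUS exchange behind the steps above, as an added example that is not code from this guide or from Fortinet: the Test Connectivity check on FortiGate sends a PAP Access-Request protected only by the shared secret (RFC 2865), and a server that assigns a dynamic VLAN answers with the standard tagged Tunnel attributes (RFC 2868) that 802.1X VLAN assignment uses. The shared secret, NAS address, user database and VLAN number below are constructed; the example shows why a mismatched secret produces a reject and an unverifiable reply rather than a login.

```python
"""Constructed RADIUS PAP exchange (RFC 2865) with a dynamic-VLAN reply (RFC 2868).
Added example, not code from the FortiAuthenticator guide. The shared secret,
NAS address, user database and VLAN assignment below are all constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def pap_encrypt(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous ciphertext block)."""
    padded = password.ljust((max(len(password), 1) + 15) // 16 * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(data, secret, request_auth):
    """Inverse of pap_encrypt; only a server holding the same secret recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(username, password, secret, nas_ip, ident, request_auth=None):
    """NAS side (FortiGate): one PAP Access-Request; the Request Authenticator must be fresh per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def vlan_attrs(vlan_id, tag=1):
    """Tagged Tunnel-* triplet telling an 802.1X NAS which VLAN to place the session in."""
    t = bytes([tag])
    return (attr(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode()))


def radius_server(packet, secret, users, vlans):
    """Server side: recover the PAP password with the server's copy of the secret, decide, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = pap_decrypt(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and user in users and hmac.compare_digest(pw, users[user].encode())
    reply_attrs = vlan_attrs(vlans[user]) if ok and user in vlans else b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def client_verify(response, request_auth, secret):
    """NAS side: a reply only counts if its Response Authenticator was computed with the same secret."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def assigned_vlan(response):
    """VLAN ID from Tunnel-Private-Group-ID, or None when the reply carries no VLAN."""
    for atype, value in parse_attrs(response[20:]):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            body = value[1:] if value and value[0] <= 0x1F else value  # leading byte is a tag only if <= 0x1F
            return int(body.decode())
    return None


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"          # constructed; must be identical on both devices
    ra = os.urandom(16)
    req = build_access_request("alice", "Wonderland!", SECRET, "192.168.50.1", 7, ra)
    resp = radius_server(req, SECRET, {"alice": "Wonderland!"}, {"alice": 20})
    print("code", resp[0], "authenticator ok", client_verify(resp, ra, SECRET), "vlan", assigned_vlan(resp))
```

Running the same request through a server configured with a different secret yields an Access-Reject whose Response Authenticator the client cannot verify, which is exactly what a failed Test Connectivity looks like from the FortiGate side. Note that PAP relies entirely on the shared secret and the outer transport; in the WLAN case that transport is the EAP-TTLS tunnel the earlier steps enable.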

Configuring Windows or macOS to use EAP-TTLS and PAP

To configure Windows to use EAP-TTLS and PAP:

1. Go to Settings > Network & Internet.


2. Select the Wi-Fi tab, and click Manage known networks.
3. Select Add a new network.


4. In the Add a new network dialog:


a. Enter a Network Name.
b. In the Security type dropdown, select WPA2-Enterprise AES.
c. In the EAP method dropdown, select EAP-TTLS.
d. In the Authentication method dropdown, select Unencrypted password (PAP).
5. Click Save.

To configure macOS to use EAP-TTLS and PAP:

1. In the menu bar, click the Wi-Fi icon.


2. Click Create Network.
3. In the dialog that appears:
a. Enter a name for Service Set Identifier (SSID).
b. In the Security Type dropdown, select WPA2-Enterprise (iOS 8 or later except Apple TV).
c. Under Enterprise Settings, select Protocols, then select the TTLS checkbox.
d. In the Inner Authentication dropdown, select PAP.
4. Click Create.

LDAP Authentication

This section describes configuring LDAP authentication.

Google Workspace integration using LDAP

This example explains how to integrate FortiAuthenticator with Google Workspace Secure LDAP using client
authentication through a certificate. The Google Workspace LDAP directory is then used to authenticate end users for 802.1X and VPN.

1. Generating the Google Workspace certificate on page 170


2. Importing the certificate to FortiAuthenticator on page 172
3. Configuring LDAP on the FortiAuthenticator on page 173
4. Troubleshooting on page 173

Generating the Google Workspace certificate

You must first generate a certificate to authenticate the LDAP client (here, FortiAuthenticator) to the Secure LDAP service.

To generate the client certificate:

1. From the Google Admin console, go to Apps > LDAP.


2. Select one of the clients in the list.


3. Click the Authentication card.


4. Click GENERATE NEW CERTIFICATE, then click the download icon to download the certificate.
5. Upload the certificate to your client, and configure the application.
Depending on the type of LDAP client, configuration may require LDAP access credentials. See Generate access
credentials.

Once you have uploaded the certificate to your client, Google Workspace will generate a client certificate and key.
Example:
l Cert: Google_2022_09_09_72372.crt
l Key: Google_2022_09_09_72372.key

Store the certificate and key in a safe place.


By default, FortiAuthenticator will not trust the certificate issued by Google. You must install the Google Trusted CAs
that match the chain group, which can be downloaded at https://pki.goog/:

- GTS Root R1
- GTS Root R2

Importing the certificate to FortiAuthenticator

This series of steps can be performed on the primary FortiAuthenticator.

To import the trusted CA certificate:

1. Go to Certificate Management > Certificate Authorities > Trusted CAs > Import.
2. Enter a Certificate ID, upload a file, and click OK.

Results:

You can now import the LDAP certificate generated by Google Workspace.

To import the client authentication certificate:

1. Go to Certificate Management > End Entities > Local Services > Import.
2. Select Certificate and Private Key as the Type.
3. Enter the Certificate ID, choose the files for the previously saved certificate and private key files, and select OK.


Results:

Configuring LDAP on the FortiAuthenticator

Now you can finish the LDAPS configuration using client authentication through a certificate.
1. Go to Authentication > Remote Auth. Servers > LDAP > Create New, and enter the following information:
a. Enter a name.
b. For Primary server name/IP enter ldap.google.com, and set the port to 636.
c. Enter the base distinguished name.
d. For the Username attribute, enter uid.
e. Select the option to obtain group memberships from Group attribute.
f. Enable Secure Connection and select either LDAPS or STARTTLS as the Protocol, and select All Trusted in
the Trusted CA option.
g. Enable Use Client Certificate for TLS Authentication, and select the LDAP certificate.

2. Select OK.
If required, you can now import users by selecting Import users when editing the LDAP server, selecting the LDAP
server from the Remote LDAP server dropdown, and clicking the Go button next to the Import users dropdown. This
is not a required step, but can be done in cases where you want to include additional information to their accounts or
assign FortiTokens.
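A pre-flight check for the LDAP server settings above, as an added example that is not code from this guide or from Fortinet. It builds the same kind of strict mutual-TLS client that FortiAuthenticator needs (server chain anchored in the GTS roots, hostname checked, the Google-issued client certificate presented) and completes a handshake with ldap.google.com on port 636, so a chain or certificate problem shows up before the FortiAuthenticator form is filled in. It assumes the client certificate and key downloaded from the Google Admin console and a PEM bundle of the GTS roots from https://pki.goog/ have been saved locally (file names are placeholders); the uid filter helper shows the RFC 4515 escaping a client should apply when the Username attribute is uid.

```python
"""Pre-flight check for Google Workspace Secure LDAP over mutual TLS.
Added example, not code from the FortiAuthenticator guide. Assumes the client
certificate/key from the Google Admin console and a PEM bundle of the GTS root
certificates (https://pki.goog/) are saved locally; file names are placeholders."""
import socket
import ssl
import sys

GOOGLE_LDAP_HOST = "ldap.google.com"
GOOGLE_LDAPS_PORT = 636  # implicit TLS (LDAPS); STARTTLS would instead begin in cleartext on 389

# RFC 4515 section 3: characters that must be escaped inside a filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def build_mtls_context(ca_bundle=None, client_cert=None, client_key=None):
    """Strict client context: the server chain must anchor in the given CAs and the name must match."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle:        # GTS Root R1/R2 from pki.goog; without it the OS trust store is used
        ctx.load_verify_locations(cafile=ca_bundle)
    if client_cert:      # the Google-issued certificate and key presented to the LDAP server
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def escape_ldap_filter_value(value):
    """Escape a user-supplied value so it cannot change the structure of the search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def uid_filter(username):
    """Search filter a client builds when the configured Username attribute is uid."""
    return f"(uid={escape_ldap_filter_value(username)})"


def probe_ldaps(ctx, host=GOOGLE_LDAP_HOST, port=GOOGLE_LDAPS_PORT, timeout=10):
    """Complete a TLS handshake and report what the server presented.

    Raises ssl.SSLCertVerificationError when the chain does not anchor in the loaded CAs,
    which is the failure the guide describes when the GTS roots are not installed."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": dict(pair for rdn in cert["subject"] for pair in rdn),
                "issuer": dict(pair for rdn in cert["issuer"] for pair in rdn),
            }


if __name__ == "__main__":
    # placeholders: python3 ldaps_probe.py gts-roots.pem Google_client.crt Google_client.key
    ca_bundle, client_cert, client_key = sys.argv[1:4]
    ctx = build_mtls_context(ca_bundle, client_cert, client_key)
    try:
        print(probe_ldaps(ctx))
    except ssl.SSLCertVerificationError as exc:
        print("server chain not trusted; install the GTS roots:", exc.verify_message)
```

If the handshake succeeds with the GTS bundle but FortiAuthenticator still reports a certificate error, the mismatch is in what was imported as the Trusted CA, not in the Google side of the chain.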

Troubleshooting

Missing option to use client certificate for TLS authentication

Use Client Certificate for TLS Authentication is only supported in FortiAuthenticator 6.0.1 and higher.


Certificate error messages

The following is an example of an incorrect Trusted CA certificate entry. Please verify that you have followed the steps
included in Generating the Google Workspace certificate on page 170.

SAML Authentication

This section describes configuring SAML authentication.

SAML IdP proxy for Azure

This example describes how to set up FortiAuthenticator as a SAML IdP proxy for Microsoft Azure to add OTP to the
Azure IdP authentication.

To configure FortiAuthenticator as a SAML IdP proxy for Azure:

1. Configuring OAuth settings on page 175


2. Configuring the remote SAML server on page 176
3. Creating a remote SAML user synchronization rule on page 177
4. Configuring an Azure realm on page 178
5. Configuring SAML IdP settings on page 178
6. Configuring SP settings on FortiAuthenticator on page 178
7. Configuring the login page replacement message on page 179
8. Results on page 180

Configuring OAuth settings

A remote OAuth server is configured to import SAML users and assign an OTP method through a sync rule import. See
Configuring the remote SAML server on page 176 and Creating a remote SAML user synchronization rule on page 177.

To configure remote OAuth settings:

1. On FortiAuthenticator, go to Remote Auth. Servers > OAUTH, and click Create New.
2. Provide a name for the server and select Azure Directory as the OAuth source.


3. Enter the client ID and client key from the SAML application on your Azure account.

4. Click OK to save changes.

Configuring the remote SAML server

To configure the remote SAML server:

1. Go to Remote Auth. Servers > SAML, and click Create New.


The server name must match the one created in https://portal.azure.com/. For example, if the name in Azure is set
as AZIdP, the SAML server should also use AZIdP (case sensitive).
2. For the Entity ID, click the dropdown menu and select the Azure IdP option.
3. Import the IdP metadata from Azure. To download and import the Azure federation metadata:
a. In Azure, go to Azure Active Directory > App Registrations and select the application being used for
SAML authentications for your FortiAuthenticator.
b. In Endpoints, select the federation metadata document, enter the URL into the browser, and save it as an
XML file.
c. Click Import IDP metadata/certificate, and upload the federation metadata file.
4. In Group Membership, select Cloud and choose the previously created Azure OAuth server. See Configuring OAuth
settings on page 175.
5. At the top of the page, select Proxy as the Type, and copy the Portal URL to be used later when customizing the
replacement message.


6. Click OK to save changes.

Creating a remote SAML user synchronization rule

To create a SAML synchronization rule:

1. Go to Authentication > User Management > Remote User Sync Rules.


2. In the Remote User Sync Rules tab, select SAML, and then select Create New.
The Create New Remote SAML User Synchronization Rule window opens.
3. Enter a name for the synchronization rule.
4. In Remote SAML server, select the remote SAML server created in Configuring the remote SAML server on page
176.
5. In SAML group, select All users.
6. In Token-based authentication sync priorities, set the priority by enabling and dragging FortiToken Mobile (assign
an available token) to the top and enabling None (users are synced explicitly with no token-based authentication).

7. Click OK to create the new SAML synchronization rule.


Configuring an Azure realm

To create an Azure realm and add it to the IdP:

1. Go to Authentication > User Management > Realms


2. Click Create New.
3. Add the details of the Azure realm, and click OK.

Configuring SAML IdP settings

To configure general settings:

1. Go to Authentication > SAML IdP > General.


2. Enable SAML identity provider portal, and enter the following:
a. Server address: Enter the FortiAuthenticator FQDN.
b. Realms: Add the realm associated with the remote server for Azure IdP.
c. Default IdP certificate: Select a default certificate to use.

3. Click OK to save changes.

Configuring SP settings on FortiAuthenticator

To configure service provider settings:

1. Go to Authentication > SAML IdP > Service Providers and create a new reference for the service provider that you
will be using as your SAML client.
2. Enter the following information:
a. SP name: Enter a name for the SP device.
b. IdP prefix: Select +, enter an IdP prefix in the Create Alternate IdP Prefix dialog or select Generate prefix, and
click OK.
c. Server certificate: Select the same certificate as the default IdP certificate used in Authentication > SAML IdP
> General. See Configuring SAML IdP settings on page 178.
3. Click Save.
4. In the SP Metadata pane, enter the SP information from the client you will be using as the SAML service provider.
5. Download the IdP metadata.
This can be used to set up the SAML IdP configuration in your SAML SP client (if allowed by your client).
6. Click OK.
7. Select and click Edit to edit the recently created SP.


8. In Assertion Attribute Configuration:


a. Select Username from the Subject NameID dropdown.
b. Select urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified in Format.
9. In Assertion Attributes, select Add Assertion Attribute:
a. Enter a SAML Attribute name that your SAML SP is expecting to identify the user.
b. Select a User Attribute for this selection. If you are unsure of which attribute to pick, select SAML username.

10. Click OK to save changes.

Configuring the login page replacement message

To configure the login page replacement message:

1. Go to Authentication > SAML IdP > Replacement Messages.


2. On the Login Page replacement message, click the Restore Defaults dropdown and choose idp-server-and-proxy.
3. In the text/html editor, scroll down until you see the [proxy_portal_url] placeholder and replace it with the
previously saved proxy portal URL.


4. Click Save.

Results

To test Azure login through the SP:

1. Enter in the portal login URL from the service provider in a new browser.
You are redirected to the FortiAuthenticator IdP server and proxy page.
2. Click on the link below the login options to be redirected to Microsoft's login page.

SAML IdP proxy for Google Workspace

This example describes how to set up FortiAuthenticator as a SAML IdP proxy for Google Workspace to add OTP to the
Google Workspace IdP authentication.

To configure FortiAuthenticator as a SAML IdP proxy for Google Workspace:

1. Configuring OAuth settings on page 181


2. Configuring the remote SAML server on page 181
3. Creating a remote SAML user synchronization rule on page 182
4. Configuring a Google Workspace Realm on page 183
5. Configuring IdP settings on page 183
6. Configuring SP settings on FortiAuthenticator on page 184
7. Configuring the login page replacement message on page 185
8. Results on page 185


Configuring OAuth settings

A remote OAuth server is configured to import SAML users and assign an OTP method through a sync rule import. See
Configuring the remote SAML server on page 181 and Creating a remote SAML user synchronization rule on page 182.

To configure remote OAuth settings:

1. On FortiAuthenticator, go to Remote Auth. Servers > OAUTH, and click Create New.
2. Provide a name for the server and select Google Workspace Directory as the OAuth source.
3. Enter the Google workspace admin, and upload the Service account key file from the SAML application on your
Google Workspace account.
4. Click OK to save your changes.

Configuring the remote SAML server

To configure the remote SAML server:

1. Go to Remote Auth. Servers > SAML, and click Create New.


The server name must match the one created in Google Workspace. For example, if the name in Google
Workspace is set as GSIdP, the SAML server should also use GSIdP (case sensitive).
2. Import the IdP metadata obtained from the SAML app on Google Workspace.
3. In Username, select Subject NameID SAML assertion.
4. In Group Membership, select Cloud and choose the previously created Google Workspace OAuth server. See
Configuring OAuth settings on page 181.
5. At the top of the page, select Proxy as the Type, and copy the Portal URL to be used later when customizing the
replacement message.


6. Click OK to save your changes.

Creating a remote SAML user synchronization rule

To create a SAML synchronization rule:

1. Go to Authentication > User Management > Remote User Sync Rules.


2. In the Remote User Sync Rules tab, select SAML, and then select Create New.
The Create New Remote SAML User Synchronization Rule window opens.
3. Enter a name for the synchronization rule.
4. In Remote SAML server, select the remote SAML server created in Configuring the remote SAML server on page
181.
5. In SAML group, select All users.
6. In Token-based authentication sync priorities, set the priority by enabling and dragging FortiToken Mobile (assign
an available token) to the top and enabling None (users are synced explicitly with no token-based authentication).


7. Click OK to create the new SAML synchronization rule.

Configuring a Google Workspace Realm

To create a Google Workspace Realm and add it to the IdP:

1. Go to Authentication > User Management > Realms.


2. Click Create New.
3. Add the details of the Google Workspace realm, and click OK.

Configuring IdP settings

To configure general settings:

1. Go to Authentication > SAML IdP > General.


2. Enable the SAML identity provider portal and enter the following:
a. Server address: Enter the FortiAuthenticator FQDN.
b. Realms: Add the realm associated with the remote server for Google Workspace.
c. Default IdP certificate: Select a default certificate to use.

3. Click OK to save your changes.


Configuring SP settings on FortiAuthenticator

To configure service provider settings:

1. Go to Authentication > SAML IdP > Service Providers and create a new reference for the service provider that you
will be using as your SAML client.
2. Enter the following information:
a. SP name: Enter a name for the SP device.
b. IdP prefix: Select +, enter an IdP prefix in the Create Alternate IdP Prefix dialog or select Generate prefix, and
click OK.
c. Server certificate: Select the same certificate as the default IdP certificate used in Authentication > SAML IdP
> General. See Configuring IdP settings on page 183.
3. Click Save.
4. In the SP Metadata pane, enter the SP information from the client you will be using as the SAML service provider.
5. Download the IdP metadata.
This can be used to set up the SAML IdP configuration in your SAML SP client (if allowed by your client).
6. Click OK.
7. Select and click Edit to edit the recently created SP.
8. In Assertion Attribute Configuration:
a. Select Username from the Subject NameID dropdown.
b. Select urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified in Format.
9. In Assertion Attributes, select Add Assertion Attribute:
a. Enter a SAML Attribute name that your SAML SP is expecting to identify the user.
b. Select a User Attribute for this selection. If you are unsure of which attribute to pick, select SAML username.

10. Click OK to save changes.


Configuring the login page replacement message

To configure the login page replacement message:

1. Go to Authentication > SAML IdP > Replacement Messages.


2. On the Login Page replacement message, click the Restore Defaults dropdown and choose idp-server-and-proxy.
3. In the text/html editor, scroll down until you see the [proxy_portal_url] placeholder and replace it with the
previously saved proxy portal URL.

4. Click Save.

Results

To test Google Workspace login through the SP:

1. Enter in the portal login URL from the service provider in a new browser.
You are redirected to the FortiAuthenticator IdP server and proxy page.
2. Click on the link below the login options to be redirected to Google's login page.

SAML FSSO with FortiAuthenticator and Okta

In this example, you will provide a Security Assertion Markup Language (SAML) FSSO cloud authentication solution
using FortiAuthenticator as the service provider (SP) and Okta, a cloud-based user directory, as the identity provider
(IdP).
Okta is a secure authentication and identity and access management service that offers SSO solutions. Okta can be
implemented with a variety of technologies and services including Office 365, Google Workspace, Dropbox, AWS, and
more.


A user will start by attempting to make an unauthenticated web request. The FortiGate’s captive portal will offload the
authentication request to the FortiAuthenticator’s SAML SP portal, which in turn redirects that client/browser to the
SAML IdP login page. Assuming the user successfully logs into the portal, a positive SAML assertion will be sent back to
the FortiAuthenticator, converting the user’s credentials into those of an FSSO user.
In this example configuration, the FortiGate has a DMZ IP address of 192.168.50.1, and the FortiAuthenticator has
the Port1 IP address of 192.168.50.100. Note that, for testing purposes, the FortiAuthenticator's IP and FQDN have
been added to the hosts file of trusted host names; this is not necessary for a typical network.
This configuration assumes that you have already created an Okta developer account.

1. The user attempts to access the internet through FortiGate.


2. The FortiGate captive portal offloads the request.
3. The user is redirected by the FortiGate to the FortiAuthenticator SAML SP portal URL configured for Okta.
4. The FortiAuthenticator SAML SP portal redirects the user to the IdP single sign-on URL, which is the Okta SSO URL.
This is the SAML request for authentication.
5. The user authenticates with the username and password.
Okta Verify Push or manual Okta MFA code can be entered if configured.
6. Okta sends the SAML assertion containing the user and group authentication to the FortiAuthenticator SAML SP
ACS (login) URL.
7. FortiAuthenticator consumes the assertion and sends user and group information via the SSO connector to the
FortiGate.
8. The user browses the internet based on FortiGate identity based policies.

Configuring DNS and FortiAuthenticator's FQDN

1. On FortiAuthenticator, go to System > Dashboard > Status. In the System Information widget, select the edit icon
next to Device FQDN.
Enter a domain name (in this example, fac.school.net). This will help identify where the FortiAuthenticator is
located in the DNS hierarchy.


2. Enter the same name for the Host Name. This is so you can add the unit to the FortiGate's DNS list so that the local
DNS lookup of this FQDN can be resolved.

3. On FortiGate, open the CLI Console and enter the following commands, using the FortiAuthenticator host name and
internet-facing IP address:
config system dns-database
    edit school.net
        config dns-entry
            edit 1
                set hostname fac.school.net
                set ip 192.168.50.100
            next
        end
        set domain school.net
    next
end

Enabling FSSO and SAML on FortiAuthenticator

1. On FortiAuthenticator, go to Fortinet SSO Methods > SSO > General and set FortiGate SSO options. Make sure to
Enable authentication.
Enter a Secret key and select OK to apply your changes. This key will be used on FortiGate to add the
FortiAuthenticator as the FSSO server.


2. Go to Fortinet SSO Methods > SSO > Portal Services and select Enable SAML portal.

3. Next, go to Authentication > Remote Auth. Servers > SAML, and click Create New. Enter Okta as the name.

You will not yet be able to save these settings, as the IdP information (IdP entity ID, IdP
single sign-on URL, and IdP certificate fingerprint) must be entered. These fields will be
filled out later, once the IdP application configuration in Okta is complete.


Configuring the Okta developer account IdP application

1. Open a browser, log in to the Okta developer console, go to the Applications tab, and select Add Application.

2. Select Create New App and create a new application using the SAML 2.0 sign on method.


3. Enter a custom app name, and select Next. You may upload an app logo if you wish.
The name entered here is the name of the portal that users will log into.

4. Under A - SAML Settings, set Single sign on URL and Audience URL (SP Entity ID) to the ACS and Entity URLs
(respectively) from FortiAuthenticator.
Users will be required to provide their email address as their username, and their first and last names (as seen in the
example).
Before continuing, select Download Okta Certificate. This will be imported to the FortiAuthenticator later.

In the section below, configure a Group attribute to match on FortiAuthenticator. The word Group (case-sensitive)
must be entered in Text-based list under Obtain Group Membership from: SAML assertions inside the remote
SAML setup configuration on FortiAuthenticator. Regex matching is the most flexible option for group matching. The
below example matches all groups of a single user.


5. In the last step, confirm that you are an Okta customer, and set the App type to an internal app. Select Finish.

6. Once created, open the Sign On tab and download the Identity Provider metadata.

7. Finally, open the Assignments tab and select Assign > Assign to people.
Assign the users you wish to add to the application. This will permit the user to log in to the application's portal. Save
your changes, and select Done.


Importing the IdP certificate and metadata on FortiAuthenticator

1. On FortiAuthenticator, go to Authentication > Remote Auth. Servers > SAML, and import the IdP metadata and
certificate downloaded from Okta.
This will automatically fill in the IdP fields. Select OK to save your changes.

2. Enable SAML single logout and add the IdP single logout URL under the Single Logout section of the Okta Remote
SAML Server.
For example, if your Okta organization is "facschool" then the IdP single logout URL: entry would be
https://facschool.okta.com/login/default.

3. Go to Fortinet SSO Methods > SSO > FortiGate Filtering, and create a new FortiGate filter.
Enter a name and the FortiGate's DMZ-interface IP address, and click OK.
Once created, enable Forward FSSO information for users from the following subset of users/groups/containers
only. Select Create New to create SSO group filtering objects that match each group inside Okta, and select OK to
apply all changes.

The names entered for the filter must be the same as the group names created in Okta.
Failing to enter the exact same names will result in the SSO information not being pushed
to FortiGate.
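How the SP side consumes the Okta assertion configured above (the Group attribute in step 4 of the Okta application setup, and the exact-name requirement for the FortiGate filters in this note), as an added example that is not code from this guide or from Fortinet. It parses a constructed SAML 2.0 Response, rejects it unless the status is success, the validity window covers the current time and the audience is this SP, reads the Subject NameID and the Group values, and then shows both the exact, case-sensitive filter match and the regex alternative the Okta section mentions. The XML, entity IDs, timestamps and group names are constructed; the XML signature is assumed to have been verified already against the IdP certificate and is not checked here.

```python
"""Consume a constructed SAML 2.0 Response the way an SP does before mapping the
user to FSSO groups. Added example, not code from the FortiAuthenticator guide.
The XML, entity IDs, timestamps and group names are constructed; signature
verification against the IdP certificate is assumed done and is not shown."""
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_AUDIENCE = "https://fac.school.net/saml-sp/Okta/"  # constructed SP entity ID

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>http://www.okta.com/constructed-idp-id</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>http://www.okta.com/constructed-idp-id</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">alice@school.net</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T09:55:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://fac.school.net/saml-sp/Okta/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Group">
        <saml:AttributeValue>Students</saml:AttributeValue>
        <saml:AttributeValue>Everyone</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_response(xml_text, expected_audience, now_iso):
    """Return the subject and groups of an acceptable assertion, or raise ValueError."""
    now = _ts(now_iso)
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion lacks a validity window")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was issued for a different SP")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject NameID")
    groups = [v.text.strip()
              for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
              if attr.get("Name") == "Group"  # attribute name is compared case-sensitively
              for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return {"name_id": name_id.text.strip(), "name_id_format": name_id.get("Format"), "groups": groups}


def evaluate(xml_text, expected_audience, now_iso):
    """Non-raising wrapper: {'ok': True, ...} or {'ok': False, 'reason': ...}."""
    try:
        return {"ok": True, **parse_response(xml_text, expected_audience, now_iso)}
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}


def match_fsso_groups(groups, filter_names):
    """Exact, case-sensitive match: a filter named 'students' never matches the Okta group 'Students'."""
    wanted = set(filter_names)
    return [g for g in groups if g in wanted]


def match_groups_regex(groups, pattern):
    """Regex alternative; '.*' forwards every group the IdP asserted."""
    rx = re.compile(pattern)
    return [g for g in groups if rx.fullmatch(g)]


if __name__ == "__main__":
    result = evaluate(SAMPLE_RESPONSE, SP_AUDIENCE, "2024-01-01T10:00:30Z")
    print(result, match_fsso_groups(result["groups"], ["Students", "students"]))
```

The exact-match function is the reason the filter names on FortiAuthenticator must be spelled exactly as the Okta group names: a filter that differs only in case matches nothing, and no FSSO information for that group reaches FortiGate.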

Configuring FSSO on FortiGate

To configure FSSO on FortiGate:

1. On FortiGate, go to Security Fabric > Fabric Connectors.


Create a new FSSO agent connector to the FortiAuthenticator.
2. Select Apply & Refresh. The SAML user group name is pushed to FortiGate from FortiAuthenticator and appears
when you select View.


Select View and make sure that the FSSO group has been pushed to FortiGate.
3. Go to User & Device > User Groups and create a new user group.
Enter a name, set Type to Fortinet Single Sign-On (FSSO), and add the FSSO group as a Member.


Configure automatic redirect

To configure automatic redirect on FortiGate:

In order to automatically redirect the user to the initial website after authentication, erase the existing HTML code and
replace it with the following HTML code on the FortiGate in System > Replacement Messages > Authentication > Login
Page.
Replace <FortiAuthenticator-FQDN> with the DNS name of the FortiAuthenticator.
<html>
<head>
<meta charset="UTF-8"/>
<meta http-equiv="refresh" content="1;url=https://<FortiAuthenticator-FQDN>/saml-sp/Okta/login/?user_continue_url=%%PROTURI%%&userip=%%USER_IP%%"/>
<script type="text/javascript">
window.location.href="https://<FortiAuthenticator-FQDN>/saml-sp/Okta/login/?user_continue_url=%%PROTURI%%&userip=%%USER_IP%%"
</script>
<title>Page Redirection</title>
</head>
<body>
If you are not redirected automatically,
<a href="https://<FortiAuthenticator-FQDN>/saml-sp/Okta/login/?user_continue_url=%%PROTURI%%&userip=%%USER_IP%%">login</a>
</body>
</html>


Configure address objects and policies

To configure addresses objects and policies on FortiGate:

1. Go to Policy & Objects > Addresses and add the FortiAuthenticator as an address object.

2. Create the FQDN objects below.


- *.okta.com
- *.mtls.okta.com
- *.oktapreview.com
- *.mtls.oktapreview.com
- *.oktacdn.com
- *.okta-emea.com
- *.mtls.okta-emea.com
- *.kerberos.okta.com
- *.kerberos.okta-emea.com
- *.kerberos.oktapreview.com
As these are FQDNs, make sure to set Type to FQDN.
3. Create an Address group and name it Okta Bypass and add the FQDNs you created above into the Okta Bypass
address group.
4. Go to Policy & Objects > IPv4 Policy and create all policies shown in the examples below: a policy for DNS, for
access to the FortiAuthenticator, for Okta bypass, and for FSSO including the SAML user group.
Allow access to the FortiAuthenticator on the DMZ from the LAN:


Add the following three policies in order:

In the SSO_Internet_Access policy, add the Firewall Guest-group and the Okta FSSO group that is received from
FortiAuthenticator. The Guest-group redirects the initial Internet access request from the browser to Okta. Once the
user is authenticated the browser will automatically redirect to the website from the initial HTTP/HTTPS request
matching the Okta SSO group.


Office 365 SAML authentication using FortiAuthenticator with 2FA

FortiAuthenticator can act as the SAML IdP for an Office 365 SP using FortiToken served directly by FortiAuthenticator
or from FortiToken Cloud for two-factor authentication.
The configuration outlined in this guide assumes that you have already configured your FortiAuthenticator with
FortiToken Cloud. For more information on how to do this, please see the FortiAuthenticator Administration Guide.


1. The user browses to the O365 login page.
2. The user enters the UPN to begin login.
O365 determines that the domain is federated.
3. O365 redirects the browser to the PassiveLogOnUri configured for the domain.
4. The PassiveLogOnUri is the IdP single sign-on URL configured for the O365 SP on the FortiAuthenticator.
5. The user enters the UPN and password in the FortiAuthenticator IdP logon page.
6. FortiAuthenticator validates the username and password.
7. The user is prompted for 2FA.
The user approves the 2FA push notification.
8. Authentication is completed by FortiAuthenticator and the browser is redirected to the O365 home page.

To configure Office 365 SAML authentication using FortiAuthenticator with two-factor authentication:

1. Configure the remote LDAP server on FortiAuthenticator on page 202
2. Configure SAML settings on FortiAuthenticator on page 203
3. Configure two-factor authentication on FortiAuthenticator on page 204
4. Configure the domain and SAML SP in Microsoft Entra ID (formerly Microsoft Azure AD) PowerShell on page 205
5. Configure Microsoft Entra ID Connect on page 208

Configure the remote LDAP server on FortiAuthenticator

To configure the LDAP server:

1. Go to Authentication > Remote Auth. Servers > LDAP and click Create New.
2. Configure the following settings:
a. Name: Provide a name for the remote LDAP server.
b. Primary server name/IP: Enter the IP address for the AD (Active Directory) source.
c. Base distinguished name: Configure the base distinguished name for your AD source.
d. Bind type: Select Regular.
e. Username/Password: Enter the username and password for your AD source.
The remaining settings can be left in their default state.
3. Click OK to save your changes.

To configure the Active Directory realm:

1. Go to Authentication > User Management > Realms and click Create New.
2. Configure a name for the realm and select your LDAP server as the User source.


3. Click OK to save your changes.

Configure SAML settings on FortiAuthenticator

To configure FortiAuthenticator IdP settings:

1. Go to Authentication > SAML IdP > General and click Enable SAML Identity Provider portal.
2. Configure the following settings:
a. Server address: The IP address or FQDN of the FortiAuthenticator.
b. Realms: Select the previously created LDAP realm.
c. Default IdP certificate: Choose a certificate. The default can be used if desired.
The remaining settings can be left in their default state.

3. Click OK to save your changes.

To configure the service provider settings on FortiAuthenticator:

1. Go to Authentication > SAML IdP > Service Providers and click Create New.
2. Configure the following settings:
a. SP Name: enter a name for your service provider.
b. IdP Prefix: Click Generate prefix to create a new IdP prefix.
c. Server certificate: Select the certificate to be used in your configuration or choose Use default setting in
SAML IdP General page.
d. SP entity ID: Enter urn:federation:MicrosoftOnline.
e. SP ACS (login) URL: Enter https://login.microsoftonline.com/login.srf.
f. SP SLS (logout) URL: Enter https://login.microsoftonline.com/login.srf.
g. Participate in single logout: Can be enabled if you wish this SP to participate in SAML single logout.
3. In the Assertion Attributes section, configure the following settings:
a. Subject NameID: Select user mS-DS-Consistency Guid.
b. Format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
Press Enter and then SAML attributes can be created.


4. In the Debugging Options section click Create New to create a SAML attribute with the following settings:
a. SAML attribute: Enter IDPEmail.
b. User attribute: In the dropdown, select userPrincipalName under Remote LDAP server.

5. Click OK to save your changes.

Configure two-factor authentication on FortiAuthenticator

To configure a remote user sync rule:

1. Go to Authentication > User Management > Remote User Sync Rules, and click Create New.
2. Configure the following settings:
a. Name: Enter a name for the sync rule (e.g. AD).
b. Remote LDAP: Select your remote LDAP server.
3. Configure the token-based sync priority settings under Synchronization Attributes by enabling and ordering the
authentication sync priorities.
This example scenario uses FortiToken Cloud for two-factor authentication, so the priority is FortiToken Cloud
followed by None (users are synced explicitly with no token-based authentication).


4. Select or create a user group to associate users with from the dropdown menu.
5. The remaining settings can be configured to your preference or left in their default state.
6. Click OK to save your changes when completed.

To configure remote users with two-factor authentication:

1. Go to Authentication > User Management > Remote Users and Import users from your Active Directory account.
2. Edit a user and enable Token-based authentication, and select FortiToken > Cloud as the delivery method.
3. Click OK to save your changes.

Configure the domain and SAML SP in Microsoft Entra ID (formerly Microsoft Azure AD) PowerShell

FortiAuthenticator currently supports use with Microsoft Entra ID Module for Windows PowerShell.

To configure the domain and SAML SP using Microsoft Entra ID PowerShell:

1. Launch the Microsoft Entra ID Module for Windows PowerShell.
2. Enter the following command in PowerShell:
Install-Module -Name MSOnline
Accept the next two default ("Y") prompts for installing the NuGet Provider and installing from PSGallery.


If you are using Windows 2016 or earlier, you must first enable TLS 1.2 enforcement
for Microsoft Entra ID Connect. For instructions on enabling TLS 1.2 enforcement, see
Azure AD Connect: TLS 1.2 enforcement for Azure Active Directory Connect.

3. Enter the following command:
Connect-MsolService
The Microsoft Sign in window opens. Log in with your Azure ID.
4. Add a federated domain by entering the following command:
New-MsolDomain -Name <your domain> -Authentication Federated

5. Obtain the DNS record and create a new text record in your domain provider to allow the domain to be verified. To
obtain the DNS record, use the following command:
Get-MsolDomainVerificationDns -DomainName ftnt.xyz -Mode DnsTxtRecord


From the output, copy the Text field results and create a new text record in your domain with a 60 minute interval.

6. Configure the domain as a SAML service provider.
You can create these variables inside a text editor and then copy and paste them into a PowerShell window.
$domain = "<your domain>"
$cert = "<your certificate. This can be obtained by downloading your certificate
from FortiAuthenticator and opening it with a text editor.>"
$protocol = "SAMLP"
$IssuerUrl = "<The IdP entity ID from FortiAuthenticator>"
$LogonUrl = "<The IdP single sign-on URL from FortiAuthenticator>"
$LogoffUrl = "<The IdP single logout URL from FortiAuthenticator>"

7. To change the authentication type for the domain, enter the following command into PowerShell:
Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $domain `
-Authentication Federated -IssuerUri $IssuerUrl -LogOffUri $LogoffUrl `
-PassiveLogOnUri $LogonUrl -SigningCertificate $cert `
-PreferredAuthenticationProtocol $protocol
8. Once completed, enter the following command into PowerShell to verify the domain:
Confirm-MsolDomain -DomainName $domain -SigningCertificate $cert `
-PreferredAuthenticationProtocol $protocol -IssuerUri $IssuerUrl -PassiveLogOnUri `
$LogonUrl -LogOffUri $LogoffUrl
The return text from the above command should read "AvailableImmediately The domain has been successfully
verified for your account."
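The federation steps above wrapped in a reusable function, added here as an example and not part of the original guide or of the MSOnline module: it derives the base64 signing certificate from the IdP certificate file downloaded from FortiAuthenticator, refuses a certificate that is outside its validity period, runs Set-MsolDomainAuthentication and Confirm-MsolDomain, and reads the stored federation settings back. The certificate path, domain name, host fac.example.com and IdP prefix myprefix are placeholders, and an open Connect-MsolService session is assumed.

```powershell
# Added example (not from the FortiAuthenticator guide): federate a domain to the
# FortiAuthenticator IdP with the MSOnline module. Assumes Connect-MsolService has
# already been run. Paths, domain and URLs below are placeholders to replace.

function Get-FacSigningCertificate {
    param([Parameter(Mandatory)][string]$CertPath)

    # Load the IdP certificate downloaded from FortiAuthenticator
    # (Certificate Management > End Entities). Accepts PEM or DER input.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

    # A certificate outside its validity period is accepted by Set-MsolDomainAuthentication,
    # but every federated sign-in would then fail, so stop here instead.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "IdP certificate $($cert.Thumbprint) is not valid at $now (valid $($cert.NotBefore) to $($cert.NotAfter))"
    }
    if ($cert.NotAfter -lt $now.AddDays(30)) {
        Write-Warning "IdP certificate $($cert.Thumbprint) expires on $($cert.NotAfter); plan the rollover."
    }

    # -SigningCertificate takes the base64 DER body only, without the
    # -----BEGIN/END CERTIFICATE----- lines you would see in a text editor.
    return [Convert]::ToBase64String($cert.RawData)
}

function Set-FacFederatedDomain {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$IssuerUrl,   # IdP entity ID from FortiAuthenticator
        [Parameter(Mandatory)][string]$LogonUrl,    # IdP single sign-on URL
        [Parameter(Mandatory)][string]$LogoffUrl    # IdP single logout URL
    )

    $signingCert = Get-FacSigningCertificate -CertPath $CertPath
    $protocol = 'SAMLP'

    # The browser posts the user's password to the PassiveLogOnUri, so it must be HTTPS.
    foreach ($u in @($LogonUrl, $LogoffUrl)) {
        if ($u -notmatch '^https://') { throw "FortiAuthenticator URL must use HTTPS: $u" }
    }

    Set-MsolDomainAuthentication -DomainName $Domain -FederationBrandName $Domain `
        -Authentication Federated -IssuerUri $IssuerUrl -LogOffUri $LogoffUrl `
        -PassiveLogOnUri $LogonUrl -SigningCertificate $signingCert `
        -PreferredAuthenticationProtocol $protocol

    # Anything other than AvailableImmediately means the DNS TXT record or the
    # federation settings are wrong; show the result to the operator.
    Confirm-MsolDomain -DomainName $Domain -SigningCertificate $signingCert `
        -PreferredAuthenticationProtocol $protocol -IssuerUri $IssuerUrl `
        -PassiveLogOnUri $LogonUrl -LogOffUri $LogoffUrl | Write-Output

    # Read the settings back and fail loudly if Entra ID did not store what was sent.
    $fed = Get-MsolDomainFederationSettings -DomainName $Domain
    $stored = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($fed.SigningCertificate))
    $sent = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($signingCert))
    if ($fed.PassiveLogOnUri -ne $LogonUrl -or $stored.Thumbprint -ne $sent.Thumbprint) {
        throw "Federation settings for $Domain do not match the FortiAuthenticator IdP configuration"
    }
    return $fed
}

# Example invocation with placeholder values; take the real URLs from
# Authentication > SAML IdP > Service Providers on FortiAuthenticator.
Set-FacFederatedDomain -Domain 'example.com' -CertPath 'C:\certs\fac-idp.cer' `
    -IssuerUrl 'http://fac.example.com/saml-idp/myprefix/metadata/' `
    -LogonUrl  'https://fac.example.com/saml-idp/myprefix/login/' `
    -LogoffUrl 'https://fac.example.com/saml-idp/myprefix/logout/'
```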


Configure Microsoft Entra ID Connect

You will first need to download Microsoft Entra ID Connect from Microsoft on your Active Directory Domain Controller.

To configure Microsoft Entra ID Connect:

1. Launch Microsoft Entra ID Connect to create a synchronization service to sync attributes from Active Directory to
Office 365.
2. Select Customize to begin a customized installation, and click Install.


3. On the User sign-in page, select Do not configure, and click Next.


4. On the Connect to Azure AD page, enter your Microsoft Entra ID global administrator credentials, and click Next.


5. Select your Active Directory Forest, and click Add Directory. Create your on-premises AD admin user account.
When finished, click Next. If completed successfully, you will see that your domain has been verified.
Click Next again.


6. Click Next on the remaining pages in the configuration wizard, and click Install on the Ready to configure page.

7. Once the installation is complete, you are presented with the Configuration complete page which provides a
summary of the configuration changes.
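A check worth running once Entra ID Connect has completed its first sync, added here as an example and not part of the original guide: FortiAuthenticator asserts the user's mS-DS-ConsistencyGuid as the persistent NameID, and Office 365 matches it against the cloud user's ImmutableId, so the two values must agree for every synced user. It assumes the ActiveDirectory module on the domain controller, an open Connect-MsolService session, and a placeholder search base of OU=Users,DC=example,DC=com.

```powershell
# Added example (not from the FortiAuthenticator guide): confirm that the NameID
# FortiAuthenticator will send (base64 of mS-DS-ConsistencyGuid) equals the ImmutableId
# that Entra ID Connect wrote to the cloud user. Assumes the ActiveDirectory module
# and an open MsolService session; the search base below is a placeholder.

function Test-FacNameIdMapping {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # On-premises side: the attribute FortiAuthenticator reads over LDAP.
    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'" `
                         -Properties 'mS-DS-ConsistencyGuid'
    if (-not $adUser) { throw "No AD user with UPN $UserPrincipalName" }

    $bytes = $adUser.'mS-DS-ConsistencyGuid'
    if (-not $bytes) {
        # Entra ID Connect stamps mS-DS-ConsistencyGuid with the objectGUID on first
        # sync; while it is empty the user cannot be matched by a persistent NameID.
        throw "$UserPrincipalName has no mS-DS-ConsistencyGuid; run a sync cycle first"
    }
    $onPremNameId = [Convert]::ToBase64String([byte[]]$bytes)

    # Cloud side: the value Office 365 compares the SAML NameID against.
    $cloudId = (Get-MsolUser -UserPrincipalName $UserPrincipalName).ImmutableId

    $result = [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        OnPremNameId      = $onPremNameId
        CloudImmutableId  = $cloudId
        Matches           = ($onPremNameId -eq $cloudId)
    }
    if (-not $result.Matches) {
        # Typical causes: a user created in the cloud before sync (empty ImmutableId) or a
        # restored/migrated AD account whose objectGUID changed. Either way Office 365 will
        # reject the SAML response from FortiAuthenticator for this user.
        Write-Warning "NameID mismatch for ${UserPrincipalName}: AD=$onPremNameId cloud=$cloudId"
    }
    return $result
}

# Report every user in the realm's search base whose NameID would not match.
Get-ADUser -Filter 'userPrincipalName -like "*"' -SearchBase 'OU=Users,DC=example,DC=com' |
    ForEach-Object { Test-FacNameIdMapping -UserPrincipalName $_.UserPrincipalName } |
    Where-Object { -not $_.Matches } |
    Format-Table -AutoSize
```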


Results

Once configured, Active Directory synchronized users can sign in to Office 365 using two-factor authentication from
FortiAuthenticator.


To sign in to Office 365 using FortiAuthenticator with two-factor authentication:

1. Navigate to Office 365 and click Sign in or Switch to a different account.
2. Enter a user account, including its domain, and click Sign in.
3. Authentication is redirected to FortiAuthenticator. Enter your user credentials, and click Login.
Enter your 2FA token or approve the access request from your FortiToken push request.


Once approved you are logged in to your Office 365 account.

FortiGate SSL VPN with FortiAuthenticator as the IdP proxy for Azure

This example configuration allows FortiAuthenticator to act as the IdP proxy for Azure authentication to a FortiGate
SSL VPN connection. By inserting FortiAuthenticator into the authentication flow, SSL VPN users are authenticated
against an Azure IdP with two-factor authentication using FortiToken.
This configuration uses the following topology:

To configure FortiAuthenticator as the IdP proxy for Azure:

1. Configuring Azure on page 217
2. Configuring FortiAuthenticator on page 220
3. Configuring FortiGate on page 225
4. Results on page 227

You need Microsoft Entra ID Premium P1 or P2 to perform group-based assignments to an
Enterprise App. Microsoft Entra ID Free tier only supports user-based assignments.


Configuring Azure

1. Log in to the Azure portal. If you do not yet have a directory or need to create a new one, go to Azure AD and click
Create a tenant.
Configure the directory with the following settings:
a. Select a directory type: Azure Active Directory.
b. Organization name: Enter a name for the organization.
c. Initial domain name: Enter the domain name.
d. Country/Region: Select the relevant country or region.
e. Click Create. The directory will be created after a few minutes. When finished, select the directory in the top-
right corner of Azure.

2. Go to Enterprise Applications, and select Create your own application. Enter a name for your application, for
example: Azure_fac_as_idpproxy.

3. Go to the Single Sign-on section, select SAML, and edit the basic SAML configuration.
Here you will include information obtained from FortiAuthenticator. In this example, the FortiAuthenticator FQDN is
fac.fortilab.local, and the name of the server is defined as Azure_fac_as_idpproxy. You should adjust these settings
to match your FortiAuthenticator's configuration.

4. Edit the User Attributes & Claims section to insert any attributes required for the SAML assertion. In this example,
only user groups have been included.
Click the edit icon, and then click Add a group claim. Select All groups.

5. Download the certificate file. It will be used later when configuring FortiAuthenticator.

6. Go to Users and Groups, and click Add user. Include all users that will be able to authenticate using this application.


7. Go to Properties and get the Application ID. This will be required later.

8. From the directory home, select Roles and Administrators > Directory Readers, and click Add assignments. Search
for your application name, then select and add it.

9. Finally, create your authentication key. Go to App Registrations, click Certificates & Secrets, and create a new key.


Before proceeding, make sure to copy the key value. The key is presented only after its
creation, and you cannot get this information again later.

Configuring FortiAuthenticator

Configure the remote servers

A remote OAuth server is used to obtain group membership from Microsoft Entra ID. Later, a FortiToken can be
associated with those users.

To configure the remote OAuth server:

1. Go to Authentication > Remote Auth. Servers > OAUTH, and click Create New.
2. Configure the following information:
• Name: Enter a name for your OAuth server, for example: AzureCSE.
• OAuth source: Azure Directory.
• Client ID: Enter your Azure Application ID.
• Client Key: Enter your Azure key.
3. Click OK.

To configure the remote SAML server:

1. Go to Authentication > Remote Auth. Servers > SAML, and click Create New.
2. Under Remote SAML Server, configure the following:
• Name: Enter a name for the server. This name must match the server name configured in Azure. In this
example, the server name is Azure_fac_as_idpproxy.
• Type: Proxy.
• Entity ID: Select the Azure IdP option.
• Import IdP metadata/certificate: Import the certificate that you previously exported from Azure.
• IdP entity ID: Enter the Azure AD Identifier from your Azure configuration.
• IdP single sign-on URL: Enter the Login URL from your Azure configuration.
3. Under Single Logout, configure the following:
• Enable SAML single logout: Optionally, you can enable this setting to enable SAML single logout.
• IdP single logout URL: Enter the Logout URL from your Azure configuration.
4. Under Username, configure the following:
• Obtain username from: Select Text SAML assertion and use the configured username claim URL from your
Azure configuration.


5. In Group Membership, configure the following:
• Obtain group membership from: Select Cloud and choose your remote OAuth server. Group membership of
a particular user will be retrieved dynamically through OAuth upon authentication.
6. Click OK.

Configure the SAML IdP settings on FortiAuthenticator

To create the Azure realm:

1. Go to Authentication > User Management > Realms, and click Create New.
2. Configure the following information:
a. Name: Enter a name for your user realm, for example: azurecse
b. User source: Select your remote SAML server as the user source.

3. Click OK.


To enable SAML IdP on FortiAuthenticator:

1. Go to Authentication > SAML IdP > General, click Enable SAML Identity Provider portal, and configure the following:
a. Server address: Enter the IP or FQDN of your FortiAuthenticator.
b. Realms: Select the SAML realm as the default.
c. Default IdP certificate: Select a default IdP certificate.

2. Click OK.
You will also need to download your IdP certificate for use later. It can be downloaded from Certificate Management
> End Entities.

To add FortiGate as a SAML service provider:

1. Go to Authentication > SAML IdP > Service Providers, and click Create New.
2. Under Edit SAML Service Provider, configure the following:
• SP name: Enter a name for this service provider, for example: fgt1sslvpn.
• IdP prefix: Enter a custom IdP prefix or click Generate prefix to automatically populate this field.
3. Under Assertion Attributes, configure the following:
• Subject NameID: Remote SAML Server > Subject NameID.
• Format: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified.
4. Under SAML Attributes, add the following attributes. The user and group information will be propagated by the
FortiAuthenticator IdP in SAML assertions to FortiGate. These must match with the user-name and group-name
keywords defined for the SAML user. See Configure the SAML user on page 225.
• Attribute 1: SAML attribute: groups, User attribute: SAML Group membership.
• Attribute 2: SAML attribute: username, User attribute: SAML Username.


5. Click Save.

Once the settings have been saved, you will see that additional options are available.
You can return to complete the configuration of the SAML service provider settings on
FortiAuthenticator once you have configured your FortiGate SAML user. You will need to
enter the SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL from the FortiGate
configuration.

To update the SAML replacement message:

1. Go to Authentication > SAML IdP > Replacement Messages.
2. Select SAML IdP > Login Page, and then select idp-proxy in the Restore Default dropdown menu.
You can now edit the content in the right pane to include the Portal URL obtained from your remote SAML server.


The URL must be replaced in three places as indicated by [proxy_portal_url] in the text.

3. Click Save.

Configure FortiToken

To include tokens in a user's authentication:

1. Go to Authentication > User Management > Remote Users, select SAML, and click Import.
2. Under Import Remote SAML Users, configure the following settings:
a. Remote SAML server: Select your remote SAML server, for example: Azure_fac_as_idpproxy.
b. Group: Select All users or choose a user group.
3. Click OK.
4. Edit an imported user to define the token. Enable Token-based authentication, and select your token type.
5. Click OK.


Configuring FortiGate

Import the certificate

To import the FortiAuthenticator IdP certificate:

1. Go to System > Certificates, and click Import > Remote Certificate.
2. Click Upload and select your FortiAuthenticator IdP certificate.
3. Click OK.
FortiGate will choose a name by default. You can rename the certificate for easier management with the following
CLI commands:
config vpn certificate remote
    rename <DEFAULT_CERT_NAME> to <NEW_CERT_NAME>
end

Configure the SAML user

You can now configure a FortiGate SAML user to point to FortiAuthenticator as the IdP.
In this example configuration, the FortiGate SSL VPN link is https://203.0.113.18:10443. This can be replaced
with the SSL VPN link from your own configuration.
You will also need to adjust the FortiAuthenticator IdP entity ID, login URL, and logout URL to match those configured in
your FortiAuthenticator. This information is available on FortiAuthenticator in Authentication > SAML IdP > Service
Providers.
Configuring the SAML user must be done through the FortiGate CLI.

To configure a SAML user:

1. In the FortiGate CLI, enter the following commands:
config user saml
    edit "fac-samlproxy-sslvpn"
        set cert "Fortinet_Factory"
        set entity-id "https://203.0.113.18:10443/remote/saml/metadata"
        set single-sign-on-url "https://203.0.113.18:10443/remote/saml/login"
        set single-logout-url "https://203.0.113.18:10443/remote/saml/logout"
        set idp-entity-id "http://fac.fortilab.local/saml-idp/fgt1sslvpn/metadata/"
        set idp-single-sign-on-url "https://fac.fortilab.local/saml-idp/fgt1sslvpn/login/"
        set idp-single-logout-url "https://fac.fortilab.local/saml-idp/fgt1sslvpn/logout/"
        set idp-cert "FAC_IdP"
        set user-name "username"
        set group-name "groups"
    next
end

The entity ID, single sign on URL, and single logout URL configured in the FortiGate CLI must
now be entered in the FortiAuthenticator service provider configuration.
See To add FortiGate as a SAML service provider: on page 222


The user-name and group-name configured must match what is being returned from
FortiAuthenticator in the SAML assertions. See Configure the SAML IdP settings on
FortiAuthenticator on page 221.

You can now create a SAML group which includes that user. You can also define the SAML groups that will be allowed to
log in as this group. In this example, only users that belong to "FGTGroup1" will be allowed to log in to the SSL VPN.
This can only be done through the FortiGate CLI.

To configure a SAML group:

1. In the FortiGate CLI, enter the following commands:
config user group
    edit "samlproxy-sslvpn"
        set member "fac-samlproxy-sslvpn"
        config match
            edit 1
                set server-name "fac-samlproxy-sslvpn"
                set group-name "FGTGroup1"
            next
        end
    next
end

Next, increase the remote authentication timeout. This must be set to allow for enough time for the user to authenticate
into Microsoft Entra ID. This can only be done through the FortiGate CLI.

To increase the remote authentication timeout:

1. In the FortiGate CLI, enter the following commands:
config system global
    set remoteauthtimeout 60
end

Configure the SSL VPN

You can define a portal for the SAML group in your SSL VPN settings.

To add a portal to your SSL VPN:

1. Go to VPN > SSL-VPN Settings, and edit your SSL VPN configuration.
2. Under Authentication/Portal Mapping, click Create New.
3. Configure the following information:
a. Users/Groups: Select the configured user group.
b. Portal: full-access.
4. Click OK and save your changes to the SSL VPN settings.
5. Configure your SSL VPN rules as required.

For more information on configuring SSL VPN on FortiGate, see the FortiGate Administration Guide.


Results

To sign in to your SSL VPN:

1. Once the user tries to connect to the SSL VPN web portal, FortiGate will redirect the user to FortiAuthenticator.

2. The FortiAuthenticator will act as a SAML proxy and forward the request to Azure for authentication.

3. After entering their credentials, if the user has a token assigned, they will be asked to enter it for two-factor
authentication.

4. The user is now connected to the SSL VPN.

SAML FSSO with FortiAuthenticator and Microsoft Entra ID (formerly Microsoft Azure AD)

In this example, you will provide a Security Assertion Markup Language (SAML) FSSO cloud authentication solution
using FortiAuthenticator as the service provider (SP) and Microsoft Entra ID, as the identity provider (IdP).


1. The client connects to FortiGate, which redirects the user to the FortiAuthenticator captive portal.
2. The client connects to FortiAuthenticator (SAML SP), which redirects the user to Microsoft Entra ID (SAML IdP).
3. The client connects to Microsoft Entra ID to perform authentication. It receives a SAML token on successful
authentication.
4. The client updates the SP with its SAML token.
5. The authenticated user is synced with the FortiGate device.
6. The user can now pass from LAN to WAN.

To configure SAML FSSO with FortiAuthenticator and Microsoft Entra ID:

1. Microsoft Azure related configurations:
a. Creating a tenant in Azure Portal on page 228.
b. Creating an enterprise application in Azure Portal on page 230.
c. Setting up single sign-on for an enterprise application on page 231.
i. Adding a user group SAML attribute to the enterprise application on page 232.
ii. Adding users to an enterprise application on page 233.
d. Adding the enterprise application as an assignment on page 233.
e. Registering the enterprise application with Microsoft identity platform and generating authentication key on
page 234.
2. FortiAuthenticator related configurations:
a. Creating a remote OAuth server with Azure application ID and authentication key on page 234.
b. Creating a remote SAML server on page 234.
c. Setting up SAML SSO in FortiAuthenticator on page 236.
3. FortiGate related configurations:
a. Adding an FSSO agent on page 236.
b. Configuring an interface to use an external captive portal on page 237.
c. Configuring a policy to allow a local network to access Microsoft Azure services on page 237.
d. Creating an exempt policy to allow users to access the captive portal on page 238.
4. Results on page 239.

Creating a tenant in Azure Portal

To create a tenant:

1. Sign in to Microsoft Azure Portal.
2. In Azure portal, go to Azure Active Directory.
The Overview page opens.


3. In Overview, select Manage tenants, and then select Create.
The Create a tenant window opens.
4. In the Basics tab, select Azure Active Directory as the tenant type, and select Next: Configuration.
5. In Configuration, enter the Organization name, Initial domain name, and Country/Region.
6. Select Next: Review + create to review the entries, and select Create to create the tenant.

To switch to the correct directory:

1. Click the user icon on the top right.
2. Select Switch directory.
3. From the list, select Switch for the directory you intend to use.


Creating an enterprise application in Azure Portal

To create an enterprise application:

1. Go to Azure Active Directory > Enterprise applications.
2. In Enterprise applications, select New application.
The Browse Azure AD Gallery page opens.
3. In the Browse Azure AD Gallery, select Create your own application.
The Create your own application window opens.
4. In the Create your own application window, enter a name for the application, and select Create.


Setting up single sign-on for an enterprise application

Once the application is created, you can set up single sign-on for your application.

To set up single sign-on:

1. Go to Azure Active Directory > Enterprise applications.
2. In Enterprise applications, enter the name of your enterprise application in the search bar, and click the application
to open it.
See Creating an enterprise application in Azure Portal on page 230.
3. Select Get Started in Set up single sign on.
4. In Single sign-on, select SAML.
The SAML-based Sign-on window opens.


5. In the SAML-based Sign-on window, select Edit in the Basic SAML Configuration pane.
6. In the Basic SAML Configuration window, enter the following information from the FortiAuthenticator SP:
a. In Identifier (Entity ID), enter the SP entity ID.
b. In Reply URL (Assertion Consumer Service URL), enter the URL where the application receives the
authentication token.
c. In Sign on URL, enter the URL for the sign-in page for the application.
d. In Relay State, enter the URL to which the SP redirects the user after a successful assertion response.
e. In Logout Url, enter the URL used to send the SAML logout response back to the application.
f. Click Save.

See Adding a user group SAML attribute to the enterprise application on page 232 and Adding users to an
enterprise application on page 233.

Adding a user group SAML attribute to the enterprise application

To add a user group SAML attribute:

1. In the SAML-based Sign-on window that opens after step 4 in Setting up single sign-on for an enterprise application
on page 231, go to the Attributes & Claims pane, and select Edit.
2. In the Attributes & Claims window, select Add a group claim.
The Group Claims window opens.
3. In the Group Claims window, select All groups in Which groups associated with the user should be returned in the
claim? and then click Save.


The Attributes and Claims window is updated to include a group claim.

In the SAML Signing Certificate pane, download the certificate file (base64) needed to
configure the remote SAML server.

Adding users to an enterprise application

To add users:

1. In the SAML-based Sign-on window that opens after step 4 in Setting up single sign-on for an enterprise application
on page 231, go to Users and Groups.

2. Select Add user/group and then select None Selected to open the Users and groups window.
3. In the Users and groups window, search the name of the user(s) and select Select to include all users able to
authenticate using the enterprise application.
4. Select Assign to add the user(s).

Go to Manage > Properties and make note of the Application ID required when setting up an
OAuth server.

Adding the enterprise application as an assignment

To add the enterprise application as an assignment:

1. Go to the directory home, and select Roles and administrators.
2. From the Administrative roles list, select Directory readers.


3. Select the ellipsis for Directory readers and then select Description.
4. Go to Assignments and select Add assignment.
5. In the Add assignments window, search your application by name, and select Add.

Registering the enterprise application with Microsoft identity platform and generating authentication key

To register the enterprise application:

1. Go to the directory home, and select App registrations.
2. In the App registrations window, select All applications, and search your application by name.
3. In the list, select your application.
4. Go to Manage > Certificates & secrets, and select + New client secret.
5. In the Add a client secret window:
a. In Description, enter a description for the client secret.
b. From the Expires dropdown, select a time period after which the client secret expires.
c. Select Add.

In Client secrets, make note of the Value.
Since this key is visible only once (immediately after creation), you will have to recreate the
key if you do not copy and store it.
The key is required when setting up an OAuth server.

Creating a remote OAuth server with Azure application ID and authentication key

To create a remote OAuth server:

1. Go to Authentication > Remote Auth. Servers > OAUTH and select Create New.
The Create New Remote OAuth Server window appears.
2. Enter a name for the remote OAuth server.
3. In the OAuth source dropdown, select Azure Directory.
4. In Client ID, enter the application id that you saved when Adding users to an enterprise application on page 233.
5. In Client Key, enter the authentication key created in Registering the enterprise application with Microsoft identity
platform and generating authentication key on page 234.
6. Enable Include for SSO, and in Azure AD tenant ID, enter your Microsoft Entra ID tenant ID.
7. Select OK to add the remote OAuth server.

Creating a remote SAML server

To create a remote SAML server:

1. Go to Authentication > Remote Auth. Servers > SAML and select Create New.
The Create New Remote SAML Server window opens.


2. Enter a name for the remote SAML server.
The name of the remote SAML server is then used when configuring SAML single sign-on in Azure.
3. Select Type as FSSO.
The Portal URL is the Sign on URL in the SAML-based Sign-on window in Azure Active
Directory > Enterprise applications on the Azure portal.
4. In Entity ID, enter the SAML SP entity ID.
The Entity ID is the Identifier (Entity ID) in the Azure portal.
5. In IdP entity ID, enter the unique name of the SAML IdP.
The IdP entity ID is Azure AD Identifier in the Azure portal.
6. In IdP single sign-on URL, enter the identity provider portal URL you want to use for SSO.
The IdP single sign-on URL is Login URL in the Azure portal.
7. In IdP certificate fingerprint:
a. Select Import Certificate.
b. In the Import Certificate dialog, select Upload a file, browse to the certificate file (base64) you saved earlier,
click Open, and then click OK.
8. Select Enable SAML single logout and enter the URL used to send the SAML logout response back to the
application in IdP single logout URL.
The IdP single logout URL is the Logout URL in the Azure portal.
9. In the Username pane, select Text SAML assertion, and enter the name of the text-based SAML assertion from which usernames are obtained.
10. In the Group Membership pane:
a. In Obtain group membership from, select Cloud.
b. In the OAuth server dropdown, select the remote OAuth server created in Creating a remote OAuth server with Azure application ID and authentication key on page 234.
11. Click OK.
The following shows the relation between the Microsoft Entra ID IdP and the remote SAML server.

Setting up SAML SSO in FortiAuthenticator

To enable SAML portal:

1. Go to Fortinet SSO Methods > SSO > Portal Services.


2. In the Edit Portal Services Settings window, select Enable SAML portal to enable SAML portal log in for SSO.
3. Click OK.

To configure SAML SSO authentication to use Azure SAML IdP:

1. Go to Fortinet SSO Methods > SSO > SAML Authentication and select Create New.
The Create New SAML Identity Provider window opens.
2. In Remote SAML server dropdown, select the remote SAML server created in Creating a remote SAML server on
page 234.
3. In the Domain Membership pane, enable Get SSO domain name from, and select Username prefix/suffix to obtain
the domain name specified in the username.
4. Click OK to create the new SAML SP portal.

To enable FSSO for FortiGate and define a password:

1. Go to Fortinet SSO Methods > SSO > General to open the Edit SSO Configuration window.
2. In the FortiGate pane, select Enable authentication, then enter a secret key, or password, in the Secret key field.
3. Click OK.

To create a FortiGate filter and include the groups from Microsoft Entra ID:

1. Go to Fortinet SSO Methods > SSO > FortiGate Filtering and select Create New.
The Create New FortiGate Filter window opens.
2. Enter a name to identify the filter.
3. In FortiGate name/IP, enter the FortiGate unit's FQDN or IP address.
4. In the Fortinet Single Sign-On (FSSO) pane, enable Forward FSSO information for users from the following subset of users/groups/containers only, and include the groups from Microsoft Entra ID whose information you intend to send to the FortiGate.
5. Click OK.

Adding an FSSO agent

To add an FSSO agent:

1. Go to Security Fabric > External Connectors and select Create New.
The New External Connector window opens.
2. In the Endpoint/Identity pane, select FSSO Agent on Windows AD.

3. In the Connector Settings pane:
a. Enter a name for the FSSO agent.
b. In Primary FSSO agent, enter the FortiAuthenticator SP IP address, and enter a password.

Select View next to Users/Groups to view the groups you previously added in
FortiAuthenticator.

4. Click Apply and Refresh and then click OK.

Configuring an interface to use an external captive portal

To configure an interface:

1. Go to Network > Interfaces.
2. Select Create New > Interface.
The New Interface window opens.
3. Enter a name for the interface. Optionally, enter an alias.
4. In Type, select 802.3ad Aggregate.
5. In the Role dropdown, select LAN.
6. In the Address pane:
a. In Addressing mode, select Manual.
b. In IP/Netmask, enter an IP address/netmask for the interface.
c. In IPv6 addressing mode, select Manual.
d. Disable Create address object matching subnet.
7. In the Network pane:
a. Enable Device detection.
b. Enable Security mode, and from the dropdown, select Captive Portal.
c. In Authentication portal, select External, and enter the captive portal URL.

The captive portal URL points to samlsp/[saml-sp-name]/login/, where [saml-sp-name] is the remote SAML server name set in Creating a remote SAML server.

d. Optionally, in User access, select Restricted to Groups, and then select groups for User Groups.
8. Click OK.

Configuring a policy to allow a local network to access Microsoft Azure services

To configure a policy:

1. Go to Policy & Objects > Firewall Policy and select Create New.
2. Enter a name for the policy.
3. In Incoming Interface, select the interface created to use an external captive portal.
4. In Outgoing Interface, select the interface for virtual WAN.

5. In Source:
a. Select + to open the Select Entries window.
b. In Address, search and select all.
c. Select Close.
6. In Destination:
a. Select + to open the Select Entries window.
b. In Internet Service, search and select Microsoft-Azure.
c. Select Close.
7. In Advanced pane, enable Exempt Captive Portal to exempt this policy from the captive portal.

To make the Advanced pane visible:
l Go to System > Feature Visibility.
l Enable Policy Advanced Options.
l Click Apply.

8. Click OK.

Creating an exempt policy to allow users to access the captive portal

If the FortiAuthenticator is not in the local user’s network, you need to create an exempt policy allowing users to access
the FortiAuthenticator and reach the captive portal.

To create an exempt policy:

1. Go to Policy & Objects > Firewall Policy and select Create New.
2. Enter a policy name.
3. In Incoming Interface, select the interface created to use an external captive portal.
4. In Outgoing Interface, select the interface for DMZ.
5. In Source:
a. Select + to open the Select Entries window.
b. In Address, search and select all.
c. Select Close.
6. In Destination:
a. Select + to open the Select Entries window.
b. In Address, select Create > Address, and in the New Address window, enter details related to the
FortiAuthenticator SP. Click OK.
c. Select Close.
7. In Service:
a. Select + to open the Select Entries window.
b. Search and select HTTPS.
c. Select Close.
8. In the Firewall/Network Options pane, disable NAT.

9. In Advanced pane, enable Exempt Captive Portal to exempt this policy from the captive portal.

To make the Advanced pane visible:
l Go to System > Feature Visibility.
l Enable Policy Advanced Options.
l Click Apply.

10. Click OK.

Results

1. Once the user attempts to access the SP, they are redirected to Azure for authentication.
2. After entering the credentials, the user sees a message that the login was successful.
The SSO session is visible in both FortiAuthenticator and FortiGate:
l In FortiAuthenticator: Monitor > SSO > SSO Sessions.
l In FortiGate: Dashboard > User & Devices.

Office 365 SAML authentication using FortiAuthenticator with 2FA in Azure/ADFS hybrid environment

FortiAuthenticator can act as the SAML IdP for an Office 365 SP using FortiToken served directly by FortiAuthenticator
or from FortiToken Cloud for two-factor authentication.
The configuration outlined in this guide assumes that you have already configured your FortiAuthenticator with
FortiToken Cloud, and that ADFS is set up as a SAML IdP.

To configure Office 365 SAML authentication using FortiAuthenticator with two-factor authentication:

1. Configure FortiAuthenticator as an SP in ADFS on page 239
2. Configure the remote SAML server on FortiAuthenticator on page 240
3. Configure SAML settings on FortiAuthenticator on page 241
4. Configure two-factor authentication on FortiAuthenticator on page 242
5. Configure FortiAuthenticator replacement messages on page 243
6. Results on page 243

Configure FortiAuthenticator as an SP in ADFS

On your ADFS IdP, configure FortiAuthenticator as a SAML SP and return the following SAML assertions:
l Type: Proxy
l Subject NameID: MS-DS-consistencyGUID
l IDPEmail: userPrincipalName
l username: sAMAccountName

Configure the remote SAML server on FortiAuthenticator

Configure a remote SAML server connected to the ADFS IdP.

To configure the remote SAML server on FortiAuthenticator:

1. Go to Authentication > Remote Auth. Servers > SAML and click Create New.
2. Configure the remote SAML server:
a. Name: Provide a name for the remote SAML server.
b. Type: Proxy
c. IdP Settings: Enter the IdP entity ID, IdP Single sign-on URL, and IdP certificate fingerprint obtained from your
ADFS IdP.
d. Obtain username from: Select Text SAML Assertion and enter username.
3. Click OK to save your changes.

To configure the ADFS realm:

1. Go to Authentication > User Management > Realms and click Create New.
2. Configure a name for the realm and select your remote SAML server as the User source.

3. Click OK to save your changes.

Configure SAML settings on FortiAuthenticator

To configure FortiAuthenticator IdP settings:

1. Go to Authentication > SAML IdP > General and click Enable SAML Identity Provider portal.
2. Configure the following settings:
a. Server address: The IP address or FQDN of the FortiAuthenticator.
b. Realms: Select the previously created SAML realm.
c. Default IdP certificate: Choose a certificate. The default can be used if desired.
The remaining settings can be left in their default state.
3. Click OK to save your changes.

To configure the O365 service provider settings on FortiAuthenticator:

1. Go to Authentication > SAML IdP > Service Providers and click Create New.
2. Configure the following settings:
a. SP name: enter a name for your O365 service provider.
b. IdP Prefix: Click Generate prefix to create a new IdP prefix.
c. Server certificate: Select the certificate to be used in your configuration or choose Use default setting in
SAML IdP General page.
d. IdP signing algorithm: Select Use default signing algorithm in SAML IdP General page.
e. Participate in single logout: Can be enabled if you wish this SP to participate in SAML single logout.
3. In the Assertion Attribute Configuration section, configure the following settings:
a. Subject NameID: Select Subject NameID.
b. Format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

4. Click Save and the SP Metadata and Assertion Attribute fields are displayed. Configure the following settings for the
SP Metadata.
a. SP entity ID: Enter urn:federation:MicrosoftOnline.
b. SP ACS (login) URL: Enter https://login.microsoftonline.com/login.srf.
c. SP SLS (logout) URL: Enter https://login.microsoftonline.com/login.srf.
5. In Assertion Attributes click Create New and configure the following assertion attribute:
a. SAML attribute: IDPEmail
b. User attribute: SAML assertion
c. Custom field: IDPEmail
6. Save your changes to the SAML SP.

Configure two-factor authentication on FortiAuthenticator

To configure a remote user sync rule:

1. Go to Authentication > User Management > Remote User Sync Rules, choose SAML and then click Create New.
2. Configure the following settings:
a. Name: Enter a name for the sync rule (e.g. SAML Users).
b. Remote SAML server: Select the previously configured remote SAML server.
3. Configure the token-based sync priority settings under Synchronization Attributes by enabling and ordering the
authentication sync priorities.
This example scenario uses FortiToken Cloud for two-factor authentication, so the priority is FortiToken Cloud
followed by None (users are synced explicitly with no token-based authentication).
4. Select or create a user group to associate users with from the dropdown menu.
5. In SAML User Mapping Attributes, set the Username field to sAMAccountName.
6. The remaining settings can be configured to your preference or left in their default state.
7. Click OK to save your changes when completed.

To configure remote users with two-factor authentication:

1. Go to Authentication > User Management > Remote Users and Import users from the remote SAML account.
2. Edit a user and enable One-Time Password (OTP) authentication, and select FortiToken > Cloud as the delivery
method.
3. Click OK to save your changes.

Configure FortiAuthenticator replacement messages

To configure the FortiAuthenticator replacement messages:

1. Go to Authentication > SAML IdP > Replacement Messages, and click the Login Page replacement message.
2. Click Restore Default in the replacement message toolbar and select idp-proxy.
3. On the right side of the screen you can edit the replacement message's HTML. Follow the instructions included in
the HTML to replace [proxy_portal_url] with the ADFS portal URL.
4. Click Save.

Results

Once configured, Active Directory synchronized users can sign in to Office 365 using two-factor authentication from
FortiAuthenticator.

To sign in to Office 365 using FortiAuthenticator with two-factor authentication:

1. When the user attempts to access the Office 365 SP, they are redirected to the ADFS SAML IdP.

2. In the ADFS server login page, enter username and password.

3. Enter your 2FA token or approve the access request from your FortiToken push request.

Once approved you are logged in to your Office 365 account.

SSL VPN SAML authentication using FortiAuthenticator with OneLogin as SAML IdP

Using this example, you can set up a SAML-authentication-based SSL VPN configuration with OneLogin as the IdP.

FortiAuthenticator and OneLogin configurations must be set up in parallel to generate the required SAML URL and certificate information.

Following the example, you can connect to an SSL VPN configured FortiGate with your account validated by OneLogin, using FortiAuthenticator as an IdP proxy.
In this example:
l FortiAuthenticator acts as an IdP proxy to OneLogin, i.e., the FortiAuthenticator IdP proxy receives SAML authentication requests and passes them to OneLogin, where users are validated against the OneLogin user database.
l FortiAuthenticator acts as an IdP to local resources. SAML clients act as SAML SPs to FortiAuthenticator. FortiAuthenticator uses local or remote databases for user authentication.

User validation is done using the OneLogin user database.

l FortiGate is an SSL VPN gateway and acts as an SP for FortiAuthenticator.
VPN user authentication requests are sent to FortiAuthenticator for validation.
l OneLogin is used to create an advanced SAML custom connector.
l OneLogin acts as an IdP for FortiAuthenticator.

Prerequisites and scope of the example

1. Access to a valid OneLogin account.
2. IP connectivity to FortiAuthenticator is already established.
3. FortiGate SSL VPN is already configured.
4. OneLogin MFA related configurations are beyond the scope of this example.
FortiGate 7.0.3 and the OneLogin SAML Custom Connector (Advanced) for SAML 2.0 are used in this example.

To configure SSL VPN SAML authentication with OneLogin as SAML IdP:

1. OneLogin related configurations:
a. Creating an OneLogin application on page 246
b. Configuring an application on OneLogin on page 246
i. Configuring application parameters on OneLogin on page 248
ii. Configuring SSO on OneLogin on page 249
c. Granting user access to the application on page 250
2. FortiAuthenticator related configurations:
a. Configuring a remote SAML server on page 251
b. Configuring an OneLogin realm on page 253
c. Creating remote SAML users on page 253
d. Configuring SAML IdP settings on page 254
e. Configuring FortiAuthenticator replacement message on page 255
f. Configuring FortiGate SP settings on FortiAuthenticator on page 255
3. FortiGate related configurations:
a. Uploading SAML IdP certificate to the FortiGate SP on page 257
b. Creating SAML user and server on page 258
c. Mapping SSL VPN authentication portal on page 260
d. Increasing remote authentication timeout using FortiGate CLI on page 261
e. Configuring a policy to allow users access to allowed network resources on page 261

Creating an OneLogin application

To create an OneLogin application:

1. Log in to OneLogin with a Super user account.
2. Go to Applications > Applications.

If you are unable to locate the Applications option, go to Administration > Users and privileges and ensure that Permission is set as Super user.

3. Select Add App.
4. In the Find Applications page, search and select SAML Custom Connector (Advanced).
The Add SAML Custom Connector (Advanced) window opens.
5. In Display Name, enter a name for the application.
6. Customize icons as required. Optionally, enter a description.
7. Click Save.

See Configuring an application on OneLogin on page 246, Configuring application parameters on OneLogin on page
248, and Configuring SSO on OneLogin on page 249.

Configuring an application on OneLogin

To configure an OneLogin application:

1. In the SAML Custom Connector (Advanced) window that opens after step 7 in Creating an OneLogin application on
page 246, go to the Configuration tab.
Alternatively, go to Applications > Applications, from the applications list select your application, and then go to the
Configuration tab.
2. In Audience (Entity ID), enter the Entity ID from the remote SAML server configuration on FortiAuthenticator.
3. In ACS (Consumer) URL Validator, enter the modified ACS (login) URL from the remote SAML server configuration
on FortiAuthenticator.

The ACS (Consumer) URL Validator must start with a “^”, end with a “$”, and have a “\”
preceding every “/”, “?” and “.”.
See the screenshot below.

4. In ACS (Consumer) URL, enter the ACS (login) URL from the remote SAML server configuration on
FortiAuthenticator.
5. In Single Logout URL, enter the SLS (logout) URL from the remote SAML server configuration on
FortiAuthenticator.
6. In Login URL, enter the Portal URL from the remote SAML server configuration on FortiAuthenticator.
7. SAML not valid before and SAML not valid on or after may be changed as required.
8. Ensure that SAML initiator is set as OneLogin.
9. Ensure that SAML nameID format is set as Email.
10. Ensure that SAML issuer type is set as Specific.
11. In the SAML signature element dropdown, select Both.
12. Click Save.

Parameters while configuring an application on OneLogin must match the remote SAML
server configuration on FortiAuthenticator.
See Configuring a remote SAML server on page 251.
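As an added illustration that is not part of the Fortinet document, the following Python helper builds the ACS (Consumer) URL Validator from an ACS (login) URL exactly as the note above describes (anchor with "^" and "$", backslash before every "/", "?" and "."), and shows why the escaping matters: an anchored pattern with an unescaped "." also accepts a look-alike host, widening the set of ACS destinations OneLogin would accept. The sample URLs are constructed placeholders, not values from the document.

```python
import re

# Characters that the OneLogin note says must be backslash-escaped in the
# ACS (Consumer) URL Validator.
_ESCAPED_CHARS = ("/", "?", ".")


def acs_url_validator(acs_url: str) -> str:
    """Build the ACS (Consumer) URL Validator from an ACS (login) URL.

    The pattern starts with "^", ends with "$", and every "/", "?" and "."
    is preceded by a backslash. No other characters are changed.
    """
    escaped = "".join(f"\\{ch}" if ch in _ESCAPED_CHARS else ch for ch in acs_url)
    return f"^{escaped}$"


def naive_validator(acs_url: str) -> str:
    """Anchored but unescaped pattern, shown only to illustrate the mistake."""
    return f"^{acs_url}$"


def validator_accepts(validator: str, candidate_url: str) -> bool:
    """True if the validator regex matches the entire candidate URL."""
    return re.fullmatch(validator, candidate_url) is not None


# Constructed sample values (placeholders, not taken from the document).
SAMPLE_ACS_URL = "https://fac.example.com/saml-idp/proxy/acs/"
# Same URL with the "." after "fac" replaced by "X": a different host name.
LOOKALIKE_URL = "https://facXexample.com/saml-idp/proxy/acs/"


if __name__ == "__main__":
    strict = acs_url_validator(SAMPLE_ACS_URL)
    loose = naive_validator(SAMPLE_ACS_URL)
    print("validator to paste into OneLogin:", strict)
    print("strict accepts real ACS URL:", validator_accepts(strict, SAMPLE_ACS_URL))
    print("strict accepts look-alike  :", validator_accepts(strict, LOOKALIKE_URL))
    print("loose accepts look-alike   :", validator_accepts(loose, LOOKALIKE_URL))
```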

Configuring application parameters on OneLogin

To configure an email application parameter on OneLogin:

1. Go to Applications > Applications, from the applications list select your application.
2. Go to the Parameters tab and select +.
The New Field dialog opens.
3. In the New Field dialog:
a. In Field name, enter a name.
b. Select the Include in SAML assertion checkbox.
c. Click Save.

4. Open the recently created field, and in the Value dropdown, select Email.
5. Click Save.

Once the field is configured, the window should appear as shown below.

To configure a Memberof application parameter on OneLogin:

1. Repeat steps 1 to 3 in Configuring an email application parameter on OneLogin.
2. Open the recently created field, and in the Value dropdown, select MemberOf.
3. Click Save.
4. Click Save from the top.

Configuring SSO on OneLogin

To configure SSO on OneLogin:

1. Go to Applications > Applications, from the applications list select your application.
2. Go to the SSO tab.
3. In the SAML Signature Algorithm dropdown, select SHA-256.

4. Click Save.

Clicking View Details in X.509 Certificate shows the certificate assigned to the application by OneLogin, including its fingerprint. Ensure that the SHA fingerprint is SHA256.
Select a format from the dropdown and download the certificate.

Granting user access to the application

To grant user access to the application:

1. Go to Users > Users.
2. Select the desired user from the list.
The Users window opens.
3. Go to the Applications tab and select +.

4. In the Assign new login to window, select the previously created application, and select Continue.

If only one application exists or is unassigned to a user, it is automatically selected.

5. In the new dialog that appears:
a. Ensure that Allow the user to sign in is selected.
b. In NameID value, enter the user email address.
c. In group, enter OneLogin.

The group parameter has been manually overridden. The group value is contained in the SAML assertion, and the FortiGate firewall policy configuration step uses it to match group information and grant users access based on the OneLogin group affiliation.
See Configuring FortiGate SP settings on FortiAuthenticator on page 255 and Configuring a policy to allow users access to allowed network resources on page 261.

d. Ensure that email is the same as the NameID value.
e. Click Save.

Configuring a remote SAML server

Some fields, including IdP entity ID, IdP single sign-on URL, and IdP certificate fingerprint, are
configured based on the corresponding OneLogin settings.
It is advised that you set up OneLogin and the SAML server simultaneously.
See Configuring SSO on OneLogin on page 249 and Configuring application parameters on
OneLogin on page 248.

To configure a remote SAML server:

1. Go to Authentication > Remote Auth. Servers > SAML and select Create New.
The Create New Remote SAML Server window opens.
2. Enter a name for the SAML server.
3. Select Type as Proxy.

The Portal URL is the SAML SP login URL.

4. In the Entity ID dropdown, select the non-Azure IdP entity ID.
5. In the IdP Metadata pane:
a. In IdP entity ID, enter Issuer URL from the SSO tab in the OneLogin application configuration.
b. In IdP single sign-on URL, enter SAML 2.0 Endpoint (HTTP) from the SSO tab in the OneLogin application configuration.
c. In IdP certificate fingerprint, select Import certificate, and upload the certificate fingerprint file that you saved
while configuring the application on OneLogin. See Downloading the IdP certificate fingerprint on OneLogin.
Alternatively, select Import IdP metadata to import the IdP related URL(s) you saved from OneLogin. See
Importing IdP metadata.
6. Enable SAML single logout and in IdP single logout URL enter SLO Endpoint (HTTP) from the SSO tab in OneLogin
application configuration. See View Details.
7. In the Username pane, ensure that Obtain username from is set to the default Subject NameID SAML assertion.
8. In the Group Membership:
a. In Obtain group membership from, select SAML assertions.
b. In SAML assertions, select Text-based list, and enter group.
group is the application parameter with Value set as Memberof. See Configuring a Memberof application
parameter on OneLogin.

In the Text-based list field, any value can be used as long as it is a parameter of the OneLogin application.

9. Optionally, enable Implicit group membership when only a single group exists.

10. Click OK.

Once the OneLogin application is set up and a certificate is associated with the application,
you can download the IdP metadata by going to More Actions > SAML Metadata in one of
the tabs when configuring the application.

Configuring an OneLogin realm

To create a realm:

1. Go to Authentication > User Management > Realms, and select Create New.
2. Enter a name for the realm.
3. In User source, select the remote SAML server created in Configuring a remote SAML server on page 251.
4. Click OK.

Creating remote SAML users

To create remote SAML users:

1. Go to Authentication > User Management > Remote Users, and select SAML.
2. Select Create New.
The Create New Remote SAML User window opens.
3. In the Remote SAML dropdown, select the remote SAML server created in Configuring a remote SAML server on
page 251.

4. In Username, enter a username in email format as set in OneLogin. Optionally, enter any useful information that you
may need in the User Information pane.

For successful authentication, the username must match the email on OneLogin.

5. Click OK.

Once saved, the newly created remote SAML user allows for FortiAuthenticator MFA, if required.

Configuring SAML IdP settings

To configure SAML IdP settings:

1. Go to Authentication > SAML IdP > General, and select Enable SAML Identity Provider portal.
2. In Server address, enter the FortiAuthenticator FQDN.

The device FQDN can be configured from the System Information widget in System > Dashboard > Status.
The FQDN must be resolvable via DNS for users using the service.

3. Ensure that Username input format is set as username@realm.
4. In the Realms dropdown, select the OneLogin realm configured in Configuring an OneLogin realm on page 253.
Optionally, for group filtering, enable Filter, click the pen icon to edit, select groups from the Available User Groups
search box, and click OK. This restricts access to a subset of users, e.g., restrict SAML authentication only to a
group of 3rd party contractors even though all users may have been imported to FortiAuthenticator.
5. Optionally, in login session timeout, adjust the amount of time the user session is valid for, on successful
authentication.
6. In the Default IdP certificate dropdown, select the local FortiAuthenticator certificate to use to sign SAML requests to
SP clients. The certificate is uploaded to the FortiGate SP. See Uploading SAML IdP certificate to the FortiGate SP
on page 257.
To export the IdP certificate, see Exporting the IdP certificate.
7. Ensure that Get nested groups for user is disabled.
8. Click OK.

To export the IdP certificate:

1. Go to Certificate Management > End Entities > Local Services.
2. Select the certificate used in the SAML IdP and click Export Certificate.

As a best practice, the default certificate should not be used as it is less secure than a
certificate issued by a trusted Certificate Authority (CA).

Configuring FortiAuthenticator replacement message

To configure a replacement message:

1. Go to Authentication > SAML IdP > Replacement Messages, and click the Login Page replacement message.
2. In Restore Default dropdown, select idp-proxy to automatically redirect users to the IdP proxy login page after 3
seconds.
Alternatively, select idp-server-and-proxy, and then select Or Sign in using a cloud server to go to the IdP proxy
login page.
3. On the right side of the screen, you can edit the replacement message in HTML. Replace all instances of [proxy_portal_url] with the Portal URL from Configuring a remote SAML server on page 251.
4. Click Save.

In the Restore Default dropdown, the idp-server option must not be selected, as it does not redirect users to the IdP proxy, i.e., OneLogin, for authentication.

For the configurations to work, the SAML IdP login page replacement message must be
edited to include the portal URL.

Configuring FortiGate SP settings on FortiAuthenticator

FortiGate is configured as a SAML client, i.e., a SAML SP for FortiAuthenticator.

To complete the following configuration, you will need to configure the SAML settings on the FortiGate SP at the same time. This is because some fields, including the SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL, are only available when configuring the SAML settings on the FortiGate SP.

To configure FortiGate service provider settings on FortiAuthenticator:

1. Go to Authentication > SAML IdP > Service Providers, and click Create New.
2. Enter the following information:
a. SP name: Enter a name for the FortiGate SP.
b. IdP prefix: Select +, enter an IdP prefix in the Create Alternate IdP Prefix dialog or select Generate prefix, and
click OK.
c. Server certificate: Select the same certificate as the default IdP certificate used in Authentication > SAML IdP
> General. See Configuring SAML IdP settings on page 254.
d. In Application name for FTM push notification, enter OneLogin.
3. Click Save.
4. In the SP Metadata pane, enter the following information:
a. SP entity ID: Enter the SP entity ID from Creating SAML user and server on page 258.
b. SP ACS (login) URL: Enter the SP single sign-on URL from Creating SAML user and server on page 258.
c. SP SLS (logout) URL: Enter the SP single logout URL from Creating SAML user and server on page 258.

SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL must match their
respective configurations on the FortiGate SP side.

5. Click OK.
6. Select and click Edit to edit the recently created FortiGate SP.
7. In Assertion Attribute Configuration:
a. Select Subject NameID in Subject NameID.
b. Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress in Format.
8. In Assertion Attributes, select Add Assertion Attribute:
a. Enter a name for the SAML attribute. Here, group.
b. Select SAML assertion in the User attribute dropdown.
c. Enter group in Custom field.
d. Select Add Assertion Attribute again to create a new SAML attribute named email, and from the User attribute
dropdown select SAML username.

SAML assertion attribute names and values must match values configured in Creating
SAML user and server on page 258.

9. Click OK to save changes.

Uploading SAML IdP certificate to the FortiGate SP

To upload SAML IdP certificate:

1. Go to System > Certificates.
2. From the Create/Import dropdown, select Remote Certificate.
The Upload Remote Certificate window opens.
3. In the Upload Remote Certificate window, select Upload, and browse to the certificate that you saved in Exporting
the IdP certificate.
4. Click Open.

5. Click OK.

6. Make note of the name of the certificate used. Here, REMOTE_Cert_2.
The certificate is then referenced in Creating SAML user and server on page 258.

Ensure that the correct certificate is uploaded to the FortiGate SP, else SAML
authentication fails due to a mismatch in the certificate used by FortiAuthenticator to sign
the SAML assertion.

The FortiGate SP only trusts SAML assertions signed by the certificate selected in
Creating SAML user and server on page 258.

Creating SAML user and server

To create a new SAML server:

1. Go to User & Authentication > Single Sign-On and select Create New.
The single-sign on wizard opens.
2. Enter a name for the SAML server.
3. In SP address, enter the local IP address and port in the format <IP_ADDRESS>:<PORT>.

SP address is the IP address of the interface users use to connect to the SSL VPN in VPN
> SSL-VPN Settings > Listen on Interface(s).
The port should be the same port configured in VPN > SSL-VPN Settings > Listen on Port.

Click the icon beside the SP entity ID, SP single sign-on URL, and SP single logout URL
fields to copy the text.
SP entity ID, SP single sign-on URL, and SP single logout URL are then used when
configuring SP settings on FortiAuthenticator.
See Configuring FortiGate SP settings on FortiAuthenticator on page 255.

4. Click Next.

5. In IdP Details:
a. Ensure that IdP type is Fortinet Product.
b. In IdP address, enter the Server address from FortiAuthenticator. See Configuring SAML IdP settings on page
254.
c. In Prefix, enter the IdP prefix from Configuring FortiGate SP settings on FortiAuthenticator on page 255.
d. In the IdP certificate dropdown, select the certificate from Uploading SAML IdP certificate to the FortiGate SP
on page 257.
6. In the Additional SAML Attributes pane:
a. In Attribute used to identify users, enter email.
b. In Attribute used to identify groups, enter group.

Attribute used to identify users and Attribute used to identify groups must match Assertion
Attributes configured in Configuring FortiGate SP settings on FortiAuthenticator on page
255.

7. Click Submit.

To create the SAML group:

1. Go to User & Authentication > User Groups and click Create New.
2. Enter a name for the group.
3. In Remote Groups, select Add.
The Add Group Match window opens.
4. In the Remote Server dropdown, select FAC OneLogin IdP Proxy.

FAC OneLogin IdP Proxy is the name of the SAML server set up in Creating a SAML
server.

5. In Groups, select Any.

You may set Groups as Specify to filter specific groups from the FortiGate SP.

6. Click OK.
7. Click OK.

Mapping SSL VPN authentication portal

To map SSL VPN authentication portal:

1. Go to VPN > SSL-VPN Settings.


2. In the Authentication/Portal Mapping pane:
a. Select Create New.
The New Authentication/Portal Mapping window opens.
b. In User/Groups, select +, search and select the SAML user group configured in Creating the SAML group.

c. In the Portal dropdown, select full-access or tunnel-access.

In the Portal dropdown, web-access can also be selected if the user connects to the
network using the portal.

d. Click OK.
3. Click Apply.

Increasing remote authentication timeout using FortiGate CLI

To allow enough time for the remote authentication process to take place, the default value of the remote authentication
timeout must be increased.

To increase remote authentication timeout:

1. In the FortiGate CLI console, enter the following commands:

config system global
    set remoteauthtimeout 60   # seconds that the FortiGate waits for a response from the remote authentication server
end

The remote authentication timeout value should be adjusted according to the requirements of your environment. The value set above (60 seconds) may not work for you.

Configuring a policy to allow users access to allowed network resources

To configure a policy:

1. Go to Policy & Objects > Firewall Policy and select Create New.
2. Enter a name for the policy.
3. In Incoming Interface, select SSL-VPN tunnel interface (ssl.root).
4. In Outgoing Interface, select a destination interface.
5. In Source:
a. Select + to open the Selected Entries window.
b. In User, search and select the SAML user group created in Creating a SAML group and the SSL VPN pool
range object.
c. Select Close.
6. In Destination:
a. Select + to open the Selected Entries window.
b. In Address, search and select the destination address.
c. Select Close.

7. In the Schedule dropdown, select always.


8. In Service:
a. Select + to open the Selected Entries window.
b. Search and select ALL.
c. Select Close.
9. Optionally, in the Security Profiles pane, select the required options.
10. Click OK.

If more policies are required, modify the above steps as needed.

FortiGate SSL VPN with FortiAuthenticator as SAML IdP

In this configuration, the FortiGate acts as a SAML Service Provider (SP) requesting authentication from FortiAuthenticator, which acts as a SAML Identity Provider (IdP). FortiAuthenticator connects to the Windows AD via LDAP to authenticate user requests. The FortiAuthenticator also acts as a root CA to sign certificates for the SP, the IdP and the FortiGate SSL VPN portal.
Users are managed in Windows AD under the Security Groups Finance and Sales. The users are:

User          sAMAccountName   Security Group   MemberOf
Tom Smith     tsmith           Sales            CN=Sales,CN=Users,DC=fortiad,DC=info
Dan Parker    dparker          Finance          CN=Finance,CN=Users,DC=fortiad,DC=info

The following shows topology for the configuration used in this example:

The authentication process is as follows in this deployment using SSL VPN web mode:

1. The user initiates an SSL VPN request to the FortiGate.
2. The FortiGate sends a POST redirect to the browser.
3. The browser redirects the SAML authentication request to FortiAuthenticator.
4. The user authenticates with FortiAuthenticator using their LDAP credentials.
5. FortiAuthenticator sends a SAML assertion that contains the user and group authentication in a POST redirect to the SSL VPN login page.
6. The browser sends the redirected FortiAuthenticator request that contains the SAML assertion to the FortiGate.
7. The FortiGate consumes the assertion and provides the user with access to resources based on the defined firewall security policy.

In the case of SSL VPN tunnel mode, the communication on the user endpoint is done on the
FortiClient rather than the browser.

Assumptions

1. A policy is configured on the FortiGate using VIP to allow external users access to the FortiAuthenticator for SAML
authentication. The VIP maps 10.0.3.7->10.88.0.7 on TCP/443.
2. When using SSL VPN tunnel mode, the end user’s FortiClient is registered to the EMS server in order to license the
VPN remote access module.
3. A policy is configured on the FortiGate using VIP to allow external users access to EMS for Telemetry. The VIP
maps 10.0.3.254->10.88.0.1 on TCP/8013.

Certificate management

During the authentication process, the SAML SP and IdP must verify each other. This means that they must verify
certificates on both ends. Since the local CA manages the SAML certificates on the FortiAuthenticator, it has the
certificates necessary for its configurations. To complete its configuration, the SAML SP certificate and SAML IdP
certificate must be exported and loaded onto the FortiGate.
Furthermore, in this scenario, the CA on the FortiAuthenticator will also sign the SSL VPN certificate used by the
FortiGate. This certificate must also be exported and loaded on the FortiGate.

Configuring the local CA on FortiAuthenticator

To configure a local CA on FortiAuthenticator:

1. Go to Certificate Management > Certificate Authorities > Local CAs and select Create New.
The Create New Local CA Certificate window opens.
2. In Certificate ID, enter a unique ID for the CA.
3. In the Subject Information pane, enter the necessary subject information to identify the CA.

4. Click OK.

To export the created local CA:

1. Go to Certificate Management > Certificate Authorities > Local CAs.
2. From the local CA certificate list, select the local root CA created in Configuring a local root CA, and select Export Certificate to export the CA certificate in .crt format. This certificate is then imported on the client endpoint later.

Generating the certificates on FortiAuthenticator

To generate a user certificate for the FortiGate SAML SP on FortiAuthenticator:

1. Go to Certificate Management > End Entities > Users and select Create New.
2. In Certificate ID, enter a unique ID for the certificate.
3. Ensure that the Issuer is Local CA.
4. In Certificate authority dropdown, select the previously created local CA. See Configuring a local root CA.
5. In the Subject Information pane, enter the necessary subject information to identify the user certificate.
6. Click OK.

To export the user certificate:

1. Go to Certificate Management > End Entities > Users.
2. From the users list, select the user certificate created in Configuring a user certificate, and select Export Key and Cert to export the user certificate in .p12 format.
3. Enter a password to secure the key.

To generate a server certificate for the SAML IdP on FortiAuthenticator:

1. Go to Certificate Management > End Entities > Local Services and select Create New.
2. In Certificate ID, enter a unique ID for the certificate.
3. In Certificate authority dropdown, select the previously created local CA.
See Configuring a local root CA.
4. In the Subject Information pane, enter the necessary subject information to identify the server certificate.
5. Click OK.

To export the server certificate:

1. Go to Certificate Management > End Entities > Local Services.
2. From the local services list, select the server certificate created in Configuring a server certificate, and select Export Certificate to export the certificate in .cer format.

To create and sign a user certificate for FortiGate SSL VPN web portal:

1. On FortiGate, go to System > Certificate, and from the Create/Import dropdown, select Generate CSR.
2. Enter the Certificate Name, Subject Information and any Optional Information such as a Subject Alternative Name.
3. Click OK.

4. On the Certificates list page, select the user certificate you have created under Local Certificate.
5. Click Download to download the CSR file.
6. On FortiAuthenticator, go to Certificate Management > End Entities > Users, and click Import.
7. Enter a Certificate ID.
8. Select Upload a file to locate and upload the CSR file created from the FortiGate.
9. In the Certificate authority dropdown, select the certificate authority created earlier. See Configuring a local root CA.

10. Click OK.

11. In Certificate Management > End Entities > Users, select the above certificate.
12. Click Export Certificate to export a .cer file.

Importing certificates on FortiGate

To import the SAML SP user certificate:

1. On FortiGate, go to System > Certificates, and from the Create/Import dropdown, select Certificate.
2. In the Create Certificate window, select Import Certificate in the Import Certificate pane.
3. In Type, select PKCS #12 Certificate.
4. In Certificate with key file, select Upload, locate and then upload the .p12 user certificate with key file from your
computer, and enter the password.
See Exporting user certificate.
5. Click Create.
On the certificates list page, the new certificate is available in Local Certificate.

To import the SAML IdP remote certificate:

1. On FortiGate, go to System > Certificates, and from the Create/Import dropdown, select Remote Certificate.
2. Select Upload to locate and upload the .cer remote certificate from your computer.
3. Click OK.
On the certificates list page, the new certificate is now available in Remote Certificate.

To import the user certificate for the FortiGate SSL VPN portal:

1. On FortiGate, go to System > Certificates, and from the Create/Import dropdown, select Certificate.
2. Select Import Certificate to locate the .cer user certificate file from your computer.
3. Click Create.
On the certificates list page, the new certificate is now available in Local Certificate.

FortiAuthenticator user management

FortiAuthenticator acts as the SAML IdP, authenticating users against the Windows AD. To do this, the appropriate
LDAP connection, user realm and user groups must be configured before it can be applied to the SAML IdP
configurations.
Configuring multiple user groups is optional. In this example, multiple groups are used to ensure only users who are
members of the Sales and Finance groups can pass authentication.

To configure an LDAP remote authentication server on FortiAuthenticator:

1. Go to Authentication > Remote Auth. Servers > LDAP, and select Create New.
2. Configure the LDAP server settings to connect to the Windows AD as shown in the screenshot.

3. Click OK.

To configure a user realm on FortiAuthenticator:

1. Go to Authentication > User Management > Realms and select Create New.
2. Name the realm.
3. In User source, from the dropdown, select the recently created LDAP server.
4. Click OK.

To configure user groups on FortiAuthenticator:

1. Go to Authentication > User Management > User Groups and select Create New.
2. To create a user group for Sales:
a. In Name, enter Sales.
b. Set the Type as Remote LDAP.
c. From the Remote LDAP dropdown, select the recently created LDAP server.
d. In LDAP filter, specify an LDAP filter using an LDAP query.
To select users who are memberOf the Sales group, enter
(&(objectclass=user)(memberOf=CN=Sales,CN=Users,DC=fortiad,DC=info))
3. Click OK.
4. To create a user group for Finance:
a. In Name, enter Finance.
b. Set the Type as Remote LDAP.

c. From the Remote LDAP dropdown, select the recently created LDAP server.
d. In LDAP filter, specify an LDAP filter using an LDAP query.
To select users who are memberOf the Finance group, enter
(&(objectclass=user)(memberOf=CN=Finance,CN=Users,DC=fortiad,DC=info))
e. Click OK.

The LDAP filter above will not match users whose group (Sales or Finance) is set as the
primary group. This is because the primary group is returned by the primaryGroupID
attribute by Windows AD and does not appear in the memberOf attribute.
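To see what this note means in practice, the following added example (not from the Fortinet documentation) evaluates the page's two memberOf filters against constructed AD entries for the fortiad.info example domain; the user jlee, the RIDs 1105 and 1106 for the Sales and Finance groups, and all entry contents are constructed for illustration.

```python
"""Evaluate the page's memberOf-based LDAP filters against constructed AD entries.

Added example, not from the FortiAuthenticator documentation. All directory
entries below are constructed; the RIDs for Sales (1105) and Finance (1106)
and the user jlee are assumptions made for illustration.
"""

SALES_DN = "CN=Sales,CN=Users,DC=fortiad,DC=info"
FINANCE_DN = "CN=Finance,CN=Users,DC=fortiad,DC=info"

# The two filters configured on the FortiAuthenticator user groups.
SALES_FILTER = f"(&(objectclass=user)(memberOf={SALES_DN}))"
FINANCE_FILTER = f"(&(objectclass=user)(memberOf={FINANCE_DN}))"

# Constructed entries. Attribute names are stored lower-cased because LDAP
# attribute names are case-insensitive. primaryGroupID holds the RID of the
# user's primary group (513 = Domain Users); AD does NOT list the primary
# group in memberOf, which is the gap the note above describes.
ENTRIES = [
    {"samaccountname": ["tsmith"], "objectclass": ["top", "person", "user"],
     "memberof": [SALES_DN], "primarygroupid": ["513"]},
    {"samaccountname": ["dparker"], "objectclass": ["top", "person", "user"],
     "memberof": [FINANCE_DN], "primarygroupid": ["513"]},
    # Constructed user whose PRIMARY group was changed to Sales (RID 1105):
    # the Sales DN is no longer in memberOf, so the page's filter misses them.
    {"samaccountname": ["jlee"], "objectclass": ["top", "person", "user"],
     "memberof": [], "primarygroupid": ["1105"]},
]
GROUP_RIDS = {SALES_DN: 1105, FINANCE_DN: 1106}  # constructed RIDs


def _parse(text, i):
    """Parse one RFC 4515 filter starting at text[i] == '('.

    Supports the subset the page uses: '&', '|', '!' and 'attr=value'
    equality. Returns (node, index_after_closing_paren).
    """
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i] in "&|!":
        op = text[i]
        i += 1
        children = []
        while i < len(text) and text[i] == "(":
            child, i = _parse(text, i)
            children.append(child)
        if i >= len(text) or text[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), i + 1
    end = text.index(")", i)  # DNs contain commas and '=' but never ')'
    attr, sep, value = text[i:end].partition("=")
    if not sep:
        raise ValueError("only equality matches are supported")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(entry, node):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        values = entry.get(attr, [])
        if value == "*":
            return bool(values)  # presence test
        return any(v.lower() == value.lower() for v in values)
    if op == "&":
        return all(matches(entry, child) for child in node[1])
    if op == "|":
        return any(matches(entry, child) for child in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    raise ValueError(f"unknown operator {op!r}")


def select(entries, filter_text):
    """Return the sAMAccountNames matched by an LDAP filter, sorted."""
    node = parse_filter(filter_text)
    return sorted(e["samaccountname"][0] for e in entries if matches(e, node))


def primary_group_members(entries, group_dn):
    """Users whose PRIMARY group is group_dn: visible via primaryGroupID, not memberOf."""
    rid = str(GROUP_RIDS[group_dn])
    return sorted(e["samaccountname"][0] for e in entries
                  if rid in e.get("primarygroupid", []))


if __name__ == "__main__":
    print("Sales filter   ->", select(ENTRIES, SALES_FILTER))             # ['tsmith']
    print("Finance filter ->", select(ENTRIES, FINANCE_FILTER))           # ['dparker']
    print("primary=Sales  ->", primary_group_members(ENTRIES, SALES_DN))  # ['jlee']
```

Running it shows jlee in `primary_group_members` but absent from the Sales filter result, which is exactly the case the note warns about.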

SAML IdP and SP configurations

Before configuring the IdP and SP settings, quickly note down the IP addresses and ports that
will be used by the client endpoint to connect to the IdP and SP.

In this topology, the IP addresses and ports used by the client endpoint are:
• FortiAuthenticator (IdP) – 10.0.3.7:443
• FortiGate (SP) – 10.0.3.254:10443 (10443 is used for access related to SSL VPN based on the default listening port
for SSL VPN. Change this accordingly when listening on a different port)
In general, the URLs used for the SP and IdP configurations in an SSL VPN scenario are in the following format:

Settings                                                  FortiGate CLI setting     URL format
SP Entity ID                                              entity-id                 http://<SP_IP>:<port>/remote/saml/metadata/
SP Assertion consumer service (login) URL                 single-sign-on-url        https://<SP_IP>:<port>/remote/saml/login/
SP Single logout service URL                              single-logout-url         https://<SP_IP>:<port>/remote/saml/logout/
IdP Entity ID                                             idp-entity-id             http://<IdP_IP>:<port>/saml-idp/<prefix>/metadata/
IdP Assertion consumer service URL (Single sign-on URL)   idp-single-sign-on-url    https://<IdP_IP>:<port>/saml-idp/<prefix>/login/
IdP Single logout service URL (single logout URL)         idp-single-logout-url     https://<IdP_IP>:<port>/saml-idp/<prefix>/logout/

To configure general SAML IdP settings on FortiAuthenticator:

1. Go to Authentication > SAML IdP > General.


2. Enable SAML Identity Provider portal.

3. Enter the server address. This address must be accessible by the client endpoint.
4. In Realms, select Add a realm and select the recently created realm from the dropdown.
5. In Groups, enable Filter, and choose the Finance and Sales user groups that you recently created.
6. In Default IdP certificate dropdown, select the IdP certificate created in Certificate Management > End Entities >
Local Services. See Generating a server certificate.
7. Click OK.

To configure service provider SAML settings on FortiAuthenticator:

1. Go to Authentication > SAML IdP > Service Providers and select Create New.
2. Enter an SP name.
3. Enter an IdP prefix. This prefix will appear in the IdP URLs.
4. In Server certificate, choose the SAML IdP certificate created under Certificate Management > End Entities > Local
Services. See Generating a server certificate.
5. Note down the IdP URLs, as they are needed on the FortiGate.
6. Enter the SP entity ID, SP ACS (login) URL, SP SLS (logout) URL as recommended in the table above.
7. In Assertion Attributes, select Add Assertion Attribute:
a. In SAML attribute, enter username.
b. In User attribute dropdown, select FortiAuthenticator > Username.
8. Select Add Assertion Attribute:
a. In SAML attribute, enter group.
b. In User attribute dropdown, select Remote LDAP server > Group.
This is equivalent to returning the groups from the memberOf attribute.
c. Click OK.

To configure SAML Single Sign-On settings on the FortiGate:

SAML settings can be configured from the GUI, but the default SP URLs must be changed after they are created.
Therefore, the following instructions show how to configure the SAML settings from CLI instead.
1. In the CLI console, enter the following commands:
config user saml
    edit "fac_saml_idp-sslvpn"
        set cert "saml_sp.fortiad.info"
        set entity-id "http://10.0.3.254:10443/remote/saml/metadata/"
        set single-sign-on-url "https://10.0.3.254:10443/remote/saml/login/"
        set single-logout-url "https://10.0.3.254:10443/remote/saml/logout/"
        set idp-entity-id "http://10.0.3.7/saml-idp/fgt2/metadata/"
        set idp-single-sign-on-url "https://10.0.3.7/saml-idp/fgt2/login/"
        set idp-single-logout-url "https://10.0.3.7/saml-idp/fgt2/logout/"
        set idp-cert "saml_idp.fortiad.info"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

• The setting set cert <certificate> corresponds to the SP certificate imported to the FortiGate as a local certificate earlier in the example.
• The setting set idp-cert <certificate> corresponds to the IdP certificate imported to the FortiGate as a remote certificate earlier in the example.
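A mismatch between the SP URLs, the SSL VPN listen port and the IdP prefix is the usual reason the assertion never reaches the FortiGate. The following added example (not Fortinet code) cross-checks the CLI block above against the URL formats in the table; the checker itself and the idea of passing the SSL VPN listen port as a parameter are assumptions of this example.

```python
"""Cross-check a FortiGate 'config user saml' block against the SP/IdP URL
formats in the table above.

Added example, not from the Fortinet documentation. The CLI text is the page's
own block embedded as input; the checker and its findings are this example's
own assumptions, not FortiOS behaviour.
"""
import re
from urllib.parse import urlsplit

FGT_SAML_CLI = """\
config user saml
    edit "fac_saml_idp-sslvpn"
        set cert "saml_sp.fortiad.info"
        set entity-id "http://10.0.3.254:10443/remote/saml/metadata/"
        set single-sign-on-url "https://10.0.3.254:10443/remote/saml/login/"
        set single-logout-url "https://10.0.3.254:10443/remote/saml/logout/"
        set idp-entity-id "http://10.0.3.7/saml-idp/fgt2/metadata/"
        set idp-single-sign-on-url "https://10.0.3.7/saml-idp/fgt2/login/"
        set idp-single-logout-url "https://10.0.3.7/saml-idp/fgt2/logout/"
        set idp-cert "saml_idp.fortiad.info"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end
"""

# Expected scheme and path for each SP URL, taken from the table above.
SP_EXPECTED = {
    "entity-id": ("http", "/remote/saml/metadata/"),
    "single-sign-on-url": ("https", "/remote/saml/login/"),
    "single-logout-url": ("https", "/remote/saml/logout/"),
}
# Expected scheme and endpoint name for each IdP URL; the prefix is variable.
IDP_EXPECTED = {
    "idp-entity-id": ("http", "metadata"),
    "idp-single-sign-on-url": ("https", "login"),
    "idp-single-logout-url": ("https", "logout"),
}
IDP_PATH_RE = re.compile(r"/saml-idp/([^/]+)/(metadata|login|logout)/")
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"\n]*)"?\s*$', re.MULTILINE)


def parse_set_lines(cli):
    """Map each 'set <key> <value>' line to {key: value}, quotes stripped."""
    return dict(SET_RE.findall(cli))


def check_saml_config(cli, sslvpn_port):
    """Return a list of findings; an empty list means the block is consistent.

    sslvpn_port is the value of VPN > SSL-VPN Settings > Listen on Port; the
    SP URLs must carry it, otherwise the browser posts the assertion to a port
    the FortiGate SP is not listening on.
    """
    s = parse_set_lines(cli)
    findings = []

    sp_hosts = set()
    for key, (scheme, path) in SP_EXPECTED.items():
        u = urlsplit(s.get(key, ""))
        if u.scheme != scheme:
            findings.append(f"{key}: expected {scheme}://, got {u.scheme or '?'}://")
        if u.path != path:
            findings.append(f"{key}: path {u.path!r} should be {path!r}")
        if u.port != sslvpn_port:
            findings.append(f"{key}: port {u.port} differs from SSL VPN listen port {sslvpn_port}")
        sp_hosts.add(u.hostname)
    if len(sp_hosts) > 1:
        findings.append(f"SP URLs point at different hosts: {sorted(map(str, sp_hosts))}")

    idp_hosts, prefixes = set(), set()
    for key, (scheme, endpoint) in IDP_EXPECTED.items():
        u = urlsplit(s.get(key, ""))
        if u.scheme != scheme:
            findings.append(f"{key}: expected {scheme}://, got {u.scheme or '?'}://")
        m = IDP_PATH_RE.fullmatch(u.path)
        if not m or m.group(2) != endpoint:
            findings.append(f"{key}: path {u.path!r} does not match /saml-idp/<prefix>/{endpoint}/")
        else:
            prefixes.add(m.group(1))  # the IdP prefix must be identical in all three
        idp_hosts.add(u.hostname)
    if len(prefixes) > 1:
        findings.append(f"IdP URLs use different prefixes: {sorted(prefixes)}")
    if len(idp_hosts) > 1:
        findings.append(f"IdP URLs point at different hosts: {sorted(map(str, idp_hosts))}")

    # Both certificates and both attribute names must be present for the
    # assertion to be verified and mapped to a user group.
    for key in ("cert", "idp-cert", "user-name", "group-name"):
        if not s.get(key):
            findings.append(f"{key} is not set")
    return findings


if __name__ == "__main__":
    for finding in check_saml_config(FGT_SAML_CLI, 10443) or ["consistent"]:
        print(finding)
```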

FortiGate user management

Once user authentication is successful on FortiAuthenticator, it sends a SAML assertion back to the client with the
username and group information. When the client redirects this information to the FortiGate SAML SP, the FortiGate
must process the assertion and match the correct user group for access control.

To configure user groups for Finance and Sales in FortiGate:

1. Go to User & Authentication > User Groups and select Create New.
2. To create a user group for Sales:
a. In Name, enter Sales.
b. In Remote Groups, click Add.
c. Choose the SAML SSO settings as the Remote Server.
d. Set Groups to Specify and enter the group name CN=Sales,CN=Users,DC=fortiad,DC=info.

e. Click OK.
3. To create a user group for Finance:
a. In Name, enter Finance.
b. In Remote Groups, click Add.
c. Choose the SAML SSO settings as the Remote Server.
d. Set Groups to Specify.
The group name is the result of the output of the LDAP query for the memberOf attribute. In the example, this
is CN=Finance,CN=Users,DC=fortiad,DC=info.
e. Click OK.

Besides the groups for SAML users, a non-SAML placeholder group needs to be created for the SSL VPN portal to be active. The following shows a placeholder group named sslvpn_group with 2 local users.
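The following added example (not Fortinet code) walks through the matching described in this section and the Groups = Any / Specify choice from the earlier SAML group procedure: it extracts the page's username and group attributes from a constructed, unsigned assertion fragment and maps them to the Sales and Finance groups. The Any/Specify logic is this example's own rendering of the documented behaviour, not FortiOS code.

```python
"""Map the username/group attributes of a SAML assertion to FortiGate user
groups as configured in the 'FortiGate user management' section.

Added example, not from the Fortinet documentation. The assertion is a
constructed, unsigned AttributeStatement; the group matching reproduces the
page's Groups = Any / Specify semantics as an assumption of this example.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}

# Attribute names the page configures with 'set user-name' and 'set group-name'.
USER_ATTR, GROUP_ATTR = "username", "group"

SALES_DN = "CN=Sales,CN=Users,DC=fortiad,DC=info"
FINANCE_DN = "CN=Finance,CN=Users,DC=fortiad,DC=info"

# FortiGate user groups: 'specify' lists the remote group names that match
# (Groups = Specify); None stands for Groups = Any.
FGT_GROUPS = {
    "Sales": {"remote_server": "fac_saml_idp-sslvpn", "specify": [SALES_DN]},
    "Finance": {"remote_server": "fac_saml_idp-sslvpn", "specify": [FINANCE_DN]},
}


def build_assertion(username, groups):
    """Constructed AttributeStatement in the shape the page's two assertion
    attributes produce (signature and Subject omitted)."""
    attrs = "".join(
        f'<saml:Attribute Name="{escape(name)}">'
        + "".join(f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in ((USER_ATTR, [username]), (GROUP_ATTR, groups))
    )
    return (f'<saml:Assertion xmlns:saml="{SAML2}" ID="_constructed" Version="2.0">'
            f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
            "</saml:Assertion>")


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement.

    Call this only on an assertion whose signature has already been verified
    against the IdP certificate; for untrusted XML use defusedxml rather than
    the stdlib parser.
    """
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return out


def match_user_groups(attributes, fgt_groups, remote_server):
    """Return (username, sorted FortiGate groups the assertion qualifies for)."""
    username = (attributes.get(USER_ATTR) or [None])[0]
    if not username:
        return None, []  # no usable identity: nothing to map
    remote_groups = {g.lower() for g in attributes.get(GROUP_ATTR, [])}
    matched = []
    for name, cfg in fgt_groups.items():
        if cfg["remote_server"] != remote_server:
            continue
        if cfg["specify"] is None:  # Groups = Any: every authenticated user
            matched.append(name)
        elif any(dn.lower() in remote_groups for dn in cfg["specify"]):
            matched.append(name)  # Groups = Specify: the DN must be asserted
    return username, sorted(matched)


def authorize(assertion_xml, remote_server="fac_saml_idp-sslvpn", fgt_groups=FGT_GROUPS):
    return match_user_groups(extract_attributes(assertion_xml), fgt_groups, remote_server)


if __name__ == "__main__":
    print(authorize(build_assertion("dparker", [FINANCE_DN])))  # ('dparker', ['Finance'])
    print(authorize(build_assertion("tsmith", [SALES_DN])))     # ('tsmith', ['Sales'])
```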

FortiGate SSL VPN configurations

Configure SSL VPN portals and settings for Finance and Sales users to have remote network access. Firewall policies
also need to be put into place for access control.

To configure SSL VPN portals for Finance and Sales users:

1. Go to VPN > SSL-VPN Portals and click Create New.


2. To create a profile named Finance-portal:
a. In Name, enter Finance-portal.
b. Enable Tunnel Mode with split tunneling set to Enabled Based on Policy Destination.
c. Set Source IP Pools to a desired pool.
d. Enable Web Mode and in Portal Message, enter Finance SSL-VPN Portal.
e. In Predefined Bookmarks, select Create New to create a new bookmark called Finance Server. In our example,
a Finance server is available on https://10.88.0.5:9443.
f. Click OK.

3. To create a profile named Sales-portal:


a. In Name, enter Sales-portal.
b. Enable Tunnel Mode with split tunneling set to Enabled Based on Policy Destination.
c. Set Source IP Pools to a desired pool.
d. Enable Web Mode and in Portal Message, enter Sales SSL-VPN Portal.

e. In Predefined Bookmarks, create a new bookmark called Sales Server. In our example, a Sales server is available on https://10.88.0.3:9443.
f. Click OK.

To configure SSL VPN settings:

1. Go to VPN > SSL-VPN Settings and enable SSL-VPN.


2. Set Listen on Interface(s) to WAN (port3).
3. Set Listen on Port to 10443.
4. Set the Server Certificate to FGT-SSLVPN.
5. In Authentication/Portal Mapping, configure user groups to portal mappings.
a. Select Create New and create a new Finance mapping:
i. Set Users/Groups to Finance.
ii. Set Portal to Finance-portal.
iii. Click OK.
b. Select Create New and create a new Sales mapping:
i. Set Users/Groups to Sales.
ii. Set Portal to Sales-portal.
iii. Click OK.

c. Select Create New and create a new placeholder mapping:


i. Set Users/Groups to sslvpn_group.
ii. Set Portal to no-access.
iii. Click OK.
d. For All other Users/Groups, set Portal to no-access.

To configure firewall policies for access control:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Create a policy named SSLVPN-Finance.
a. Set Incoming Interface to SSL-VPN tunnel interface (ssl.root).
b. Set Outgoing Interface to port2.
c. Set Source to all and User to Finance.
d. Set Destination to the Finance address object. If needed, create this object with the IP address
10.88.0.5/32.
e. Set Service to ALL.
f. Configure other settings as needed.

g. Click OK.

3. Create a policy named SSLVPN-Sales.


a. Set Incoming Interface to SSL-VPN tunnel interface (ssl.root).
b. Set Outgoing Interface to port2.
c. Set Source to all and User to Sales.
d. Set Destination to the Webserver1 address object. If needed, create this object with the IP address of
10.88.0.3/32.
e. Set Service to ALL.
f. Configure other settings as needed.

g. Click OK.

4. Create a placeholder policy named SSLVPN-placeholder.


a. Set Incoming Interface to SSL-VPN tunnel interface (ssl.root).
b. Set Outgoing Interface to port1.
c. Set Source to all and User to sslvpn_group.
d. Set Destination to none.
e. Set Service to ALL_ICMP.

f. Click OK.

FortiClient configurations

In SSL-VPN tunnel mode, the FortiClient will initiate the connection. Below are two ways of configuring the SSL VPN
connection profile.

To configure an SSL VPN remote access profile on FortiClient:

1. Go to the Remote Access tab.


2. Click the hamburger icon beside the VPN Name dropdown and select Add a new connection.
3. Set the VPN to SSL-VPN.
4. Set the Connection Name to SAML_SSLVPN.
5. Set Remote Gateway to 10.0.3.254.
6. Select Customize port and set it to 10443.
7. Select Enable Single Sign On (SSO) for VPN Tunnel.
8. Optionally, select Use external browser as user-agent for saml user authentication if you wish to use an external
browser instead of the embedded module for authentication.

9. Click Save.

To configure an SSL VPN remote access profile on FortiClient EMS:

1. Go to Endpoint Profiles > Remote Access.


2. Select an existing profile such as Default and click Edit.
3. In VPN Tunnels, click Add Tunnel.
4. In VPN Type, select Manual and click Next.
5. In Basic Settings:
a. Set Name to EMS_SAML_SSLVPN.
b. Set Remote Gateway to 10.0.3.254.
c. Set Port to 10443.
6. In Advanced Settings:
a. Enable SAML Login.
b. Optionally, enable Use external browser as user-agent for saml user authentication if you wish to use an external browser instead of the embedded module for authentication.
7. Click Save to save the VPN profile.
8. Click Save again to save the changes to the Remote Access Profile.

9. Shortly after, the FortiClient endpoint should receive the newly synced EMS_SAML_SSLVPN profile.

10. View the settings on FortiClient.

Testing and verification

The following demonstrates connection via Web mode and Tunnel mode using SAML authentication. Review the
authentication process at the beginning of this deployment scenario to understand how the process works.
For Web mode, import the CA certificate of the FortiAuthenticator Local CA into the trusted certificate store used by your
browser. This will prevent warnings from appearing when accessing the SSL VPN web portal.

Web mode SSL VPN

To verify a Web mode SSL VPN connection with the Finance user Dan Parker (dparker):

1. Open a browser, and enter https://10.0.3.254:10443.


2. Click Single Sign-On to sign in.

Your sign-on request will be redirected by the FortiGate SAML SP to the FortiAuthenticator SAML IdP.
3. Enter the user credentials for the user and click Login.

In the background, the FortiAuthenticator authenticates this user over the LDAP connection to the Windows AD. If
the authentication succeeds and matches a user group on FortiAuthenticator, FortiAuthenticator sends a SAML
assertion back to the browser containing the username and group information.

The browser redirects the SAML assertion to the FortiGate SAML SP, which matches the username and group
information to a user group. Based on this user group, access is granted.
The Finance user can now see the Finance SSL-VPN Portal.

4. Clicking on the Finance Server bookmark, the user can access the Finance server.

To verify the login status on the FortiGate and FortiAuthenticator:

1. On FortiGate, go to Dashboard > Network and expand the SSL-VPN widget.

2. From Log & Report > System Events, switch to VPN Events log.
Alternatively, in the CLI console, enter the following commands:
execute log filter category 1
execute log filter field subtype vpn
execute log display
1974 logs found.
10 logs returned.
38: date=2022-10-28 time=14:20:00 eventtime=1666992000214198069 tz="-0700" logid="0101039938" type="event" subtype="vpn" level="warning" vd="root" logdesc="SSL VPN pass" action="ssl-web-pass" tunneltype="ssl-web" tunnelid=165774014 remip=10.0.3.2 user="dparker" group="Finance" dst_host="10.88.0.5" reason="https" msg="SSL web application activated
3. On FortiAuthenticator, go to Logging > Log Access > Logs.
The SAML IdP authentication for dparker will be displayed.

Tunnel mode SSL VPN

To verify a Tunnel mode SSL VPN connection with the Sales user Tom Smith (tsmith):

1. On the client desktop, open FortiClient and go to the Remote Access tab.
2. Select the VPN tunnel created earlier and click SAML Login.
3. When prompted for the login credentials, enter the username and password and click Login.

Again, in the background, the SAML login request gets processed by FortiAuthenticator. Upon a successful match,
it sends a SAML assertion back to the FortiClient. The FortiClient forwards this to the FortiGate which matches a
corresponding user group.
4. Once connected, the user can open a browser and browse to https://10.88.0.3:9443 to access the Sales webserver.

To verify the login status on the FortiGate and FortiAuthenticator:

1. On FortiGate, go to Dashboard > Network and expand the SSL-VPN widget.

2. Go to Dashboard > User & Devices and expand the Firewall Users widget.

3. From Log & Report > System Events, switch to VPN Events log.
Alternatively, in the CLI console, enter the following commands:

execute log filter category 1
execute log filter field subtype vpn
execute log display
2063 logs found.
10 logs returned.
10: date=2022-10-28 time=14:48:24 eventtime=1666993704610253079 tz="-0700" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=165774015 remip=10.0.3.2 tunnelip=10.212.134.200 user="tsmith" group="Sales" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"
4. On FortiAuthenticator, go to Logging > Log Access > Logs.
The SAML IdP authentication for tsmith will be displayed.

Logging in to FortiGate as an administrator using FIDO2 authentication

For information on FIDO2 authentication, see https://fidoalliance.org/fido2/.


In this example, we log in to a FortiGate device using the FIDO2 authentication method for SAML.
FortiGate acts as the web authentication relying party:
• SAML authentication is configured for admin authentication using FortiAuthenticator as the IdP.
FortiAuthenticator is the web authenticator:
• FortiAuthenticator uses local and remote LDAP users as examples.
• FortiAuthenticator is the IdP for FortiGate.

All Fortinet products supporting SAML for authentication can also use FIDO2.

To configure admin login on FortiGate using FIDO2:

1. Configuring SAML on FortiGate on page 283
2. Configuring SAML on FortiAuthenticator on page 285
3. Editing users to set up FIDO authentication on page 287
4. Results on page 288

Configuring SAML on FortiGate

To configure SAML on FortiGate:

1. Go to Security Fabric > Fabric Connectors.


2. Double-click Security Fabric Setup to open it.
The Security Fabric Settings window opens.

3. In the Security Fabric Settings window, in SAML Single Sign-On, click Advanced Options.
A new SAML SSO window opens.

4. In the SAML SSO window:


a. In Mode, select Service Provider.
b. In SP address, ensure that the address is the current browser address.
c. In SP certificate dropdown, select an SP certificate.
d. In Default admin profile, select super_admin.
e. Ensure that IdP type is Fortinet Product.
f. In IdP address, enter the FQDN for the FortiAuthenticator.
g. In Prefix, enter a prefix.

h. In the IdP certificate dropdown, select the IdP certificate.

5. Click OK.
6. Click OK.

Configuring SAML on FortiAuthenticator

To configure SAML general settings on FortiAuthenticator:

1. Go to Authentication > SAML IdP > General, and select Enable SAML Identity Provider portal.
2. In Server address, enter the FQDN for FortiAuthenticator.
3. Enable Use default realm when user-provided realm is different from all configured realms.
4. In Realms, add realms.
5. Click Save.

To configure SAML SP settings on FortiAuthenticator:

Here, we add FortiGate SP settings to FortiAuthenticator.


1. Go to Authentication > SAML IdP > Service Providers, and select Create New.
The Create New SAML Service Provider window opens.

2. In SP name, enter a name for the SP.
3. In Create an identifier for this IdP, select +, in the Create an Alternate identifier window, enter the same identifier used as the prefix in IdP settings in Configuring SAML on FortiGate on page 283, and click OK.
4. In Authentication method, select FIDO.
Ensure that FIDO-only is selected and Allow two-factor authentication (password and OTP) if no FIDO keys are
available for the user account is enabled.
5. In Assertion Attribute Configuration, keep the default settings.
6. In Assertion Attributes, select Add Assertion Attribute:
a. In SAML attribute, enter username.
b. In the User attribute dropdown, select Email.
7. In Assertion Attributes, select Add Assertion Attribute:
a. In SAML attribute, enter groups.
b. In the User attribute dropdown, select Group.
8. Click Save.
The Edit SAML Service Provider window opens.
9. In the SP Metadata pane:
a. In SP entity ID, paste the Entity ID from FortiGate.
b. In SP ACS (login) URL, paste Assertion consumer service URL from FortiGate.
c. In SP SLS (logout) URL, paste Single logout service URL from FortiGate.
10. Click Save.

Editing users to set up FIDO authentication

To edit a local user to set up FIDO authentication:

1. Go to User Management > Local Users.


2. From the list double-click a local user to edit it.
The Edit Local User window opens.
If you need to create a new local user, see Local users in the latest FortiAuthenticator Administration Guide.
3. Enable FIDO authentication.
4. Select Register FIDO key.
The Add new FIDO Key window opens.
5. Enter a key name in FIDO Key name.
6. Click OK.
7. In the Verify your identity dialog that appears, select USB security key, and push the button on the FortiToken 410
(FIDO client) physical device.
OR
If using a Mac device, in the Verify your identity dialog that appears, select This device, and register your fingerprint
using the Touch ID button.
The FIDO key registration is complete.
8. Click Save.

To edit an LDAP user to set up FIDO authentication:

1. Go to User Management > Remote Users and select the LDAP tab.
2. From the list, double-click an LDAP user to edit it.
The Edit Remote LDAP User window opens.
If you need to import a new remote user, see Remote users in the latest FortiAuthenticator Administration Guide.
3. Enable FIDO authentication.
4. Select Register FIDO key.
The Add new FIDO Key window opens.
5. Enter a key name in FIDO Key name.
6. Click OK.
7. Follow step 7 from Editing a local user to set up FIDO authentication.


8. Click Save.

Users can self-provision using a self-service portal.

Results

1. On the web browser, go to the FortiGate GUI.


2. Select Sign in with Security Fabric.

3. In the IdP login screen, enter the user name and click Next.

4. In the Verify your identity dialog that appears, select USB security key, and push the button on the FortiToken 410
physical device.
If this is the first login, the user account is created.


5. Click Continue.

You are now logged in to the FortiGate GUI.

Configuring FIDO2 authentication for SSLVPN

For information on FIDO2 authentication, see https://fidoalliance.org/fido2/.


In this example, we set up an SSLVPN tunnel that uses FIDO2 authentication.
A FortiToken 410 physical device is used to perform FIDO2 authentication.
FortiAuthenticator is the IdP for FortiGate.

To configure FIDO2 authentication for SSLVPN:

1. Configuring SAML SP on FortiGate on page 290


2. Configuring SAML IdP general settings on FortiAuthenticator on page 291
3. Configuring SP settings on FortiAuthenticator on page 291
4. Editing users to set up FIDO authentication on page 292
5. Creating a user group with the SAML SSO server on page 293
6. Configuring SSLVPN on FortiGate on page 293
7. Creating a firewall policy for SSLVPN traffic on page 295
8. Configuring SSLVPN on FortiClient on page 295
9. Results on page 296


Configuring SAML SP on FortiGate

To configure SAML SP on FortiGate:

1. Go to User & Authentication > Single Sign-On, and select Create new.
A New Single Sign-On wizard opens.
2. In Name, enter the name for the SP.
3. Click Next.
4. In the Service Provider Configuration:
a. In Address, keep the FQDN of the SP (FortiGate).
5. In Identity Provider Details:
a. In Type, select Fortinet Product.
b. In Address, enter the FQDN of the IdP (FortiAuthenticator).
c. In Prefix, enter a prefix.
d. In the Certificate dropdown, select a certificate.
If required, click + to import a certificate.
6. In the Additional SAML Attributes pane:
a. In Attribute used to identify users, enter username.
b. In Attribute used to identify groups, enter groups.
7. Click Submit.

8. Double-click the recently created SP to open it.


9. In the Service Provider Configuration pane, copy and save Entity ID, Assertion consumer service URL, and Single
logout service URL as a text file on your management computer. This is needed when configuring SP settings on
FortiAuthenticator.
See step 9 in Configuring SP settings on FortiAuthenticator on page 291.


Configuring SAML IdP general settings on FortiAuthenticator

To configure SAML IdP on FortiAuthenticator:

1. Go to Authentication > SAML IdP > General, and select Enable SAML Identity Provider portal.
2. In Server address, enter the FQDN address of the FortiAuthenticator.
3. Enable Use default realm when user-provided realm is different from all configured realms.
4. In Realms, add realms.
5. In Default IdP certificate dropdown, select the same certificate as in step 5-d of Configuring SAML SP on FortiGate
on page 290.
6. Click Save.

Configuring SP settings on FortiAuthenticator

To configure SP settings on FortiAuthenticator:

1. Go to Authentication > SAML IdP > Service Providers, and select Create New.
The Create New SAML Service Provider window opens.
2. In SP name, enter the name of the SP.
3. In Create an identifier for this IdP, select +, in the Create an Alternate identifier window, enter the same identifier
used as the prefix in IdP settings in Configuring SAML SP on FortiGate on page 290, and click OK.
4. In Authentication method, select FIDO.
Ensure that FIDO-only is selected and Allow two-factor authentication (password and OTP) if no FIDO keys are
available for the user account is enabled.
5. In Assertion Attribute Configuration, keep the default settings.
6. In Assertion Attributes, select Add Assertion Attribute:
a. In SAML attribute, enter username.
b. In the User attribute dropdown, select Email.
7. In Assertion Attributes, select Add Assertion Attribute:
a. In SAML attribute, enter groups.
b. In the User attribute dropdown, select Group.
8. Click Save.
The Edit SAML Service Provider window opens.
9. From the text file that you saved in step 9 in Configuring SAML SP on FortiGate on page 290, in the SP Metadata
pane on FortiAuthenticator:


a. In SP entity ID, paste the Entity ID from FortiGate.


b. In SP ACS (login) URL, paste Assertion consumer service URL from FortiGate.
c. In SP SLS (logout) URL, paste Single logout service URL from FortiGate.
10. Click Save.
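With the SP metadata pasted into the IdP (here and in Configuring SAML on FortiAuthenticator earlier in this chapter), the values that must agree on both sides are the Entity ID, the ACS URL, and the attribute names username and groups. The following Python is an added example, not FortiAuthenticator or FortiGate code, that checks a SAML Response against those values so a mismatch can be found without a packet capture. The hostnames, port, IdP path and the unsigned sample Response are constructed assumptions; signature validation is left out because the SP performs it with the IdP certificate selected in the SSO wizard.

```python
"""Check a SAML Response against the values configured on the FortiGate SP.

Added example, not FortiAuthenticator or FortiGate code. It parses a constructed
Response (signature validation is left to the SP, which uses the IdP certificate)
and verifies the fields that most often break the pairing configured above:
Audience vs SP Entity ID, Recipient vs ACS URL, the validity window, and the
"username" / "groups" attribute names.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values as copied from the FortiGate SP page; hostnames, port and paths are assumptions.
SP_ENTITY_ID = "http://fgt.example.com:14003/remote/saml/metadata/"
SP_ACS_URL = "https://fgt.example.com:14003/remote/saml/login/"
USER_ATTR, GROUP_ATTR = "username", "groups"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # "current time" for the sample

# Constructed sample of what the IdP returns for this SP (unsigned, trimmed).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://fac.example.com/saml-idp/fgtsp/metadata/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://fgt.example.com:14003/remote/saml/login/"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>http://fgt.example.com:14003/remote/saml/metadata/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>vpn-users</saml:AttributeValue>
        <saml:AttributeValue>fido-users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z (None if absent)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if value else None


def check_response(xml_text, sp_entity_id, acs_url, user_attr, group_attr, now=None):
    """Return (ok, problems, username, groups) for one SAML Response."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("IdP did not return a Success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, problems + ["no Assertion element (encrypted assertions must be decrypted first)"], None, []

    # Audience must be exactly the SP Entity ID pasted into FortiAuthenticator.
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if audience != sp_entity_id:
        problems.append(f"Audience {audience!r} != SP entity ID {sp_entity_id!r}")

    # Recipient must be the ACS URL; a wrong scheme or port is a common cause of failure.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} != ACS URL {acs_url!r}")

    # Validity window; clock skew between IdP and SP shows up here.
    cond = assertion.find("saml:Conditions", NS)
    not_before = _ts(cond.get("NotBefore")) if cond is not None else None
    not_after = _ts(cond.get("NotOnOrAfter")) if cond is not None else None
    if not_before and now < not_before:
        problems.append("assertion not yet valid")
    if not_after and now >= not_after:
        problems.append("assertion expired")

    # Attribute names must match "Attribute used to identify users/groups" on the FortiGate.
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    username = (attrs.get(user_attr) or [None])[0]
    groups = attrs.get(group_attr, [])
    if username is None:
        problems.append(f"attribute {user_attr!r} missing; IdP sent {sorted(attrs)}")
    if not groups:
        problems.append(f"attribute {group_attr!r} missing or empty, so FortiGate group matching will fail")
    return not problems, problems, username, groups
```

Run it against a Response decoded from the browser's SAMLResponse form field. The same checks apply to the SSL VPN SP later in this chapter once its own Entity ID and ACS URL, which carry the custom listening port, are substituted.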

Editing users to set up FIDO authentication

To edit a local user to set up FIDO authentication:

1. Go to User Management > Local Users.


2. From the list double-click a local user to edit it.
The Edit Local User window opens.
If you need to create a new local user, see Local users in the latest FortiAuthenticator Administration Guide.
3. Enable FIDO authentication.
4. Select Register FIDO key.
The Add new FIDO Key window opens.
5. Enter a key name in FIDO Key name.
6. Click OK.
7. In the Verify your identity dialog that appears, select USB security key, and push the button on the FortiToken 410
(FIDO client) physical device.
OR
If using a Mac device, in the Verify your identity dialog that appears, select This device, and register your fingerprint
using the Touch ID button.
The FIDO key registration is complete.


8. Click Save.
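The registration and login steps above end with the authenticator signing a challenge; what the IdP receives back is an authenticatorData structure plus the signature. The following Python is an added example, not FortiAuthenticator code, that parses that structure and performs the relying-party checks behind a FIDO-only login: the rpIdHash must be the SHA-256 of the relying-party ID (assumed here to be the FortiAuthenticator FQDN entered as Server address), user presence and user verification must be flagged, and the signature counter must advance. The RP ID, credential IDs and counters are constructed values.

```python
"""Parse and check WebAuthn/FIDO2 authenticator data on the relying-party side.

Added example, not FortiAuthenticator code. Every FIDO2 registration and login
response carries an authenticatorData structure (WebAuthn Level 2, section 6.1):
    rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
    [| AAGUID (16) | credentialIdLength (2) | credentialId | COSE public key] on registration
The RP ID is assumed here to be the FortiAuthenticator FQDN entered as Server address;
the credential IDs and counters below are constructed values.
"""
import hashlib
import struct

FLAG_UP = 0x01  # user present: the button on the key was pushed
FLAG_UV = 0x04  # user verified: PIN or biometric (Touch ID) was checked
FLAG_AT = 0x40  # attested credential data follows (registration only)

RP_ID = "fac.example.com"  # assumption: the IdP portal's FQDN


def build_auth_data(rp_id, flags, sign_count, credential_id=None):
    """Construct authenticatorData the way a FIDO key does (used to build the samples)."""
    data = hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if credential_id is not None:
        aaguid = bytes(16)  # all-zero AAGUID: no attestation model claimed
        data += aaguid + struct.pack(">H", len(credential_id)) + credential_id
        # a real authenticator appends the COSE-encoded public key here; omitted from the sample
    return data


def parse_auth_data(data):
    """Split authenticatorData into its fields; raises on truncated input."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    parsed = {"rp_id_hash": data[:32], "flags": data[32],
              "sign_count": struct.unpack(">I", data[33:37])[0], "credential_id": None}
    if parsed["flags"] & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        cred_len = struct.unpack(">H", data[53:55])[0]
        parsed["credential_id"] = data[55:55 + cred_len]
        if len(parsed["credential_id"]) != cred_len:
            raise ValueError("credential id truncated")
    return parsed


def verify_assertion(data, expected_rp_id, stored_sign_count, require_uv=True):
    """Relying-party checks for a login assertion. Returns (problems, new_sign_count)."""
    parsed = parse_auth_data(data)
    problems = []
    expected_hash = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if parsed["rp_id_hash"] != expected_hash:
        # the key was registered against a different RP ID, e.g. an IdP served under another FQDN
        problems.append("rpIdHash does not match the expected RP ID")
    if not parsed["flags"] & FLAG_UP:
        problems.append("user presence flag not set")
    if require_uv and not parsed["flags"] & FLAG_UV:
        # FIDO-only (passwordless) login has no password as a second factor, so UV must be set
        problems.append("user verification flag not set")
    if (parsed["sign_count"] or stored_sign_count) and parsed["sign_count"] <= stored_sign_count:
        # a counter that fails to advance is the standard signal for a cloned authenticator
        problems.append("signature counter did not increase")
    return problems, parsed["sign_count"]
```

The rpIdHash check is the reason a key is bound to the hostname it was registered on: a credential registered for one RP ID cannot produce a valid assertion for another, so a change of the IdP FQDN means re-registering keys.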

Creating a user group with the SAML SSO server

To create a user group:

1. Go to User & Authentication > User Groups, and select Create New.
The New User Group window opens.
2. In Name, enter a name for the user group.
3. In Type, select Firewall.
4. In the Remote Groups pane, select Add:
The Add Group Match window opens.
a. In Remote Server, select the SSO server created in Configuring SAML SP on FortiGate on page 290.
b. Click OK.
5. Click OK.

Configuring SSLVPN on FortiGate

To configure SSLVPN on FortiGate:

1. Go to System > Feature Visibility.


2. Enable SSL-VPN.


3. Click Apply.
New SSL-VPN related tabs are now ready to be configured in VPN.
4. Go to VPN > SSL-VPN Settings.
5. In Listen on Port, enter 14003.
This is the same port appended to the WAN accessible FQDN for the SP (FortiGate).
See Configuring SAML SP on FortiGate on page 290.
This port number will be used when configuring FortiClient.
See Configuring SSLVPN on FortiClient on page 295.
6. In the Server Certificate dropdown, select a server certificate.
7. Enable Redirect HTTP to SSL-VPN.
8. In Restrict Access, select Allow access from any host.
9. In Address Range, select Specify custom IP ranges.
10. In IP Ranges, add IP address ranges.
11. In DNS Server, select Specify.
12. Enter IP addresses for DNS servers in DNS Server #1 and DNS Server #2.
13. In the Authentication/Portal Mapping pane, select Create New:
The New Authentication/Portal Mapping window opens.
a. In Users/Groups, select +, from the Select Entries list, select the user group created in Creating a user group
with the SAML SSO server on page 293, and click Close.
b. In the Portal dropdown, select full-access.
c. Click OK.
14. Click Apply.


Creating a firewall policy for SSLVPN traffic

To configure a firewall policy:

1. Go to Policy & Objects > Firewall Policy, and select Create new.
The Create New Policy window opens.
2. In the Settings tab:
a. In Name, enter a name for the firewall policy.
b. In Type, select Standard.
c. In Incoming interface, select +, from the Select Entries list, select an incoming interface, and click Close.
d. In the Outgoing interface, select +, from the Select Entries list, select outgoing interfaces, and click Close.
e. In Source:
i. Select +, from the Select Entries list, select all.
ii. From the dropdown, select User, select the user group created in Creating a user group with the SAML
SSO server on page 293, and click Close.
f. In Destination, select destinations.
g. In Service, select +, from the Select Entries list, select ALL, and click Close.
h. In Inspection mode, select Proxy-based.
i. Disable NAT.
3. Click OK.

Configuring SSLVPN on FortiClient

Since the FortiClient mini browser does not support FIDO2, you must use an external browser for FIDO2 authentication.


To configure SSLVPN on FortiClient:

1. Open the FortiClient console.


2. Go to REMOTE ACCESS and from the More Options icon, select Add a new connection.
The New VPN Connection window opens.
3. In Connection Name, enter a name.
4. In Remote Gateway, enter FQDN from the Address field in Configuring SAML SP on FortiGate on page 290.
5. Select Customize port and enter the same port number as used in step 5 in Configuring SSLVPN on FortiGate on
page 293.
6. Select Enable Single Sign On (SSO) for VPN Tunnel and Use external browser as user-agent for saml user
authentication.
7. Click Save.

Results

1. On the FortiClient console, go to REMOTE ACCESS.


2. From the dropdown, select the VPN connection created in Configuring SSLVPN on FortiClient on page 295.
3. Select Connect.
The default web browser is automatically launched by FortiClient.
4. On the FortiAuthenticator login page that opens, enter the user name, and click Next.

5. In the Verify your identity dialog that appears, select USB security key, and push the button on the FortiToken 410
physical device.
The web browser completes the authentication and responds to FortiClient.


FortiClient completes the SSLVPN tunnel setup.

Computer Authentication

This section describes configuring computer authentication.


- Computer authentication using FortiAuthenticator with MS AD Root CA on page 298

Computer authentication using FortiAuthenticator with MS AD Root CA

This example includes the configuration required for computer authentication using FortiAuthenticator with a Microsoft
Active Directory Root CA.
This configuration uses the following topology:
- Microsoft Active Directory configured with a Root CA.
- A wireless client with a computer certificate issued by the MS AD Root CA.
- A FortiGate and a managed FortiAP SSID with WPA2-Enterprise and a RADIUS-assigned VLAN.
- A FortiAuthenticator.

To configure computer authentication using FortiAuthenticator with a Microsoft AD Root CA:

1. Configure the certificates and Root CA on page 298


2. Configure LDAP users on FortiAuthenticator on page 300
3. Configure RADIUS authentication on page 303
4. Configure the SSID and interface objects on page 308
5. Results on page 310

Configure the certificates and Root CA

With Microsoft Active Directory as the Root CA, use Group Policy Management to deploy client certificates to domain
computers. This is the certificate that will be used to validate RADIUS requests.

To create a computer client certificate:

1. In Active Directory > Group Policy Management, create a new Group Policy Object (GPO) with settings configured
for auto-enrollment.


2. Link the GPO to the OU where the client computers are located.
The computer account in Active Directory must use the attribute dNSHostName with the value of the computer's
name. This attribute is used later on FortiAuthenticator when creating the user remote sync rule.

To import the Microsoft AD Root CA as a trusted CA:

1. On the FortiGate, go to System > Certificates, and click Import > CA Certificate. Configure the following settings,
and click OK when complete.
a. Type: File.
b. Upload: Click Upload and browse to the location of your certificate.
2. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Trusted CAs, and click Import.
Configure the following settings, and click OK when complete.
a. Certificate ID: Enter the certificate ID.
b. Certificate: Click Upload a file and browse to the location of your certificate.


Once the Root CA is configured, you can issue certificates from AD to both the FortiGate and the FortiAuthenticator.

Configure LDAP users on FortiAuthenticator

You can now configure the remote LDAP server on FortiAuthenticator to connect to Active Directory, create a user realm
and user group, and import the AD users into FortiAuthenticator using a remote user sync rule.

To configure LDAP users on FortiAuthenticator:

1. Configuring the LDAP server on page 300


2. Creating a user realm on page 301
3. Creating a user group on page 302
4. Importing users with a remote user sync rule on page 302

Configuring the LDAP server

Create an LDAP entry for remote lookup of computers with the username attribute as dNSHostName.

To configure remote LDAP server on FortiAuthenticator:

1. In FortiAuthenticator, go to Authentication > Remote Auth. Servers > LDAP, and click Create New.
2. Under Create New LDAP Server, set the following:
a. Name: Enter the server name, for example: AD_Computers.
b. Primary server name/IP: Enter the LDAP server name, for example: dc01.wl-cse.net using Port 636.
c. Base distinguished name: Enter the base distinguished name, for example: DC=wl-cse,DC=net.
d. Bind type: Regular.
Enter the username and password for your LDAP user.
3. Under Query Elements, set the following:
a. User object class: computer.
b. Username attribute: dNSHostName.
c. Group object class: group.
d. Obtain group memberships from: Group attribute.
e. Group membership attribute: memberOf.


4. Enable Secure Connection, and set the following:


a. Protocol: LDAPS.
b. CA certificate: Select the CA certificate you previously configured.

5. Click OK.

Creating a user realm

Create a user realm for the users (computers) from your remote LDAP. This realm is used later when configuring
RADIUS authentication.

To create a user realm:

1. Go to Authentication > User Management > Realms, and click Create New.
2. Set the following:
a. Name: Enter a name for the realm, for example: host.
b. User source: Select the previously configured remote LDAP server.

3. Click OK.


Creating a user group

Create a user group for the users (computers) from your remote LDAP.

To create a remote LDAP user group:

1. Go to Authentication > User Management > User Groups, and click Create New.
2. Set the following:
a. Name: Enter a name for the LDAP group, for example: AD_LAB_PC.
b. Type: Remote LDAP.
c. User retrieval: Set a list of imported remote LDAP users.
d. Remote LDAP: Select the previously configured remote LDAP server, for example AD_Computers.
e. LDAP users: Add your chosen LDAP users to the Selected LDAP Users pane.
3. Click OK.

Importing users with a remote user sync rule

Create the user sync rule to import your users (computers) into FortiAuthenticator. You can configure this rule with an
LDAP filter to match specific groups in Active Directory. For the LDAP username and certificate binding common name,
use dNSHostName. This must match the CN of the actual issued certificate.

To configure a remote user sync rule:

1. Go to Authentication > User Management > Remote User Sync Rules, and click Create New.
2. Under Edit Remote LDAP User Synchronization Rule, set the following:
a. Name: Enter a name for the rule, for example: AD-computers.
b. Remote LDAP: Select the remote LDAP server you previously configured.
c. Base distinguished name: Enter your base distinguished name, for example: DC=wl-cse,DC=net.
d. LDAP filter: Enter the LDAP filter that matches your specific group in Active Directory, for example:
(&(objectClass=computer)(memberOf=CN=LAB-Computers,OU=Computers,OU=LAB,DC=wl-cse,DC=net))
3. Under Synchronization Attributes, set the following:
a. Token-based authentication sync priorities: Select None.
b. Sync every: Select the sync frequency based on your preferences, for example: 1 hour(s).
c. Sync as: Remote LDAP User.
d. User role for new user imports: User.
e. Group to associate users with: Select your remote LDAP user group.
f. Certificate binding CA: Select your CA for certificate binding.


4. Under LDAP User Mapping Attributes, set the following:


a. Username: dNSHostName.
b. Certificate binding common name: dNSHostName.

5. Click OK.
Once the user sync rule has been created, run it to import your user (computer) account, and then verify the user was
successfully created in Authentication > User Management > Remote Users and that the certificate binding is in place.
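The sync rule above selects entries with an LDAP filter and then binds each imported account to a client certificate by common name. The following Python is an added example, not FortiAuthenticator code, that evaluates the same filter against a constructed set of directory entries and applies the certificate-binding comparison, so you can predict which computers a rule imports before running it. The entries are constructed; the filter and attribute names are the ones from the rule.

```python
"""Evaluate the sync-rule LDAP filter and the certificate-binding match offline.

Added example, not FortiAuthenticator code. The filter syntax is RFC 4515; this small
evaluator covers the operators used in the rule above (&, |, !, attr=value and attr=*)
and compares values case-insensitively, as Active Directory does for names and DNs.
The directory entries below are constructed; the filter and attribute names are the
ones from the sync rule.
"""

# Constructed sample of what the AD_Computers LDAP lookup returns.
COMPUTERS = [
    {"objectClass": ["top", "computer"], "dNSHostName": ["LAB-PC01.wl-cse.net"],
     "memberOf": ["CN=LAB-Computers,OU=Computers,OU=LAB,DC=wl-cse,DC=net"]},
    {"objectClass": ["top", "computer"], "dNSHostName": ["HR-PC07.wl-cse.net"],
     "memberOf": ["CN=HR-Computers,OU=Computers,OU=HR,DC=wl-cse,DC=net"]},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["jdoe"],
     "memberOf": ["CN=LAB-Computers,OU=Computers,OU=LAB,DC=wl-cse,DC=net"]},
]

SYNC_FILTER = "(&(objectClass=computer)(memberOf=CN=LAB-Computers,OU=Computers,OU=LAB,DC=wl-cse,DC=net))"


def parse_filter(text):
    """Parse an RFC 4515 filter into nested tuples: ('&', [...]), ('!', [...]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)  # values containing ')' must be escaped as \29 (RFC 4515)
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _values(entry, attr):
    """Attribute lookup ignoring case (dNSHostName and dnshostname are the same attribute)."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def matches(tree, entry):
    """Evaluate a parsed filter against one directory entry."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = _values(entry, attr)
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def sync_users(entries, ldap_filter, username_attr="dNSHostName"):
    """Usernames the remote user sync rule would import, taken from the mapped username attribute."""
    tree = parse_filter(ldap_filter)
    return [_values(e, username_attr)[0] for e in entries if matches(tree, e) and _values(e, username_attr)]


def certificate_binding_ok(synced_username, client_cert_cn):
    """Certificate binding as the sync rule sets it up: the EAP-TLS client cert CN must equal the synced username."""
    return synced_username.lower() == client_cert_cn.lower()
```

The person entry in the sample shows why objectClass=computer belongs in the filter: it is a member of the same group, and without that clause the rule would import it as a "computer" with no dNSHostName to bind a certificate to.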

Configure RADIUS authentication

You can now configure RADIUS authentication between the FortiAuthenticator and FortiGate.

To configure RADIUS authentication:

1. Adding RADIUS attributes on page 304


2. Configuring the RADIUS client on page 304
3. Configuring the EAP server certificate on page 305


4. Creating a RADIUS policy on page 305


5. Configuring the RADIUS server on FortiGate on page 307

Adding RADIUS attributes

RADIUS attributes can be added to the previously configured LDAP user group.

To add RADIUS attributes to the LDAP user group:

1. Go to Authentication > User Management > User Groups, and edit the user group associated with the remote
LDAP users.
2. Under RADIUS Attributes, add the RADIUS attributes required by your configuration. In this example, the following
attributes are required:
- Tunnel-Type: VLAN.
- Tunnel-Medium-Type: IEEE-802.
- Tunnel-Private-Group-Id: 240.
- Fortinet-Group-Name: FTNT_LAB_Computers.
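The attributes above are what FortiAuthenticator returns in the Access-Accept for members of the group, and what the packet capture in Results should show. The following Python is an added example, not FortiAuthenticator or FortiGate code, that encodes such an Access-Accept, verifies its Response Authenticator the way the NAS does, and decodes the attributes back. The shared secret, packet identifier and Request Authenticator are constructed values.

```python
"""Encode and decode the RADIUS Access-Accept carrying the VLAN attributes above.

Added example, not FortiAuthenticator or FortiGate code. Wire formats follow RFC 2865
(attribute TLVs, Vendor-Specific, Response Authenticator) and RFC 2868 (tunnel
attributes prefixed with a tag octet); vendor ID 12356 with vendor type 1 is
Fortinet-Group-Name from the Fortinet RADIUS dictionary. The shared secret, packet
identifier and Request Authenticator used here are constructed values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN (RFC 2868)
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1


def avp(attr_type, value):
    """One attribute: Type (1), Length (1, includes the header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def tagged_int(tag, number):
    """RFC 2868 tagged integer: one tag octet followed by a 3-byte big-endian value."""
    return bytes([tag]) + number.to_bytes(3, "big")


def vlan_attributes(vlan_id, group_name, tag=1):
    """The four attributes added to the user group in this example."""
    vsa = (struct.pack(">I", FORTINET_VENDOR_ID)
           + struct.pack("BB", FORTINET_GROUP_NAME, len(group_name) + 2)
           + group_name.encode("ascii"))
    return (avp(ATTR_TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + avp(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
            + avp(ATTR_VENDOR_SPECIFIC, vsa))


def access_accept(identifier, request_authenticator, secret, attributes):
    """Build the packet. ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response_authenticator(packet, request_authenticator, secret):
    """The NAS side: an Access-Accept from anyone without the shared secret fails this check."""
    header, response_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def decode_attributes(packet):
    """Return the attributes the wireless controller acts on, as a dict."""
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            name = "Tunnel-Type" if attr_type == ATTR_TUNNEL_TYPE else "Tunnel-Medium-Type"
            out[name] = int.from_bytes(value[1:], "big")  # skip the tag octet
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # a first octet above 0x1F is part of the string, not a tag (RFC 2868 section 3.6)
            out["Tunnel-Private-Group-Id"] = (value[1:] if value[:1] <= b"\x1f" else value).decode("ascii")
        elif attr_type == ATTR_VENDOR_SPECIFIC and struct.unpack(">I", value[:4])[0] == FORTINET_VENDOR_ID:
            vendor_type, vendor_len = value[4], value[5]
            if vendor_type == FORTINET_GROUP_NAME:
                out["Fortinet-Group-Name"] = value[6:4 + vendor_len].decode("ascii")
    return out
```

The Response Authenticator is the only integrity protection a plain RADIUS Access-Accept has, and it is keyed with the shared secret from the RADIUS client entry, which is why that secret must be long and unique per client.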

Configuring the RADIUS client

To configure RADIUS authentication using FortiAuthenticator, the FortiGate must be configured as a RADIUS client.


To configure the RADIUS client settings:

1. Go to Authentication > RADIUS Service > Clients, and click Create New.
2. Set the following:
a. Name: Enter a name for the RADIUS client, for example: FGT-LAB.
b. Client address: Select IP/Hostname, and enter your RADIUS client's IP or hostname, for example: fgt.wl-
cse.net.
c. Secret: Enter a shared secret. This will also be used to configure RADIUS settings on FortiGate.
d. (Optional) Accept RADIUS accounting messages for usage enforcement: Enabled.
e. (Optional) Support RADIUS Disconnect messages: Enabled.

3. Click OK.

Configuring the EAP server certificate

In order to use EAP, you must specify the certificate used for FortiAuthenticator in the RADIUS-EAP configuration
settings.

To configure the RADIUS certificate for EAP-TLS:

1. Go to Authentication > RADIUS Service > Certificates.


2. Specify the EAP Server Certificate and the Trusted CA from Active Directory that you previously configured.

3. Click OK.

Creating a RADIUS policy

A RADIUS policy must be configured in order to allow RADIUS authentication for the selected client.


To create a RADIUS policy:

1. Go to Authentication > RADIUS Service > Policies, and click Create New.
2. Under RADIUS clients, configure the following, and click Next.
a. Policy name: Enter a name for this policy, for example: FGT-Computer-TLS.
b. RADIUS clients: Add the previously configured FortiGate RADIUS client to the Chosen RADIUS Clients
section.

3. Under RADIUS attribute criteria, click Next.

4. Under Authentication type, choose Client Certificates (EAP-TLS), and click Next.

5. Under Identity source, configure the following, and click Next.


a. Username format: Select your preferred username format, for example: realm\username.
b. Realms: In the Realms table, select your AD realm.
To return the RADIUS attributes associated with the group to which the user belongs, the groups need to be
added to the group filter list. In this example, add the AD_LAB_PC user group previously defined.


6. Under Authentication factors, click Next.

7. Under RADIUS response, click Save and exit.

Configuring the RADIUS server on FortiGate

Finally, you can configure the RADIUS server settings (FortiAuthenticator) on FortiGate.

To configure the RADIUS server on FortiGate:

1. On FortiGate, go to User & Authentication > RADIUS Servers, and click Create New.
2. Under New RADIUS Server, set the following:
a. Name: Enter a name for the RADIUS server, for example: FAC.
b. Authentication method: Default.


3. Under Primary Server, set the following:


a. IP/Name: Enter the IP address of the FortiAuthenticator.
b. Secret: Enter the RADIUS server secret created on FortiAuthenticator.

4. Click OK.

Configure the SSID and interface objects

To configure the SSID and interface objects:

1. Creating the SSID on page 309


2. Creating interfaces on page 310


Creating the SSID

To create an SSID with dynamic VLAN assignment:

1. On FortiGate, go to WiFi & Switch Controller > SSID, and click Create New > SSID.
2. Create a new SSID with Dynamic VLAN assignment enabled under Additional Settings.


Creating interfaces

You can now create interfaces as required.

To create additional interfaces:

1. Go to Network > Interfaces, and click Create New > Interface.


2. Configure your VLAN interface. In this example, the DomainComputers VLAN is created with the following settings:
a. Name: DomainComputers.
b. Type: VLAN.
c. Interface: The configured SSID, FGT-FAC-8021X (FGT-FAC-8032X).
d. VLAN ID: 240
e. Role: LAN.

Results

Once the configuration is complete, you should now be able to authenticate your computer using FortiAuthenticator with
a Microsoft AD Root CA.
To confirm computer authentication is working as intended:


1. When the client connects, you can see Authentication Success in the FortiAuthenticator logs.

2. When reviewing the debug logs, you can see that certificate binding check has passed.

3. On FortiGate, you can see that the client successfully connected:

4. Packet capture shows the RADIUS-Accept message, including the VLAN 240.

WiFi onboarding using FortiAuthenticator Smart Connect

This example demonstrates how to configure WiFi onboarding using FortiAuthenticator Smart Connect with either
Google Workspace or Microsoft Azure.
This configuration assumes that you have already configured your FortiAuthenticator following the initial configuration
steps available within the FortiAuthenticator Administration Guide. FortiAuthenticator must be version 6.1.1 or higher.
Before starting, you should already have the following available:
- A registered domain name and functional DNS. This example uses fortixpert.com.
- A publicly signed wildcard certificate for your domain (for example *.fortixpert.com, used to sign the MS Azure DS Secure LDAP Connector).
- A publicly signed host/server certificate for FortiAuthenticator.
- An active Google Workspace Enterprise or MS Azure subscription, depending on your chosen configuration.
  - Please note: Secure LDAP is not supported using Google Workspace Business or Google Workspace Basic subscriptions.
  - An active MS Azure subscription requires AD Directory Services to be provisioned in order to support Secure LDAP.
- The appropriate Fortinet infrastructure in place, for example, FortiGate running FOS 6.2.4 GA or later, FortiSwitch running 6.2.4 GA or later, FortiAP/FortiAP-U running the latest GA release, and FortiAuthenticator 6.1.1 or later.

To configure WiFi onboarding using Smart Connect:

1. Initial settings on FortiAuthenticator on page 312


2. Select either the Google Workspace or Azure configuration:
a. Option A - WiFi onboarding with Smart Connect and Google Workspace on page 316
b. Option B - WiFi onboarding with Smart Connect and Azure on page 326
3. FortiGate configuration on page 334
4. Results on page 345

Initial settings on FortiAuthenticator

To set up the initial configuration on FortiAuthenticator:

1. Install certificates on page 312


2. Configure the RADIUS client settings on page 314
3. Configure the local root CA on page 314
4. Configure the EAP server certificate and CA for EAP-TLS on page 315

Install certificates

To install a wildcard certificate on FortiAuthenticator:

1. Go to Certificate Management > Certificate Authorities > Trusted CA.


Import a trusted root/intermediate public CA certificate in order to support your wildcard certificate.


2. In Certificate Management > End Entities > Local Services, click Import, select Certificate and Private Key, and
import your domain wildcard certificate as *.domainname, for example *.fortixpert.com.

To generate a Certificate Signing Request (optional):

The following steps are optional and can be done if the server certificate matching the FortiAuthenticator FQDN is not yet
available.
1. In Certificate Management > End Entities > Local Services, select the Create New button.
Configure the following settings:
a. Under Create New Server Certificate, set the Certificate ID to your certificate name, for example,
fac.fortixpert.com.
b. Under Subject Information, configure the Name, Department, Company, City, State/Province, Country and
Email Address for your certificate.
c. (Optional) If you are using a self-signed certificate on FortiAuthenticator, add a Subject Alternative Name
(SAN) matching the FQDN under Subject Alternative Name.
d. (Optional) Under Advanced Options: Key Usages, choose all Key Usages and Extended Key Usages.
e. All other fields can be left in their default state. Click OK to save your changes.

2. Export the pending CSR by selecting the pending entry and then clicking Export Certificate. Use the downloaded
certificate-name.csr file to obtain a certificate from a public CA.
3. Import the signed certificate file from the public CA by selecting Import and uploading the certificate-name.cer
file.


To install local service certificates:

1. Go to Certificate Management > Certificate Authorities > Trusted CA.


Upload the trusted root/intermediate public CA certificates in order to support your host/server certificate.
2. Under Certificate Management > End Entities > Local Services, import your publicly signed host/server certificate
matching the FQDN (for example, fac.fortixpert.com) along with the matching private key.
3. Under System > Administration > System Access > GUI Access, configure the following:
a. For HTTPS Certificate, select the server certificate matching the device FQDN from the dropdown box.
b. For CA Certificate, select the Root CA certificate that was used to sign the host/server certificate selected
above.
4. Select OK.

Configure the RADIUS client settings

To configure the RADIUS client:

1. Add the FortiAuthenticator host record to your local DNS server.


If you are using FortiGate as the DNS server, this can be set under Network > DNS Servers on FortiGate.
2. Under System > Dashboard > Status, edit and set the hostname and FQDN for FortiAuthenticator so that it matches
the DNS host record.
3. In Authentication > RADIUS Service > Clients, add the wireless controller, in this example FortiGate, as a new
RADIUS client.
Enter the Name and IP/Hostname of the wireless controller, and create a Secret.
4. Click OK.

Configure the local root CA

You can now configure a local CA on FortiAuthenticator. This will be used to generate client certificates for
authentication via EAP-TLS.


To configure the Local Root CA:

1. In Certificate Management > Certificate Authorities > Local CAs, select Create New.
2. Configure the following settings:
a. Set the Certificate ID to the Local_Root_CA_Name.
b. In Certificate Authority Type, set the Certificate Type to Root CA.
c. In Subject Information, configure the Name, Department, Company, City, State/Province, Country, and Email
address for your certificate.
d. In Advanced Options > Key Usages, choose all Key Usages and Extended Key Usages.
3. Leave all other settings as their default, and click OK.

Configure the EAP server certificate and CA for EAP-TLS

To set an EAP Server Certificate and CA for EAP-TLS:

1. Go to Authentication > RADIUS Service > Certificates.


2. In Server Settings > EAP Server Certificate, select the publicly signed certificate matching the FortiAuthenticator
FQDN (e.g. fac.fortixpert.com).


3. In EAP-TLS Authentication > Local CAs, select the local CA (e.g. FortiXpert_Root_CA).

4. Click OK.

Option A - WiFi onboarding with Smart Connect and Google Workspace

This section outlines how to configure the FortiAuthenticator to communicate with Google Workspace via Secure
Lightweight Directory Access Protocol.

To configure WiFi Onboarding with Google Workspace:

1. Configure Google Workspace LDAPS Integration on page 316


2. Configure Smart Connect and the captive portal on page 322
3. Configure RADIUS settings on FortiAuthenticator on page 325

Configure Google Workspace LDAPS Integration

Here you will configure FortiAuthenticator to communicate with Google Workspace via Secure Lightweight Directory
Access Protocol.

To configure FortiAuthenticator and Google Workspace LDAPS integration:

1. Provision the LDAP connector in Google Workspace on page 317


2. Configure certificates on FortiAuthenticator on page 319
3. Configure the remote LDAP server and users on page 320


Provision the LDAP connector in Google Workspace

To provision the LDAP connector in Google Workspace:

1. Log in to the Google Workspace admin console using a Google Workspace admin account.
2. Click the Apps icon, then select LDAP and Add Client.
3. In Add LDAP Client Step 1, configure the following settings:
a. Name: Enter a name, for example FAC.
b. Description: Enter a description, for example Secure LDAP Client for FAC.

4. Under Add LDAP Client Step 2, configure the following settings:
a. Verify User Credentials: Entire domain.
b. Read user information: Entire domain.
c. Read Group Information: On.

5. Click Add LDAP Client.

You will now be prompted to connect your client to the LDAP service.
6. Click Download Certificate and save the ZIP file.

Unzip the certificate file to a local folder. It contains a public certificate along with a private key. This key is what
authenticates FortiAuthenticator to Google's Secure LDAP service: anyone holding it can query your directory with the
permissions granted in step 4, so treat the ZIP like a credential and delete the local copies once the key has been
imported into FortiAuthenticator.

7. Select Continue to Client Details. Select Service status and change the status to On.

8. Click Save.

Configure certificates on FortiAuthenticator

To download the Google Root CA certificate:

1. Open a new Internet browser and navigate to https://pki.goog.
2. Under Root CAs in the Repository tab, download the GS Root R2 certificate in DER format. The file will be called
GSR2.crt.
Before importing it, confirm that this root is actually at the top of the chain presented by ldap.google.com (for
example with openssl s_client -connect ldap.google.com:636 -showcerts). If Google has moved the service to a
different root, import that root instead; otherwise the LDAPS connection fails certificate validation.

To import the Google certificates into FortiAuthenticator:

1. In FortiAuthenticator, go to Certificate Management > Certificate Authorities > Trusted CAs, and click Import.
2. Enter a Certificate ID (for example Google_RootCA_GSR2; this is the name selected later as the CA Certificate of
the LDAP server), and upload the Google Root CA certificate previously downloaded.
3. Go to Certificate Management > End Entities > Local Services, and click Import.
4. Under Import Certificate, select Certificate and Private Key as the Type.
Enter a Certificate ID (for example G Suite_LDAP), and select the Certificate file and Private key file from the ZIP
you unzipped previously. A Passphrase is not required. Click OK.

Configure the remote LDAP server and users

To provision the remote LDAP server:

1. In FortiAuthenticator, go to Authentication > Remote Auth. Servers > LDAP, and click Create New.
2. Under Create New LDAP Server, set the following:
a. Name: Enter a name for the remote LDAP server, for example google.fortixpert.com.
b. Primary server name/IP: ldap.google.com.
c. Base distinguished name: Enter the base LDAP search directory, for example the Google Workspace
domain: dc=fortixpert,dc=com.
d. Bind type: Simple.
3. Under Query Elements, set the following:
a. Pre-defined templates: Select OpenLDAP/G Suite from the dropdown box, and click Apply.
4. Under Secure Connection, enable the secure connection function, and set the following:
a. Protocol: LDAPS.
b. CA Certificate: Select the Google_RootCA_GSR2 certificate from the dropdown box.
c. Use Client Certificate for TLS Authentication: Enabled.
d. Client certificate: Select the G Suite_LDAP client certificate from the dropdown box.
5. At the top of the page under Base distinguished name, select the directory lookup icon.
Once the LDAPS connection is established you will see the directory of Groups and Users within Google Workspace.
Select OK.
If the lookup fails instead, the usual causes are a CA Certificate that does not match the chain served by
ldap.google.com, a client that was not switched to Service status On in the Google admin console, or outbound
TCP/636 from FortiAuthenticator being blocked.
6. Select OK again to save the LDAP server settings.

To import remote user accounts:

1. Go to Authentication > User Management > Remote Users, and confirm that LDAP is selected at the top right of the
page.
2. Click Import.
3. Under Import Remote LDAP Users, set the following:
a. Remote LDAP server: Select your connector bound to ldap.google.com from the dropdown box.
b. Action: Import Users.
4. Click Go. A list of all the users within your Google Workspace directory will be displayed.
5. Select the users you want to be able to connect to the wireless network using their Google Workspace account, and
select OK to import the relevant user accounts.
6. Under Synchronization Attributes, set the following:
a. Token-based authentication sync priorities: None.
b. Sync every: Select the sync frequency. In production environments, this should be set to 30 minutes or more
depending on the number of users being synchronized.
c. Sync as: Remote LDAP User.
d. User role for new user imports: User.

7. Leave all other settings in their default state, and click OK.

To create a new realm:

1. Go to Authentication > User Management > Realms, and click Create New.
2. Configure the following settings:
a. Name: Enter a name for your realm, for example fortixpert.com.
b. User source: Select the remote LDAP service from the dropdown box.
3. Click OK.

Configure Smart Connect and the captive portal

This section outlines the configuration required on FortiAuthenticator to provision a captive portal using Smart Connect
authenticating against Google Workspace.

To configure Smart Connect and portals on FortiAuthenticator:

1. Create the Smart Connect profile on page 322
2. Create the captive portal on page 323
3. Create the self-service portal policy on page 324

Create the Smart Connect profile

To create Smart Connect profiles:

1. Go to Authentication > Portals > Smart Connect Profiles, and click Create New.
2. Under General Information, enter a name for the profile, and click Next.

3. Under Wireless Connection Settings, set the following and then click Next.
a. SSID: Enter your SSID name, for example Secure Wi-Fi.
b. Auth method: WPA2 Enterprise.
c. Hidden SSID: Disabled.

4. Under EAP General Settings, set the following and then click Next.
a. EAP Type: TLS.
b. Signing CA: Select the local Root CA configured earlier.
c. Username Format: Select your preference, for example username@realm.

5. Under Certificate Installation Settings, set the following and then click OK.
a. Install local CA certificates: Choose to install the local Root_CA certificate.
b. Install trusted CA certificates: Choose to install any certificate that is required for all relevant certificate
chains to be fully trusted.

6. Select OK to complete the setup of the Smart Connect profile.

Create the captive portal

To create a captive portal:

1. Go to Authentication > Portals > Portals, and click Create New.
2. Under Create New Portal, enter a name and optional description for the portal.
3. Under Post-login services, enable Smart Connect and select the previously configured Smart Connect profile from
the dropdown.

4. Select OK.

Create the self-service portal policy

To create a self-service portal policy:

1. Go to Authentication > Portals > Policies. Select the Self-Service Portal option, and click Create New.
2. Under Policy Type, set the following and then click Next.
a. Name: Enter a policy name, for example SmartConnect.
b. Description: Enter an optional description for the policy.
c. URL: Note this URL. This is the external captive portal redirection URL which must be added to the Onboarding
SSID configured on the FortiGate/WLC later.
d. Portal: Select the previously configured Smart Connect portal.

3. Under Identity sources, set the following and then click Next:
a. Username format: username@realm.
b. Realms: In the dropdown box, select the LDAP realm associated with ldap.google.com, for example
fortixpert.com.

4. Under Authentication factors, leave the default options in place, and click Save and exit.

Configure RADIUS settings on FortiAuthenticator

To create a RADIUS service policy:

1. Go to Authentication > RADIUS Service > Policies, and click Create New.
2. Under RADIUS clients, set the following and then click Next:
a. Policy Name: Enter a name for the policy, for example EAP-TLS Policy Google Workspace.
b. Description: Enter an optional description, for example EAP-TLS Policy for User Authentication.
c. RADIUS Clients: Add the FortiGate to the Chosen RADIUS Clients section.

3. Under RADIUS attribute criteria, click Next without making changes.
4. Under Authentication type, select Client Certificates (EAP-TLS), and click Next.

5. Under Identity source, set the following and then click Next:
a. Username format: Select your preferred format, for example username@realm.
b. Realms: Select the realm that you set up to communicate with ldap.google.com, for example fortixpert.com.

6. Under Authentication factors, click Next without making changes.


7. Under RADIUS response, validate that the EAP-TLS response is as expected, and click Save and exit.

Option B - WiFi onboarding with Smart Connect and Azure

This section outlines how to configure FortiAuthenticator to communicate with Microsoft Entra ID Domain Services
(Microsoft Entra ID DS, formerly Azure AD DS) over Secure Lightweight Directory Access Protocol (LDAPS).

To configure WiFi Onboarding with Azure:

1. Configure Microsoft Entra ID (formerly Microsoft Azure AD) DS LDAPS integration on page 326
2. Configure Smart Connect and the captive portal on page 331
3. Configure RADIUS settings on FortiAuthenticator on page 334

Configure Microsoft Entra ID (formerly Microsoft Azure AD) DS LDAPS integration

This guide does not include information on how to provision Microsoft Entra ID DS. Please refer to Microsoft's support
site for instructions on how to do this.

To configure Microsoft Entra ID DS LDAPS integration:

1. Provision the LDAPS connector in Microsoft Entra ID DS on page 326
2. Provision the remote LDAP server on FortiAuthenticator on page 328

Provision the LDAPS connector in Microsoft Entra ID DS

To provision the LDAP connector in Microsoft Entra ID DS:

1. Log in to the Azure admin portal using an Azure admin account.
2. Select Active Directory Domain Services.
3. Select View.
4. Select your AD DS instance, for example fortixpert.com.
5. Within the AD DS menu for your domain, select Secure LDAP under Settings.

6. In the Secure LDAP window, perform the following:
a. Set Secure LDAP to Enable.
b. Set Allow secure LDAP access over the internet to Enable.
c. Upload your domain wildcard certificate, for example *.fortixpert.com, in .PFX format.
d. Enter the password to decrypt the PFX file.
FortiAuthenticator never needs this PFX or its private key; it only needs to trust the CA that issued the wildcard
certificate, which is selected later when provisioning the remote LDAP server.

7. Select the Save button at the top of the page, and wait for Azure to configure Secure LDAP.
This process takes approximately five minutes.
8. Once provisioning is complete, you must allow inbound access for the Secure LDAP protocol (TCP port 636) to your
AD DS instance.
9. Browse to the network security group linked in your Secure LDAP connector.
10. Select the network security group link to access the network security group settings.
You can follow the steps found on Microsoft's support website to enable user accounts for Azure AD DS. This is
required for users to authenticate through Secure LDAP.

To create an Azure inbound firewall policy:

1. Within the network security group, go to Settings > Inbound Security Rules, and click Add.
2. In Add inbound security rule, set the following:
a. Source: IP Address.
b. Source IP address/CIDR ranges: Set as the IP address/range that the inbound request will be originating
from, that is, the public address FortiAuthenticator connects from. Keep this as narrow as possible: step 6
exposed Secure LDAP to the internet, so a source of Any would let anyone on the internet attempt binds
against your directory.
c. Destination port ranges: 636.
d. Name: Enter the name, for example AllowSecureLDAP.
e. Description: Add an optional description.
3. Leave all other settings as their default values, and click Add.

To obtain the LDAPS IP address:

1. Go to Azure AD Directory Services, and select the Azure domain.
2. Go to Settings > Properties. Note down the Secure LDAP external IP address.

Provision the remote LDAP server on FortiAuthenticator

To provision the remote LDAP server:

1. In FortiAuthenticator, go to Authentication > Remote Auth. Servers > LDAP, and click Create New.
2. In the Create New LDAP Server window, set the following:
a. Name: Enter a name, for example azure.fortixpert.com.
b. Primary server name/IP: Enter the Secure LDAP external IP noted earlier.
c. Bind type: Regular.
d. Username/Password: Enter the credentials of an account that can read Microsoft Entra ID DS to perform directory
lookups. Use a dedicated account with read-only directory rights rather than a domain administrator:
FortiAuthenticator stores this password and sends it in every bind, so it should carry no more privilege than the
lookups need.
e. Base distinguished name: Leave blank.
3. In the Query Elements section, set the following:
a. Pre-defined templates: Select Microsoft Active Directory and click Apply.
b. Force use of administrator account for group membership lookups: Enabled.
4. In the Secure Connection section, set the following:
a. Secure Connection: Enabled.
b. Protocol: LDAPS.
c. CA Certificate: Select the Root CA certificate for the wildcard certificate that was uploaded to Microsoft Entra
ID DS to use with the Secure LDAP connector. Import it under Certificate Management > Certificate Authorities >
Trusted CAs first if it is not already listed.
5. Select the lookup icon next to Base distinguished name. Choose the base DN for your user accounts, for example
DC=fortixpert,DC=com. Click OK.

6. Click OK to save the remote LDAP server configuration.
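Before relying on the directory lookup icon in the FortiAuthenticator GUI, it helps to reproduce the TLS part of the connection from an administrator workstation, because the GUI's message for a failed LDAPS handshake is terse. The following Python script is an added example and is not part of the Fortinet documentation or of FortiAuthenticator. It uses only the standard library to complete the same mutual-TLS handshake FortiAuthenticator performs against Google Secure LDAP (Option A, with the client certificate and key from the downloaded ZIP and GSR2.crt as the only trusted CA), or the server-authenticated handshake against the Azure Secure LDAP endpoint (Option B, no client certificate, the Secure LDAP external IP as host and a name covered by your wildcard certificate as server_name). It also derives the Base DN from the DNS domain the way the examples above write it. The file names, the name ldaps.fortixpert.com, the placeholder IP and the certificate fields used in the self-test are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone


def base_dn_from_domain(domain):
    """Turn a DNS domain into the LDAP base DN used above: fortixpert.com -> dc=fortixpert,dc=com."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    return ",".join(f"dc={label}" for label in labels)


def san_dns_names(peercert):
    """DNS names from the subjectAltName of a dict in ssl.SSLSocket.getpeercert() format."""
    return [value for (kind, value) in peercert.get("subjectAltName", ()) if kind == "DNS"]


def days_until(not_after):
    """Days left before a getpeercert() 'notAfter' timestamp such as 'Jan 28 12:00:00 2099 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - datetime.now(timezone.utc)).days


def probe_ldaps(host, cafile, certfile=None, keyfile=None, server_name=None, port=636, timeout=10):
    """Complete the TLS handshake the way FortiAuthenticator will and report what the server presented.

    cafile      - the CA selected as 'CA Certificate' on FortiAuthenticator (GSR2.crt for Google,
                  the root of your wildcard certificate for Azure); nothing else is trusted.
    certfile    - the Google client certificate and key from the downloaded ZIP; omit for Azure.
    server_name - name to verify against the certificate when host is an IP address (Azure).
    Raises ssl.SSLError or OSError on any failure, with OpenSSL's reason in the message.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # trusts only cafile, like the FortiAuthenticator setting
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)         # raises if the key does not match the certificate
    sni = server_name or host
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()                  # chain and hostname were verified during the handshake
            return {
                "protocol": tls.version(),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "san": san_dns_names(cert),
                "days_left": days_until(cert["notAfter"]),
            }


if __name__ == "__main__":
    # Assumed usage (file names and the Azure IP are placeholders):
    #   python3 probe_ldaps.py fortixpert.com ldap.google.com GSR2.crt Google_LDAP.crt Google_LDAP.key
    #   python3 probe_ldaps.py fortixpert.com 203.0.113.10 Wildcard_Root_CA.crt - - ldaps.fortixpert.com
    args = sys.argv[1:]
    domain, host, cafile = args[:3]
    certfile = args[3] if len(args) > 3 and args[3] != "-" else None
    keyfile = args[4] if len(args) > 4 and args[4] != "-" else None
    server_name = args[5] if len(args) > 5 else None
    print("Base DN:", base_dn_from_domain(domain))
    print(probe_ldaps(host, cafile, certfile, keyfile, server_name))
```

A handshake that succeeds here but a lookup that still fails in the GUI points at the directory side (Base DN, bind account, client not switched on in Google) rather than at certificates; a handshake that fails here names the exact OpenSSL reason, typically an untrusted issuer or a key/certificate mismatch.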

To import remote user accounts:

1. Go to Authentication > User Management > Remote Users. Confirm LDAP is selected at the top of the page, and
click Import.
2. Under Import Remote LDAP User, complete the following:
a. Remote LDAP Server: Select the Azure remote LDAP server.
b. Action: Select Import users, and click Go to view a list of users within your Azure directory.
c. Select the users you wish to be able to connect to the wireless network using their Azure based account.

3. Click OK.

To set up a remote user sync rule:

1. Go to Authentication > User Management > Remote User Sync Rule, and click Create New.
2. Under Create New Remote LDAP User Synchronization Rule, set the following:
a. Name: Enter a name, for example Azure_Remote_Sync.
b. Remote LDAP: Select your Azure remote LDAP server.
c. Base distinguished name: This setting can be left as the default, for example DC=fortixpert,DC=com.
3. Under Synchronization Attributes, set the following:
a. Token-based authentication sync priorities: None.
b. Sync every: Select the sync frequency. In production environments, this should be set to 30 minutes or more
depending on the number of users being synchronized.
c. Sync as: Remote LDAP User.
d. User role for new user imports: User.
4. Leave all other settings in their default states, and click OK.

To create a new realm:

1. Go to Authentication > User Management > Realms, and click Create New.
2. Under Create New Realm, set the following:
a. Name: Enter the realm name, for example fortixpert.com.
b. User source: Select the remote LDAP service from the dropdown box.
3. Click OK.

Configure Smart Connect and the captive portal

This section outlines the configuration required on FortiAuthenticator to provision a Captive Portal using Smart Connect
authenticating against Microsoft Entra ID DS.

To configure Smart Connect and portals on FortiAuthenticator:

1. Create the Smart Connect profile on page 331
2. Create the captive portal on page 332
3. Create the self-service portal policy on page 333

Create the Smart Connect profile

To create Smart Connect profiles:

1. Go to Authentication > Portals > Smart Connect Profiles, and click Create New.
2. Under General Information, enter a name for the profile, and click Next.

3. Under Wireless Connection Settings, set the following and then click Next.
a. SSID: Enter your SSID name, for example Secure Wi-Fi.
b. Auth method: WPA2 Enterprise.
c. Hidden SSID: Disabled.

4. Under EAP General Settings, set the following and then click Next.
a. EAP Type: TLS.
b. Signing CA: Select the local Root CA configured earlier.
c. Username Format: Select your preference, for example username@realm.

5. Under Certificate Installation Settings, set the following and then click OK.
a. Install local CA certificates: Choose to install the local Root_CA certificate.
b. Install trusted CA certificates: Choose to install any certificate that is required for all relevant certificate
chains to be fully trusted.

6. Select OK to complete the setup of the Smart Connect profile.

Create the captive portal

To create a captive portal:

1. Go to Authentication > Portals > Portals, and click Create New.
2. Under Create New Portal, enter a name and optional description for the portal.
3. Under Post-login services, enable Smart Connect and select the previously configured Smart Connect profile from
the dropdown.
4. Select OK.

Create the self-service portal policy

To create a self-service portal policy:

1. Go to Authentication > Portals > Policies. Select the Self-Service Portal option, and click Create New.
2. Under Policy Type, set the following and then click Next.
a. Name: Enter a policy name, for example SmartConnect.
b. Description: Enter an optional description for the policy.
c. URL: Note this URL. This is the external captive portal redirection URL which must be added to the Onboarding
SSID configured on the FortiGate/WLC later.
d. Portal: Select the previously configured Smart Connect portal.

3. Under Identity sources, set the following and then click Next:
a. Username format: username@realm.
b. Realms: In the dropdown box, select the LDAP realm associated with Azure, for example fortixpert.com.

4. Under Authentication factors, leave the default options in place, and click Save and exit.

Configure RADIUS settings on FortiAuthenticator

To create a RADIUS service policy:

1. Go to Authentication > RADIUS Service > Policies, and click Create New.
2. Under RADIUS clients, set the following and then click Next:
a. Policy Name: Enter a name for the policy, for example EAP-TLS Policy Azure.
b. Description: Enter an optional description, for example EAP-TLS Policy for User Authentication.
c. RADIUS Clients: Add the FortiGate to the Chosen RADIUS Clients section.

3. Under RADIUS attribute criteria, click Next without making changes.
4. Under Authentication type, select Client Certificates (EAP-TLS), and click Next.

5. Under Identity source, set the following and then click Next:
a. Username format: Select your preferred format, for example username@realm.
b. Realms: Select the realm that you set up to communicate with Azure, for example fortixpert.com.

6. Under Authentication factors, click Next without making changes.
7. Under RADIUS response, validate that the EAP-TLS response is as expected, and click Save and exit.

FortiGate configuration

This section outlines the configuration required on the FortiGate wireless controller (WLC) to provision an onboarding
(Smart Connect enabled) WiFi network and a secure (WPA2 Enterprise + EAP-TLS) Wi-Fi network.

To configure the FortiGate:

1. Configure the RADIUS server on FortiGate on page 335
2. Create the user group for cloud-based directory user accounts on page 335
3. Provision the Onboarding and Secure WiFi networks on page 336

Configure the RADIUS server on FortiGate

To configure the RADIUS server:

1. In FortiGate, go to User & Authentication > RADIUS Servers, and click Create New.
2. Under New RADIUS Server, set the following:
a. Name: Enter a name for the RADIUS server, for example FAC.
b. NAS IP: Enter the Network Access Server (NAS) IP. This should ideally be the IP from the
interface/VLAN FortiAuthenticator is on.
3. Under Primary Server, set the following:
a. IP/Name: Enter the FortiAuthenticator IP address.
b. Secret: Enter the secret matching the one configured on FortiAuthenticator.
4. Click Test Connectivity to test if the connection is correctly configured, and click OK.

Create the user group for cloud-based directory user accounts

To create user groups:

1. Go to User & Authentication > User Groups, and click Create New.
2. Configure the following settings:
a. Name: Configure a name, for example Onboarding.
b. Type: Firewall.
c. Remote Groups: Select Add. Within the Add Group Match window, select FortiAuthenticator as the remote
server from the dropdown box.
d. Groups: Any.

3. Select OK on the Add Group Match window. The Onboarding group is now created.

Provision the Onboarding and Secure WiFi networks

To provision the Smart Connect enabled "Onboarding" SSID:

1. Go to Wi-Fi & Switch Controller > SSID, and click Create New.
2. Under Create New SSID, set the following:
a. Profile name: Enter a name for the profile, for example Onboarding.
b. Traffic mode: Tunnel.
3. Under Address, set the following:
a. IP/Netmask: Enter the interface IP address for the Onboarding SSID.
4. Under DHCP Server, enable the DHCP Server setting and set the following:
a. Leave Address range, Netmask, Gateway, and Lease time in their default states.
b. DNS server: Select Same as Interface IP or specify a local DNS server that can resolve your FortiAuthenticator
FQDN. If you are using the DNS database on FortiGate, select Same as Interface IP.

5. Under Network, leave the Device detection setting enabled.

6. Under WiFi Settings, set the following:
a. SSID: Enter the SSID, for example Onboarding.
b. Security mode: Captive Portal.
c. Portal type: Authentication.
d. Authentication portal: Select External, and enter the FortiAuthenticator Smart Connect portal redirection URL
obtained when configuring Smart Connect on FortiAuthenticator.
e. User groups: Select the previously configured user group, for example Onboarding.
f. Exempt destinations/services: Select FortiAuthenticator.
g. Leave all other settings as their default state.

7. Click OK.

To provision the "Secure Wi-Fi" network:

1. Go to WiFi & Switch Controller > SSID, and click Create New.
2. Configure the following settings:
a. Profile name: Enter a profile name, for example Secure Wi-Fi.
b. Traffic mode: Bridge.
c. SSID: Enter the SSID name, for example Secure Wi-Fi.
d. Security mode: WPA2 Enterprise.
e. Authentication: Choose RADIUS Server, and select the FortiAuthenticator.

f. Optional VLAN ID: This setting is optional and can be configured if WiFi traffic needs to be tagged by the AP to
a VLAN configured on your local switch. Dynamic VLAN assignment is also supported.

3. Click OK.

To assign SSIDs to FortiAP profiles:

1. Go to WiFi & Switch Controller > FortiAP Profiles.
2. Select the relevant AP profile(s) and assign the previously created SSIDs (Onboarding and Secure Wi-Fi) to the
AP radio interfaces.

3. Confirm the SSIDs are broadcasting and can be seen by WiFi enabled devices.

4. Click OK.

To create a new FortiAuthenticator object to use with firewall policies:

1. Go to Policy & Objects > Addresses, and click Create New > Address.
2. Configure the following settings:
a. Name: Enter a name, for example FAC.
b. Type: Subnet.
c. IP/Netmask: The FortiAuthenticator IP address.
d. Interface: any.

3. Click OK.

To create a firewall policy for the Onboarding SSID:

1. Go to Policy & Objects > Firewall Policy, and click Create New.
2. On the New Policy page, set the following:
a. Name: Enter a name, for example Onboarding Policy.
b. Incoming Interface: Select the Onboarding SSID.
c. Outgoing Interface: Select the Management VLAN.
d. Source: Select all or the Onboarding address subnet range.
e. Destination: Select FortiAuthenticator and the DNS server if you are using a third party DNS server.
f. Service: DNS, HTTP, and HTTPS.
g. Under Advanced, enable the Exempt from Captive Portal option.
When using a FortiOS version earlier than 6.4.1, you can enable this setting in the CLI with the command set
captive-portal-exempt enable.
Keep this exempt policy as narrow as listed above. Traffic matched by an exempt policy bypasses the captive portal
entirely, so a destination of all or a service of ALL would turn the Onboarding SSID into an open network usable by
anyone in range.

3. Click OK.
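The Exempt from Captive Portal option in step g is the one place where a slip turns the Onboarding SSID into an open network, so it is worth auditing the resulting policies mechanically, for example from the output of show firewall policy on the FortiGate. The following Python script is an added example, not code from the Fortinet documentation or from FortiOS. It parses the FortiOS CLI config format (config / edit / set / next / end) into a dictionary and reports any captive-portal-exempt policy leaving the Onboarding interface whose destinations or services go beyond what this section allows (the FortiAuthenticator address object and the DNS server, with DNS, HTTP and HTTPS). The embedded config is constructed for the example: policy 10 mirrors the steps above, policy 11 is a deliberately over-broad exemption. The address object name DNS-server and the interface names are assumptions.

```python
import shlex
import sys

# Constructed sample in the shape of "show firewall policy" output; not taken from a real FortiGate.
SAMPLE_CONFIG = """\
config firewall policy
    edit 10
        set name "Onboarding Policy"
        set srcintf "Onboarding"
        set dstintf "mgmt-vlan"
        set srcaddr "all"
        set dstaddr "FAC" "DNS-server"
        set service "DNS" "HTTP" "HTTPS"
        set action accept
        set schedule "always"
        set captive-portal-exempt enable
    next
    edit 11
        set name "Onboarding Internet"
        set srcintf "Onboarding"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
        set captive-portal-exempt enable
    next
end
"""

ONBOARDING_INTERFACE = "Onboarding"            # SSID interface name from the steps above
ALLOWED_EXEMPT_DST = {"FAC", "DNS-server"}     # FortiAuthenticator object plus the (assumed) DNS server object
ALLOWED_EXEMPT_SERVICES = {"DNS", "HTTP", "HTTPS"}


def parse_policies(text):
    """Parse a 'config firewall policy' block into {policy_id: {setting: [values, ...]}}.

    Only the edit / set / next / end grammar is handled; quoted values with spaces are kept whole.
    """
    policies = {}
    current = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "edit":
            current = {}
            policies[tokens[1]] = current
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
    return policies


def audit_exempt_policies(policies, onboarding_intf=ONBOARDING_INTERFACE,
                          allowed_dst=ALLOWED_EXEMPT_DST, allowed_services=ALLOWED_EXEMPT_SERVICES):
    """Return one finding per way an exempt policy from the onboarding SSID exceeds the allowed scope."""
    findings = []
    for pid, policy in policies.items():
        if onboarding_intf not in policy.get("srcintf", []):
            continue
        if policy.get("captive-portal-exempt", ["disable"])[0] != "enable":
            continue
        name = policy.get("name", [pid])[0]
        extra_dst = set(policy.get("dstaddr", [])) - allowed_dst
        if extra_dst:
            findings.append(f"policy {pid} ({name}): exempt traffic may reach {sorted(extra_dst)}")
        extra_svc = set(policy.get("service", [])) - allowed_services
        if extra_svc:
            findings.append(f"policy {pid} ({name}): exempt services include {sorted(extra_svc)}")
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_exempt.py [saved_show_firewall_policy.txt]; without a file the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line in audit_exempt_policies(parse_policies(text)) or ["no findings"]:
        print(line)
```

Run against the sample, the script reports nothing for policy 10 and two findings for policy 11 (destination all, service ALL). Adjust the allowed sets to your own address object names before using it on a real configuration.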

Results

You can now connect your device to the Onboarding SSID and proceed with the Smart Connect onboarding process:
- Smart Connect Windows device onboarding process on page 345
- Smart Connect iOS device onboarding process on page 347

Smart Connect Windows device onboarding process

To onboard a Windows device:

1. On your Windows device, connect to the Onboarding WiFi network.
The FortiAuthenticator login screen is displayed.
2. Enter either your Google Workspace or Azure login credentials, and select Login.
Once logged in, select Smart Connect.

3. Enter a unique Device ID and choose your operating system from the Platform dropdown. Click OK.

A SmartConnect_UserName.exe file will be made available. Save this file.


4. Run the SmartConnect_UserName.exe file.
If the Microsoft Defender SmartScreen warning appears, click More info > Run anyway. If the User Account Control
warning appears, click Yes. Only do this for the file you have just downloaded from the FortiAuthenticator portal over
HTTPS; the tool installs certificates and a network profile, so it should never be run from any other source.
The Fortinet Smart Connect network configuration tool will now run.
5. Select Start.

Your device will now be provisioned with the wireless network information and certificates in order to connect to the
Secure Wi-Fi SSID.
6. Once provisioning is complete, click Connect. Your device will now connect to the Secure Wi-Fi network using
WPA2 and EAP-TLS.
You may wish to forget the Onboarding network to prevent your device from automatically connecting to it in the
future.

Smart Connect iOS device onboarding process

To onboard an iOS device:

1. On the iOS device, connect to the Onboarding WiFi network.
The FortiAuthenticator login screen is displayed.
2. Enter either your Google Workspace or Azure login credentials, and select Login.
Once logged in, select Smart Connect.

3. Enter a unique Device ID and choose your operating system from the Platform dropdown. Click OK.

4. When prompted, download the configuration profile.


5. In Settings, select Profile Downloaded.
6. Select Install within the SmartConnect Install Profile. Depending on your device setup, you may be prompted to
enter your device passcode/password.

7. On the warning screen, select Install to install any root certificates included within the profile. Once the installation is
finished, click Done.
8. In Settings, select the information icon next to the Onboarding WiFi network and select Forget this Network. Once
the network has been forgotten, the device will automatically connect to the Secure Wi-Fi network.

Zero Trust Tunnel

This section describes configuring Zero Trust Tunnel using FortiAuthenticator.

Accessing an AD server with a zero trust tunnel on FortiAuthenticator

A zero trust tunnel allows FortiAuthenticator to securely access TCP-based on-premises services from the public internet.
Using a zero trust tunnel, you can access an on-premises LDAP/AD server.

Requirements:

This example uses FortiAuthenticator 6.6.0, FortiOS 7.4.2, and an AD server.

In this example:
1. FortiAuthenticator operates as a local certificate authority (CA).
2. FortiAuthenticator generates a client certificate for the connection between FortiAuthenticator and the AD server.
3. The local root CA certificate is exported and installed on the FortiGate in order to authenticate and trust the client
connection.
4. FortiGate acts as a ZTNA application gateway allowing FortiAuthenticator to access the AD server using TCP
forwarding access proxy.

To access an AD server with a zero trust tunnel on FortiAuthenticator:

1. Configure certificate authentication for FortiAuthenticator. See Configuring certificate authentication for
FortiAuthenticator on page 350.
2. Configure a zero trust tunnel on FortiAuthenticator. See Configuring a zero trust tunnel on FortiAuthenticator on
page 352.
3. Configure an LDAP server on FortiAuthenticator. See Configuring an LDAP server with zero trust tunnel enabled on
FortiAuthenticator on page 353.
4. Configure the FortiGate device as the ZTNA server. See Configuring a ZTNA server on page 353.
5. Configure a ZTNA rule on the ZTNA server. See Configuring a ZTNA rule on page 355.
6. For troubleshooting, see Debugging: Zero trust tunnel related issues on page 356.

Configuring certificate authentication for FortiAuthenticator

To configure a local root CA:

1. Go to Certificate Management > Certificate Authorities > Local CAs, and select Create New.
The Create New Local CA Certificate window opens.
2. In Certificate ID, enter a unique ID for the CA.
3. Ensure that the Certificate type is Root CA.
4. In Name(CN), enter the subject name, e.g., a domain name.
5. Click Save.

To export the local root CA:

1. Go to Certificate Management > Certificate Authorities > Local CAs.
2. From the local CA certificate list, select the local root CA created in Configuring a local root CA, and select Export
Certificate.
The public certificate (.crt file) for the CA is downloaded to your computer, and the certificate is later imported to
FortiGate. See Importing local root CA.

To create a server certificate for FortiAuthenticator signed by the CA:

1. Go to Certificate Management > End Entities > Local Services, and select Create New.
The Create New Server Certificate window opens.
2. In Certificate ID, enter a unique ID for the certificate.
3. In the Certificate Signing Options pane, ensure that the Issuer is Local CA and the Certificate authority is the local
CA created in Configuring a local root CA.
4. In the Subject Information pane, for Name(CN), enter the FQDN of the FortiAuthenticator.
The certificate is used when configuring the zero trust tunnel. See Configuring a zero trust tunnel on
FortiAuthenticator on page 352.

To import the local root CA to FortiGate:

1. Go to System > Certificates, and from the Create/Import dropdown, select CA Certificate.
The Import CA Certificate window opens.
2. In Type, select File.
3. Select Upload, and locate the local root certificate created in Configuring a local root CA on your computer.
4. Click OK.

The imported root CA is available with the name CA_Cert_X where X denotes the number
of certificates imported.
The Issuer field for the imported root CA is the Name(CN) you gave it.

To rename the root CA on FortiGate:

In the CLI console, enter the following commands:


config vpn certificate ca
    rename <cert> to <new name>
end


To create address objects on FortiGate for FortiAuthenticator and the LDAP server:

1. Go to Policy & Objects > Addresses, and select the Address tab.
2. In the Address tab, select Create new.
The New Address window opens.
3. In Name, enter a name for the address, e.g., FAC.
4. In IP/Netmask, enter the public IP address of the FortiAuthenticator with its subnet mask.

For FortiTrust Identity, 154.52.4.227 is the fixed WAN IP address for FortiAuthenticator
Cloud to build zero trust tunnels into an on-prem environment.
Use the IP address with its subnet mask.

5. Click OK.
The address is used when Configuring an authentication rule.
6. Go to Policy & Objects > Addresses, and select the Address tab.
7. In the Address tab, select Create new.
The New Address window opens.
8. In Name, enter a name for the address, e.g., lab-ad-address.
9. In IP/Netmask, enter the private IP address of the LDAP server with its subnet mask.
10. Click OK.

To configure an authentication scheme with user-cert enabled on FortiGate:

1. Go to Policy & Objects > Authentication Rules.


2. From the Create New dropdown, select Authentication Scheme.
The New Authentication Scheme window opens.
3. In Name, enter a name for the authentication scheme.
4. In Method:
a. Select + to open the Select Entries window.
b. Select Certificate.
c. Select Close.
5. Click OK.
Alternatively, in the CLI console, enter the following commands; this form is also where user-cert is explicitly enabled:
config authentication scheme
    edit "test_scheme" #The authentication scheme name
        set method cert
        set user-cert enable
    next
end

To configure an authentication rule that uses the authentication scheme on FortiGate:

1. Go to Policy & Objects > Authentication Rules.


2. From the Create New dropdown, select Authentication Rule.
The Add New Rule window opens.
3. In Name, enter a name for the authentication rule.


4. In Source Address:
a. Select + to open the Select Entries window.
b. Search and select the address object for FortiAuthenticator. See Address object for FortiAuthenticator.
c. Select Close.
5. In Incoming interface:
a. From the dropdown, select the external interface used in Configuring a ZTNA server on page 353.
6. Enable Authentication Scheme and from the dropdown select the authentication scheme created in Creating an
authentication scheme.
7. Set IP-based Authentication as Disable.
8. Click OK.
Alternatively, in the CLI console, enter the following commands:
config authentication rule
    edit "Cert-Auth-Rule" #The authentication rule name
        set srcintf "port1" #The external interface of the ZTNA server
        set srcaddr "fac" #The address object created for FortiAuthenticator; the name must match exactly
        set ip-based disable
        set active-auth-method "test_scheme" #The authentication scheme
    next
end

To configure the authentication setting to use the CA that issued the client certificate as the user-cert-ca:

1. In the CLI console, enter the following commands:

config authentication setting
    set user-cert-ca "FAC_Cloud" #The CA certificate used to verify the client certificate, e.g., the name given to the imported root CA in the rename step
end

FortiGate accepts any client certificate that chains to this CA, so keep the CA's private key on FortiAuthenticator only and leave the authentication rule restricted to the FortiAuthenticator source address.

Configuring a zero trust tunnel on FortiAuthenticator

To configure a zero trust tunnel:

1. Go to System > Network > Zero Trust Tunnels.


2. Select Create New.
The Create New Zero Trust Tunnel window opens.
3. In Name, enter a name for the zero trust tunnel.
4. In URL, enter a URL with the external IP/FQDN of the FortiGate ZTNA server and the port set in Configuring a ZTNA server, e.g.,
https://fac.school.net:8443/.
5. In the Client certificate dropdown, select a certificate.
This certificate is used to authenticate to the ZTNA server. In this example, it is generated by the FortiAuthenticator
CA. See Server Certificate.
6. Click Save.


Configuring an LDAP server with zero trust tunnel enabled on FortiAuthenticator

We configure the on-prem AD server as an LDAP server on FortiAuthenticator. The connection is carried over the zero trust tunnel to the FortiGate, which forwards it to the AD server.

To configure an LDAP server:

1. Go to Authentication > Remote Auth. Servers > LDAP, and select Create New.
2. In Create New LDAP server:
a. In Name, enter a name.
b. Enable Use Zero Trust tunnel, and from the dropdown, select the zero trust tunnel configured in Configuring a
zero trust tunnel on FortiAuthenticator on page 352.
c. In Primary Server IP, enter the IP address/FQDN of the AD server.
d. In Port, enter the port number of the LDAP server.
e. In Base distinguished name, enter a base distinguished name.
f. In Bind Type, select Regular.
Enter the username and password of the LDAP bind account. A read-only account is sufficient for searches and user authentication; a domain administrator account is not required.
3. Click OK.

Configuring a ZTNA server

To configure a ZTNA server:

1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
2. Select Create new.
The New ZTNA Server window opens.
3. In Type select IPv4.

Once set up, Type cannot be changed when editing the ZTNA server.

4. In Name, enter a name for the server.


5. In the Connect On pane:
a. In the Interface dropdown, select an external interface.
The IP address and the Port fields are automatically set to the selected interface and the default port 443.
To create a new interface instead, select + in the dropdown.
b. In IP address, enter the external IP address that the ZTNA clients, e.g., FortiAuthenticator, connect to.
c. In Port, enter the port number that the ZTNA clients, e.g., FortiAuthenticator, connect to, e.g., 8443.
6. In Services and Servers pane:
a. In Default certificate dropdown, select Fortinet_Factory.
Clients are presented with this certificate when they connect to the access proxy VIP.

If Fortinet_Factory is not selected as the default certificate, a certificate issued by the local root CA configured/exported from FortiAuthenticator and imported to FortiGate can be used. See:
- Configuring a local root CA
- Exporting the local root CA
- Importing the local root CA

b. In Service/server mapping, select Create new.


The New Service/Server Mapping window opens.
i. In Type, select IPv4.

All hosted servers must be the same address type. The address type cannot be
changed after the mapping is created.

ii. In Service, select TCP Forwarding.


iii. In the Server pane:
i. In the Address dropdown, select an address, e.g., lab-ad-address.
ii. In Ports, enter a port number for the LDAP server, e.g., 389.

The address and the port number must match the Primary Server IP and Port
when Configuring an LDAP server with zero trust tunnel enabled on
FortiAuthenticator on page 353.

By default, LDAP uses port 389.

iv. Click OK.


7. Click OK.

Configuring a ZTNA rule

To configure a ZTNA rule:

1. Go to Policy & Objects > Firewall Policy.


2. Select Create new.
The Create New Policy window opens.
3. In Name, enter a name for the ZTNA policy.
4. Set Type to ZTNA.
5. In Incoming Interface, select the same interface as selected in Configuring a ZTNA server on page 353.
6. In Source, select +, and from the Select Entries list, select the address object for FortiAuthenticator.
See Address object for FortiAuthenticator, and select Close.
7. In ZTNA Server, select the server created in Configuring a ZTNA server on page 353.


8. Click OK.
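The procedure above spreads one set of values over two devices: the tunnel URL port, the LDAP IP and port in the service/server mapping, the address object names in the authentication and ZTNA rules, and the CA named in user-cert-ca all have to agree. The following script is an added example, not Fortinet code, that models those fields and reports every mismatch. The FortiAuthenticator address 154.52.4.227, the port 8443, the object names FAC, lab-ad-address, test_scheme and FAC_Cloud come from this chapter; the LDAP IP 10.0.0.10 and the CA name fac-root-ca are assumed sample values.

```python
# Added example (not Fortinet code): cross-check the values that must agree between the
# FortiAuthenticator zero trust tunnel / LDAP server entry and the FortiGate ZTNA server,
# service mapping, authentication scheme/rule and user-cert-ca.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class FacConfig:
    """FortiAuthenticator side: the zero trust tunnel and the LDAP server entry."""
    tunnel_url: str           # URL field of the zero trust tunnel, e.g. https://fac.school.net:8443/
    tunnel_cert_issuer: str   # Name(CN) of the local CA that signed the tunnel client certificate
    ldap_host: str            # Primary Server IP of the LDAP server entry
    ldap_port: int            # Port of the LDAP server entry
    ldap_uses_tunnel: bool    # "Use Zero Trust tunnel" enabled on the LDAP server entry


@dataclass
class FgtConfig:
    """FortiGate side, keyed by the object names used in the CLI."""
    addresses: dict           # address object name -> IP/netmask
    ca_certs: dict            # imported CA certificate name -> Issuer (Name(CN))
    ztna_interface: str       # ZTNA server "Connect On" interface
    ztna_port: int            # ZTNA server "Connect On" port
    mappings: list            # [(address object name, port), ...] TCP-forwarding targets
    scheme_method: str        # authentication scheme: method
    scheme_user_cert: bool    # authentication scheme: user-cert
    rule_srcintf: str         # authentication rule: srcintf
    rule_srcaddr: str         # authentication rule: srcaddr
    rule_ip_based: bool       # authentication rule: ip-based
    user_cert_ca: str         # authentication setting: user-cert-ca
    ztna_rule_srcaddr: str    # ZTNA rule: source address


def check_tunnel_config(fac: FacConfig, fgt: FgtConfig) -> list:
    """Return a list of findings; an empty list means every cross-reference agrees."""
    findings = []

    # 1. The tunnel URL must reach the ZTNA server's port over HTTPS.
    url = urlsplit(fac.tunnel_url)
    tunnel_port = url.port or 443
    if url.scheme != "https":
        findings.append("tunnel URL must use https")
    if tunnel_port != fgt.ztna_port:
        findings.append(f"tunnel URL port {tunnel_port} != ZTNA server port {fgt.ztna_port}")

    # 2. The LDAP server FortiAuthenticator queries must be a TCP-forwarding target of the ZTNA server.
    if not fac.ldap_uses_tunnel:
        findings.append("LDAP server entry does not have 'Use Zero Trust tunnel' enabled")
    targets = {(fgt.addresses.get(name, "").split("/")[0], port) for name, port in fgt.mappings}
    if (fac.ldap_host, fac.ldap_port) not in targets:
        findings.append(f"LDAP {fac.ldap_host}:{fac.ldap_port} is not a service/server mapping target")

    # 3. Certificate authentication: scheme, rule and user-cert-ca must line up.
    if fgt.scheme_method != "cert" or not fgt.scheme_user_cert:
        findings.append("authentication scheme needs 'set method cert' and 'set user-cert enable'")
    if fgt.rule_ip_based:
        findings.append("authentication rule needs 'set ip-based disable'")
    if fgt.rule_srcintf != fgt.ztna_interface:
        findings.append("authentication rule srcintf differs from the ZTNA server interface")
    for label, name in (("authentication rule", fgt.rule_srcaddr), ("ZTNA rule", fgt.ztna_rule_srcaddr)):
        if name not in fgt.addresses:
            findings.append(f"{label} source address '{name}' is not an existing address object (names are exact)")
    issuer = fgt.ca_certs.get(fgt.user_cert_ca)
    if issuer is None:
        findings.append(f"user-cert-ca '{fgt.user_cert_ca}' is not an imported CA certificate")
    elif issuer != fac.tunnel_cert_issuer:
        findings.append(f"user-cert-ca issuer '{issuer}' did not sign the tunnel client certificate")
    return findings


# Constructed sample reflecting this chapter; 10.0.0.10 and fac-root-ca are assumed values.
EXAMPLE_FAC = FacConfig(
    tunnel_url="https://fac.school.net:8443/", tunnel_cert_issuer="fac-root-ca",
    ldap_host="10.0.0.10", ldap_port=389, ldap_uses_tunnel=True)
EXAMPLE_FGT = FgtConfig(
    addresses={"FAC": "154.52.4.227/32", "lab-ad-address": "10.0.0.10/32"},
    ca_certs={"FAC_Cloud": "fac-root-ca"},
    ztna_interface="port1", ztna_port=8443, mappings=[("lab-ad-address", 389)],
    scheme_method="cert", scheme_user_cert=True,
    rule_srcintf="port1", rule_srcaddr="FAC", rule_ip_based=False,
    user_cert_ca="FAC_Cloud", ztna_rule_srcaddr="FAC")

if __name__ == "__main__":
    for line in check_tunnel_config(EXAMPLE_FAC, EXAMPLE_FGT) or ["OK: all cross-references agree"]:
        print(line)
```

Fill the two dataclasses from `show` output on the FortiGate and the FortiAuthenticator GUI before running the debug steps below; a finding such as a lowercase srcaddr or an LDAP port that is not in the mapping is cheaper to spot here than in WAD output.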

Debugging: Zero trust tunnel related issues

To debug:

1. Go to https://<FortiAuthenticator-IP-Address>/debug.
2. From the tree menu, go to Others > GUI to see extended FortiAuthenticator debug logs.

You can change the Log level to increase or decrease the depth of details.


Accessing WAD debug categories and setting them to the maximum level on a FortiGate ZTNA server:

To access WAD debug categories:

1. In the CLI console, enter the following commands:

diagnose wad debug enable all
diagnose wad debug enable level verbose
diagnose debug enable

2. Trigger a connection from FortiAuthenticator over the tunnel and watch for the client certificate check result in the WAD output, reported as one of:

cert-status: failure

cert-status: success

cert-status: failure means the certificate presented by FortiAuthenticator did not pass verification; recheck the user-cert-ca and the tunnel client certificate. Run diagnose debug disable when you are done.

SCIM

This section describes configuring SCIM using FortiAuthenticator.

FortiAuthenticator SCIM integration with AWS

System for Cross-domain Identity Management (SCIM) is an open standard for automating user identity information
exchange between an identity provider (IdP) and a service provider (SP).
The following shows the SCIM topology being used in this example:

To set up FortiAuthenticator as a SCIM client for AWS as the SCIM SP:

1. Enabling IAM Identity Center in AWS on page 358


2. Changing the identity source from IAM Identity Center to FortiAuthenticator on page 360
a. Importing SP metadata on page 363
b. Exporting the IdP metadata to the IAM Identity Center on page 364
c. Importing the IdP certificate to the IAM Identity Center on page 364
3. Manage provisioning on page 365
4. Creating a local user on page 366
5. Creating a user group on page 367
6. Creating a new SCIM SP on page 368

Enabling IAM Identity Center in AWS

For information on AWS Identity Center, see What is IAM Identity Center.

To enable IAM Identity Center in AWS:

1. Log in to the IAM Identity Center console with administrative privileges.


2. In Enable IAM Identity Center on the right, select Enable.
A new Enable IAM Identity Center page opens.


3. In Select preferred setup, select Continue with setup by creating the account instance. Only one account instance
can be created per account for all regions.
4. Select Continue.
5. Optionally, select Add new tag to add tags to organize AWS resources in your IAM Identity Center instance.
6. Select Enable.
The IAM Identity Center Dashboard opens.


Changing the identity source from IAM Identity Center to FortiAuthenticator

To configure the identity source:

1. Go to Settings in IAM Identity Center.


2. In Identity source, from the Actions dropdown, select Change identity source.

3. In Choose identity source, select External identity provider.

4. Click Next.
The Configure external identity provider page opens.
Keep the Configure external identity provider page open in a separate tab as you need it to perform steps 7, 8, and
9.


5. On FortiAuthenticator, go to Authentication > SAML IdP > General.


a. Select Enable SAML Identity Provider portal.
b. In Server address, enter the AWS access portal sign-in URL from the Configure external identity provider page
in the IAM Identity Center.
c. Select Add a realm to add the default local realm to which the users will be associated.
d. In Default IdP certificate, select a default certificate the IdP uses to sign SAML assertions from the dropdown
menu.
In this example, the Default-Server-Certificate is selected.
e. Select Save.

6. On FortiAuthenticator, go to Authentication > SAML IdP > Service Providers.


a. Select Create New.
b. In SP name, enter a name for the SP.
c. In Create an identifier for this IdP, select +:
i. In Create Alternate IdP identifier window, select Random to randomly generate an IdP identifier.
ii. Click OK.
IdP entity id, IdP single sign-on URL, and IdP single logout URL are populated automatically.
d. In Authentication method, select All configured password and OTP factors.
e. Click Save.
7. To import the SP metadata from the IAM Identity Center, see Importing SP metadata on page 363.


8. To export the IdP metadata to the IAM Identity Center, see Exporting the IdP metadata to the IAM Identity Center on
page 364.
9. To import the IdP certificate to the IAM Identity Center, see Importing the IdP certificate to the IAM Identity Center on
page 364.
10. Click Next.
The Confirm change page opens.

11. Review your settings in the Confirm change page and enter ACCEPT in the Confirm that you want to change your
identity source by entering ACCEPT in the field below field.
12. Select Change identity source.
A green banner at the top confirms that you have successfully changed the identity source from IAM Identity Center
to an external IdP, in this example, FortiAuthenticator.


Importing SP metadata

The SP metadata is downloaded from the IAM Identity Center and imported into FortiAuthenticator.

To import the SP metadata from the IAM Identity Center into FortiAuthenticator:

1. In the Configure external identity provider page opened in a separate tab as described in step 4 in Changing the
identity source from IAM Identity Center to FortiAuthenticator on page 360, under the Service provider metadata
pane, select Download metadata file.
The SP metadata file is downloaded to your management computer.
2. On FortiAuthenticator, go to Authentication > SAML IdP > Service Providers and select the SP entry created in step
6 in Changing the identity source from IAM Identity Center to FortiAuthenticator on page 360 to edit it.
3. In the SP Metadata pane, select Import SP metadata.
4. In the Import Service Provider Metadata pane, select Upload a file, locate the SP metadata file on your
management computer, and click Open.
5. Click Save.

Exporting the IdP metadata to the IAM Identity Center

We will be exporting the IdP metadata to the IAM Identity Center.

To export the IdP metadata to the IAM Identity Center:

1. In the Service Providers list, click the recently created SP to edit it.
2. In IdP Metadata, select an identifier from the dropdown.
3. Select IdP metadata to download the IdP metadata to your local computer.
4. In the Configure external identity provider page opened in a separate tab as described in step 4 in Changing the
identity source from IAM Identity Center to FortiAuthenticator on page 360, under the Identity provider metadata
pane, select Choose file in IdP SAML metadata, locate the IdP metadata file on your local computer, and click
Open.

Importing the IdP certificate to the IAM Identity Center

The IdP certificate is the certificate FortiAuthenticator signs SAML assertions with; in this example it is the
Default-Server-Certificate. You can verify which certificate is in use by going to Authentication > SAML IdP > General.

To import the IdP certificate:

1. On FortiAuthenticator, go to Certificate Management > End Entities > Local Services.
2. Select Default-Server-Certificate from the server certificate list, then select Export Certificate from the top.
The IdP certificate is downloaded to your management computer.
3. In the Configure external identity provider page opened in a separate tab as described in step 4 in Changing the
identity source from IAM Identity Center to FortiAuthenticator on page 360, under the Identity provider metadata
pane, select Choose file in IdP certificate.
4. Locate the IdP certificate on your management computer, and click Open.
5. Continue from step 10 in Changing the identity source from IAM Identity Center to FortiAuthenticator on page 360.


Manage provisioning

To manage provisioning:

1. Go to Settings in the IAM Identity Center.
2. In the Identity source tab, from the Actions dropdown, select Manage Provisioning.
The Automatic provisioning tab opens.
3. Ensure that automatic provisioning is enabled for your identity center directory.
AWS generates the SCIM endpoint and the Access token.
4. Copy and save the SCIM endpoint and the Access token on your management computer; both are needed on the
FortiAuthenticator side.

The access token is only displayed once. If you do not save it, you must generate a new
access token. The token is a bearer credential that grants write access to the Identity
Center directory, so store it as you would a password.

Creating a local user

To create a local user:

1. On FortiAuthenticator, go to Authentication > User Management > Local Users.


2. Select Create New to create a new user.
3. In Username, enter a user name.
4. Ensure that Password creation is set to Specify a password.
5. In Password, enter a password.
6. Confirm the password in the Password confirmation field.
7. Click Save.
The Edit Local User window opens.

AWS requires the following four fields:
- Username
- Display name
- First name
- Last name
If any of these fields is missing, AWS rejects the sync.


8. Fill in the remaining required fields in the User Information pane, i.e., Display name, First name, and Last name.

9. Click Save.

Creating a user group

To create a user group:

1. On FortiAuthenticator, go to Authentication > User Management > User Groups.


2. Select Create New.
The Create New User Group window opens.
3. In Name, enter a name for the user group.
4. In Type, select Local.
5. From the Available Users list, select the recently created local user in Creating a local user on page 366 and move it
to Chosen Users.


6. Click Save.

Creating a new SCIM SP

To create a new SCIM SP:

1. In FortiAuthenticator, go to Authentication > SCIM > Service Provider.


2. Select Create New.
The Create New SCIM Service Provider window opens.
3. In Name, enter a name for the SCIM SP.
4. In Scim endpoint, enter the SCIM endpoint URL that you earlier copied and saved in Manage provisioning on page
365.
5. In Access token, enter the access token that you earlier copied and saved in Manage provisioning on page 365.

The fields in User Attributes Mapping are the variables for the JSON schema being
imported to AWS, e.g., the FortiAuthenticator user name will map to the user name of the
JSON schema.

6. Click Sync.
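What a sync to the IAM Identity Center actually sends is a SCIM 2.0 request per user and per group, authenticated with the access token as a bearer header. The script below is an added example, not FortiAuthenticator or AWS code: it maps a local user record to the SCIM User attributes, refuses to build the request when one of the four fields AWS requires is missing, builds the Group payload, and assembles the HTTPS request. The endpoint URL, token and user values are constructed samples; the real endpoint and token are the ones copied in Manage provisioning.

```python
# Added example (not FortiAuthenticator or AWS code): build the SCIM 2.0 requests that a
# sync to IAM Identity Center consists of, checking the four user fields AWS requires
# before anything is sent. Endpoint, token and user values below are constructed samples.
import json
import urllib.request

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
# Local-user fields that map to the SCIM attributes AWS insists on.
REQUIRED_FIELDS = ("username", "display_name", "first_name", "last_name")


def scim_user(local_user: dict) -> dict:
    """Map a FortiAuthenticator-style local user record to a SCIM core User.

    Raises ValueError when a required field is missing or empty, which is the
    condition under which AWS rejects the sync.
    """
    missing = [f for f in REQUIRED_FIELDS if not local_user.get(f)]
    if missing:
        raise ValueError(f"cannot provision {local_user.get('username')!r}: missing {missing}")
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": local_user["username"],
        "displayName": local_user["display_name"],
        "name": {"givenName": local_user["first_name"], "familyName": local_user["last_name"]},
        "active": bool(local_user.get("active", True)),
    }
    if local_user.get("email"):
        user["emails"] = [{"value": local_user["email"], "primary": True}]
    return user


def scim_group(display_name: str, member_ids: list) -> dict:
    """SCIM core Group; members carry the SP-side ids returned when each user was created."""
    return {"schemas": [SCIM_GROUP_SCHEMA], "displayName": display_name,
            "members": [{"value": uid} for uid in member_ids]}


def scim_request(endpoint: str, token: str, resource: str, body: dict) -> dict:
    """Assemble a POST to <endpoint>/<resource> without sending it.

    The access token is a bearer credential: it only ever goes in the Authorization
    header, and only over https.
    """
    if not endpoint.lower().startswith("https://"):
        raise ValueError("SCIM endpoint must be https; the access token would otherwise travel in clear")
    return {
        "method": "POST",
        "url": endpoint.rstrip("/") + "/" + resource,
        "headers": {"Authorization": "Bearer " + token,
                    "Content-Type": "application/scim+json",
                    "Accept": "application/scim+json"},
        "body": json.dumps(body),
    }


def send(req: dict) -> dict:
    """Send an assembled request with the standard library and parse the JSON reply."""
    r = urllib.request.Request(req["url"], data=req["body"].encode(),
                               headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r, timeout=15) as resp:
        return json.load(resp)


# Constructed sample values; the real endpoint and token come from Manage provisioning in AWS.
ENDPOINT = "https://scim.us-east-1.amazonaws.com/EXAMPLE/scim/v2/"
TOKEN = "redacted-access-token"
SAMPLE_USER = {"username": "jdoe", "display_name": "John Doe",
               "first_name": "John", "last_name": "Doe", "email": "jdoe@example.com"}

if __name__ == "__main__":
    req = scim_request(ENDPOINT, TOKEN, "Users", scim_user(SAMPLE_USER))
    print(req["method"], req["url"])
    print(req["body"])
    # A user record missing Display name is refused locally instead of by AWS:
    try:
        scim_user({"username": "nodisplay", "first_name": "No", "last_name": "Display"})
    except ValueError as err:
        print("rejected:", err)
```

The `id` AWS returns in the reply to a Users POST is what goes into the Group's `members` list; that is why the user must be provisioned before the group. Running `scim_user()` over your local users before pressing Sync tells you in advance which accounts AWS will reject.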

SSOMA

This section describes SSOMA related examples:


l Log in to a Windows host using SSOMA on page 369

Log in to a Windows host using SSOMA

In this example:
l We use SSOMA to log in to a Windows host.
l An AD server is the remote LDAP server.
For information on SSOMA, see FortiClient SSO Mobility Agent in the latest FortiAuthenticator Administration Guide.

To log in to a Windows host using SSOMA:

1. Configuring a remote LDAP server on page 369


2. Enabling FSSO service on page 370
3. Configuring SSO settings on page 371
4. Installing SSOMA on page 372
5. Result on page 373

Configuring a remote LDAP server

We configure an LDAP connection to an Active Directory (AD) server on FortiAuthenticator.

To configure a remote LDAP server on FortiAuthenticator:

1. Go to Authentication > Remote Auth. Servers > LDAP, and select Create New.
The Create New LDAP Server window opens.
2. In Name, enter a name.
3. In Primary server name/IP, enter the AD server IP address.
4. In Base distinguished name, enter DC=iamexperts,DC=lab.
5. In Bind type, select Regular.
6. In Username, enter the user name.
7. In Password, enter a password.
8. Ensure that the Server type is Microsoft Active Directory.
9. Leave the settings in the Query Elements pane as default.


10. Click Save.

Ensure that you can browse the AD tree (IAM OU) by clicking Browse in Base
distinguished name when editing the LDAP server.

Go to Monitor > SSO > Domains to see all the configured DC/LDAP servers as well as the
known domains that have been provisioned.

Enabling FSSO service

To enable FSSO service:

1. Go to System > Network > Interfaces, and double-click port1 to edit it.
2. In Access Rights, in Services, enable FortiGate FSSO (TCP/8000) and FortiClient FSSO (TCP/8001).


3. Click Save.

FortiAuthenticator restarts.

Configuring SSO settings

To configure SSO FortiGate setting:

1. Add a secret key:


a. Go to Fortinet SSO > Settings > FortiGate.
b. Select Enable authentication.
c. Enter a Secret key.

The Secret key must match the value entered in the FSSO connector on FortiGate.

d. Click Save.

2. Enable the FortiClient SSO Mobility Agent Service:


a. Go to Fortinet SSO > Settings > Methods.
b. Enable FortiClient SSO Mobility Agent Service.
c. Ensure that Enable authentication is selected and the Secret key matches SSOPSK set when installing the
SSOMA.
See Installing SSOMA on page 372.


d. Click Save.

Installing SSOMA

We install SSOMA on a Windows host.

To install SSOMA:

1. Log in to the FortiCare portal.


2. Go to Support > Firmware Download.
3. From the Select Product dropdown, select FortiClient, and select Download.
4. In Image Folders/Files, go to Windows, and download the SSOMA setup zip file (FortiClientSSOSetup_
7.x.x.x_x64.zip) from one of the version directories.

5. Extract the zip file and save the installer to C:\Fortinet.
6. In Command Prompt, go to the directory where FortiClientSSO.msi was extracted:
cd C:\Fortinet\
7. In the Command Prompt, run the following command (equivalently, msiexec /i FortiClientSSO.msi with the same
properties):

FortiClientSSO.msi SSOSERVER="10.255.255.12" SSOPORT="8001" SSOPSK="F0rtiXperts"

SSOSERVER is your FortiAuthenticator IP address or FQDN.


SSOPORT is the FortiClient listening port in Fortinet SSO > Settings > Methods when
FortiClient SSO Mobility Agent Service is enabled.
See Configuring SSO settings on page 371.

SSOPSK is the Secret key set up in Fortinet SSO > Settings > Methods when FortiClient
SSO Mobility Agent Service and Enable authentication are selected.
See Configuring SSO settings on page 371.

The installer runs and the SSOMA service is started.


8. You can check if the SSOMA service is running by going to Services on the Windows host.

Result

1. Log in to the Windows host.


2. Go to Monitor > SSO > SSO Sessions to see information about the recent SSO session.

FortiAuthenticator SSOMA for native Microsoft Entra ID joined workstation

In this example, an endpoint is joined to Microsoft Entra ID. When the endpoint connects to the network, the SSOMA
shares the identity and the IP address with the FortiAuthenticator.
The FortiAuthenticator then does a group lookup and shares the identity with the FortiGate device.
If the endpoint now moves from a wired to a wireless connection, the SSOMA shares the updated IP address with
FortiAuthenticator which then shares the information with the FortiGate device.
For information on this feature, see FSSO for cloud-native Azure AD users in the FortiAuthenticator 6.5.5 Administration
Guide.

Prerequisites:
- FortiAuthenticator 6.5.0 or above
- FortiClient 7.2.0 or above
- A Windows 10/11 endpoint that supports Microsoft Entra ID
- Microsoft Entra ID tenant


Authentication flow:

1. The user logs on to Microsoft Entra ID joined workstation.


2. The SAML session is transparently set up in the background on Azure.
3. SSOMA retrieves the user identity.
4. SSOMA shares the user name and the IP address with FortiAuthenticator.
5. FortiAuthenticator retrieves the group information (OAuth).
6. FortiAuthenticator sends the user identity to FortiGate devices configured to receive.
7. Identity-based access to all FortiGate service is provided transparently without the user needing to reenter
credentials.

To configure SSOMA for a native Microsoft Entra ID joined workstation:

1. Enabling SSOMA on FortiClient EMS on page 374
2. Configuring prefer_azure on the EMS on page 375
3. Installing SSOMA with FortiClient on page 375
4. Creating a Microsoft Entra ID tenant on page 376
5. Creating a user and associating with groups on page 377
6. Joining the Windows 10 endpoint to Microsoft Entra ID on page 377
7. Verifying that the endpoint is domain joined on page 379
8. Creating FortiAuthenticator enterprise application on page 380
9. Getting application ID and the authentication key on page 382
10. Adding the application to directory readers role on page 382
11. Provisioning OAuth API on FortiAuthenticator on page 383
12. Results on page 384
13. FSSO sessions and debug logs on page 385

Enabling SSOMA on FortiClient EMS

To enable SSOMA on FortiClient EMS:

1. Go to Endpoint Profiles > System Settings.
2. Select Edit next to a profile to edit it.
3. Switch to the Advanced tab.
4. In Other:
a. Enable FortiClient Single Sign-On Mobility Agent.
b. In IP Address/Hostname, enter the IP address or hostname of the FortiAuthenticator that SSOMA reports to.
c. In Port, enter 8001.
d. Enter a pre-shared key. It must match the Secret key configured on FortiAuthenticator in Fortinet SSO > Settings > Methods.
5. Click Save.


Configuring prefer_azure on the EMS

To configure prefer_azure on the EMS:

1. In EMS, edit the desired endpoint profile's XML configuration so that the fssoma section matches the IP address, port,
and PSK configured on the FortiAuthenticator, and set prefer_azure so that FortiClient detects the Azure user
information and sends it to FortiAuthenticator:
<fssoma>
    <enabled>1</enabled>
    <serveraddress>10.222.48.79</serveraddress>
    <!-- must equal the Secret key in Fortinet SSO > Settings > Methods on FortiAuthenticator; use a long random value -->
    <presharedkey>Fortinet123!</presharedkey>
    <prefer_azure>1</prefer_azure>
</fssoma>

To set the prefer_azure registry key on a standalone SSOMA, see:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-How-to-install-a-standalone-Windows-FSSO-Mobility/ta-p/298044

Installing SSOMA with FortiClient

When installing FortiClient on the endpoint, make sure to select Single Sign-On Mobility Agent in the Additional Security
Features window.

Check that the configuration that you added in Enabling SSOMA on FortiClient EMS on page 374 is applied on
FortiClient in Settings > Advanced.

To install the standalone Windows FSSO Mobility Agent, see Technical Tip: How to install a
standalone Windows FSSO Mobility Agent.


Creating a Microsoft Entra ID tenant

To create a tenant:

1. Sign in to Microsoft Azure Portal.


2. In Azure portal, go to Microsoft Entra ID.
The Overview page opens.

3. In Overview, Select Manage tenants, and then select Create.


Create a tenant window opens.
4. In the Basics tab, select Azure Active Directory as the tenant type, and select Next: Configuration.

5. In Configuration, enter the Organization name, Initial domain name, and Country/Region.

6. Select Next: Review + create to review the entries, and select Create to create the tenant.

To switch to the correct directory:


1. Click the user icon on the top right.
2. Select Switch directory.
3. From the list, select Switch for the directory you intend to use.


Creating a user and associating with groups

We create a user john doe associated with engineering and marketing groups on the Azure portal.

To create a user and associate it with groups:

1. In Azure portal, go to Users.


2. Select +New user.
3. In Basics:
a. In User principal name, enter a user name.
b. In Display name, enter a display name.
c. In Password, enter a password.
d. Select Account enabled.
e. Click Next: Properties.
4. In the Properties tab, fill in user identity, job, and contact information.
5. Click Next: Assignments.
6. In Assignments:
a. Select +Add group.
b. From Select group, select engineering and marketing groups.
c. Click Next: Review + create.

Joining the Windows 10 endpoint to Microsoft Entra ID

To join the Windows 10 endpoint to Microsoft Entra ID:

1. On the Windows 10 endpoint, open Settings > Email & accounts.


2. Select Access work or school.


3. Select Connect.

Ensure that the endpoint is not joined to an on-prem AD domain.

4. Select Join this device to Azure Active Directory.

5. Sign in with the Microsoft Entra ID user, e.g., john@csefac8.onmicrosoft.com, and click Next.


6. Enter the password and click Sign in.

7. Note that the domain is the Microsoft Entra ID primary domain and select Join.

Verifying that the endpoint is domain joined

To verify that the endpoint is domain joined:

1. On the endpoint, open Settings > Email & accounts.


2. Select Access work or school.
You will see that the endpoint is connected to the Microsoft Entra ID tenant configured in Creating a Microsoft Entra
ID tenant on page 376.


3. On the Azure portal, in All devices, you can see that the endpoint is Microsoft Entra ID joined.

Creating FortiAuthenticator enterprise application

To create a FortiAuthenticator enterprise application:

1. Go to Azure Active Directory > Enterprise applications.

2. In Enterprise applications, select New application.


The Browse Azure AD Gallery page opens.


3. In the Browse Azure AD Gallery, select Create your own application.


The Create your own application window opens.
4. In the Create your own application window, enter a name for the application, and select Create.

5. In the newly created enterprise application, select Assign users and groups.
6. Select Add user/group.
7. In the Add Assignment page, select None Selected.
8. From Users and groups, select to add the user created in Creating a user and associating with groups on page 377.
9. Select Assign to assign the user to the application.


Getting application ID and the authentication key

The application ID and the authentication key (client secret) are needed for the MS Graph API (OAuth based) lookups.
Note down the Application ID for the application created in Creating FortiAuthenticator enterprise application on page
380.

To get the authentication key:

1. In the Microsoft Entra ID tenant created in Creating a Microsoft Entra ID tenant on page 376, go to Manage > App
registrations.
2. In the All applications tab, select the application created in Creating FortiAuthenticator enterprise application on
page 380.
3. Go to Manage > Certificates & secrets.
4. Select New client secret.
5. In Add a client secret:
a. Enter a description and choose an expiry. Note the date: group lookups from FortiAuthenticator stop working when the secret expires, so plan its rotation.
b. Click Add.
The key is displayed.
c. Copy and save the key value on your management computer. You cannot retrieve the key later.

Adding the application to directory readers role

We assign Directory Readers role for the application created in Creating FortiAuthenticator enterprise application on
page 380. The role allows the application to read the directory to determine the group membership for users.


To add the application to directory readers role:

1. In the Azure portal, go to Microsoft Entra ID > Roles and administrators.

2. In the search bar, enter Directory Readers.

3. Select Directory Readers, click Description, and go to Assignments.


4. Select Add assignments.
5. From the list, look up the application, select, and click Add.

Provisioning OAuth API on FortiAuthenticator

To provision OAuth API on FortiAuthenticator:

1. On FortiAuthenticator, go to Authentication > Remote Auth. Servers > OAUTH.


2. Select Create New.
3. Enter a name for the remote OAuth server.
4. In OAuth source, select Azure Directory.
5. In Client ID, enter the application ID from Getting application ID and the authentication key on page 382.
6. In Client Key, enter the authentication key from Getting application ID and the authentication key on page 382.
7. Enable Include for SSO, and in Azure AD tenant ID, enter the tenant ID from Creating a Microsoft Entra ID tenant on
page 376.
The Azure AD tenant ID is used by FortiAuthenticator, upon receiving an SSOMA update from FortiClient, to know
which OAuth server/Azure tenant to query.

8. Click Save.
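The three procedures above only collect identifiers and paste them into the GUI; what FortiAuthenticator does with them is not shown. The following is an added illustration, not FortiAuthenticator's or Fortinet's own code: it performs the same two calls the configured Client ID, Client Key and tenant ID enable, namely an OAuth 2.0 client-credentials token request to Microsoft Entra ID and an MS Graph memberOf query, which is the read that the Directory Readers role permits. The transport is injected so the flow runs offline against constructed Entra ID and Graph responses; the tenant, application ID, client key and token values are placeholders, and the user is the one from the Results section.

```python
"""Added example (not FortiAuthenticator code): app-only Graph lookup of a
user's group membership using the client ID, client key and tenant ID that
the OAuth server entry in FortiAuthenticator is configured with."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Real Microsoft endpoints; only the path parameters are filled in.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_MEMBER_OF = "https://graph.microsoft.com/v1.0/users/{upn}/memberOf"

# (method, url, headers, body) -> raw response body
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], bytes]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> bytes:
    """Live transport; used only when the example is pointed at a real tenant."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def build_token_request(tenant_id: str, client_id: str, client_key: str) -> Tuple[str, bytes]:
    """Client-credentials grant: the app (not a user) authenticates with its key."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,          # Application ID from the app registration
        "client_secret": client_key,     # the client secret shown once at creation
        "scope": "https://graph.microsoft.com/.default",
    }
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()


def get_app_token(tenant_id: str, client_id: str, client_key: str,
                  transport: Transport = urllib_transport) -> str:
    url, body = build_token_request(tenant_id, client_id, client_key)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = json.loads(transport("POST", url, headers, body))
    if "access_token" not in data:
        # Entra ID returns error/error_description on a bad key or tenant ID.
        raise RuntimeError(f"token request failed: {data.get('error_description', data)}")
    return data["access_token"]


def get_user_groups(token: str, upn: str,
                    transport: Transport = urllib_transport) -> List[str]:
    """Display names of groups the user is a direct member of, following Graph paging."""
    url: Optional[str] = GRAPH_MEMBER_OF.format(upn=urllib.parse.quote(upn))
    headers = {"Authorization": f"Bearer {token}"}
    groups: List[str] = []
    while url:
        page = json.loads(transport("GET", url, headers, None))
        for obj in page.get("value", []):
            # memberOf also returns directory roles; keep only groups.
            if obj.get("@odata.type") == "#microsoft.graph.group":
                groups.append(obj["displayName"])
        url = page.get("@odata.nextLink")
    return groups


def lookup_groups(tenant_id: str, client_id: str, client_key: str, upn: str,
                  transport: Transport = urllib_transport) -> List[str]:
    token = get_app_token(tenant_id, client_id, client_key, transport)
    return get_user_groups(token, upn, transport)


def constructed_transport(method: str, url: str, headers: Dict[str, str],
                          body: Optional[bytes]) -> bytes:
    """Offline stand-in for Entra ID and Graph with constructed responses."""
    if method == "POST" and url.endswith("/oauth2/v2.0/token"):
        return json.dumps({"token_type": "Bearer", "access_token": "CONSTRUCTED-TOKEN"}).encode()
    if headers.get("Authorization") != "Bearer CONSTRUCTED-TOKEN":
        raise RuntimeError("Graph call without the app token")
    if "$skiptoken" in url:  # second page of a paged memberOf result
        return json.dumps({"value": [
            {"@odata.type": "#microsoft.graph.group", "displayName": "VPN-Users"}]}).encode()
    return json.dumps({
        "value": [
            {"@odata.type": "#microsoft.graph.group", "displayName": "Finance"},
            {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Directory Readers"},
        ],
        "@odata.nextLink": url + "?$skiptoken=CONSTRUCTED",
    }).encode()


if __name__ == "__main__":
    print(lookup_groups("TENANT-ID-PLACEHOLDER", "APPLICATION-ID-PLACEHOLDER",
                        "CLIENT-KEY-PLACEHOLDER", "john@csefac8.onmicrosoft.com",
                        constructed_transport))
```

Two points follow from the flow. First, a wrong tenant ID or a revoked client key fails at the token step, before any Graph call, so a FortiAuthenticator OAuth server that stops returning groups is best checked there. Second, the client secret created in Certificates & secrets carries an expiry date chosen at creation; since its value cannot be read back afterwards, rotation means creating a new secret and replacing the Client Key in the FortiAuthenticator OAuth server entry before the old one expires.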

Results

1. When logging in to Microsoft Entra ID, select Other user.

2. Log in as john@csefac8.onmicrosoft.com.

FSSO sessions and debug logs

On FortiAuthenticator, when you go to Monitor > SSO Sessions, you can see the FSSO sessions.

Go to the extended debug logs at https://<FortiAuthenticator-IP-Address>/debug to see FSSO debug logs in
Log Categories > Single Sign On.

Copyright© 2025 Fortinet, Inc. All rights reserved.