FortiAuthenticator
User Authentication and Identity Management
FortiAuthenticator Overview
Answering your authentication challenges
Authentication and Authorization
• RADIUS, LDAP, 802.1X, RADIUS Proxy
• SSO Mobility Agent
• Web-based login widget
Two-Factor Authentication
• FortiToken, physical and mobile
• Tokenless, via SMS and email
Certificate Management
• X.509 certificate signing, certificate revocation
• Remote device / unattended authentication
Fortinet Single Sign-On
• Active Directory
• Agent or agentless
• Third-party systems via RADIUS, Syslog and API integration
[Diagram: FortiAuthenticator providing user identity, two-factor authentication, wireless authentication and FSSO to FortiGate and FortiAP]
FortiAuthenticator Overview
Secure access to your organization's systems and data with identity-based policy and two-factor authentication
»Control access to your intellectual property
Enable secure remote and guest network access whilst retaining control over security
»Allow business to flourish, but not to the detriment of security
Reduce the operational burden of local and guest user management
»Identify users and apply granular user policy
»Integrate with existing user repositories (AD, LDAP)
»User lifecycle management workflow
FortiAuthenticator Use Cases
Two-factor Authentication
Enable strong password security across your network and application estate
»Secure remote access to critical systems
Reduce operational overheads
»Self-service password reset
»Integration with existing LDAP and AD databases
»Built-in lost token workflow
»Migration strategy from third-party vendor tokens
[Diagram: username, password and token validated by FortiAuthenticator against LDAP/Active Directory before access to protected devices; supported authentication methods: physical, tokenless, certificate (BYOD), API, mobile]
Flexible range of token formats to suit all deployment requirements
»OATH-compatible TOTP (time-based) tokens (FTK200)
»USB certificate tokens (FTK300)
»FortiToken Mobile for Android, iOS and Windows Mobile
»SMS and email tokens
Supports any RADIUS-capable device
»Juniper, Cisco, F5, Array, Citrix etc.
»Microsoft Windows domain login and OWA
FortiToken Mobile: supports Android, iOS and Windows Mobile
»6 or 8 digit passcode, 30 or 60 s refresh
»Free install, supports other TOTP & HOTP OATH tokens, e.g. Google, Dropbox, Amazon
»QR code provisioning support
»PIN protection enforced from FAC
Perpetual license
»Can be reissued if device is lost
»Can be reissued if user leaves the organization
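As an added example (not code from this deck or from Fortinet), the OATH HOTP/TOTP computation (RFC 4226 / RFC 6238) that a token such as FortiToken Mobile performs, showing how the 6- or 8-digit length and the 30 s or 60 s period listed above change the code, together with the server-side check that tolerates a small clock drift. The secret is the published RFC test-vector secret, not a real provisioning seed.

```python
import hashlib
import hmac
import struct

# Constructed input: the HMAC-SHA1 test secret from RFC 4226 / RFC 6238
# (ASCII "12345678901234567890"), not a real FortiToken seed.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    `digits` (6 or 8) and `period` (30 or 60 s) are the two token parameters
    named in the deck; changing either one changes the code."""
    return hotp(secret, unix_time // period, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                digits: int = 6, period: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current time step or for
    `window` steps either side, so token and server may drift slightly.
    Every candidate is compared in constant time; no early exit."""
    step = unix_time // period
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, step + delta, digits), submitted)
    return ok


if __name__ == "__main__":
    # Same secret and instant, three different token configurations.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(TEST_SECRET, t, 6), totp(TEST_SECRET, t, 8),
              totp(TEST_SECRET, t, 6, period=60))
```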
Centralized WiFi Authentication
Authenticate users (PEAP, EAP-TTLS) and machines.
Certificate-based device authorization (EAP-TLS) for BYOD environments.
In open guest or visitor networks, FortiAuthenticator can provide captive portal functions.
[Diagram: wireless authentication with FortiAuthenticator and FortiAP]
Guest Management
User self-registration
Collection of user details
Option to SMS login details (proof of identity)
Receptionist registration option
Time-limited accounts
Delete expired accounts
Support for multiple locations
Coming soon: Facebook, Google, LinkedIn, Twitter login
[Diagram: guest management with FortiAuthenticator and FortiAP]
Transparent User Identity
Identify users and apply identity-based security policy
»FortiAuthenticator transparent user identification collects and enriches user identity information
»Allows FortiGate, FortiMail and FortiCache devices to apply appropriate policy based on user identity and role
»Granular control of network and application access
[Diagram: Fortinet Single Sign-On identifying staff, admin and guest users for corporate resources and guest access]
Fortinet Single Sign-On
[Diagram: FSSO identity sources feeding FortiAuthenticator, grouped as AD & Windows sources and generic sources: RADIUS accounting records, FortiClient SSO Mobility Agent, Active Directory polling, login portal & widgets, REST API, Syslog, Kerberos with NTLM fallback, TS and AD collector agents]
Certificate Authority
Simplifies the task of certificate management
Issue certificates for multiple uses:
»VPN authentication
»Wireless 802.1X (PEAP, EAP)
»Windows desktop authentication
»Compatible with FTK300 USB PKI certificate store
[Diagram: FortiAuthenticator acting as certificate authority]
Strengthen and simplify VPN security
»Certificate-based VPN enhances traditional pre-shared keys with a second factor
»Revoke certificates if device is lost (OCSP)
»Zero-touch certificate distribution (SCEP)
»Integration with FortiManager to simplify deployment
RADIUS Accounting Proxy
Integrates carrier/ISP networks with Fortinet RADIUS Single Sign-On
»Minimises changes needed to critical business systems
»Takes the additional load by duplicating RADIUS packets
RSSO used to apply identity policy for FortiGate, FortiMail and FortiCache
[Diagram: carrier/ISP RADIUS server sending RADIUS accounting to the FortiAuthenticator accounting proxy]
Active-Passive High Availability
»Local sync with failover
»Supports all features
Active-Active Config Sync
»Geographic distribution
»Load balance across devices (scalability)
»Supports authentication feature sync (not FSSO)
»Can be combined with Active-Passive HA (A-P master, standalone slaves)
Case Study: Medium Enterprise Identity Management
Organization and Challenge
Multiple user groups / domains
Online retail organization with mobile workforce and widespread BYOD adoption.
Incumbent Cisco wireless network; customer thought Cisco was the only option for gateway identity policy.
Why We Won
Ability to consume user identity from Cisco wireless network (via RADIUS accounting)
Fully inclusive guest management and registration features
What They Bought
2x FortiAuthenticator 200D (HA)
2x FortiGate 600C (HA)
Still in the game for WiFi refresh
Who We Beat
Cisco
Cisco tried to claim that the only way to perform identity-based firewalling was using their own ISE and ASA. FortiAuthenticator proved this wrong and has kept Fortinet in the running for the WiFi refresh.
[Diagram: Cisco WAN, remote workers, FortiAuthenticator and FortiGate]
Case Study: Local Government Identity Management
Organization and Challenge
Multiple user groups / domains
Regional govt. requiring transparent identity-aware firewalling
5,000 users with granular permissions across 3 domain controllers, 2 domains
Why We Won
Multiple identity detection methods
AD polling combined with RADIUS (VPN) and guest portal
Fully inclusive guest management and registration features
What They Bought
2x FortiAuthenticator 1000D (HA)
2x FortiGate 1000D (HA)
Who We Beat
Juniper, CheckPoint, SonicWall
[Diagram: WAN and remote workers; FAC gathers user identity and forwards it to FGT]
Case Study: Enterprise Identity Management
Organization and Challenge
90 remote sites
Multinational enterprise with 3 datacenters, 90 branches and 17,000 users throughout the world.
Mobile workforce means users could be on any site.
Why We Won
Performance and scalability of user identity detection
Selective distribution of login events to local site and core
What They Bought
3 x FortiAuthenticator 3000D
9 x FortiGate 3600C
90 x FortiGate 110C
Who We Beat
PaloAlto, Juniper
[Diagram: WAN, 3 datacenters with FortiGate clusters and Active Directory; FAC gathers user identity and selectively forwards identity to the relevant FGT]
Case Study: Enterprise Two-Factor Auth
Organization and Challenge
Network Operations Center
Enterprise organization requiring secure multi-factor authorization for a heterogeneous range of devices
Integration with existing LDAP/AD infrastructure
Why We Won
Secure provisioning strategy (CD)
Physical and soft token support
Support for wide range of client devices and Windows desktop login
What They Bought
2 x FortiAuthenticator 400C
100 x FortiToken 200
500 x FortiToken Mobile
Who We Beat
RSA, Safenet
[Diagram: Internet, multiple datacenters, home workers, FortiAuthenticator]
FortiAuthenticator Ordering Information
Small / Mid Enterprise Deployments: FortiAuthenticator 200D
• Support up to 500 users
• HDD – 1 x 1TB
• 4 x 10/100/1000
• Rack mountable, 1U
• Single AC PSU
Mid Enterprise Deployments: FortiAuthenticator 400C
• Support up to 2,000 users
• HDD – 1 x 1TB
• 4 x 10/100/1000
• Rack mountable, 1U
• Single AC PSU
Large Enterprise/Service Provider Deployments: FortiAuthenticator 1000D
• Support up to 10,000 users
• HDD – 2 x 2TB
• 4 x 10/100/1000
• 2 x SFP
• Rack mountable, 2U
• Dual AC PSU
Large Enterprise/Service Provider Deployments: FortiAuthenticator 3000D
• Support up to 40,000 users
• HDD – 2 x 2TB
• 4 x 10/100/1000
• 2 x SFP
• Rack mountable, 2U
• Dual AC PSU
All Sized Deployments from SME to Service Provider: FortiAuthenticator VM
• From 100 to 1M+ users
• Unlimited CPU
• Unlimited RAM
FortiAuthenticator vs FortiGate
Area | Feature | FortiGate | FortiAuthenticator
Auth | Two-factor auth with FortiToken
Auth | Multiple FortiGate per token
Auth | Support third-party vendors
Auth | User password reset
Auth | User self-registration
Auth | Support multiple realms
FSSO | AD polling
FSSO | DC & TS agent
FSSO | Kerberos
FSSO | RADIUS accounting | ✗ (FSSO), (RSSO) | (Both)
FSSO | Syslog
Competitive Landscape
[Diagram: FortiAuthenticator positioned across two-factor auth and user identity]
Feature Comparison – User Identity
Feature | FortiAuth | PaloAlto User-ID | Cisco Identity Services Engine | Juniper Pulse UAC * | Checkpoint Identity Awareness Blade
Identity, Microsoft Windows environments: DC polling; DC agent; Terminal Services agent; Kerberos; Microsoft Exchange
Identity, non-Microsoft Windows environments: endpoint agent; captive portal; embeddable widgets; SYSLOG; open API (IF-MAP); RADIUS accounting
Authorization: LDAP/AD; local override
Feature Comparison – Two Factor Auth
Feature Type | Feature | FortiAuth | Safenet | RSA | Vasco
Deployment: Appliance; Software; Virtual Machine; Cloud
Tokens, physical token: ✓ (Time), (Event), ✓ (USB Cert), ✓ (Time), ✓ (Event), ✓ (USB Cert), ✓ (Time)
Tokens, mobile token: ✓ (iOS), ✓ (Android), ✓ (WinMo), ✓ (BB), ✓ (iOS), ✓ (Android), ✓ (WinMo), ✓ (BB), ✓ (iOS), ✓ (Android), ✓ (WinMo), ✓ (BB)
Tokens, desktop token: (Mac), (Win), ✓ (Mac), ✓ (Win), ✓ (Mac), ✓ (Win)
Tokens, tokenless: ✓ SMS, ✓ Email, ✓ SMS, ✓ Email, ✓ GrIDsure, ✓ SMS, ✓ Email
Agents: Windows Domain 2FA; Outlook Web Access 2FA; Sharepoint (Roadmap)
Integration, auth methods: ✓ RADIUS, ✓ LDAP, SAML, ✓ API, ✓ RADIUS, LDAP, ✓ SAML, ✓ API
Integration, external user repositories: ✓ Local, ✓ AD, ✓ LDAP, ✓ AD, ✓ LDAP, RADIUS, ✓ AD, ✓ LDAP (Oracle only)