Fortinet FortiAuthenticator Reviews

We implement FortiAuthenticator in situations where there are multiple Active Directory domains. Other use cases include:

• When we need to use FortiClient to keep track of users as they move around different locations where normal FSSO would have issues
• When we need to use one FortiToken for multiple Fortigates
• When we want to use it as a domain controller.

The FortiAuthenticator can do many things.

It keeps track of users and their IPs no matter where they are in the network. When users roam, we don't have to worry about not mapping them to an IP.

Valuable features include the robust SSO features, when you have more complicated authentication within an organization. We can mix AD, Radius, Portal, SSO Portals (Google, etc.), and build our own environment. It is very flexible.

The GUI is on the older side but I'm sure that it will be upgraded soon. It works, but it looks a little dated.

This solution is used for 2FA for Desktop and VPN access. Each computer, server and VPN access has to have a 2FA and the solution allowed us to accomplish this with a fob or phone app. We use the fob as phones are not owned by the company.

This was a regulation we needed to fill and it worked at a good price. It provided a solution that allowed us to fulfill the requirement.

• Easy integration with FortiGate to allow for 2FA with our VPN.
  
• Addition and removal of access as needed for the VPN.

For my use of this solution, not much needs to change. I do not mind the way it works currently. However, I would recommend a more fluid integration with FortiGate.

Standards-based secure authentication

FortiAuthenticator centralizes the management and storage of user identity information, thereby increasing the efficiency of administration and increasing the control over who accesses the network.

• Two-factor authentication using tokens

1- OATH-compatible time-based tokens (Hardware tokens FortiToken200/FortiToken220)
2- USB certificate-based tokens FortiToken-300)
3- FortiToken Mobile for Android, iOS, and Windows Mobile
4- SMS and email tokens

• Wired/Wireless authentication using the 802. 1X standard
• Certificate management
• Captive portal guest management
• Fortinet Single Sign-On

Central management of user Identities and access

FortiAuthenticator extends two-factor authentication to multiple FortiGate appliances and to third-party solutions that support RADIUS or LDAP authentication

FortiAuthenticator can create, sign, and revoke X.509 certificates.

FortiAuthenticator can sign user certificate signing requests (CSRs) and distribute certificate revocation lists (CRLs) and CA certificates.

FortiAuthenticator verifies the identity of the external LDAP server by using a trusted CA certificate

FortiAuthenticator has expanded the capabilities of captive portal from credential authentication to include social WiFi authentication and MAC address authentication.

Social WiFi authentication allows FortiAuthenticator to utilize third-party user identity methods to authenticate users into a wireless guest network. Supported authentication methods include:Google+, Facebook, LinkedIn, Twitter which include SMS- and email-based authentication

Fortinet Single Sign-on (FSSO) enables FortiAuthenticator to leverage the existing network authentication systems for firewall authentication. (Windows Active Directory (AD) or Novell eDirectory)

1- Integration with different vendor firewalls (I tested only with Cisco using Cisco ASDM 6.3 (5) but i am not sure if it works with other vendor solutions)

2- A lot of configurations are available only from CLI

3- Documentation/videos for different implementation scenarios

1 year

It is very stable.

VM platfroms are scalable based on the business needs.

10/10

9/10

We used FortiGate to manage tokens and user identities but FortiAuthenticater includes more features.

All Fortinet solutions are easy to implement.

Integrated RADIUS server with 802.1x functionality and access control. Single Sign On and AD integration. It integrates very tightly with the rest of the Fortinet ecosystem.

It integrated with the existing Cisco wireless infrastructure to solidify the way people authenticate onto the network. It permitted having a centralized area to authenticate all users and enabled SSOimplementation.

A better integration with other vendors. The device is rich in features but there are a lot of functionalities I have still not experienced with.

Two and a half years.

Overall not really, a few hiccups with the syncing with AD but nothing major.

Not in my experience. The device can scale on a VM with an additional license. And there are boxes that can support thousands of users (which I have still not met).

Very good. In our area we get support both in French and English and the response times are usually pretty decent.

We are a Fortinet reseller and integrator so there were no "switches" per say.

The setup process can be tedious.

I would start off with a VM including the base license and scale according to the number of users you need to authenticate.

ClearPass by Aruba and ISE by Cisco are the two main competitors in this space. To me ClearPass seams to be the most feature-rich solution for the price and vendor neutral as is FortiAuthenticator.

I strongly recommend someone accompany you in the initial deployment of the product to view all the functionalities that the platform is capable of doing.

• User management with many credential sources: LDAPs, RADIUS, Social login, SAML, tokens, and local
• Captive portal server: Used to configure several portals for each service
• User friendly GUI with many features
• Very powerful

We are now enjoying social login in public Wi-Fi environments with very easy deployment and a maximum level of security.

I would like to see support for more credential authentication protocols.

I have used the product for six months.

I did not encounter any stability issues.

I did not encounter any scalability issues.

I would give technical support a rating of 10/10.

We used FreeRADIUS. It had limited authentication protocols (only RADIUS), no GUI, and very complicated management.

We enjoyed an easy deployment. There are many documents with guides and best practices.

This solution comes with a low price for the features, power, and ease of licensing.

We looked at FreeRADIUS and Ciso ISE.

This is a perfect solution for authentication services.

The valuable features are the granularity of the security settings and the relative ease of adding users. It also makes it really nice and easy to remove access from users that have left us or who are doing things they shouldn’t be doing.

It made things much easier for dealing with users BYOD for our secured wireless networks. We also use this in conjunction with an MDM solution. It makes a nice package that is easy for our end-users and is very secure.

The interface is a bit misleading in areas. Finding some settings can be a bit confusing and difficult. I would also like to see a few more real world examples given in the setup section.

We have used this solution for one and a half years.

We did not have any stability issues. This runs on our VMware environment and we have never had an issue with stability.

As this is a virtual device, we had no scalability issues. If we need more users, we just add more licenses. This makes it nice as there is no physical appliance to outgrow.

Configuration of the virtual device was very straightforward.

The configuration of the settings in the authenticator was a bit more confusing. We did have to contact support a few times to work through some configuration issues. They also helped us set up some configurations for the active directory and our local certificate servers.

The price was very reasonable given what it can do.  Licensing was also very reasonable.

Just make sure you do an accurate count of what you will need for licenses. If you run out of licenses, no additional users will be able to authenticate through this device.

Planning is the key to a successful implementation. Know what you want to accomplish out of the gate before you get started. Make sure you test before rolling out to end users. Due to really tight timelines, we missed a couple of key settings and configurations.

One of the most valuable features is the simple FSSO (Fortinet Single Sign-On) configuration that helps to manage user-based security rules.

It is a cool security product. It's easy to use, implement and maintain, but there is room for improvement.

When we came across access management, we required several technical features to help manage user access to critical systems and remote access. That’s why we always go for a SSO two-factor authentication server. FortiAuthenticator is a bundle of these features. It has its own hardware and software token for two-factor authentication. It supports single sign-on and seamless integration with user-based web filtering, without any prior authentication. It can act as a Radius server to support other systems for Radius authentication. One of the common practices is using FortiAuthenticator with Dot1.X network access control.

The GUI is not fancy enough and some of the settings are difficult to access.

Part of the configuration has to be done by CLI, which is not friendly for security administrators.

Integration with other firewalls may not be as good as expected.

I have used it for two years, mostly implementation for clients.

No stability issues so far, as long as the number of users is not too large.

No issues for scalability: It is easy to add new resources as we deploy virtual machines.

FortiCare can provide prompt replies. They have basic knowledge on every single product in the Fortinet family. They have a standard protocol to response to support cases which is great. They are willing to accept RMA for technical difficulties that cannot be solved in a short period of time.

I have tried Cisco ISE as a NAC solution. Cisco ISE is the "Terminator" of NAC solutions, which has numerous features to prevent unauthorized access. However, its integration with FortiGate firewall is not great. When I use the SSLVPN service from FortiGate, it fails to authenticate with two-factor authentication. For this, using FortiAnthenticator would be a good choice for its genuine integration.

It is quite straightforward to set up the FortiAuthenticator. We mainly deploy as a virtual machine. An OVF file is provided by Fortinet and you just simply compile the file in the VMware environment. Upon simple configuration, such as IP address and default gateway, you can access the web GUI and do any configuration, as you like.

Licensing is straightforward, as Fortinet provides stackable licenses for FortiAuthenicator. Count the number of users and select sufficient licenses. Pricing is acceptable; much cheaper than Cisco ISE.

I have tried Cisco ISE. For state-of-the-art features, I would recommend Cisco ISE because of its brilliant features. But I would recommend FortiAuthenticator, if you are currently using FortiGate firewall and you seek a well-suited, complimentary NAC solution.

The need for a NAC solution depends on your infrastructure. If you are a Fortinet user, FortiAuthenticator would be a nice choice to enhance security on VPN and web access. However, there are many other choices, such as ForeScout, which is vendor-neutral, to support different systems from different vendors.

The valuable features are:

• Two-factor authentication
• User ID with our LDAP service
• Integration with our other FortiGates

By using one of our units as a load-balancing slave, we were able to roll out location-based VPNs that created quicker connections to local servers for our end users. Furthermore, incorporating a LBS unit has provided preventative measures and ensured that our remote users can still connect if a failure occurs on our master authentication unit.

It was initially difficult to sync our high availability, load-balancing slave (LBS) to our master unit. There were some initial issues connecting it and syncing with our master FortiAuthenticator unit. After reaching out to Fortinet support, it turned out that the unit needed a software update.

I would like to see the following:

• Creating an easier implementation of software patches.
• Designing the admin profiles to sync across, instead of having to recreate them. (I see how this could be problematic with security measures.)

We've been using our master unit for about a year and our LBS for about six months.

We had some stability issues. Our first LBS unit wouldn't work properly the first time and that wasted a lot of time. Eventually, it died and we had to RMA the unit.

We didn't have any issues with scalability.

The technical support we received from Fortinet was responsive. When we experienced problems, they were able to fix our issues.

Before implementing our FortiAuthenticators, we used our main FortiGate as a way to push out two-factor codes to our users. After a while, this option was not working. As we continued to grow, we needed something more substantial and manageable.

The initial setup was somewhat difficult in syncing our LDAP service to our main FortiGate.

Before using the FortiAuthenticator, we pushed out tokens via our main FortiGate.

If you want a more efficient way to manage two-factor authentication for your users, or implement the unit as a cluster member role, the FortiAuthenticator can be incorporated very well into your environment.